DATA SHEET

Splunk Phantom allows customers to work smarter, respond faster, and strengthen their defenses through automation and orchestration. Phantom playbooks enable customers to create customized, repeatable security workflows that can be automated. The following examples are automated playbooks leveraging Phantom, Splunk, and threat intelligence from Recorded Future.

Enrichment | Automate the process of retrieving external data for details and context on IOCs.

• Example: When a Splunk IOC alert is passed to Phantom, a playbook can be automatically invoked to get Recorded Future risk scores and associated enriched context for those IOCs. The playbook’s decision logic can immediately escalate the IOC to an analyst if deemed risky.

• Business impact: Prioritize analysts’ time to make quicker decisions on the highest-risk threats and discover threats faster.

Correlation | Identify relationships between internal activity logs in Splunk and external risk and threat intelligence. Splunk will initiate a playbook based on the correlation of the data, and Recorded Future will enrich that data.

• Example: Based on suspicious log data, Splunk issues a Breach-IOC alert to Phantom. The Phantom playbook enhances the IOC. If the risk score is greater than 80 and the risk string contains ransomware, then the playbook will look for and add the offending IOC into an internal list, create a feedback loop into Splunk, and send an email notification to the analyst. Other actions may be added to block or quarantine the threat via other products available in the security stack.

• Business impact: Proactive intelligent blocking can lower risk profile and prevent breaches.

Automate Threat Intelligence Security Actions Using Recorded Future and Splunk Phantom Playbooks

.

About Recorded Future

Recorded Future arms security teams with the only complete threat intelligence solution powered by patented machine learning to lower risk. Our technology automatically collects and analyzes information from an unrivaled breadth of sources and provides invaluable context in real time and packaged for human analysis or integration with security technologies.

© Recorded Future, Inc. All rights reserved. All trademarks remain property of their respective owners.@RecordedFuture

www.recordedfuture.com

Monitoring | Use Recorded Future alerts to stay on top of external information like news, events, and risk factors important to your organization. Use Phantom to speed up team’s workflow review with alerting on company-specific entities found in external data.

• Example: Recorded Future uncovers multiple alerts based on potential threats to the organization. A Phantom playbook can be used to automate and orchestrate precautionary and remediation actions based on the alert name or validation actions.

• Business impact: Get early warning to risks and take preventive action. Up to 10 times faster identification of threats.

Threat Hunting | Proactively and iteratively search through networks to detect and isolate advanced threats that evade existing security solutions. Enable analysts to quickly pull together related evidence to reveal a larger threat.

• Example: From a suspicious event generated by Splunk, use Recorded Future and Splunk Phantom to gather risk scores on IOCs and expand the investigation to include related entities.

• Business impact: This playbook can significantly lower risk by deploying an informed hunting capability and providing analysts with more time on analysis rather than doing data collection.