Splunk Phantom Integration: Maximizing Automation for Incident Detection and Remediation

by Mike Reynolds
Automation is becoming more and more prevalent and sought after by Security Operations Centers (SOC). This is driven by the increasing cybersecurity skills gap, intensified by the volume of security data and alerts that require analysis. To address this, SOC teams are looking at tools such as Security Orchestration Automation and Remediation (SOAR) systems.

However, in our interactions with customers, we are finding a great deal of frustration among organizations that have rolled out SOARs. Much of this frustration comes from the inability of the SOAR to digest the volume of data and alerts generated by the various sensors in the environment, let alone to perform the correlation and decision-making needed to find malicious behavior. When this occurs, organizations miss out on the automation benefits, particularly for incident remediation, that SOAR was meant to deliver in the first place.

Exacerbating this frustration is the sheer amount of time, effort and cost it takes to write playbooks for automated incident remediation. Additionally, playbooks must be maintained over time to keep up with attacker Tactics, Techniques and Procedures (TTP), which are constantly changing. However, if the SOAR isn't finding the incidents, or cannot monitor the data at the scale required, those playbooks that automate remediation are of little value.

As we announced last fall, the Respond Analyst integrates with Splunk Phantom. This integration allows Respond to take the heavy lifting of front-end alert monitoring, triage and scoping off of Phantom. Once incidents are identified and false positives are discarded, the Respond Analyst forwards only the malicious incidents that require remediation. From there, Phantom will automate remediation actions to close the incident.

Unlocking SOAR with eXtended Detection and Response (XDR)

The Respond Analyst, an XDR Engine from Respond Software, enables organizations to unlock the true automation capabilities of their SOAR deployments by managing the up-front analysis and triage of events before they are passed to the SOAR system. The Respond Analyst scales to handle millions of events, escalating actionable and malicious incidents into SOAR for remediation while filtering out false positives. Unlike SOAR, however, the Respond Analyst does not require coding, customization or maintenance over time, so time to value can be realized in hours. Leveraging the Respond Analyst with SOAR reduces attack dwell time, remediates security issues faster through additional automation, and elevates analyst collaboration.

The Respond Analyst and Splunk Phantom Integration – how it works

When the Respond Analyst escalates an incident, it will also create a new Phantom Container. A clickable link to the Phantom container is added to the incident in the Respond Analyst console. Additionally, every escalated event associated with an incident is pushed to the Phantom Container as an artifact.

Incidents escalated by the Respond Analyst are automatically pushed to Phantom as events.

In the Phantom interface, a description is created that contains a summary of the incident escalated by the Respond Analyst. Escalated events are also presented as Artifacts on the Container Timeline in the Phantom console. 

Each escalation that makes up a Respond incident is available as a container artifact in Phantom.  All of the rich data the Respond Analyst collects about each escalation is available in Phantom as well.

When the incident is closed in Phantom, it is automatically closed in the Respond Analyst as well.

Summary

The Respond Analyst investigates, scopes, triages and correlates events, increasing the incident remediation capabilities of Phantom. The Respond Analyst enables security analysts to stop watching consoles all day and start investigating incidents, a more valuable use of their time. The combination of the Respond Analyst and Phantom will result in reduced attack dwell time for customers that already use, or are considering, both solutions.

For more information on the Respond Analyst and SOAR:

The Respond Analyst + Splunk Phantom Demo
Is the Respond Analyst a SOAR Tool?
Putting the Automation into SOAR