© 2019 SPLUNK INC.
Introduction to Incident Response with Splunk>Phantom
Splunk Live! Stockholm, 2019-11-13
Tibor Földesi | Security Analyst at Norlys a.m.b.a
Twitter: @Multi_Task_King
Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
About me
▶ Security Automation Analyst at Norlys a.m.b.a
▶ Main areas:
▶ Log analytics
▶ SIEM content engineering
▶ Incident response
▶ Automation & Orchestration
▶ Threat Intel
▶ Splunk ES + Phantom user since 2016
▶ Fan of everything in infosec, but bored of repetitive tasks
About Norlys a.m.b.a
▶ Ex-Sydenergi, -Stofa, -Eniig, -Boxer, -Evonet, -N1
▶ 709k owners
▶ 704 board members
▶ 2500 employees
▶ 1.5M customers
▶ 12 locations
▶ Biggest power utility and telecommunications concern in Denmark
What really is Splunk Phantom?
How We Got Started
▶ "Every battle is won or lost before it is fought." - Sun Tzu
▶ Our team had a clear vision:
▶ Gather a relatively small team of talents with a diverse knowledge pool
▶ Collect all the logs in Splunk
▶ Automate all the repetitive tasks
▶ Drink a lot of coffee tonic instead of working
Our Story
▶ Situation:
▶ We had to build log analytics and incident response capabilities from the ground up for a relatively big company in Denmark.
▶ Struggling with:
▶ Repetitive tasks, a myriad of tools, slow web UIs, creating and maintaining internal processes
▶ Wanted:
▶ A Mission Control for investigations with in-depth documentation and automation capabilities.
▶ Enter Phantom:
▶ With Phantom we are now able to automate the boring tasks and document every step, whether that step is automated or manual
Our 5 Step Journey with Splunk Phantom
1. Using Phantom for documentation and adding everything manually
2. Using applications in Phantom to semi-automate investigation processes
3. Chaining applications/actions together to create playbooks
4. Customizing the playbooks with some custom code, if needed
5. Connecting Splunk and Phantom for closer integration
▶ The most notable alerts from Splunk ES are now forwarded to Phantom – automated ticket creation
▶ Most of the tickets automatically initiate enrichment actions – automated ticket enrichment
▶ Advanced incident handling capabilities: Mission Control allows us to document and maintain our processes inside Phantom
Splunk>Phantom in real life
(Diagram: Phantom connected to Servers, Endpoints, Network Devices and Apps / API)
Use Cases at Norlys (Part 1)
▶ Production server group containment with 4 eyes principle
▶ Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis
▶ Grab browsing history from endpoint
Production server group containment with 4 eyes principle (2018)
▶ The same analyst could actually approve the contain action twice
▶ No two-factor authentication
▶ Early, but working version of a great idea
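The weakness called out above is that the 2018 gate counted approvals rather than approvers. The following is an added example (not code from the Norlys deck or from the Phantom product) that models the prompt answers a playbook collects as plain records and puts the counting check beside a dual-control check that requires distinct analysts; the `Approval` record, the `requester` exclusion and the `decide_containment` helper are assumptions for illustration, not Phantom's prompt-result schema.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    """One analyst's answer to a containment prompt.

    Constructed model for this example, not Phantom's prompt-result
    schema: 'approver' is the identity of the user who answered,
    'response' is "approve" or "deny".
    """
    approver: str
    response: str


def approved_2018(approvals):
    """Flawed gate as the slide describes the 2018 playbook: two
    'approve' answers pass, even if both come from the same analyst."""
    return sum(1 for a in approvals if a.response == "approve") >= 2


def approved_four_eyes(approvals, required=2, requester=None):
    """Dual-control gate: `required` distinct analysts must approve,
    a single deny vetoes the action, and the analyst who requested
    the containment (if known) cannot count as an approver.

    Identities are normalised so "Alice " and "alice" are one person.
    """
    if any(a.response == "deny" for a in approvals):
        return False
    approvers = {a.approver.strip().lower()
                 for a in approvals if a.response == "approve"}
    if requester is not None:
        approvers.discard(requester.strip().lower())
    return len(approvers) >= required


def decide_containment(server_group, approvals, requester=None):
    """Return the playbook decision plus the reason, so the decision
    itself can be written to the container's notes for audit."""
    if approved_four_eyes(approvals, requester=requester):
        names = sorted(a.approver for a in approvals
                       if a.response == "approve")
        return {"action": "contain", "target": server_group,
                "reason": "distinct approvals: " + ", ".join(names)}
    return {"action": "hold", "target": server_group,
            "reason": "four-eyes requirement not met"}


if __name__ == "__main__":
    # Constructed sample: one analyst answering both prompts.
    twice = [Approval("alice", "approve"), Approval("alice", "approve")]
    print("2018 gate:", approved_2018(twice))          # True (the flaw)
    print("four-eyes:", decide_containment("prod-web", twice))
```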
Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis
Production server group containment with 4 eyes principle (2019)
Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis (2018)
▶ This playbook required too many resources and used a lot of custom code
▶ Hard to maintain and to debug, but possible
▶ Is there a better and more automated way?
Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis (2019)
Grab browsing history from endpoint (2018)
▶ Early version, a lot of custom code
▶ How can we improve it?
Grab browsing history from endpoint (2019)
Use Cases at Norlys (Part 2)
▶ Create HUD for AV alerts
▶ Chat tool notification if a ticket was created automatically
▶ Initiate memory capture remotely on an endpoint
Chat tool notification if an automated ticket was created
Initiate memory capture remotely on an endpoint
▶ No user interaction
▶ Relatively fast
▶ Automatic check for completion via a scheduled playbook
Mission Control in Phantom on-premise
KPIs
▶ Our goal is not to work, just to drink coffee
▶ Mostly, we measure success by whether:
▶ We don’t have to disturb the users - the actual KPI
▶ We don’t have to physically obtain the machines for forensics
▶ We can at least semi-automate investigation and documentation tasks (the more the better)
▶ Sneaker-net vs API speed - the real advantage
▶ Hours/days vs 30 seconds
Key Takeaways
1. Splunk offers professional services for Phantom – highly recommended
2. Have a separate development environment
3. If you hit walls, the custom code option is there
4. The Community Edition is FREE
5. Join the friendly and helpful phantom-community Slack channel
Links for getting started
▶ Phantom community webpage: https://my.phantom.us/
▶ Phantom community Slack: https://phantom-community.slack.com/
▶ Documentation: https://my.phantom.us/4.6/docs/
▶ Online training on Splunk Education: https://education.splunk.com/catalog?category=phantom-courses
News from Splunk .conf19
▶ Applications are now open-source
▶ Per-seat license model
▶ Python 3 migration work underway (currently only 2.7)
▶ Mission Control (for Splunk cloud environment)
▶ Mobile app is now available with Phantom 4.6
Thank You.

Editor's Notes

  1. Hi, my name is Tibor Földesi and I have been working as a Security Automation Analyst for Norlys in Denmark for almost 2 years now. My main tasks include log analytics, SIEM content engineering, automation & orchestration, and consuming and generating threat intel. I have been using Splunk Enterprise Security and Phantom together for more than 3 years, and I still love them and still have not got bored of them. Why? Because I really don’t like to do the same thing twice.
  2. I work for Norlys; we operate in the Jutland region of Denmark. We recently had a big merger, so today we have more than 700k owners, 700 board members, 2500 employees and more than 1.5M customers. We are the biggest power utility and telecommunications concern in Denmark.
  3. Phantom’s flexible app model supports hundreds of tools and thousands of unique APIs, enabling you to connect and coordinate complex workflows across your team and tools. Powerful abstraction allows you to focus on what you want to accomplish, while the platform translates that into tool-specific actions. In human language: imagine you have a box of LEGO bricks, but you are not really sure what you actually want to build just yet. Phantom is here to help you organize and guide you through the building process, like the building manuals for LEGO sets: you can follow those, or you can go wild and follow your imagination.
  4. "Every battle is won or lost before it is fought." - Sun Tzu said this more than 2000 years ago, meaning that if you are prepared, almost nothing can surprise you. I believe this quote applies to today’s cyber landscape really well. The security analytics team of Norlys was hired in late 2017 with the idea of understanding and developing the analytics and incident response capabilities of the company. I joined them a little bit later, in February 2018. We had a clear vision from the start:
     ▶ Hire top-level talent with different kinds of expertise
     ▶ Collect every log we can
     ▶ Automate the repetitive and boring tasks
     ▶ Drink coffee and enjoy the work, spend time on serious things like threat hunting and building detections
     Your company will face some kind of IT breach sooner or later, but there are some questions regarding that: Will you be able to detect it? Will you be able to respond? Will you be able to remediate?
  5. Our situation was hard: hundreds of gigabytes of logs per day, but only a handful of people in security analytics. We were considering automation from day one. We were struggling with repetitive tasks, a myriad of tools, slow web interfaces, and a lack of internal processes. We wanted a centralized Mission Control for our investigations, with the option to document and automate most of our job. Then we started to evaluate whether Phantom was the right SOAR tool for us. We used the free Community Edition for 6 months, then made the decision to purchase it. Compared to other automation & orchestration tools, we saw a great advantage in the documentation and incident handling capabilities.
  6. The first step was using Phantom for documentation and adding every piece of information manually. Imagine Notepad++ on steroids. You actually use it, because it is so easy to use.
     The second step was configuring and installing applications to semi-automate different kinds of tasks. We started to investigate which “built-in” functions we can use out of the box, for example containing a machine, or figuring out if an endpoint is online.
     The third step was chaining the apps together and creating playbooks. When we were comfortable using manual tasks, we started to think that we want to drink more coffee and work even less, so what if we can chain actions together? For example, when a ticket is created, send a notification to our chat tool and check if the suspicious file hash is malicious.
     The fourth step was customizing the playbooks with custom Python code. We had some really crazy ideas that went beyond the possibilities of Phantom, and almost all of them were realized by using some custom code.
     The fifth step was finally connecting Splunk and Phantom for closer integration:
     ▶ Selected notable alerts from Splunk ES are now forwarded to Phantom – automated ticket creation – instant ticket creation vs. 10 minutes of manual work
     ▶ Some tickets automatically initiate enrichment actions – automated ticket enrichment – 30 seconds vs. 30 minutes
     ▶ Advanced incident handling capabilities: Case Management allows us to document and maintain our processes inside Phantom; also, if you have a lot of events, you can merge them into a single one with a few clicks, or you can even automate it
  7. As you can see here, in Norlys we gather every log we can, then some alerts created by Splunk are automatically forwarded to Phantom. Through Phantom you can initiate actions with specific Apps. If you have an Endpoint Response tool:
     ▶ You can download files from endpoints
     ▶ You can run PowerShell scripts on endpoints
     ▶ You can automate tasks that you usually click through in the web interface
     And all of this is properly documented and also visualized with a timeline. If your organisation is mature enough, you can even handle the full OODA loop (observe–orient–decide–act) without any human interaction. Of course, to do that you need to have the right employees with the skillset and willingness for automation. I worked in SOCs for many years and was bored of repetitive tasks, so in my mind, automation is helping to keep IT Security interesting and relevant.
  8. I am going to show you 6 use cases we have at Norlys:
     ▶ The first one will show you how we implemented the four-eyes principle in major decision-making actions.
     ▶ The second one will show you, in the case of antivirus alerts, how Phantom automatically grabs the file from the endpoint and uploads it to a malware sandbox for analysis.
     ▶ The third one will show you, in the case of a malicious domain alert, how Phantom grabs the browsing history from the user’s machine.
  9. Let’s say a company faces a very serious ransomware infection in their production environment. The incident handlers might make a decision to contain all the production servers in order to stop them from spreading the infection. Also, let’s say the senior analyst has to approve it before it actually happens, and it has to be documented before it happens. Usually in the past I saw this happening in the following way:
     ▶ A mail chain with 100+ mails asking for verification from at least two level 3 analysts for initiating the actions
     ▶ Action initiated manually by someone in the web interface, hence there is no real documentation
     ▶ Mail is attached to the ticket for documentation, but still no one knows who actually initiated the action
     We managed to handle this in the following way:
     ▶ Let’s say the manager or a level 3 analyst is initiating the production server group containment
     ▶ All the level 3 analysts get a notification for this action
     ▶ An action lists all the group IDs, and if two separate level 3 analysts picked the same group, the action proceeds
     ▶ Everything is documented in the ticket with timestamps
     But this was not even close to perfect.
  10. In the case of an antivirus alert, a ticket is automatically created in Phantom. This playbook grabs the quarantined file from the endpoint, then uploads it to a malware sandbox. After some delay, it downloads the summary in PDF form, then presents it to the analyst.
  11. This is how the playbook looks today:
     ▶ We require DUO 2FA authentication from both level 3 analysts
     ▶ More robust and stable than before
     ▶ Better documentation
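The four-eyes gate from notes 9 and 11 (two separate level 3 analysts must pick the same server group, with every decision written to the ticket with a timestamp) modelled as plain Python. This is an added example, not the presenter's playbook and not Phantom's playbook API: the role name, analyst names, group IDs and the `contain_group` callback are constructed placeholders, and the Phantom prompt/approval step is replaced by `record()` calls.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

REQUIRED_APPROVALS = 2       # two independent level 3 analysts, as in the talk
APPROVER_ROLE = "level3"     # constructed role name, not a Phantom role


@dataclass
class Approval:
    analyst: str
    role: str
    group_id: str
    at: datetime


@dataclass
class FourEyesGate:
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # ticket-style trail with timestamps

    def record(self, analyst, role, group_id, now=None):
        """Store one analyst's pick; returns True if it counted."""
        now = now or datetime.now(timezone.utc)
        stamp = now.isoformat()
        if role != APPROVER_ROLE:
            self.audit.append(f"{stamp} REJECTED {analyst}: role '{role}' may not approve")
            return False
        if any(a.analyst == analyst for a in self.approvals):
            self.audit.append(f"{stamp} IGNORED repeat pick by {analyst} (one pick per person)")
            return False
        self.approvals.append(Approval(analyst, role, group_id, now))
        self.audit.append(f"{stamp} APPROVED group {group_id} by {analyst}")
        return True

    def approved_group(self):
        # Group id chosen by REQUIRED_APPROVALS distinct analysts, else None
        chosen = {}
        for a in self.approvals:
            chosen.setdefault(a.group_id, set()).add(a.analyst)
        for group_id, analysts in chosen.items():
            if len(analysts) >= REQUIRED_APPROVALS:
                return group_id
        return None

    def run(self, contain_group):
        # Call contain_group(group_id) only when the gate is satisfied
        group_id = self.approved_group()
        if group_id is None:
            self.audit.append("BLOCKED: no group has two distinct level 3 approvals")
            return None
        who = sorted(a.analyst for a in self.approvals if a.group_id == group_id)
        self.audit.append(f"EXECUTED containment of {group_id}; approvers: {', '.join(who)}")
        return contain_group(group_id)
```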
  12. Not a perfect playbook, but how can we improve it?
  13. Splunk’s Professional Services helped us to improve our existing playbooks. Today this playbook:
     ▶ Uses a lot fewer resources than before
     ▶ Is scheduled to check the sandbox job every 2 minutes
     ▶ Needs no human interaction
     ▶ Presents the analyst with a PDF report to make a decision once the sandbox analysis is done
  14. In the case of a bad domain/IP alert, this playbook:
     ▶ Copies Nirsoft’s browser history view to the endpoint
     ▶ Runs it with CSV output
     ▶ Grabs the file from the machine and puts it into the ticket’s file vault
     ▶ Cleans up the temporary files after the process
     This playbook was completely built on previously written custom code, but Splunk’s Professional Services helped us to simplify it.
  15. The playbook today uses zero custom code; now we are only using actions provided by the Apps.
     ▶ Very visual
     ▶ Even a non-coder can understand or edit it
     ▶ Much easier to debug
  16. The other 3 use cases will be the following:
     ▶ Creating a dashboard-like visualization for analysts
     ▶ Notifying analysts if a ticket was opened automatically
     ▶ Initiating memory capture remotely
  17. And that’s what I like. The top 5 things I usually check when I open a ticket:
     ▶ Hostname
     ▶ OS running
     ▶ User currently using the machine
     ▶ The file that triggered the alert
     ▶ The action the antivirus took
  18. On a weekend when I’m on duty, I don’t want to manually check every 4 hours whether a high-severity ticket has been opened. Instead of manually checking, I just want a single notification on my phone telling me to check Phantom. This playbook sends me a pre-formatted message with a clickable link to the ticket. It can be a chat notification or an e-mail, based on your preference.
  19. If an investigation requires capturing memory from an endpoint, that is also possible with a playbook that requires zero human interaction. This playbook initiates the memory capture action, then checks every 10 minutes whether the action has finished. If not, it will automatically check again in 5 minutes. If yes, the analyst gets a notification.
  21. This is how a ticket (or an event) looks in Phantom. On the left you have an activity timeline, in the middle you have a visual timeline, and at the bottom you can have a visual representation of the output of your actions.
  22. We say to each other in the team: if we can make coffee whenever we want, then we are doing a good job. Mostly, we measure our success if:
     ▶ We don’t have to disturb the users
     ▶ We don’t have to physically obtain the machines for forensics
     ▶ We can at least semi-automate investigation and documentation tasks (the more the better)
     And the real advantage here: in a matter of seconds we have enough information to make decisions and take actions; we don’t have to wait for anyone. Instead of opening tickets and doing the forensics manually we can:
     ▶ Drink coffee
     ▶ Do threat hunting
     ▶ Do trainings
     ▶ Help each other to be better
  23. There are 5 key takeaways for today:
     ▶ Splunk offers professional services for Phantom, helping you and your team to achieve your automation goals
     ▶ Have a separate environment for testing :)
     ▶ If you hit walls with Phantom, the option is there to implement your custom code or even your custom Application
     ▶ The Community Edition is free up to 100 actions / day, more than enough to try; we used the Community Edition for 6 months
     ▶ There is a friendly Slack community out there, someone will help you out very fast
  24. Links for getting started
  25. ▶ Applications are now open-source! ▶ A new per-seat license model has been introduced ▶ Python 3 support will come soon ▶ Mission Control dashboard for Splunk cloud environment ▶ Mobile app is now available with Phantom 4.6