The Splunk Security Team is excited to share some of the new and enhanced capabilities of Splunk Phantom, Splunk’s security orchestration, automation and response (SOAR) technology. Phantom’s latest update (v4.10) makes automation implementation, operation and scaling easier than ever for your security team. Using automation, you can more efficiently address the ever-increasing volume of security events your SOC receives each day, reduce mean time to detect (MTTD) and mean time to respond (MTTR), and optimize your security operations.
Let’s Take a Look at Some of the Recent Innovations:
- Custom Functions: Phantom’s custom functions make playbook creation and execution faster and easier. Leverage our out-of-the-box library of custom functions for quick deployment, and easily reuse them across multiple playbooks to minimize playbook development time and automate additional security processes. Check out our on-demand webinar, "Splunk Phantom: Put the Fun in Custom Functions," to learn more.
- Modular Workbook Development: Phantom’s modular workbooks allow you to effortlessly adapt your security operations workflow. Rather than trying to create all-encompassing end-to-end workbooks that strictly define every single task, modular workbooks allow you to create task modules and combine them in different ways to complete your investigation process. This not only enables more dynamic run-time assignment but also makes workbooks more adaptable and scalable across a variety of use cases. Check out our on-demand webinar “Adaptable Incident Response with Splunk Phantom Modular Workbooks” to learn more.
- Python 3: Phantom is now Python 3-enabled for custom functions and playbooks. With the release of Phantom 4.10, you have access to conversion scripts that let you convert your existing Python 2 content, making the migration straightforward. For step-by-step instructions, check out our documentation here.
- 508 Compliance: We’re excited to announce that Phantom has achieved 508 compliance, ensuring that the Phantom platform is more accessible to those with disabilities. In adherence to Section 508, we implemented keyboard navigation, high contrast buttons and links, and additional support for screen reader technology. We hope that these changes make the Phantom experience easier, more efficient and inclusive.
- Markdown Support for Prompts: 4.9 introduced markdown support for a variety of different areas of the product, and 4.10 continues this by extending markdown to playbook prompts. It’s easy to include stylized text, URLs, images and more when soliciting information from users or when providing responses back.
- Data Retention: Before v4.10, data retention involved managing multiple scripts and cron jobs to age out old data. We’ve created a centralized management script for handling data retention strategies for containers, indicators, audit data, device profiles, notifications and playbook run logs. You’ll now be able to easily define maximum data age for each data type with a single CLI command. With Phantom’s updated data retention feature, managing disk space has become significantly easier.
Security automation is now easier than ever — see all of these capabilities in action in this webinar.