Here at Splunk, when we discuss Splunk Phantom with customers we end up talking about phishing pretty frequently because it’s something like Olivia outlined in a recent blog post, "Between Two Alerts: Phishing Emails — Don’t Get Reeled In!", customers both encounter and talk to us about all the time. It makes a lot of sense — phishing is a super common issue that almost everyone deals with ad nauseum and it’s annoying to investigate. Like Tim and Olivia demonstrate in this short "Between Two Alerts" webinar, those two things combined with Phantom make for an easy, automation-backed win. Another term that we use a lot at Splunk is GDI, or “get data in.” When it comes to phishing emails in Phantom, getting the data in is actually a really cool and powerful thing and it’s ultimately what builds the foundation that allows for easy investigation.
To take a step back, Phantom is a little bit different from products likeSplunk Enterprise Security or Splunk IT Service Intelligence. Rather than being a premium application deployed on top of Splunk Enterprise, it’s actually a standalone application, albeit tightly integrated with the rest of the Splunk suite for customers using it all together. This means that getting data in, or “ingestion,” is a bit different. The data we look to “ingest” are pieces of data that will be used to start an investigation or response: alerts from your SIEM, threat intelligence from your TIP, tickets from your ticketing system, or in this case, phishing reports from users. We’re not looking to ingest supporting information like raw logs or reputation information — we can automatically go get that later.
The vast majority of data ingested into Phantom is ingested using its “Apps” which are basically the translation tools between Phantom and the various products and services in a customer’s environment. The App works with the APIs of the external products, collects alerts (notables, tickets, IOCs, emails, etc), and turns them into “events” within Phantom.
In the case of email, Phantom has an IMAP App which allows it to ingest emails from any provider which supports IMAP, which is just about all of them. For certain services, like Exchange, Office365, and Gmail we also have service-specific Apps that implement additional “actions” (or commands) like “run query” or “delete email”.
Many of our customers make use of a phishing report inbox for users to forward suspicious emails manually or using something like a “Report Phishing.” In the below example, we’re automatically pulling from a mailbox like that using the built-in IMAP App.
The first thing we see is that an event was created where the email in question was brought in as an “artifact,” or piece of technical information. We see the email right in front of us!
Scroll down a little bit and we see that not only was the email brought in, but all of the headers are individually parsed out as well. Artifacts are basically a set of related key-value pairs. That means that all of these fields are trivial to use in a playbook like Olivia and Tim demonstrated in their webinar. The out-of-the-box ingestion ability doesn’t stop there, though!
The above screenshot is an example of an “Asset” configuration. An asset is an individual configuration of a tool — so Phantom can support multiple IMAP configurations alongside each other — but this is one. Down at the bottom you can see a bunch of checkboxes telling the IMAP App to extract indicators.
As simple as that, we see all of the domains, URLs, etc. parsed out of the email into individual artifacts which makes them trivial to investigate via the GUI (like in the screenshot) or automatically via a playbook.
See it in Action
When it comes to triage and investigation, whether automated or not, having all of your phish in a row is the foundation of a quick and solid investigation. Phantom’s out-of-the-box email ingestion lines them up so you can knock them all down as easily as possible. To see some of the next steps in action, tune in to our Between Two Alerts webinar episode,"Phishing Emails — Don’t Get Reeled In!"