Super Speed with Phantom Slash Commands

Are you the type of person who loves the command-line? Is tab-complete your friend? Do you move faster on a keyboard than with a mouse? Then Phantom Slash Commands are for you!

What Are They?

In short, slash commands are a command-line interface for investigating Phantom events. Slash commands are instructions written into Splunk Phantom’s activity pane text box that begin with a forward slash ( / ) followed by a command. These allow you to run playbooks and actions by simply typing into your CLI, saving you time and effort by removing the need for excess mouse clicks. Paired with keyboard navigation from Phantom’s 508 compliance, slash commands are a powerful tool for every Phantom user.

Here is a screenshot of where they appear in the Phantom UI:

As you can see, when you start with a forward-slash Phantom automatically gives you a list of available commands. Here is a full list in text form:

  • Run an action
  • Run a playbook
  • Add a note to a container
  • Update or edit a container
  • Get datapath information for use with other actions

Features of Slash Commands

Slash commands come with some excellent accessibility features and in a few cases, are quicker than the same process using just a mouse and keyboard. For example, as I type /action, Phantom shows me the full syntax for executing an action.

In addition to showing proper syntax, Slash commands feature suggested arguments and allows you to tab auto-complete your word, as well as use the keyboard directional keys to select which item from the pop-out menu you want to select.

How to Use Slash Commands

Now let's return to our example of executing an action. After I select the “/action” command, it's time to pick which action to use.

But “Wait!”, you say. “What if I don’t know which action I can run?” “What if I don’t know the name of the app?” Don’t worry, Phantom has you covered here. As I press space, Phantom shows me all the available actions.

I can either click the action with a mouse, type in the first letters and use tab auto-complete, or use the keyboard directional keys to select an action and press enter.

Next, Phantom shows me which apps are available to perform the action that I selected. In this case it is showing “VirusTotal” and “Recorded Future” — the two apps that I have configured to do “ip_reputation.”

Finally, I need to enter an IP address to execute my “ip_reputation.” Optionally, you can enter the name of a specific asset, if you have multiple to pick from, with the optional flag “--asset.” In this case, I only have one configured asset for VirusTotal.

In the next screenshot, you can see my command in the audit trail and the resulting summary. Turns out that quite a few URLs talk out to this IP address (who knew!).

I can also use the new enhanced keyboard navigation to select the details of the IP Reputation action and get a full screen view.

Lastly, it wouldn’t be a command-line interface without a --help command. If you’re ever lost you can always enter --help to figure out what information is required.

This is just a small walkthrough of what you can do with the power of Slash Commands. Tune in to our webinar, "Super Speed with Phantom Slash Commands" to see an in depth demo on how Slash Commands speed up investigations to save you time and effort.

This blog post is co-authored by Olivia Courtney and Kelby Shelton.

Kelby Shelton
Posted by

Kelby Shelton

Kelby Shelton has worked as an Incident Responder for most of his career, having done alert triage, threat analysis, and incident reporting for both large and small companies. During this time he has built-out detections, created SOC response plans, and leveraged automation to respond quickly to emerging threats. He now guides companies worldwide on how to use Splunk products effectively throughout the Security lifecycle.