TIPS & TRICKS

Using Custom Lists in Phantom Playbooks

Custom Lists are a powerful capability of the Phantom platform. Customers typically use Custom Lists to maintain a dynamic list of items that persists on the platform. The feature also commonly serves as a caching mechanism, so that a service is not overburdened with repeated queries. Custom Lists are available on-platform to playbooks and externally to third-party systems. In this blog entry, we will explore the use of Custom Lists to enable threshold-based decision making with the Phantom platform.

To access Custom Lists in Phantom’s web-based UI, select Playbooks from the Main Menu, and then Custom Lists. In this section you can manually create and edit Custom Lists in a spreadsheet layout. Within a Phantom playbook, you can create, reference, modify, or delete any Custom List.

As an example, we will implement decision logic that uses the number of events over a certain time period. Perhaps if you see one alert of this type in a day, then you might follow a workflow to investigate why it is happening. If you see 500 alerts of this alert type in 5 minutes, however, then you might take an alternate workflow and escalate the incident to a human analyst with the highest priority.

[Screenshot of the Phantom platform web-based interface, showing an example Custom List.]

The example Custom List tracks IP addresses with a count. There are three columns in this Custom List: IP address, observation count, and a timestamp indicating the last occurrence. Using the count and the timestamp, you can determine the rate of alerts for an IP address over a period of time. You might also build in logic that uses these fields to age out old IP address entries from the list. Finally, the count also shows the magnitude of a potential outbreak, which might affect the response that is chosen.
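The threshold and aging logic described above, as an added example that is not part of the original post or of Phantom's own code: the Custom List is modelled as an in-memory list of rows with the three columns from the post, the IP addresses and timestamps are constructed sample values, and the datastore_* API calls that a real playbook would use to read and write the list are assumed to surround this logic rather than being called here.

```python
from datetime import datetime, timedelta

# Hypothetical in-memory stand-in for a Phantom Custom List with the three
# columns from the post: [ip_address, observation_count, last_seen]. In a
# playbook the rows would be read and written with the datastore_* API; here
# they are a plain Python list so the logic can be run offline.

WINDOW = timedelta(minutes=5)   # burst window from the post's example
ESCALATE_AT = 500               # alerts inside one burst that trigger escalation
AGE_OUT = timedelta(days=1)     # rows not seen for this long are dropped


def age_out(rows, now_iso):
    """Return only the rows whose last occurrence is within AGE_OUT of now_iso."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in rows if now - datetime.fromisoformat(r[2]) <= AGE_OUT]


def record_alert(rows, ip, now_iso):
    """Record one alert for ip in rows (updated in place) and return the decision.

    The count restarts when the gap since the last occurrence exceeds WINDOW, so
    it measures alerts per burst rather than a strict sliding window; a strict
    window would need a fourth column holding the window start time.
    """
    now = datetime.fromisoformat(now_iso)
    row = next((r for r in rows if r[0] == ip), None)
    if row is None:
        row = [ip, 0, now_iso]
        rows.append(row)
    elif now - datetime.fromisoformat(row[2]) > WINDOW:
        row[1] = 0                  # burst ended: start counting again
    row[1] += 1
    row[2] = now_iso
    return "escalate" if row[1] >= ESCALATE_AT else "investigate"


def simulate_burst(ip, n, seconds_apart, start_iso="2024-01-01T00:00:00"):
    """Feed n alerts for ip, seconds_apart apart; return (final decision, rows)."""
    rows, decision = [], "investigate"
    t0 = datetime.fromisoformat(start_iso)
    for i in range(n):
        stamp = (t0 + timedelta(seconds=i * seconds_apart)).isoformat()
        decision = record_alert(rows, ip, stamp)
    return decision, rows


if __name__ == "__main__":
    # Constructed sample: 500 alerts from one address in about four minutes.
    print(simulate_burst("203.0.113.7", 500, 0.5))
    print(simulate_burst("203.0.113.7", 1, 0))
```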

This is just one example detailing how you can implement threshold-based alerts with the Phantom platform. If you would like to learn more or want to try the capability out for yourself, visit the Phantom Community site and reference the Phantom documentation on datastore_* API calls.

If you haven’t downloaded the free Phantom Community edition yet, you can get it now from the Phantom Community.

----------------------------------------------------
Thanks!
Paul Davis

Splunk