Splunk> Phantom Integration

Document created by Susan Read-Miller on Aug 13, 2017. Last modified by Gloria Higley on Jan 11, 2021.
Version 8

Splunk> Phantom is a community-powered security automation and orchestration solution. The Splunk> Phantom Platform integrates existing security technologies, such as Archer, forming a layer of connective tissue between separate products. Manual security-operations tasks codified into Phantom Playbooks become software workflows that run at machine speed to orchestrate complex interactions among Archer and other Phantom-connected security products.

The integration of Splunk> Phantom with Archer enables Splunk> Phantom to create, list, retrieve, and update Archer incidents (tickets). Phantom Playbooks can leverage Archer capabilities to improve the efficiency and precision of the security incident management process, including ticketing, investigation, response, and reporting. In doing so, the SOC can work smarter, respond faster, and focus attention on mission-critical decisions.

Splunk> Phantom integrates using the Archer App for Splunk> Phantom to call the Archer web services (REST and SOAP) APIs. The Archer App comes pre-installed and runs entirely within Splunk> Phantom; no new code need be installed on the Archer Platform. Once you enable and configure the App, Archer ticketing actions are available within Splunk> Phantom.

Integration Features

The Splunk> Phantom integration with Archer enables organizations to:

  • Automate the gathering of system information from a variety of security and network tools
  • Pass security alerts to Archer for review and prioritization
  • Escalate high-impact events to manage the incident response and the investigation process

Solution and Platform Information

  • Solution Area: Archer IT & Security Risk Management
  • Impacted Use Cases: Archer Security Incident Management
  • Supported Platform Version: This offering has been validated on Archer Platform release 6.9 SP1.

For More Information

To learn more about the Phantom RSA Ready certified integration, review the Implementation Guide.

For Additional Support

To learn more about Splunk> Phantom, please visit their website or contact the Splunk> Phantom sales team at 1.866.438.7758. For technical support questions regarding Archer, please open a support case or contact Archer at archersupport@rsa.com.
