Using Custom Lists in Phantom Playbooks

By Splunk

Custom Lists are a powerful capability of the Phantom platform. Customers typically use Custom Lists to maintain a dynamic list of items that persists on the platform. The function also commonly serves a caching mechanism to reduce overburdening a service. Custom Lists are available on-platform to playbooks and externally to third-party systems. In this blog entry, we will explore the use of Custom Lists to enable threshold-based decision making with the Phantom platform.

To access Custom Lists in Phantom’s web-based UI, select Playbooks from the Main Menu, and then Custom Lists. In this section you can manually create and edit Custom Lists in a spreadsheet layout. Within a Phantom playbook, you can create, reference, modify, or delete any Custom List.

As an example, we will implement decision logic that uses the number of events over a certain time period. Perhaps if you see one alert of this type in a day, then you might follow a workflow to investigate why it is happening. If you see 500 alerts of this alert type in 5 minutes, however, then you might take an alternate workflow and escalate the incident to a human analyst with the highest priority.

The example Custom List tracks IP addresses with a count. There are three columns in this Custom List: IP address, observation count, and a timestamp indicating the last occurrence. Using the count and the timestamp, you can understand the rate of the IP alerts over a period of time. You might also build in logic that uses these fields to age out old IP address alerts from the list. Finally, you can also see the magnitude of a potential outbreak, which might affect the response that is chosen.

This is just one example detailing how you can implement threshold-based alerts with the Phantom platform. If you would like to learn more or want to try the capability out for yourself, visit the Phantom Community site and reference the Phantom documentation on datastore_* API calls.

If you haven’t downloaded the free Phantom Community edition yet, you can get it now from the Phantom Community.

----------------------------------------------------
Thanks!
Paul Davis

Splunk

The world’s leading organizations trust Splunk to help keep their digital systems secure and reliable. Our software solutions and services help to prevent major issues, absorb shocks and accelerate transformation. Learn what Splunk does and why customers choose Splunk.

Tips & Tricks 9 Min Read

Splunk > Clara-fication: Dashboarding Best Practices

So you want to build a better dashboard, do you? Well good, you’ve come to the right place! Learn the do's and don'ts of optimizing dashboard naming standards, layouts and more.

Tips & Tricks 5 Min Read

Docker 1.13 with improved Splunk Logging Driver

More improvements from Docker 1.13 including an improved Splunk logging driver. New changes lead to better user experience and smoother operation.

Tips & Tricks 1 Min Read

Make Your App More Secure By Updating to jQuery® Version 3.5 or Newer

Splunk will be deprecating use of older versions of jQuery and migrating to v 3.5.0 or newer. Here is what you need to know to start preparing for this upcoming migration.

About Splunk

The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.

Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.