Custom Lists are a powerful capability of the Phantom platform. Customers typically use Custom Lists to maintain a dynamic list of items that persists on the platform across playbook runs. Custom Lists also commonly serve as a cache, so that a playbook does not have to query an external service on every run and overburden it. Custom Lists are available on-platform to playbooks and externally to third-party systems. In this blog entry, we will explore the use of Custom Lists to enable threshold-based decision making with the Phantom platform.
To access Custom Lists in Phantom’s web-based UI, select Playbooks from the Main Menu, and then Custom Lists. In this section you can manually create and edit Custom Lists in a spreadsheet layout. Within a Phantom playbook, you can create, reference, modify, or delete any Custom List.
As an example, we will implement decision logic based on how many alerts of a given type arrive within a certain time period. If you see one alert of this type in a day, you might follow a workflow that investigates why it is happening. If you see 500 alerts of the same type in five minutes, however, you might take an alternate workflow and escalate the incident to a human analyst at the highest priority.
The example Custom List tracks IP addresses with a count. There are three columns in this Custom List: the IP address, the observation count, and a timestamp indicating the last occurrence. Using the count and the timestamp together, you can estimate the rate of alerts for an IP address over a period of time. The same fields also let you build logic that ages out IP addresses that have not been seen recently, so the list does not grow without bound. Finally, the count shows the magnitude of a potential outbreak, which may change the response that is chosen.
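The threshold logic described above, written out as an added example (this is not Phantom's own code). It works on the three-column Custom List as a list of rows, `[ip, count, last_seen]`, which is the spreadsheet layout the list has in the UI. The names `phantom.datastore_get` and `phantom.datastore_set`, mentioned only in comments as the calls a playbook would use to read and write the list, are an assumption about the datastore_* API; the decision logic itself does not depend on them and runs offline on constructed sample alerts. The window and threshold values (300 seconds, 500 alerts) are the figures from the scenario above.

```python
# Added example, not Phantom's own code: threshold decisions over a
# three-column Custom List laid out as rows of [ip, count, last_seen].
# In a playbook the rows would be fetched with phantom.datastore_get()
# and written back with phantom.datastore_set() (assumed API names);
# everything below is plain Python and runs offline.
from datetime import datetime, timedelta

IP, COUNT, LAST_SEEN = 0, 1, 2          # column indices of the Custom List


def ts(iso):
    """Parse the ISO 8601 timestamp stored in the last_seen column."""
    return datetime.fromisoformat(iso)


def record_observation(rows, ip, now, window_seconds, threshold):
    """Register one alert for `ip` at time `now` and pick a workflow.

    The count keeps growing while alerts arrive within `window_seconds`
    of the previous one and resets to 1 otherwise, so the stored count
    is the size of the current burst, not a lifetime total.
    Returns (updated_rows, burst_count, decision)."""
    window = timedelta(seconds=window_seconds)
    for row in rows:
        if row[IP] == ip:
            # Cells may come back as strings from the spreadsheet store.
            last_seen, count = ts(row[LAST_SEEN]), int(row[COUNT])
            count = count + 1 if now - last_seen <= window else 1
            row[COUNT], row[LAST_SEEN] = count, now.isoformat()
            break
    else:
        count = 1
        rows.append([ip, count, now.isoformat()])
    decision = "escalate" if count >= threshold else "investigate"
    return rows, count, decision


def age_out(rows, now, max_age_seconds):
    """Drop rows whose last observation is older than max_age_seconds
    so the list does not grow without bound."""
    limit = timedelta(seconds=max_age_seconds)
    return [r for r in rows if now - ts(r[LAST_SEEN]) <= limit]


def replay(alerts, window_seconds, threshold):
    """Feed a chronological list of (ip, iso_timestamp) alerts through an
    empty list and return the final rows and the decision for each alert."""
    rows, decisions = [], []
    for ip, when in alerts:
        rows, _, decision = record_observation(
            rows, ip, ts(when), window_seconds, threshold)
        decisions.append(decision)
    return rows, decisions


# Constructed sample input (not real alert data).
def sample_quiet():
    """One alert per day from a single host."""
    return [("198.51.100.7", "2024-01-01T00:00:00+00:00"),
            ("198.51.100.7", "2024-01-02T00:00:00+00:00")]


def sample_burst():
    """500 alerts from one host, one every half second (250 s in total)."""
    base = ts("2024-01-01T12:00:00+00:00")
    return [("203.0.113.9", (base + timedelta(milliseconds=500 * i)).isoformat())
            for i in range(500)]


if __name__ == "__main__":
    for name, alerts in (("quiet", sample_quiet()), ("burst", sample_burst())):
        rows, decisions = replay(alerts, window_seconds=300, threshold=500)
        print(name, rows, "final decision:", decisions[-1])
```

Two caveats a practitioner will hit. First, the count plus a single last-seen timestamp only approximates a rate: a steady trickle of alerts spaced just under the window keeps the burst alive indefinitely, so if exact "N per window" semantics matter, add a fourth column holding the time the current burst started and reset on that instead. Second, reading the list, incrementing a cell and writing the list back is not atomic; if several playbook runs handle alerts for the same IP address concurrently, increments can be lost, so treat the count as an estimate or serialize the runs that update it.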
This is just one example detailing how you can implement threshold-based alerts with the Phantom platform. If you would like to learn more or want to try the capability out for yourself, visit the Phantom Community site and reference the Phantom documentation on datastore_* API calls.
If you haven’t downloaded the free Phantom Community edition yet, you can get it now from the Phantom Community.
----------------------------------------------------
Thanks!
Paul Davis