What is Phantom?
Phantom helps you automate repetitive security tasks and investigations, streamline your processes, and integrate your current security infrastructure.
Phantom can remotely launch collections.
Whom is it built for?
Internal IR Teams.
Why is it useful?
The Phantom/Cyber Triage integration makes your response team more efficient by automatically starting an analysis of a remote system so that the data is waiting for you when you have time to start working on the alert.
Where is it used?
Phantom can start a Cyber Triage endpoint investigation as part of a workflow. Automating your security process allows you to respond faster to incidents and therefore contain the damage more quickly. Phantom can help you execute actions in a fraction of the time they typically take.
What are the usage details?
This plug-in allows you to perform a collection as part of your playbook.
The primary action of this plug-in is scan endpoint, which sends the Cyber Triage collection tool to the specified endpoint.
To use this action, you must specify the:
- target endpoint
- username with admin privileges
- password of the admin user.
To set up the action, you will need to specify the:
- hostname of the Cyber Triage server/REST API
- server key (that you can get from the Cyber Triage Server options panel).
The test connectivity action allows you to test that Phantom can communicate with the Cyber Triage server.
If you configured Cyber Triage to use your own SSL certificate, then change the verify_server_cert property to true and import your certificate into the Phantom Certificate Store.
What is the required Cyber Triage version?
- Splunk Security Orchestration and Automation
- Phantom Integration Allows For Faster Responses
*For more information about this integration contact our sales team: firstname.lastname@example.org.