Using Kaspersky Threat Intelligence Portal for Splunk Phantom in playbooks

You can use Kaspersky Threat Intelligence Portal for Splunk Phantom actions in Splunk Phantom playbooks. This section contains an example of how to create a playbook that requests full information about an IP address.

To create a playbook that requests full information about an IP address:

  1. In Splunk Phantom, click the Home split button and in the drop-down list select Playbooks.

    playbooks_section

    The Playbooks section

  2. In the list, select the item you want and then click the + Playbook (new_playbook) button.

    The Phantom Playbook Editor opens.

  3. In the Playbook name text box, specify the playbook name that you want.
  4. Click the green semicircle of the START element.

    A panel with elements that can be created appears to the left of the playbook scheme.

  5. In the left panel, click the Filter element and create a filter element that checks whether an event contains a value in the dst field.
  6. Click the right green semicircle of the filter element just created and create an action element that calls the ip reputation action of Kaspersky Threat Intelligence Portal for Splunk Phantom.

    This action retrieves the reputation of the IP address contained in the dst field of the event being checked.

  7. Create a decision element linked to the filter element just created.

    Specify the following condition in the decision element: the value of the threat_score field of the event being checked is equal to or greater than 75.

  8. Link the Else branch to the END element.
  9. For the if branch of the decision element, create an action element that calls the get detailed info action of Kaspersky Threat Intelligence Portal for Splunk Phantom.
  10. Link this action element to the END element.

    playbook_sample

    A playbook sample

Page top