インシデント対応手順をプログラム化（Playbook化）、反復的なタスクを自動処理する事で工数を削減します。

Moreover, automated actions are executed within seconds, providing automated intelligence for decision making.

Use APIs provided by other products and tools to obtain information and change settings.
APIs are templated in the form of Apps. Splunk Phantom has over 200 Apps and can execute over 1,000 APIs. In addition, even if there are no existing Apps, you can create new ones with Python code.

Example of integration: Automatically query and obtain IP reputation information from VirusTotal; if malicious, register the IP in the FW blacklist

• Splunk Phantom Apps list screen
  
• Apps Template Overview
  (Symantec Endpoint Protection)
  

Example Scenario

By centralizing security operations tools in Splunk Phantom and providing a common screen and chat function, it becomes possible for all involved parties to share the history and situation of an incident.

By using Splunk Phantom to carry out consultations and exchanges of opinions between staff members, and even explanations from the SOC department to network administrators, barriers between teams and roles are removed, enabling more efficient operations.

Manage security events as they occur.

You can efficiently manage events by viewing the occurrence date, status, urgency, etc.

Events that qualify as incidents are elevated to cases and managed accordingly.

Cases manage the incident response status, assigned personnel, next response steps, and more, helping to ensure a rapid response without any omissions.

The actions and playbooks set in the template are listed as tasks.

Case Management Page

It provides not only operators but also administrators with an incident response summary, the benefits (ROI) gained from Phantom, etc. It is also possible to output the executive summary report to PDF.

Report Summary Screen