Watch Now

Risk Based Alerting at Machine Speed with Splunk Phantom
Security Operations Centers are being inundated with low-fidelity alerts, making it hard for analysts to respond in a timely manner. Day after day, this results in a pile up of abandoned cases. Splunk Enterprise Security, using Risk Based Alerting (RBA) functionality, reduces the quantity of alerts so you can focus on the threats that matter. The resulting high-fidelity alerts provide your team with valuable pieces of context to improve investigations that you need to respond to quickly.

That’s where Splunk Phantom comes in. Phantom’s SOAR capabilities combined with RBA allow you to quickly gather necessary context of a security event. A risk-based alert may contain any number of anomalous events correlated together. Phantom is used to investigate all of those anomalies simultaneously. Indicators of compromise like IPs, domains, URLs, and hashes can be queued up for automatic blocking. The risky device or user in your environment can also be automatically quarantined or disabled to buy investigators valuable time.

Tune in to this Tech Talk to learn how to:

  • Incorporate threat indicators to your RBA strategy
  • Build an extensible Phantom playbook framework for new use-cases
  • Automate analyst information gathering steps


Kelby Shelton

Consulting Sales Engineer, Splunk

Olivia Courtney

Security Product Marketing Specialist, Splunk

Tracking Fields


Event Fields

I agree to the Splunk Websites Terms and Conditions of Use.*
I agree to receive marketing communications by email, including educational materials, product and company announcements, and community event information, from Splunk Inc. and its Subsidiaries pursuant to the terms of Splunk’s Privacy Policy. I can unsubscribe at any time.