Expanse is pleased to announce the release of our new integration for Splunk Phantom. As a Security Orchestration, Automation, and Response (SOAR) solution, Phantom plays a critical role in many of our customers’ ecosystems, helping them improve security teams’ efficiency and reduce incident response times.
Many of our customers in the Splunk universe are already using the Expanse Technical Add-on for Splunk to incorporate data from Expanse Expander and Behavior into their everyday workflows and enrich data from other sources within the Splunk interface. Now, with the Phantom integration, customers can automatically create incidents in Phantom based on information from Expander and Behavior, and they can enrich information on Internet assets so that actions taken within Phantom have greater context.
This empowers customers to improve efficiency for Security Operations Center (SOC) teams by executing automated actions based on information from Expanse. Customers can orchestrate playbooks across hundreds of IT and security tools in the Phantom ecosystem, and they can investigate and respond to threats more quickly by enriching their Phantom environments with Expanse’s Internet-wide visibility.
Once Expanse events have been received by Phantom, security teams are able to track incidents, indicators, and cases related to those events. They can also easily generate executive reports to outline the types of Expanse events that are being reported, resolution metrics, and cost savings.
The Expanse integration includes all the necessary commands to enrich information on Internet assets like IP addresses, domains, and certificates, as well as Expanse Behavior data within Phantom. Customers can use custom playbooks to leverage Expanse context with many other security tools they may already be using, including Vulnerability Management (VM) platforms, Security Information and Event Management (SIEM) systems, Threat Intelligence Providers (TIP), and IT Service Management (ITSM) solutions.
Current Expanse customers using Phantom can add the Expanse integration immediately by searching for Expanse in the Apps section of the Phantom product. Installation only requires an API token provided by your Engagement Manager. Users will also need to have the Phantom Add-on for Splunk installed so administrators can configure event forwarding or Splunk alert actions to send Expander and Behavior data from their Splunk environment to Phantom.
And if you’re not a current customer, you can schedule a demo today to learn more about how Expanse can reduce risk and drive improved IT and security outcomes for your team.