Phantom Incident Response Orchestration Sandbox

Solution Overview
Security Orchestration, Automation and Response ("SOAR") is a family of technologies that tie together an organization's people, processes and technologies for effective incident response.  Automation can improve incident response time and capacity, increase the effectiveness of threat hunting, combine and extend the capabilities of an organization's security tools, analysts and engineers, and reduce human error.  

WWT integrates Phantom, a best-of-breed SOAR tool, to help customers perform security infrastructure orchestration, playbook automation and case management.  Phantom improves security operations by automating repetitive tasks, reducing dwell time with automated investigations and tying existing security tools together to extend their reach.  Supported by a diverse online community, an extensive library of tool integrations and close integration with the industry-leading Splunk platform, Phantom can be a key component of an enterprise risk reduction strategy.

This scheduled sandbox lab demonstrates how Phantom can be used to automate diverse security tools to improve an organization's overall risk posture.

Goals & Objectives

This sandbox will demonstrate:
  • How Phantom can organize people, processes and security tools to provide effective incident response.
  • How Phantom reduces organizational risk by automating repeatable incident response processes.
  • How Phantom makes integration of diverse security tools simple.
  • How Phantom helps organize, integrate and control an organization's incident response capabilities.

Hardware & Software

Software (Products may vary depending upon scenario)
  • Phantom Orchestration Server
  • Splunk Server(s)
  • Vulnerability Scanner (Optional)
  • Endpoint Protection ("EPP") / Endpoint Detection and Response ("EDR") Product

Server Devices
  • 1x Windows Jumphost (Windows Server 2016)
  • 2x Windows Domain Controllers / DNS Servers
  • 1x Linux Email Server (CentOS 7)
  • 1x Generic Application Server (CentOS 7)
  • 1x Phantom server (Appliance)
  • 1x Splunk Server (CentOS 7)
  • 1x Vulnerability Scanner Server (TBD)
  • 1x Syslog Server (CentOS 7)
  • 2x Splunk Servers (CentOS 7)

Client Devices
  • 4x Windows 10 Clients (Windows 10 Enterprise)
  • 3x Windows 7 Clients (Windows 7 Enterprise)
  • 3x Red Hat Clients (Red Hat Enterprise Linux 7)
  • 2x Attack Hosts (Kali Linux)