Phishing investigation and threat analysis in Splunk Enterprise Security

Determine whether a finding is a phish using email metadata and other details, all from the side panel in Splunk Enterprise Security. Then start your investigation and drill down further to validate the threat, triage it, and respond.

With an embedded, automated threat analysis directly in your phishing investigation workflow, you can evaluate suspicious emails without the need for constant context switching between multiple platforms.

Powered by Splunk Attack Analyzer, threat analysis in Splunk Enterprise Security allows you to do the following:
  • Perform static analysis on email bodies and metadata to identify malicious activity.
  • Review resource trees and system verdicts to assess the nature of the threat.
  • Examine email screenshots to confirm visual indicators of phishing.
  • Determine whether a threat is a true or false positive without leaving your current view.

By keeping all your data in one place, you don't need to switch between different applications to gather information. This streamlines your workflow, eliminates time-consuming manual data collection, and allows you to make faster, more accurate triage decisions.

Jumplist of steps

Follow these steps to create a .....

  1. Configure apps that ingest Enterprise Security data.

    See Configure Splunk SOAR apps in Splunk Enterprise Security.

  2. Create playbooks using those apps.

    See Create playbooks in Splunk SOAR.

  3. Create automation rules to run the playbooks when findings are created.

    See Configure automation rules to run playbooks based on findings in Splunk Enterprise Security.