implementing-soar-automation-with-phantom

# Implementing SOAR Automation with Phantom ## When to Use Use this skill when: - SOC teams need to automate repetitive triage and enrichment tasks for high-volume alerts - Manual response times exceed SLA requirements and automation can reduce MTTR - Multiple security tools (SIEM, EDR, firewall, TIP) need orchestrated response actions - Playbook standardization is required to ensure consistent analyst response across shifts **Do not use** for fully autonomous containment without human approval gates — always include analyst decision points for high-impact actions like account disabling or host isolation. ## Prerequisites - Splunk SOAR (Phantom) 6.x+ deployed with web interface access - App connectors configured: VirusTotal, CrowdStrike, ServiceNow, Active Directory, Splunk ES - Splunk ES integration for ingesting notable events as SOAR events - API credentials for each integrated tool stored in SOAR asset configuration - Python knowledge for custom playbook actions ## Workflow ### Step 1: Configure Asset Connections Set up integrations with security tools via SOAR Apps: **VirusTotal Asset Configuration:** ```json { "app": "VirusTotal v3", "asset_name": "virustotal_prod", "configuration": { "api_key": "YOUR_VT_API_KEY", "rate_limit": true, "max_requests_per_minute": 4 }, "product_vendor": "VirusTotal", "product_name": "VirusTotal" } ``` **CrowdStrike Falcon Asset:** ```json { "app": "CrowdStrike Falcon", "asset_name": "crowdstrike_prod", ...