Incydr + Splunk Phantom

Integration Overview

Use automated response to protect data from loss, leak, misuse and theft

Threats to data from inside the organization arise accidentally, when employees share the wrong file or fall prey to phishing, and maliciously, when employees intentionally leak, sell or sabotage data. To minimize operational, financial and reputational harm, security teams need reliable ways to increase their visibility and shorten their response times.

Incydr helps organizations detect data loss, leak, misuse and theft by continuously monitoring file activity across endpoints and cloud services, and by preserving current and historical endpoint files for rapid content retrieval and investigation. The Phantom platform combines security orchestration, playbook automation and case management to bring teams, processes and tools together. Used together, they give security professionals the file context needed to drive automated responses to risk, inform security decisions and reduce response times.


Reduce phishing response times

A standard phishing playbook built for Splunk Phantom may include investigation actions applied to a suspicious email, such as geolocating IP addresses and running reputation lookups on IPs and domains. The logical next step is to determine whether a harmful attachment has made its way into the organization. With Incydr actions added to the playbook, security teams can search the entire environment by file hash for other copies of the attachment. Multiple copies across endpoints are quick evidence of a widespread email campaign against users in the organization. Because the match is on the exact hash, a campaign that varies each attachment will not be found this way; the search confirms the spread of one sample rather than ruling out a campaign.

On the other hand, the search may show that the file has a long history on the company's endpoints, suggesting it is part of normal operating procedure and the alert is a false alarm. Either way, security gains file context and can make better decisions about what to do next. Combining the speed of Incydr with the automation of Splunk Phantom can cut remediation time significantly.

This type of action is not limited to suspected phishing emails. It applies to any security event that involves a file, such as an anti-virus alert, an EDR alert or an IDS/IPS alert that triggers on a file event.
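The decision described above, that many fresh copies across endpoints point to a campaign while a long history points to normal business use, is the branch a playbook takes after the hash search returns. The following is an added example of that triage logic, written in Python because Phantom playbooks are Python; it is not code from Code42, Splunk or the Incydr app for Splunk Phantom. It assumes the search step has already returned file events as dictionaries with the hypothetical fields hostname, username, path and observed (an ISO-8601 UTC timestamp); the sample events and thresholds are constructed for illustration and would be tuned to the environment.

```python
"""Triage logic for the 'search the environment by file hash' playbook step.

Added example, not code from Code42, Splunk or the Incydr app for Splunk
Phantom. It assumes the Incydr search action has already run and returned
file events as dicts with the hypothetical fields 'hostname', 'username',
'path' and 'observed' (ISO-8601 UTC). All sample data below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def normalize_sha256(value):
    """Lower-case and validate a hash lifted from an email or alert field.

    Hashes pasted from mail clients or AV consoles arrive with mixed case and
    stray whitespace; rejecting anything that is not 64 hex characters stops a
    malformed value from silently matching nothing downstream.
    """
    value = value.strip()
    if not SHA256_RE.match(value):
        raise ValueError("not a SHA-256 hex digest: %r" % value)
    return value.lower()


def parse_ts(text):
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def triage_hash_hits(events, alert_time, burst_window=timedelta(hours=24),
                     widespread_hosts=5, long_history=timedelta(days=30)):
    """Classify hash-search results relative to the triggering alert.

    Returns (verdict, summary). Verdicts, in the order they are checked:
      'no_copies'         no other copy of the file was found
      'likely_campaign'   at least `widespread_hosts` endpoints first saw the
                          file inside `burst_window` before the alert
      'established_file'  the earliest copy predates the alert by at least
                          `long_history`, suggesting normal business use
      'needs_review'      a handful of recent copies; hand to an analyst
    """
    if not events:
        return "no_copies", {"hosts": 0, "burst_hosts": 0, "users": []}

    # Earliest observation per endpoint: repeated events on one host count once.
    first_seen = {}
    for ev in events:
        ts = parse_ts(ev["observed"])
        host = ev["hostname"]
        if host not in first_seen or ts < first_seen[host]:
            first_seen[host] = ts

    window_start = alert_time - burst_window
    burst_hosts = sorted(h for h, ts in first_seen.items()
                         if window_start <= ts <= alert_time)
    earliest = min(first_seen.values())
    summary = {
        "hosts": len(first_seen),
        "burst_hosts": len(burst_hosts),
        "earliest_seen": earliest.isoformat(),
        "users": sorted({ev["username"] for ev in events}),
    }

    # A burst across many endpoints outranks old history: a file that has sat
    # on one build server for a year can still be the payload of today's campaign.
    if len(burst_hosts) >= widespread_hosts:
        return "likely_campaign", summary
    if alert_time - earliest >= long_history:
        return "established_file", summary
    return "needs_review", summary


# Constructed sample data (not real telemetry).
ALERT_TIME = datetime(2021, 3, 15, 14, 0, tzinfo=timezone.utc)


def make_event(host, user, hours_before_alert):
    """Build one constructed file event observed N hours before the alert."""
    observed = ALERT_TIME - timedelta(hours=hours_before_alert)
    return {"hostname": host, "username": user,
            "path": "C:\\Users\\%s\\Downloads\\invoice.docm" % user,
            "observed": observed.isoformat()}


# Six endpoints received the attachment within the last 12 hours.
SAMPLE_CAMPAIGN = [make_event("ws-%02d" % i, "user%d" % i, 2 * i + 1)
                   for i in range(6)]
# The same hash has lived on two finance hosts for months.
SAMPLE_ESTABLISHED = [make_event("fin-01", "alice", 24 * 90),
                      make_event("fin-02", "bob", 24 * 75),
                      make_event("fin-01", "alice", 24 * 10)]

if __name__ == "__main__":
    for label, sample in (("campaign", SAMPLE_CAMPAIGN),
                          ("established", SAMPLE_ESTABLISHED)):
        print(label, triage_hash_hits(sample, ALERT_TIME))
```

In a playbook the verdict would drive the next branch: a likely campaign fans out to mailbox purge and quarantine actions, an established file closes the container with the summary attached, and the remaining cases are promoted to a case for an analyst. Counting distinct endpoints rather than raw events matters because one user reopening the same attachment produces many events but is a single infection candidate.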


Protect files during employee departure

Many employees take company-owned files with them when they leave their jobs. When alerted that an employee is leaving, a Splunk Phantom playbook using Incydr actions can put data loss protection measures in place. A departing-employee playbook can be built to monitor the employee's file activity, and because employees may delete important files from their devices before leaving, it can automatically collect all files and file versions and preserve them so that no data is destroyed.

Although employee offboarding is a common time when data is put at greater risk, it is far from the only time an employee's file activity may require increased scrutiny. Playbooks can trigger these actions at any time. Combining the capabilities of Incydr with the automation of Splunk Phantom lets security teams improve these processes.


Incydr actions in Splunk Phantom

  • Preserve files by retaining all files and file versions indefinitely
  • Investigate files by searching file name, hash or other details across endpoints and cloud
  • Detect external file sharing by searching cloud service activity

Get Started Today

Joint Incydr and Splunk Phantom customers can get started by downloading the Incydr app for Splunk Phantom.