Mission Control: On-Demand Action Execution

This article is a part of a series describing key features of the Phantom Security Automation and Orchestration platform and how they work to improve the analyst experience and drive greater efficiency within the SOC.

Introduction

Analysts are easily overwhelmed in a SOC environment that uses many disparate tools. In fact, some SOCs have over 50 different tools deployed in their environment. Each of these tools has unique controls that analysts are typically expected to master. Moreover, while triaging an event in a non-automated environment, analysts have to open many browser tabs to engage with each tool, use an intermediary scratch pad (e.g. a text editor) to collect information, and cut-and-paste repeatedly to manage information exchange between tools.

An SA&O platform should connect the tools that exist in the SOC and facilitate not only information exchange, but also facilitate action execution across the toolset. In Phantom, this is made possible through the Phantom App framework, which abstracts vendor-specific APIs away from the analyst and playbooks, and instead, presents normalized action calls with input parameters. Phantom enables analysts to initiate on-demand actions and playbooks through Mission Control without requiring knowledge of a tool’s control syntax.

On-Demand Actions in Mission Control

Mission Control allows analysts to use the launch action feature to quickly issue actions across their infrastructure without all of the complexity they usually experience. There are several benefits to this approach:

  • One view, many tools: Analysts don’t have to open 10, 20, 30, or more tabs to interact with the tools in their environment. With Phantom, they access all tools from a single screen, allowing them to avoid getting lost in a myriad of browser tabs.
  • Data accessibility and event context: With Phantom, analysts launch actions against their tools from within the same view that the event or case data is presented in. This saves the analyst time, prevents error-prone copying and pasting, and allows them to stay in context to their current mission.
  • Integrated collaboration: The activity pane in Mission Control provides real-time chat functionality and a historical log of all activity relating to an event. Analysts can quickly pivot based on collaboration with others without breaking out of their workflow, changing screens, or opening more browser tabs.

 

1 Action Button.png
Analysts issue on-demand actions through the ACTION button in the Mission Control view.

Once the Launch Action dialog box is present, the analyst has the option to access the Action by action name, app name, or asset type. Note that each option supports the ability to search for the target using text input.

 

2 Action name.png
Launching an on-demand action by action name.
3 App name.png
Launching an on-demand action by the app name.

 

 

4 Asset type.png
Launching an on-demand action by asset type.

 

The launch action screen is responsible for linking an analyst to the available SOC tools. From this screen, every tool and action is accessible without switching contexts or opening multiple browser windows or tabs.

The remainder of the action execution path is straightforward, where after the action is selected, the analyst then selects the tool and parameters for the action. It is important to note that you can supply multiple parameters, IP addresses in this example, for the target action.

 

5 tool selection.png
Associating the tool for an intended action.

 

 

6 parameters.png
Supplying parameters for the on-demand action.

 

The last item to note about the launch action feature is the ability to schedule the on-demand action to execute at a specified time. This is helpful in a wide variety of situations, like getting a general status check (e.g. get ticket) or undoing an action after a certain amount of time has elapsed (e.g. unblock ip after an ip block has been deployed).

 

7 schedule.png
Scheduling an on-demand action for execution at a specific time.

 

Conclusion

In closing, the design goal of Mission Control and the launch action functionality was to simplify the way analysts interact with tools and high volumes of data. It eliminates context swapping penalties associated with pivoting between toolsets, making it easy for analysts to interact with tools at scale. Having a single view for action execution across all tools in the SOC simplifies analyst workflow and shortens MTTR.

On-demand action execution is just one of the enhancements you’ll find in the Phantom 3.0 Platform that enables you to streamline your workflow, reduce your MTTR, and improve collaboration across your SOC. If you haven’t experienced the Phantom Platform yet, we invite you to join the Phantom Community to gain access to the free the free Community Edition.

Other articles in this series can be found here.