This article is a part of a series describing key features of the Phantom Security Automation and Orchestration platform.
In this installment of the series, we will explore how the Heads-Up Display (HUD) in Phantom Mission Control™ can shorten the resolution time for security events. The core objective of the HUD is to allow the most important event information to be brought to the analyst’s attention as quickly and easily as possible. This is the intent with most heads-up displays, which is why we went with that naming for the feature. Analysts can now open an event, view the HUD, and from a single location get a quick assessment of the severity of the event and data, and quickly determine what to do next. The HUD eliminates a scenario where the analyst has to hunt for valuable information in order to pivot to their next steps while processing the event.
The act of adding information to the HUD is referred to as “pinning.” A characteristic of the HUD that makes it so practical is that any piece of data or information from any source can be pinned and retained. Information can be pinned manually by an analyst or automatically during playbook execution using the internal Phantom API call phantom.pin(). The API is exposed through the UI in two ways: the contextual menu and the Visual Playbook Editor (VPE).
To manually post data to the HUD in the Mission Control interface, use the contextual menu from any data point in the event. When pinning data to the HUD, there is the option to post a message with the data for added context.
To post data to the HUD through automation, the phantom.pin() API can be used in the visual playbook editor.
When pinning through automation, you can leverage all previous artifact and action result data that was obtained from prior action execution within the playbook. In this example we are using the results from a file reputation lookup, pivoting on the threat score, and if the threat score exceeds a certain value the playbook will pin the data to the HUD.
The above example is an ideal use case for the HUD, where the automation engine can do a significant amount of work independent of the analyst, then presents the most important results to the analyst. This is another way within Phantom to fast-track the processing of important data.
After each of the above examples, the analyst is left with a useful summary of the event populated through automation APIs and the contextual menu. The resulting view is as follows:
The HUD feature was incorporated into the product by user and community request. We will continue to optimize this feature, as well as other Mission Control and Phantom Platform features by closely interacting with our community and customer. Stay tuned for more information on enhancements to the HUD and other Phantom features coming soon!
If you haven’t experienced the Phantom Platform yet, we invite you to join the Phantom Community to gain access to the free the free Community Edition.
Other articles in this series can be found here.
More info on Phantom Mission Control can be found here.