Understanding Phantom ROI Summary Metrics

Splunk Phantom has a useful widget on the dashboard called Automation ROI Summary. With it, we get a summary of automation gains made with Phantom, including the total resolved events, mean dwell time, mean time to resolve, and some metrics around “return on investment” or ROI. These ROI metrics can be a bit mysterious in …

Splunk Phantom Tips: ES Notable Playbook Validation

When using Splunk Phantom to process notable events from Splunk ES, a best practice is to validate that the playbook the analyst is running is the right one for that notable event and that they are running it on the correct artifact. Here are two tips for doing just that: Decision Block At the beginning of …

Splunk Phantom Tips: How to Get the Username of the User Who Ran a Playbook in That Playbook

This is an issue I ran into recently. I wanted to assign a task to the user who ran a playbook, but that was easier said than done. The first step is to get the effective_user_id of the playbook. We can do this by creating a custom code block, so that we can pass around …