Security teams are tasked with triaging an unmanageable number of alerts every day, trying to distinguish real threats from false positives. Many teams rely on manual alert review, which drains analyst time and resources and can still leave organizations exposed because the number of alerts is overwhelming.

The Flashpoint Splunk Phantom integration facilitates easy access to Flashpoint collections, including illicit conversations, technical data, compromised assets, and finished intelligence with the associated context specifically for Splunk Phantom users.

Once integrated, Flashpoint datasets enrich internal data, helping security teams automate tasks, orchestrate workflows, and support a broad range of SOC functions, including event and case management, collaboration, and reporting.

The Flashpoint & Splunk Phantom Advantage

Flashpoint’s collections give Splunk Phantom users visibility into illicit online communities and discussions, including technical data and compromised credentials, so they can correlate information related to their infrastructure through security orchestration, automation and response (SOAR) capabilities. Teams gain timely, actionable insights to:

  • prioritize response leveraging connections within the datasets

  • improve security effectiveness with enhanced security alert metrics

  • mitigate risk by integrating teams, processes, and tools via an automated process

Key Features

  • Prioritize alerts with additional context and analysis from Flashpoint’s unique access to illicit communities and threat actor discussions

  • Conduct searches across all integrated Flashpoint datasets

  • Phantom Playbooks integrated with Flashpoint Intelligence bring more context to investigations of potentially malicious IPs, URLs, domains, hashes or file names

  • Collect integrated data using Flashpoint’s REST-based API

Integrated Flashpoint Datasets


Forums: Access to signal-rich discussions from illicit threat actor communities. Supplement internal data with targeted data from highly curated sources.

Chat Services: Access to around-the-clock conversations within threat-actor channels to monitor and gain insights across threat-actor communities.

Blogs: Provides a broader view into open web data by providing online sources of news and information related to threat actors and collectives, allowing users to monitor activity in malicious communities more comprehensively, as well as risks impacting the organization or brand.

4chan & 8chan: Provides access to the anonymous 4chan and 8chan message boards, enabling users to monitor malicious content and discussions ranging from hacktivism to physical threats.


Technical Indicators: Gives users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets and those included in Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.

CVEs: Access to the latest CVEs within Flashpoint’s collections, including access to MITRE and NVD data, as well as CVEs discussed by threat actors as observed by Flashpoint Intelligence Analysts.


Finished Intelligence: Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.


Compromised Credentials Monitoring - Enterprise (CCM - E): Enables organizations to search and monitor Flashpoint’s unique collections for compromised enterprise accounts and passwords in order to flag accounts, reset employee passwords, and restrict permissions to prevent actors from accessing confidential or personally identifiable information (PII).

Use Cases


Employee reuse of passwords, where the same or similar passwords and email addresses are recycled for different web-based services, presents a major risk to enterprises. Knowing this tendency, threat actors who compromise or gain access to leaked credentials will use them to gain access to numerous enterprise networks or web-based services. Fraud teams require insight into the leaked credentials to understand their exposure, in order to prevent account takeover (ATO). The Flashpoint Splunk Phantom integration provides an active directory that correlates leaked enterprise credentials to Flashpoint’s expansive data collection, which scales breaches and leaks of all magnitudes, and includes thousands of automated and manually sourced breaches processed within Flashpoint’s collections since 2011.


Organizations collect large amounts of security event data, requiring significant resources to sift through, identify, and protect against a vast number of threat indicators. Security operations centers (SOCs) can leverage the Flashpoint Splunk Phantom integration to correlate high-fidelity IOCs curated by Flashpoint intelligence analysts with the client’s security event data and orchestrate automated responses with Phantom Playbooks.


The Flashpoint Splunk Phantom integration enables organizations to quickly query across Flashpoint technical data, expediting incident response investigations and enabling teams to enrich data collected during an investigation, in which response time is critical.

Deploying the Flashpoint Splunk App and Add-on

Flashpoint Splunk Phantom is available on GitHub: https://github.com/flashpoint-intel/phantom/

Users may download the app, deploy, and configure it using a Flashpoint API key.

For more information contact: [email protected]
