

This webcast has been archived; the recording and presentation slides are available to registered SANS Portal accounts.

How to Eliminate Alert Fatigue by Turbo-Charging Splunk Phantom with Corelight NSM

  • Thursday, June 11, 2020 at 12:00 PM EDT (2020-06-11 16:00:00 UTC)
  • Wissam Ali-Ahmad, Troy Moore, Richard Bejtlich, Mark Overholser
  • Sponsor: Corelight




Every Security Operations Center faces the same daily challenges: alert fatigue, false positives, an overwhelming number of cases, a mountain of events to analyze, and limited time and staff to handle the workload. Corelight Network Security Monitoring (NSM), combined with Phantom, Splunk's Security Orchestration, Automation, and Response (SOAR) platform, offers a way to address them.

By blending Splunk Phantom playbooks with Corelight network data, analysts can use automated, pre-correlated views to make high-fidelity decisions in seconds while maintaining auditor-quality control of the forensic data. Triggered by an alert, these playbooks gather the surrounding network context (the connections, DNS lookups, and other Zeek-derived records involving the hosts in question) and can automatically determine whether the alert is a false positive before an analyst ever opens the case.
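As an added illustration of the enrichment-and-triage step described above (example code written for this page, not Corelight's or Splunk's playbook logic), the block below takes an IDS alert, pulls the Zeek-format conn and dns records that Corelight sensors export, and decides whether the alert is worth an analyst's time. The log lines are constructed sample data, the alert fields (ts, src, dst, signature) are an assumed shape, and the three-way verdict is a hypothetical heuristic; the only real-world knowledge it relies on is the meaning of the standard Zeek conn_state values.

```python
import json

# Constructed sample data, not real sensor output: Zeek conn.log and dns.log
# records in the JSON form Corelight sensors export. Field names are Zeek's.
SAMPLE_CONN_LOG = """
{"ts": 1000.5, "uid": "C1", "id.orig_h": "10.0.0.5", "id.orig_p": 51000, "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "conn_state": "SF", "orig_bytes": 1500, "resp_bytes": 20000}
{"ts": 1002.0, "uid": "C2", "id.orig_h": "10.0.0.5", "id.orig_p": 51001, "id.resp_h": "203.0.113.20", "id.resp_p": 4444, "proto": "tcp", "conn_state": "REJ", "orig_bytes": 0, "resp_bytes": 0}
{"ts": 5000.0, "uid": "C3", "id.orig_h": "10.0.0.7", "id.orig_p": 51002, "id.resp_h": "203.0.113.30", "id.resp_p": 80, "proto": "tcp", "conn_state": "SF", "orig_bytes": 300, "resp_bytes": 900}
"""

SAMPLE_DNS_LOG = """
{"ts": 1000.1, "uid": "D1", "id.orig_h": "10.0.0.5", "query": "update.example.net", "answers": ["203.0.113.10"]}
"""

# Constructed alerts in an assumed shape (a real playbook would map the IDS
# vendor's fields onto these). Signatures are placeholders, not real rules.
SAMPLE_ALERTS = [
    {"ts": 1001.0, "src": "10.0.0.5", "dst": "203.0.113.10", "signature": "outbound beacon A"},
    {"ts": 1001.0, "src": "10.0.0.5", "dst": "203.0.113.20", "signature": "outbound beacon B"},
    {"ts": 1001.0, "src": "10.0.0.5", "dst": "203.0.113.30", "signature": "outbound beacon C"},
]

# Zeek conn_state values that imply a completed TCP handshake.
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


def parse_zeek_json(text):
    """One JSON object per line, as Zeek/Corelight write them."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def gather_context(alert, conn_records, dns_records, window=300):
    """Collect the network evidence around an alert: sessions between the two
    hosts inside +/- window seconds, and the names the source resolved to dst."""
    lo, hi = alert["ts"] - window, alert["ts"] + window
    conns = [c for c in conn_records
             if lo <= c["ts"] <= hi
             and {c["id.orig_h"], c["id.resp_h"]} == {alert["src"], alert["dst"]}]
    names = sorted({d["query"] for d in dns_records
                    if lo <= d["ts"] <= hi
                    and d["id.orig_h"] == alert["src"]
                    and alert["dst"] in d.get("answers", [])})
    return {
        "conn_uids": [c["uid"] for c in conns],
        "established": any(c["conn_state"] in ESTABLISHED_STATES for c in conns),
        "bytes_out": sum(c.get("orig_bytes", 0) for c in conns),
        "bytes_in": sum(c.get("resp_bytes", 0) for c in conns),
        "resolved_names": names,
    }


def triage(alert, conn_records, dns_records):
    """Hypothetical three-way verdict; the evidence travels with the verdict so
    the decision stays auditable."""
    ctx = gather_context(alert, conn_records, dns_records)
    if not ctx["conn_uids"]:
        # Caveat: only safe to auto-close if the sensor actually covers the
        # segment the source host sits on; otherwise this is a blind spot.
        verdict, reason = "false_positive", "no session between src and dst seen by the sensor in the alert window"
    elif not ctx["established"]:
        verdict, reason = "low_priority", "connection attempt never completed a handshake, no payload exchanged"
    else:
        verdict, reason = "escalate", "established session with data exchanged"
    return {"alert": alert["signature"], "verdict": verdict, "reason": reason, "context": ctx}


def run_sample():
    conns = parse_zeek_json(SAMPLE_CONN_LOG)
    dns = parse_zeek_json(SAMPLE_DNS_LOG)
    return [triage(a, conns, dns) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for result in run_sample():
        print(json.dumps(result))
```

In a real Phantom playbook the conn and dns records would come from a Splunk search scoped to the alert's hosts and time window rather than from inline strings, and the "false_positive" branch should check sensor coverage before closing the case automatically; the point of carrying the context dictionary in the result is that an auditor can later see exactly which Zeek uids the decision rested on.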

Join experts from Corelight, Splunk, and Idaho National Laboratory to learn how these capabilities can multiply your security operations efforts and shorten incident response time.

Speaker Bios

Wissam Ali-Ahmad

Wissam Ali-Ahmad is a Lead Solutions Architect for the Global Strategic Alliances group at Splunk (splunk.com). Wissam works closely with technology partners on building Splunk integrations, architectures, and various content. Wissam brings more than fifteen years of technical experience in big data, security, cloud infrastructure and enterprise software. Prior to Splunk, Wissam held various engineering leadership roles at AppSense, Infoblox, Qualys, Vernier Networks, PSS Systems and Verizon Labs. Wissam is also an avid hiker, home cook and a guitar player.

Troy Moore

Troy Moore is a Cyber Security Analyst at Idaho National Laboratory where he has worked in data analytics and cyber security for the last ten years. Troy has created over 150 use cases and reports for the Cyber Security and IT groups at the lab to help in continuous monitoring (ISCM) and the FISMA Certification and Accreditation assessments. He is a Certified Splunk User and Splunk Power User and is responsible for the setup and maintenance of the INL Splunk instance, including Splunk IT Service Intelligence (ITSI) and Splunk Enterprise Security. Troy holds a CISSP and MBA from Idaho State University.

Richard Bejtlich

Richard Bejtlich is an author and Principal Security Strategist at Corelight. He was previously Chief Security Strategist at FireEye, and Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. At General Electric, as Director of Incident Response, he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He has authored, co-authored, and contributed to over a dozen books (listed at www.taosecurity.com). He also writes for his blog (taosecurity.blogspot.com) and Twitter (@taosecurity).

Mark Overholser

Mark Overholser is a Security Engineer at Corelight, where he helps organizations capture, interpret, and connect network security data. Mark brings more than twelve years' experience in security, system administration, and infrastructure. Prior to Corelight, Mark was a Systems Engineer Specialist at Palo Alto Networks, a Consulting Engineer at LightCyber, and Information Security Team Lead at Medline Industries.
