This can also be used to split queries to Splunk between the security and operations teams.Ĭreate Phantom Integration user in Splunk: It is recommended that each Splunk asset (endpoint) within Phantom be setup with a separate service account. An internal Splunk account will suffice for this purpose. This account will execute REST commands against the Search Head, to initiate searches and retrieve results. On Splunk, we require a “ service account” that Phantom can use to authenticate with. OpenSSL routines in Phantom will now be able to verify the certificate on Splunk. Update the system CA trust store update-ca-trust To install these certificates on the Phantom instance, do the following (as root):Ĭopy your CA public key (PEM format) to the system PKI store: cp /home/myuser/my_org_root_ca.pem /etc/pki/ca-trust/source/anchors This certificate also needs to be validated by the Phantom client, so any required CA certs also need to be present on the certificate store of the Phantom machine. If the authenticity of the data cannot be guaranteed, an attacker could direct the query to rogue infrastructure, returning malicious search results that will be operated on automatically. It is recommended that a valid TLS certificate is installed on the Search Head or cluster that is to be queried by Phantom. Valid TLS certificates on Splunk Web and Phantom There are a number of security considerations we need to keep in mind when setting up the integration between Splunk and Phantom as well as when executing security playbooks. This could indicate compromise on a client machine that needs to be re-mediatedįor the example in this article, we will look at finding users in the organisation that clicked on a malicious link in a Phishing email Security Considerations Querying firewall logs to determine if a call-out was made to a C&C server.Querying the email logs to determine which other users were the target of a Phishing campaign.These users could undergo an automatic password reset or a full malware scan of their machine can be initiated Querying the proxy logs to find other users that clicked on a malicious link.These could include functionalities such as: There are a number of use-cases or playbooks with Phantom that requires information within Splunk to be queried. Often it is required to act upon data within Splunk, or to augment case details in Phantom by querying Splunk for additional information. Once access has been granted, you can download the file from the Splunk Phantom community website.This article deals with querying Splunk from within Phantom to enable automation of security use-cases. Contact Splunk Phantom Support to get access to the offline installer tar file.Update the operating system and dependenciesĭo these tasks with root permissions, either by logging in as root or as a user with sudo permission. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)? Operating System On Red Hat Enterprise Linux, you must either create a satellite server or local YUM repository for operating system packages and other dependencies. Red Hat Enterprise Linux 7.6 through 7.9.Supported operating systems for this method: International Splunk Support numbers are found in the Contact Us section of the Splunk website. You can open a support case at Splunk Support and Services or by calling +1(855)SPLUNK-S or +1(855)775-8657. Use a tar file to install Splunk Phantom without an internet connection.Ĭontact Phantom support to get this installation file. Install Splunk Phantom on a system with limited internet access
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |