Splunk Phantom is a security orchestration platform. Phantom allows you to automate security tasks, as well as integrate many security technologies. This is a Phantom App that allows Malwarebytes Cloud to be automated using Playbook (i.e. workflow, or run-book) from within Phantom.
Watch a 13 minute video installing the app, creating a Playbook, and sending events for processing.
Video on YouTube
- An account on the Malwarebytes Cloud server (https://cloud.malwarebytes.com).
- Malwarebytes Public API credentials consisting of an Account ID, Client ID, and Client Secret. You can generate authorization credentials in this Malwarebytes Cloud Console link. See the Configuration section of this article for steps.
- Access to a Splunk Phantom server.
- The Malwarebytes Cloud Phantom App is developed and tested using both 4.1.x and 4.5.x of Phantom.
How To Install Phantom
This section is provided as a convenience and cheat sheet to install Splunk Phantom.
- Request an account (free) from the Splunk Phantom home page.
- Download the .OVA template from the Product menu after signing in.
- Open the .OVA image using a virtual machine manager such as VMware or VirtualBox.
- Once the Phantom OVA has been installed, it is accessed from a browser against the installed IP using https://ip_address.
- The default administrative account is "admin", and password "password".
Download and install the App in Phantom.
Download the latest Malwarebytes App for Splunk Phantom
- Within the Phantom console, select the Apps item in the drop-down menu in the top left-hand corner.
- Click the "INSTALL APP" button to upload the tgz file module.
- Search and locate the imported Malwarebytes app.
- Click the "CONFIGURE NEW ASSET" button.
- The only configuration needed is to provide the credentials to access the Malwarebytes Cloud instance.
To get your Malwarebytes Cloud Account Id:
- Log into the Malwarebytes Cloud Console.
- Copy the following string of characters found in the url.
- In Splunk Phantom, paste the characters into the Malwarebytes Cloud Account Id field.
To get your Malwarebytes Cloud Client Id and Malwarebytes Cloud Client Secret:
- Click this Malwarebytes Cloud Console link.
- Enter your Malwarebytes Cloud Console administrator credentials.
- Click LOG IN > Generate Credentials > YES, GENERATE.
- Copy the generated Client Id and paste the Client Id into the Cloud Console Client Id field.
- Copy the generated Client Secret and paste the Client Secret in the Cloud Console Client Secret field.
Phantom apps implement a set of Actions, which are the building blocks for creating Playbooks. These are the Actions available from the Malwarebytes App for Phantom.
- get scan info - Get information about a scan job.
- get endpoint info - Get information about an endpoint.
- list endpoints - List all the endpoints/sensors configured on the device.
- scan and report - Scan an endpoint and report threats found.
- scan and remediate - Scan an endpoint and remediate threats found.
- test connectivity - Validate the asset configuration for connectivity using supplied configuration.
The best way to get official support help is to create a ticket online at the Malwarebytes business support site.
- An example Playbook showing events coming in and a decision is being made to determine the next steps. If the event is of Medium Severity, an Action is invoked to scan and remediate the endpoint. If the event is of High Severity, it will be quarantined, with an email being sent to notify the appropriate people.