Splunk Phantom Integration with Malwarebytes Cloud

Document created by lwei on Nov 12, 2018. Last modified by jgolomb on Nov 19, 2018. Version 5.

 

Introduction

Splunk Phantom is a security orchestration platform. Phantom lets you automate security tasks and integrate many security technologies. This page describes a Phantom App that lets Malwarebytes Cloud be driven by Phantom Playbooks (i.e. workflows, or run-books).

 

Video

Watch a 13-minute video that installs the app, creates a Playbook, and sends events for processing.
Video on YouTube

 

Requirements

  • An account on the Malwarebytes Cloud server (https://cloud.malwarebytes.com).
  • Access to a Splunk Phantom server.
    • The Malwarebytes Cloud Phantom App is developed and tested using version 4.1.94 of Phantom.

 

How To Install Phantom

This section is a convenience cheat sheet for installing Splunk Phantom.

  • Request an account (free) from the Splunk Phantom home page.
  • Download the .OVA template from the Product menu after signing in.
  • Open the .OVA image using a virtual machine manager such as VMware or VirtualBox.
  • Once the Phantom VM is running, open https://ip_address in a browser, where ip_address is the address assigned to the VM.
  • The default administrative account is "admin" with password "password". Change it at first login: the console holds every Playbook and every asset credential you configure, including the Malwarebytes Cloud credentials below.

 

Installation

Download and install the App in Phantom.

 

  • Within the Phantom console, select Apps from the drop-down menu in the top left-hand corner.
  • Click the "INSTALL APP" button and upload the app's .tgz package.

 

Image of Install apps in the Splunk Phantom console.

 

Configuration

  • Search for and locate the imported Malwarebytes app.
  • Click the "CONFIGURE NEW ASSET" button.
  • The only configuration needed is the set of credentials used to access the Malwarebytes Cloud instance. Because the asset's actions can quarantine and unquarantine endpoints, anyone who can run Playbooks against this asset can isolate endpoints with these credentials; treat them as privileged and do not reuse a personal login.

 

Image of configure new asset in Splunk Phantom console.

 

Features

Phantom apps implement a set of Actions, which are the building blocks for creating Playbooks. These are the Actions available from the Malwarebytes App for Phantom.

  • endpoint info - Get information about an endpoint.
  • list endpoints - List all the endpoints/sensors registered in the Malwarebytes Cloud account.
  • quarantine device - Quarantine (isolate) the endpoint.
  • scan endpoint - Scan an endpoint for threats.
  • test connectivity - Validate that the asset's supplied credentials can reach the Malwarebytes Cloud instance.
  • unquarantine device - Unquarantine (remove isolation) the endpoint.

 

Support

This is a community-shared utility. Please send questions, comments, and support requests to the author directly.

 

Screenshots

  1. An example Playbook in which incoming events are evaluated and a decision determines the next steps. If the event is of Medium severity, an Action is invoked to scan and remediate the endpoint. If the event is of High severity, the endpoint is quarantined and an email is sent to notify the appropriate people.

    Image of example playbook in Splunk Phantom.