Splunk Phantom Integration with Malwarebytes Cloud

Document created by lwei (Malwarebytes employee) on Nov 12, 2018. Last modified by jgolomb on Aug 13, 2019. Version 22.

Introduction

Splunk Phantom is a security orchestration platform: it automates security tasks and integrates many security technologies. This article describes a Phantom App that lets Malwarebytes Cloud be driven from a Phantom Playbook (a workflow or run-book).

 

Video

Watch a 13-minute video that installs the app, creates a Playbook, and sends events for processing.
Video on YouTube

 

Requirements

  • An account on the Malwarebytes Cloud server (https://cloud.malwarebytes.com).
  • Malwarebytes Public API credentials consisting of an Account ID, Client ID, and Client Secret. You can generate the Client ID and Client Secret in this Malwarebytes Cloud Console link; see the Configuration section of this article for steps.
  • Access to a Splunk Phantom server.
    • The Malwarebytes Cloud Phantom App is developed and tested against Phantom 4.1.x and 4.5.x.

 

How To Install Phantom

This section is a convenience cheat sheet for installing Splunk Phantom.

  • Request a (free) account from the Splunk Phantom home page.
  • Download the .OVA template from the Product menu after signing in.
  • Import the .OVA image into a virtual machine manager such as VMware or VirtualBox.
  • Once the Phantom VM is running, access it from a browser at https://<ip_address> of the VM.
  • The default administrative account is "admin" with password "password". Change it at first login: the Phantom instance will hold the Malwarebytes API credentials and can trigger scans and remediation on every endpoint, so it must not remain reachable with the default password.

 

Installation

Click the following link to download the integration app:

Download the latest Malwarebytes App for Splunk Phantom

 

  • Within the Phantom console, open the drop-down menu in the top left-hand corner and select Apps.
  • Click the "INSTALL APP" button and upload the downloaded .tgz app package.

 

Image of Install apps in the Splunk Phantom console.

 

Configuration

  • Search for and locate the imported Malwarebytes app.
  • Click the "CONFIGURE NEW ASSET" button.
  • The only configuration needed is the set of credentials for the Malwarebytes Cloud instance (Account ID, Client ID and Client Secret). These credentials authorize every action the app exposes, including scan and remediate, so treat them as a privileged secret and enter the Client Secret only in the password-type field.

 

Image of configure new asset in Splunk Phantom console.


To get your Malwarebytes Cloud Account ID:

  1. Log into the Malwarebytes Cloud Console.
  2. Copy the Account ID string from the console URL, as shown below.
    Image of Malwarebytes Cloud Console web url.
  3. In Splunk Phantom, paste it into the Malwarebytes Cloud Account Id field.

 

To get your Malwarebytes Cloud Client Id and Malwarebytes Cloud Client Secret:

  1. Click this Malwarebytes Cloud Console link.
  2. Enter your Malwarebytes Cloud Console administrator credentials.
  3. Click LOG IN > Generate Credentials > YES, GENERATE.
  4. Copy the generated Client Id into the Cloud Console Client Id field in Phantom.
  5. Copy the generated Client Secret into the Cloud Console Client Secret field in Phantom.
    Image of Client Credentials page in the Malwarebytes Cloud Console.

 

Configuration variables

The following configuration variables are required for this app to operate against Malwarebytes Endpoint Protection. They are specified when configuring an asset in Phantom.

 

Variable       Required   Type       Description
clientsecret   required   password   Malwarebytes Cloud Client Secret
clientid       required   string     Malwarebytes Cloud Client ID
accountid      required   string     Malwarebytes Cloud Account ID

 

Action: 'get scan info'

Get information about a scan job.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter   Required   Description           Type     Contains
scan_id     required   Scan ID for the job   string   scan id

 

Action output

Data path                               Type     Contains   Example values
action_result.parameter.scan_id         string   scan id    0f03a753-555e-4dbd-a3d6-94b19a96799b
action_result.status                    string              success
action_result.message                   string              Message from action
summary.total_objects                   numeric             1
summary.total_objects_successful        numeric             1
action_result.data.*.total_count        numeric             2
action_result.data.*.id                 string              fd47c2e9-83a3-4675-bac4-0133ab3a4f65
action_result.data.*.machine_id         string              ebc10d20-7a2e-4f69-8313-97a472bc712b
action_result.data.*.from_cloud         boolean             True, False
action_result.data.*.ondemand           boolean             True, False
action_result.data.*.scan_type          string              ThreatScan
action_result.data.*.started_at         string              2019-04-25T16:01:01Z
action_result.data.*.started_at_local   string              2019-04-25T09:01:01-07:00
action_result.data.*.reported_at        string              2019-04-25T16:01:39.093722Z
action_result.data.*.duration_seconds   numeric             90
action_result.data.*.found_count        numeric             2
action_result.data.*.quarantined_count  numeric             2
action_result.data.*.deleted_count      numeric             0
action_result.data.*.machine_name       string              desktop7771.domain.com
action_result.data.*.os_platform        string              WINDOWS
action_result.summary                   string
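The scan record above is what a playbook typically inspects before deciding whether to escalate. The following is an added example written for this article, not code from the Malwarebytes app or from Splunk Phantom: it takes a dict shaped like the documented action_result data paths and reports whether the scan left threats that were neither quarantined nor deleted. The sample result is constructed to resemble the example values in the table, with one found threat deliberately left unhandled; in a real playbook the dict would come from the action's result data.

```python
"""Post-process the result of the Malwarebytes 'get scan info' action.

Added example, not code from the Malwarebytes app or Splunk Phantom. It takes a
dict shaped like the documented action_result data paths and decides whether the
scan left threats unhandled, which is the decision a playbook makes before
escalating. SAMPLE_SCAN_RESULT is constructed, not captured from a real tenant.
"""
from datetime import datetime

# Constructed sample mirroring the documented data paths; the counts are chosen
# so that one found threat is neither quarantined nor deleted.
SAMPLE_SCAN_RESULT = {
    "parameter": {"scan_id": "0f03a753-555e-4dbd-a3d6-94b19a96799b"},
    "status": "success",
    "message": "Scan info retrieved",
    "data": [
        {
            "total_count": 1,
            "id": "fd47c2e9-83a3-4675-bac4-0133ab3a4f65",
            "machine_id": "ebc10d20-7a2e-4f69-8313-97a472bc712b",
            "from_cloud": True,
            "ondemand": True,
            "scan_type": "ThreatScan",
            "started_at": "2019-04-25T16:01:01Z",
            "started_at_local": "2019-04-25T09:01:01-07:00",
            "reported_at": "2019-04-25T16:01:39.093722Z",
            "duration_seconds": 90,
            "found_count": 2,
            "quarantined_count": 1,
            "deleted_count": 0,
            "machine_name": "desktop7771.domain.com",
            "os_platform": "WINDOWS",
        }
    ],
}


def parse_timestamp(value):
    """Parse the ISO-8601 strings the action returns ('Z' or explicit offset)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def unresolved_threats(record):
    """Threats the scan found but neither quarantined nor deleted (never negative)."""
    found = int(record.get("found_count", 0))
    handled = int(record.get("quarantined_count", 0)) + int(record.get("deleted_count", 0))
    return max(found - handled, 0)


def summarize_scan(action_result):
    """Return one summary per scan record, or raise if the action itself failed."""
    if action_result.get("status") != "success":
        raise ValueError("get scan info failed: %s" % action_result.get("message"))
    summaries = []
    for rec in action_result.get("data", []):
        unresolved = unresolved_threats(rec)
        started = rec.get("started_at")
        summaries.append({
            "scan_id": rec.get("id"),
            "machine_id": rec.get("machine_id"),
            "machine_name": rec.get("machine_name"),
            "scan_type": rec.get("scan_type"),
            "started_at": parse_timestamp(started) if started else None,
            "found": int(rec.get("found_count", 0)),
            "unresolved": unresolved,
            # A scan that found nothing, or handled everything it found, needs no follow-up.
            "needs_followup": unresolved > 0,
        })
    return summaries


if __name__ == "__main__":
    for s in summarize_scan(SAMPLE_SCAN_RESULT):
        print("%s: found=%d unresolved=%d follow-up=%s"
              % (s["machine_name"], s["found"], s["unresolved"], s["needs_followup"]))
```

The follow-up flag is derived from the three counters rather than from found_count alone, so a scan that quarantined everything it found does not trigger a second remediation pass; the status check at the top keeps a failed action from being read as "nothing found".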

 

Action: 'get endpoint info'

Get information about an endpoint.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter   Required   Description                                   Type     Contains
hostname    required   Hostname of the endpoint to get information   string   host name

 

Action output

Data path                               Type     Contains    Example values
action_result.parameter.hostname        string   host name   firmino
action_result.status                    string               success
action_result.message                   string               Message from action
summary.total_objects                   numeric              1
summary.total_objects_successful        numeric              1
action_result.data.*.id                 string               6013e073d5a384b4bc1b494f9258a43a6af11a50
action_result.data.*.name               string               WIN-V9TNRP1M0G4
action_result.data.*.created_at         string               2019-05-01T22:03:31.019437Z
action_result.data.*.online             boolean              True, False
action_result.data.*.os_release_name    string               Microsoft Windows 10 Pro
action_result.data.*.os_architecture    string               AMD64
action_result.data.*.os_platform        string               WINDOWS
action_result.data.*.last_seen_at       string               2019-05-04T17:28:00.211005Z
action_result.summary                   string

 

Action: 'list endpoints'

List all the endpoints/sensors registered in the Malwarebytes Cloud account.

  • Type: investigate
  • Read only: True

 

Action parameters

No parameters are required for this action.

 

Action output

Data path                                         Type      Example values
action_result.status                              string    success
action_result.message                             string    failed
summary.total_objects                             numeric   1, 2
summary.total_objects_successful                  numeric   1, 0
action_result.data.*.total_count                  numeric   7
action_result.data.*.machines.*.name              string    wijnaldum
action_result.data.*.machines.*.os_release_name   string    Microsoft Windows 10 Pro
action_result.data.*.machines.*.created_at        string    2018-10-19T17:59:32.877626Z
action_result.data.*.machines.*.online            boolean   True, False
action_result.data.*.machines.*.last_seen_at      string    2018-11-05T05:23:18.615218Z
action_result.data.*.machines.*.os_architecture   string    AMD64
action_result.data.*.machines.*.os_platform       string    WINDOWS
action_result.data.*.machines.*.id                string    9c3999cb-bdd0-4b01-b7f3-42a2f17ec429
action_result.summary                             string

No "Contains" values are documented for this action.
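Before calling 'scan and report' or 'scan and remediate' with a hostname taken from an alert, a playbook usually wants to confirm that the hostname maps to exactly one endpoint, and to know which endpoints have stopped reporting. The following is an added example written for this article, not code from the Malwarebytes app or Splunk Phantom: it works over a dict shaped like the documented data[*].machines[*] paths. The sample result is constructed, not captured; it assumes total_count is the account-wide number of endpoints, which the page does not state, and the seven-day staleness threshold is a local choice.

```python
"""Work with the result of the Malwarebytes 'list endpoints' action.

Added example, not code from the Malwarebytes app or Splunk Phantom. It takes a
dict shaped like the documented action_result data paths (data[*].machines[*])
and answers two questions a playbook has before it calls 'scan and report' or
'scan and remediate': does the alert hostname map to exactly one endpoint, and
which endpoints have gone quiet. SAMPLE_LIST_RESULT is constructed, not captured.
"""
from datetime import datetime, timedelta

# Constructed sample. total_count is assumed (not documented on the page) to be the
# account-wide endpoint count; only four machines are included, so the listing is
# deliberately incomplete. Ids are synthetic placeholders.
SAMPLE_LIST_RESULT = {
    "status": "success",
    "message": "Listed endpoints",
    "data": [{
        "total_count": 7,
        "machines": [
            {"id": "00000000-0000-4000-8000-000000000001", "name": "wijnaldum",
             "os_release_name": "Microsoft Windows 10 Pro", "os_architecture": "AMD64",
             "os_platform": "WINDOWS", "online": True,
             "created_at": "2018-10-19T17:59:32.877626Z",
             "last_seen_at": "2018-11-05T05:23:18.615218Z"},
            {"id": "00000000-0000-4000-8000-000000000002", "name": "firmino",
             "os_release_name": "Microsoft Windows 10 Pro", "os_architecture": "AMD64",
             "os_platform": "WINDOWS", "online": False,
             "created_at": "2018-09-01T12:00:00Z",
             "last_seen_at": "2018-10-01T08:00:00Z"},
            {"id": "00000000-0000-4000-8000-000000000003", "name": "WIN-V9TNRP1M0G4",
             "os_release_name": "Microsoft Windows 10 Pro", "os_architecture": "AMD64",
             "os_platform": "WINDOWS", "online": False,
             "created_at": "2018-10-30T09:15:00Z",
             "last_seen_at": "2018-11-04T17:28:00.211005Z"},
            {"id": "00000000-0000-4000-8000-000000000004", "name": "desktop7771.domain.com",
             "os_release_name": "Microsoft Windows 10 Pro", "os_architecture": "AMD64",
             "os_platform": "WINDOWS", "online": True,
             "created_at": "2018-10-19T18:00:00Z",
             "last_seen_at": "2018-11-05T22:10:00Z"},
        ],
    }],
}


def parse_timestamp(value):
    """Parse the ISO-8601 strings the action returns ('Z' or explicit offset)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def machines(action_result):
    """Flatten data[*].machines[*]; raise if the action itself did not succeed."""
    if action_result.get("status") != "success":
        raise ValueError("list endpoints failed: %s" % action_result.get("message"))
    return [m for page in action_result.get("data", []) for m in page.get("machines", [])]


def is_complete(action_result):
    """True when the machines returned account for total_count (assumed account-wide)."""
    total = max((int(p.get("total_count", 0)) for p in action_result.get("data", [])), default=0)
    return len(machines(action_result)) >= total


def find_endpoint(action_result, hostname):
    """Map an alert hostname to one endpoint record.

    An exact (case-insensitive) name match wins; otherwise fall back to the short
    host name, but only when that is unambiguous. Never guess between two
    candidates: a remediation fired at the wrong machine is worse than none.
    """
    wanted = hostname.strip().lower()
    pool = machines(action_result)
    exact = [m for m in pool if m.get("name", "").lower() == wanted]
    if exact:
        return exact[0]
    short = wanted.split(".")[0]
    candidates = [m for m in pool if m.get("name", "").lower().split(".")[0] == short]
    return candidates[0] if len(candidates) == 1 else None


def stale_endpoints(action_result, now, max_age_days=7):
    """Offline endpoints not seen within max_age_days before `now` (aware datetime or ISO string)."""
    if isinstance(now, str):
        now = parse_timestamp(now)
    cutoff = now - timedelta(days=max_age_days)
    return [m for m in machines(action_result)
            if not m.get("online") and parse_timestamp(m["last_seen_at"]) < cutoff]


if __name__ == "__main__":
    result = SAMPLE_LIST_RESULT
    print("listing complete:", is_complete(result))
    target = find_endpoint(result, "FIRMINO")
    print("alert host resolves to:", target and target["id"])
    for m in stale_endpoints(result, "2018-11-06T00:00:00Z"):
        print("stale:", m["name"], "last seen", m["last_seen_at"])
```

When is_complete returns False the listing did not cover the whole account, so a hostname that is not found must not be treated as "not enrolled"; and a stale endpoint is a reason to check the agent rather than a target for an automated scan, since the action cannot reach it.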

 

Action: 'scan and report'

Scan an endpoint and report threats found.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter   Required   Description                                Type     Contains
hostname    required   Hostname of endpoint to scan and report.   string   host name

 

Action output

Data path                               Type      Contains
action_result.parameter.hostname        string    host name
action_result.status                    string
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

No example values are documented for this action.

 

Action: 'scan and remediate'

Scan an endpoint and remediate threats found.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter   Required   Description                                   Type     Contains
hostname    required   Hostname of endpoint to scan and remediate.   string   host name

 

Action output

Data path                               Type      Contains
action_result.parameter.hostname        string    host name
action_result.status                    string
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

No example values are documented for this action.

 

Action: 'test connectivity'

Validate the asset configuration for connectivity using supplied configuration.

  • Type: test
  • Read only: True

 

Action parameters

No parameters are required for this action.

 

Action output

No output.

 

Features

Phantom apps implement a set of Actions, which are the building blocks for creating Playbooks. These are the Actions available from the Malwarebytes App for Phantom.

  • get scan info - Get information about a scan job.
  • get endpoint info - Get information about an endpoint.
  • list endpoints - List all the endpoints/sensors registered in the Malwarebytes Cloud account.
  • scan and report - Scan an endpoint and report threats found.
  • scan and remediate - Scan an endpoint and remediate threats found.
  • test connectivity - Validate the asset configuration for connectivity using supplied configuration.

 

Support

The best way to get official support help is to create a ticket online at the Malwarebytes business support site.

Create support ticket.

 

Screenshots

  1. An example Playbook showing events coming in and a decision being made to determine the next steps. If the event is of Medium Severity, an Action is invoked to scan and remediate the endpoint. If the event is of High Severity, it will be quarantined, with an email being sent to notify the appropriate people.

    Image of example playbook in Splunk Phantom.
