Splunk Phantom is a security orchestration platform. Phantom allows you to automate security tasks, as well as integrate many security technologies. This is a Phantom App that allows Malwarebytes Cloud to be automated using Playbook (i.e. workflow, or run-book) from within Phantom.
Watch a 13-minute video that installs the app, creates a Playbook, and sends events for processing.
Video on YouTube
- An account on the Malwarebytes Cloud server (https://cloud.malwarebytes.com).
- Access to a Splunk Phantom server.
- The Malwarebytes Cloud Phantom App is developed and tested using version 4.1.94 of Phantom.
How To Install Phantom
This section is provided as a convenience and cheat sheet to install Splunk Phantom.
- Request an account (free) from the Splunk Phantom home page.
- Download the .OVA template from the Product menu after signing in.
- Open the .OVA image using a virtual machine manager such as VMware or VirtualBox.
- Once the Phantom OVA is running, open it in a browser at https://ip_address, where ip_address is the address assigned to the virtual machine.
- The default administrative account is "admin", and password "password".
Download and install the App in Phantom.
Download the latest Malwarebytes App for Splunk Phantom
- Within the Phantom console, select the Apps item in the drop-down menu in the top left-hand corner.
- Click the "INSTALL APP" button and upload the app's .tgz package.
- Search and locate the imported Malwarebytes app.
- Click the "CONFIGURE NEW ASSET" button.
- The only configuration needed is to provide the credentials to access the Malwarebytes Cloud instance.
Phantom apps implement a set of Actions, which are the building blocks for creating Playbooks. These are the Actions available from the Malwarebytes App for Phantom.
- endpoint info - Get information about an endpoint.
- list endpoints - List all the endpoints/sensors configured on the device.
- quarantine device - Quarantine (isolate) the endpoint.
- scan endpoint - Scan an endpoint for threats.
- test connectivity - Validate the asset configuration by testing connectivity with the supplied credentials.
- unquarantine device - Unquarantine (remove isolation) the endpoint.
This is a user community shared utility. Please send questions, comments, and support requests to the author directly.
- An example Playbook showing events arriving and a decision being made to determine the next steps. If the event is of Medium Severity, an Action is invoked to scan and remediate the endpoint. If the event is of High Severity, the endpoint is quarantined and an email is sent to notify the appropriate people.
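The decision logic of that example Playbook, written out as an added Python example (not the app's or Phantom's own code): it assumes the container fields `severity` and `data.endpoint_id`, an `endpoint_id` action parameter and a notification action named `send email`, and it leaves out the Phantom playbook API so the logic runs stand-alone.

```python
# Added example: mirrors the severity decision of the example Playbook described
# above. It is not the app's own code, and the Phantom playbook API (phantom.rules)
# is deliberately not imported so the logic runs and can be tested anywhere.
# The container fields "severity" and "data.endpoint_id", the action parameter
# "endpoint_id" and the e-mail action name are assumptions, not taken from the app.
from typing import Callable, Dict, List, Tuple

# Action names exactly as listed for the Malwarebytes App above.
SCAN = "scan endpoint"
QUARANTINE = "quarantine device"
EMAIL = "send email"  # assumed name of the notification action

Action = Tuple[str, Dict[str, str]]

def normalise_severity(container: dict) -> str:
    """Return 'low', 'medium', 'high' or 'unknown' for a Phantom container.

    Severity arrives as a free-form string, so compare case-insensitively and
    never raise on a missing field: an unreadable severity must fail closed
    (no containment action) rather than crash the playbook."""
    value = str(container.get("severity", "")).strip().lower()
    return value if value in ("low", "medium", "high") else "unknown"

def plan_actions(container: dict) -> List[Action]:
    """The playbook's decision block: which actions to run for one event."""
    endpoint = (container.get("data") or {}).get("endpoint_id")
    if not endpoint:
        return []  # nothing to act on without a target endpoint
    target = {"endpoint_id": endpoint}
    severity = normalise_severity(container)
    if severity == "medium":
        return [(SCAN, target)]
    if severity == "high":
        notify = {"to": "soc@example.invalid",  # placeholder recipient
                  "subject": f"Endpoint {endpoint} quarantined by Phantom"}
        return [(QUARANTINE, target), (EMAIL, notify)]
    return []  # low or unknown: leave for analyst review

def run_playbook(container: dict, act: Callable[[str, Dict[str, str]], None]) -> int:
    """Run the plan through act (in Phantom, a wrapper around phantom.act)."""
    plan = plan_actions(container)
    for name, params in plan:
        act(name, params)
    return len(plan)

if __name__ == "__main__":  # constructed sample events, not real data
    for ev in [{"severity": "Medium", "data": {"endpoint_id": "ep-001"}},
               {"severity": "HIGH", "data": {"endpoint_id": "ep-002"}}]:
        run_playbook(ev, lambda name, params: print(f"{name}: {params}"))
```

Keeping the decision in plan_actions, separate from the call that dispatches actions, is what lets the branching be unit-tested outside a Phantom instance.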