Splunk Phantom Integration with Malwarebytes Cloud

Document created by lwei (Employee) on Nov 12, 2018. Last modified by jgolomb on Jun 27, 2019. Version 18.

 

Introduction

Splunk Phantom is a security orchestration platform. Phantom allows you to automate security tasks and to integrate many security technologies. This article describes a Phantom App that allows Malwarebytes Cloud to be automated from within Phantom using a Playbook (i.e. a workflow or run-book).

 

Video

Watch a 13-minute video that covers installing the app, creating a Playbook, and sending events for processing.
Video on YouTube

 

Requirements

  • An account on the Malwarebytes Cloud server (https://cloud.malwarebytes.com).
  • Malwarebytes Public API credentials consisting of an Account ID, Client ID, and Client Secret. You can generate authorization credentials in this Malwarebytes Cloud Console link. See the Configuration section of this article for steps.
  • Access to a Splunk Phantom server.
    • The Malwarebytes Cloud Phantom App is developed and tested against both Phantom 4.1.x and 4.5.x.

 

How To Install Phantom

This section is provided as a convenience and cheat sheet to install Splunk Phantom.

  • Request an account (free) from the Splunk Phantom home page.
  • Download the .OVA template from the Product menu after signing in.
  • Open the .OVA image using a virtual machine manager such as VMware or VirtualBox.
  • Once the Phantom OVA has been installed, it is accessed from a browser at https://ip_address, where ip_address is the IP address of the installed virtual machine.
  • The default administrative account is "admin", and password "password".

 

Installation

Download and install the App in Phantom.
Download the latest Malwarebytes App for Splunk Phantom

 

  • Within the Phantom console, select the Apps item in the drop-down menu in the top left-hand corner.
  • Click the "INSTALL APP" button to upload the tgz file module.

 

Image of Install apps in the Splunk Phantom console.

 

Configuration

  • Search and locate the imported Malwarebytes app.
  • Click the "CONFIGURE NEW ASSET" button.
  • The only configuration needed is to provide the credentials to access the Malwarebytes Cloud instance.

 

Image of configure new asset in Splunk Phantom console.

 

Image of configure new asset in Splunk Phantom console.

To get your Malwarebytes Cloud Account Id:

  1. Log into the Malwarebytes Cloud Console.
  2. Copy the following string of characters found in the URL.
    Image of Malwarebytes Cloud Console web url.
  3. In Splunk Phantom, paste the characters into the Malwarebytes Cloud Account Id field.

 

To get your Malwarebytes Cloud Client Id and Malwarebytes Cloud Client Secret:

  1. Click this Malwarebytes Cloud Console link.
  2. Enter your Malwarebytes Cloud Console administrator credentials.
  3. Click LOG IN > Generate Credentials > YES, GENERATE.
  4. Copy the generated Client Id and paste the Client Id into the Cloud Console Client Id field.
  5. Copy the generated Client Secret and paste the Client Secret in the Cloud Console Client Secret field.
    Image of Client Credentials page in the Malwarebytes Cloud Console.

 

Features

Phantom apps implement a set of Actions, which are the building blocks for creating Playbooks. These are the Actions available from the Malwarebytes App for Phantom.

  • get scan info - Get information about a scan job.
  • get endpoint info - Get information about an endpoint.
  • list endpoints - List all the endpoints/sensors configured on the device.
  • scan and report - Scan an endpoint and report threats found.
  • scan and remediate - Scan an endpoint and remediate threats found.
  • test connectivity - Validate the asset configuration for connectivity using supplied configuration.

 

Support

The best way to get official support help is to create a ticket online at the Malwarebytes business support site.

Create support ticket.

 

Screenshots

  1. An example Playbook showing events coming in and a decision being made to determine the next steps. If the event is of Medium Severity, an Action is invoked to scan and remediate the endpoint. If the event is of High Severity, the endpoint is quarantined and an email is sent to notify the appropriate people.

    Image of example playbook in Splunk Phantom.
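The severity-based decision shown in the screenshot above, written out as an added Python example that is not code from the Malwarebytes App or from Splunk Phantom. The triage function is plain Python so it can be read and tested outside Phantom; it models the Playbook described in this article (Medium severity triggers the Malwarebytes "scan and remediate" Action, High severity triggers a quarantine plus a notification email, anything else gets no automated action) and handles the edge cases a practitioner hits in practice: artifacts with no endpoint identifier, unrecognised severity values, and several artifacts naming the same endpoint. The asset names, the CEF field names (severity, deviceExternalId, sourceHostName), the action parameter names, and the phantom.collect2/phantom.act calls in on_start are all assumptions about your environment, not values taken from this article. "quarantine" and "send email" are not Actions of the Malwarebytes App listed under Features; in the screenshot they come from other apps.

```python
"""Severity triage for Malwarebytes Cloud events, modelled on the Playbook in the article.

Added example; not code from the Malwarebytes App or Splunk Phantom. Asset
names, CEF field names, action parameter names and the phantom.* calls are
assumptions that must be checked against your own Phantom containers.
"""
from collections import OrderedDict

# Asset name given to the Malwarebytes App when it was configured (assumption).
MALWAREBYTES_ASSET = "malwarebytes"

# Normalised severity -> list of (action, asset) pairs, as described for the
# example Playbook. "quarantine" and "send email" are not Malwarebytes App
# actions; the asset names for them are placeholders (assumption).
SEVERITY_PLAN = {
    "low": [],
    "medium": [("scan and remediate", MALWAREBYTES_ASSET)],
    "high": [("quarantine", "endpoint-isolation-asset"), ("send email", "smtp")],
}

_RANK = {"low": 0, "medium": 1, "high": 2}


def normalise_severity(value):
    """Map 'High', ' medium ' or a numeric CEF severity (0-10) to low/medium/high.

    Returns None for anything unrecognised so the caller can refuse to act
    automatically on an event whose severity it does not understand.
    """
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        # Assumed CEF numeric scale: 0-3 low, 4-6 medium, 7-10 high.
        if 0 <= value <= 3:
            return "low"
        if 4 <= value <= 6:
            return "medium"
        if 7 <= value <= 10:
            return "high"
        return None
    text = str(value).strip().lower()
    return text if text in _RANK else None


def plan_actions(artifacts):
    """Return an ordered list of (action, asset, endpoint_id) for one container.

    Artifacts without an endpoint identifier or with an unknown severity are
    skipped. If several artifacts name the same endpoint, only the highest
    severity is kept, so an endpoint is never scanned twice or scanned after
    it has already been quarantined.
    """
    worst = OrderedDict()
    for artifact in artifacts:
        cef = artifact.get("cef", {})
        endpoint = cef.get("deviceExternalId") or cef.get("sourceHostName")
        severity = normalise_severity(cef.get("severity"))
        if not endpoint or severity is None:
            continue
        if endpoint not in worst or _RANK[severity] > _RANK[worst[endpoint]]:
            worst[endpoint] = severity
    plan = []
    for endpoint, severity in worst.items():
        for action, asset in SEVERITY_PLAN[severity]:
            plan.append((action, asset, endpoint))
    return plan


# Constructed sample artifacts standing in for the artifacts of a Phantom container.
SAMPLE_ARTIFACTS = [
    {"cef": {"severity": "Medium", "deviceExternalId": "ep-0001"}},
    {"cef": {"severity": "High", "deviceExternalId": "ep-0002"}},
    {"cef": {"severity": 8, "deviceExternalId": "ep-0001"}},          # escalates ep-0001
    {"cef": {"severity": "Low", "deviceExternalId": "ep-0003"}},       # nothing automated
    {"cef": {"severity": "High"}},                                      # no endpoint id
    {"cef": {"severity": "critical", "deviceExternalId": "ep-0004"}},  # unknown severity
]

try:
    import phantom.rules as phantom  # only importable inside a Phantom playbook
except ImportError:  # pragma: no cover - running outside Phantom
    phantom = None


def on_start(container):
    """Phantom playbook entry point (assumed API): act on the computed plan."""
    rows = phantom.collect2(container=container,
                            datapath=["artifact:*.cef.severity",
                                      "artifact:*.cef.deviceExternalId"])
    artifacts = [{"cef": {"severity": sev, "deviceExternalId": ep}} for sev, ep in rows]
    for action, asset, endpoint in plan_actions(artifacts):
        # Parameter names are assumptions; take the real ones from the app's action docs.
        params = {"endpoint_id": endpoint}
        if action == "send email":
            params = {"to": "soc@example.invalid", "subject": "Endpoint %s quarantined" % endpoint,
                      "body": "High severity Malwarebytes event on %s" % endpoint}
        phantom.act(action, parameters=[params], assets=[asset],
                    name="%s_%s" % (action.replace(" ", "_"), endpoint))


if __name__ == "__main__":
    for step in plan_actions(SAMPLE_ARTIFACTS):
        print(step)
```

Keeping the decision in plan_actions rather than inline in on_start lets you unit-test the triage rules and review them in a pull request before the Playbook is allowed to run Actions against production endpoints.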

Outcomes