Splunk Phantom Integration with Malwarebytes Cloud

Document created by lwei (Employee) on Nov 12, 2018. Last modified by jgolomb on Oct 16, 2019. Version 26.

Introduction

Splunk Phantom is a security orchestration platform. Phantom allows you to automate security tasks and to integrate many security technologies. The Malwarebytes App for Splunk Phantom is a Phantom App that enables Malwarebytes Cloud to be automated from Playbooks (i.e. workflows, or run-books) within Phantom.

 

Video

For a video walk through on this integration, see Integrating Splunk Phantom with the Malwarebytes cloud platform.

 

Requirements

  • An active subscription to Malwarebytes Cloud.
  • Malwarebytes Public API credentials consisting of an Account ID, Client ID, and Client Secret. You can generate authorization credentials in this Malwarebytes Cloud Console link. See the Configuration section of this article for steps.
  • Access to a Splunk Phantom server.
    • The Malwarebytes App has been developed and tested with Phantom 4.1.x and 4.5.x.

 

How to Install Splunk Phantom

This section provides a convenient cheat sheet to install Splunk Phantom.

  1. Request a free account from the Splunk Phantom home page.

  2. Log into your Splunk account and download the .OVA image from the Product menu.

  3. Open the .OVA image using a virtual machine manager such as VMware or VirtualBox.

  4. Install the Phantom OVA using your virtual machine manager.

  5. After installation, you may access Phantom from your web browser at the installed IP address using HTTPS.
  6. The default Phantom administrative account username is "admin", and the default password is "password".

 

Installation

  1. Download the Malwarebytes App for Splunk Phantom .tgz file here.

  2. Log into the Phantom console.

  3. In the top left of the screen, select Apps from the drop-down menu.

  4. Click INSTALL APP to install the downloaded .tgz module into Phantom.

Image of Install apps in the Splunk Phantom console.

 

Configuration

  1. In Phantom's Configured Apps, locate the Malwarebytes app, displayed as Malwarebytes Cloud.

  2. Next to Malwarebytes Cloud, click CONFIGURE NEW ASSET. The only configuration the Malwarebytes App needs is your Malwarebytes Cloud access credentials.

  3. To get your Cloud Console Account ID:
    1. Log into the Malwarebytes Cloud Console.
    2. In the address bar of your browser, copy your Cloud Console Account ID. This is the string of alphanumeric characters and dashes found in your logged-in Cloud Console URL between "malwarebytes.com/" and "/dashboard".
      Image of the Cloud Console Account ID area of the browser address bar after logging into the Malwarebytes Cloud Console.
    3. In Phantom, paste the copied characters into the Malwarebytes Cloud Account ID field.

  4. To get your Cloud Console Client ID and Cloud Console Client Secret:
    1. Click this Malwarebytes Cloud Console link.
    2. Enter your Malwarebytes Cloud Console administrator credentials and click LOG IN.
    3. On the Client Credentials screen, click Generate Credentials > YES, GENERATE.
      Image of Generate Client Credentials screen on the Malwarebytes Cloud Console login page.
    4. Copy the generated Client ID.
    5. In Phantom, paste the Client ID in the Cloud Console Client ID field.
    6. Return to the Malwarebytes Cloud Console and copy the generated Client Secret.
    7. In Phantom, paste the Client Secret in the Cloud Console Client Secret field.

 

Image of configure new asset in Splunk Phantom console.

 

 

Configuration variables

The configuration variables below are required for the Malwarebytes App to operate in conjunction with Malwarebytes Endpoint Protection. These variables are specified when configuring an asset in Phantom.

Variable        Required    Type        Description
clientsecret    required    password    Malwarebytes Cloud Client Secret
clientid        required    string      Malwarebytes Cloud Client ID
accountid       required    string      Malwarebytes Cloud Account ID

 

Action: 'get scan info'

Get information about a scan job.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter    Required    Description            Type      Contains
scan_id      required    Scan ID for the job    string    scan id

 

Action output

Data path                                   Type       Contains    Example values
action_result.parameter.scan_id             string     scan id     0f03a753-555e-4dbd-a3d6-94b19a96799b
action_result.status                        string                 success
action_result.message                       string                 Message from action
summary.total_objects                       numeric                1
summary.total_objects_successful            numeric                1
action_result.data.*.total_count            numeric                2
action_result.data.*.id                     string                 fd47c2e9-83a3-4675-bac4-0133ab3a4f65
action_result.data.*.machine_id             string                 ebc10d20-7a2e-4f69-8313-97a472bc712b
action_result.data.*.from_cloud             boolean                True, False
action_result.data.*.ondemand               boolean                True, False
action_result.data.*.scan_type              string                 ThreatScan
action_result.data.*.started_at             string                 2019-04-25T16:01:01Z
action_result.data.*.started_at_local       string                 2019-04-25T09:01:01-07:00
action_result.data.*.reported_at            string                 2019-04-25T16:01:39.093722Z
action_result.data.*.duration_seconds       numeric                90
action_result.data.*.found_count            numeric                2
action_result.data.*.quarantined_count      numeric                2
action_result.data.*.deleted_count          numeric                0
action_result.data.*.machine_name           string                 desktop7771.domain.com
action_result.data.*.os_platform            string                 WINDOWS
action_result.summary                       string

 

Action: 'get endpoint info'

Get information about an endpoint.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter    Required    Description                                    Type      Contains
hostname     required    Hostname of the endpoint to get information    string    host name

 

Action output

Data path                                   Type       Contains     Example values
action_result.parameter.hostname            string     host name    firmino
action_result.status                        string                  success
action_result.message                       string                  Message from action
summary.total_objects                       numeric                 1
summary.total_objects_successful            numeric                 1
action_result.data.*.id                     string                  6013e073d5a384b4bc1b494f9258a43a6af11a50
action_result.data.*.name                   string                  WIN-V9TNRP1M0G4
action_result.data.*.created_at             string                  2019-05-01T22:03:31.019437Z
action_result.data.*.online                 boolean                 True, False
action_result.data.*.os_release_name        string                  Microsoft Windows 10 Pro
action_result.data.*.os_architecture        string                  AMD64
action_result.data.*.os_platform            string                  WINDOWS
action_result.data.*.last_seen_at           string                  2019-05-04T17:28:00.211005Z
action_result.summary                       string

 

Action: 'list endpoints'

List all the endpoints/sensors configured on the device.

  • Type: investigate
  • Read only: True

 

Action parameters

No parameters are required for this action.

 

Action output

Data path                                             Type       Contains    Example values
action_result.status                                  string                 success
action_result.message                                 string                 failed
summary.total_objects                                 numeric                1, 2
summary.total_objects_successful                      numeric                1, 0
action_result.data.*.total_count                      numeric                7
action_result.data.*.machines.*.name                  string                 wijnaldum
action_result.data.*.machines.*.os_release_name       string                 Microsoft Windows 10 Pro
action_result.data.*.machines.*.created_at            string                 2018-10-19T17:59:32.877626Z
action_result.data.*.machines.*.online                boolean                True, False
action_result.data.*.machines.*.last_seen_at          string                 2018-11-05T05:23:18.615218Z
action_result.data.*.machines.*.os_architecture       string                 AMD64
action_result.data.*.machines.*.os_platform           string                 WINDOWS
action_result.data.*.machines.*.id                    string                 9c3999cb-bdd0-4b01-b7f3-42a2f17ec429
action_result.summary                                 string

 

Action: 'isolate endpoints'

Isolate an endpoint when threats are found.

  • Type: investigate
  • Read only: True

 

Action parameters

Parameter    Required    Description                         Type      Contains
hostname     required    Hostname of endpoint to isolate.    string    host name

 

Action output

Data path                               Type       Contains     Example values
action_result.parameter.hostname        string     host name
action_result.status                    string                  Success, Failed
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

 

Action: 'isolate desktop'

Isolate the desktop of an endpoint when threats are found.

  • Type: investigate
  • Read only: True

 

Action parameters

Parameter    Required    Description                         Type      Contains
hostname     required    Hostname of endpoint to isolate.    string    host name

 

Action output

Data path                               Type       Contains     Example values
action_result.parameter.hostname        string     host name
action_result.status                    string                  Success, Failed
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

 

Action: 'isolate network'

Isolate the network on an endpoint when threats are found.

  • Type: investigate
  • Read only: True

 

Action parameters

Parameter    Required    Description                         Type      Contains
hostname     required    Hostname of endpoint to isolate.    string    host name

 

Action output

Data path                               Type       Contains     Example values
action_result.parameter.hostname        string     host name
action_result.status                    string                  Success, Failed
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

 

Action: 'isolate process'

Isolate a process on an endpoint when threats are found.

  • Type: investigate
  • Read only: True

 

Action parameters

Parameter    Required    Description                         Type      Contains
hostname     required    Hostname of endpoint to isolate.    string    host name

 

Action output

Data path                               Type       Contains     Example values
action_result.parameter.hostname        string     host name
action_result.status                    string                  Success, Failed
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

 

Action: 'deisolate endpoints'

Removes isolation on the endpoint after threats are removed. The endpoint must be rebooted after de-isolation for the action to take effect.

  • Type: investigate
  • Read only: True

 

Action parameters

Parameter    Required    Description                           Type      Contains
hostname     required    Hostname of endpoint to deisolate.    string    host name

 

Action output

Data path                               Type       Contains     Example values
action_result.parameter.hostname        string     host name
action_result.status                    string
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

 

Action: 'scan and report'

Scan an endpoint and report any threats found.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter    Required    Description                                 Type      Contains
hostname     required    Hostname of endpoint to scan and report.    string    host name

 

Action output

Data path                               Type       Contains     Example values
action_result.parameter.hostname        string     host name
action_result.status                    string
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

 

Action: 'scan and remediate'

Scan an endpoint and remediate any threats found.

  • Type: investigate
  • Read only: False

 

Action parameters

Parameter    Required    Description                                    Type      Contains
hostname     required    Hostname of endpoint to scan and remediate.    string    host name

 

Action output

Data path                               Type       Contains     Example values
action_result.parameter.hostname        string     host name
action_result.status                    string
action_result.message                   string
summary.total_objects                   numeric
summary.total_objects_successful        numeric
action_result.summary                   string
action_result.data                      string

 

Action: 'test connectivity'

Validate the asset configuration for connectivity using the supplied configuration.

  • Type: test
  • Read only: True

 

Action parameters

No parameters are required for this action.

 

Action output

No output.

 

Features

Phantom apps implement a set of Actions, which are the building blocks for creating Playbooks. These are the Actions available from the Malwarebytes App.

  • get scan info - Get information about a scan job.
  • get endpoint info - Get information about an endpoint.
  • list endpoints - List all the endpoints/sensors configured on the device.
  • scan and report - Scan an endpoint and report any threats found.
  • scan and remediate - Scan an endpoint and remediate threats found.
  • isolate endpoint - Isolate an endpoint when threats are found.
  • isolate desktop - Desktop Isolation on an endpoint when threats are found.
  • isolate network - Network Isolation on an endpoint when threats are found.
  • isolate process - Process Isolation on an endpoint when threats are found.
  • deisolate endpoint - Deisolate the endpoint when threats are removed.
  • test connectivity - Validate the asset configuration for connectivity using supplied configuration.

 

Support

Visit the Malwarebytes Business Support page to contact our Support team or create a ticket online.

 

 

Playbook example

Below is an example Playbook in which incoming events pass through a decision block that determines the next steps.

  • If the event is of Medium Severity, an Action is invoked to scan and remediate the endpoint.
  • If the event is of High Severity, it will be quarantined, with an email being sent to notify the appropriate people.

    Image of example playbook in Splunk Phantom.
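As an added example that is not part of the original article or of the Malwarebytes app's own code, the Playbook decision described above and the 'get scan info' result fields documented earlier on this page, written as stand-alone Python (the language Phantom playbooks are written in). The artifact field names `severity` and `sourceHostName`, the `send email` step and the shape of the `results` list are assumptions; the Malwarebytes action names and data paths are the ones listed on this page.

```python
# Added example, not code from the article or from the Malwarebytes app: the
# severity decision of the example Playbook, plus a follow-up check over the
# fields 'get scan info' returns under action_result.data.*. Phantom playbooks
# are Python; the phantom.act() calls are left out so this runs stand-alone.
# Artifact field names (severity, sourceHostName) and "send email" are assumed.

def choose_actions(artifact):
    """Map an event's severity to the Malwarebytes actions the Playbook runs;
    returns (action name, parameters) tuples in execution order."""
    host = artifact["sourceHostName"]
    severity = (artifact.get("severity") or "").lower()
    if severity == "medium":
        return [("scan and remediate", {"hostname": host})]
    if severity == "high":
        # Quarantine first, then notify the responders.
        return [("isolate endpoint", {"hostname": host}),
                ("send email", {"subject": "Endpoint %s isolated" % host})]
    return []  # anything else: no automated response, leave for triage

def threats_remaining(scan_results):
    """Per machine_name, detections neither quarantined nor deleted.

    `scan_results` is shaped like the `results` list a Phantom callback gets:
    each entry has a "data" list whose rows carry the data paths on this page
    (found_count, quarantined_count, deleted_count, machine_name).
    """
    remaining = {}
    for result in scan_results:
        for row in result.get("data", []):
            handled = row.get("quarantined_count", 0) + row.get("deleted_count", 0)
            remaining[row["machine_name"]] = max(row.get("found_count", 0) - handled, 0)
    return remaining

def next_step(scan_results):
    """Keep hosts with leftover detections isolated for an analyst; a clean
    result can be de-isolated (the page notes a reboot is then required)."""
    return {host: "isolate endpoint" if left else "deisolate endpoint"
            for host, left in threats_remaining(scan_results).items()}

# Constructed sample: the first row mirrors the example values on this page,
# the second is a host where remediation left one detection behind.
SAMPLE_RESULTS = [{"status": "success", "data": [
    {"machine_name": "desktop7771.domain.com", "scan_type": "ThreatScan",
     "found_count": 2, "quarantined_count": 2, "deleted_count": 0},
    {"machine_name": "laptop42.domain.com", "scan_type": "ThreatScan",
     "found_count": 3, "quarantined_count": 1, "deleted_count": 1},
]}]
```

In a real playbook each returned tuple becomes a phantom.act() call against the Malwarebytes asset, and next_step() would run in the callback of 'get scan info'.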
