Introduction
Splunk Phantom is a security orchestration platform. Phantom allows you to automate security tasks and integrate many security technologies. The Malwarebytes App for Splunk Phantom is a Phantom App that lets Nebula be automated from Phantom Playbooks (i.e., workflows or run-books).
Requirements
- An active Nebula subscription.
- Malwarebytes Public API credentials consisting of an Account ID, Client ID, and Client Secret. You can generate authorization credentials in Nebula. See the Configuration section of this article for steps.
- Access to a Splunk Phantom server.
- The Malwarebytes App is developed and tested against Phantom 4.1.x and 4.5.x.
How to Install Splunk Phantom
This section provides a convenient cheat sheet to install Splunk Phantom.
- Request a free account from the Splunk Phantom home page.
- Log into your Splunk account and download the .OVA image from the Product menu.
- Open the .OVA image using a virtual machine manager such as VMware or VirtualBox.
- Install the Phantom OVA using your virtual machine manager.
- After installation, you may access Phantom from your web browser at the installed IP address using HTTPS.
- The default Phantom administrative account username is "admin", and the default password is "password".
Installation
- Download the Malwarebytes App for Splunk Phantom .tgz file here.
- Log into the Phantom console.
- In the top left of the screen, select Apps from the drop-down menu.
- Click INSTALL APP to install the downloaded .tgz module into Phantom.
Configuration
- In Phantom's Configured Apps, locate the Malwarebytes app, displayed as Malwarebytes Cloud.
- Next to Malwarebytes Cloud, click CONFIGURE NEW ASSET. The only configuration the Malwarebytes App needs is your Nebula access credentials.
- To get your Cloud Console Account ID:
  - Log into Nebula.
  - In the address bar of your browser, copy your Cloud Console Account ID. This is the string of alphanumeric characters and dashes in your logged-in Nebula platform URL between "malwarebytes.com/" and "/dashboard".
  - In Phantom, paste the copied characters into the Malwarebytes Cloud Account ID field.
- To get your Cloud Console Client ID and Cloud Console Client Secret:
  - Click this Nebula link.
  - Enter your Nebula administrator credentials and click LOG IN.
  - Click Add, provide the Application name, select the required access, then click Save.
  - Copy the generated Client ID.
  - In Splunk Phantom, paste the Client ID into the Cloud Console Client ID field.
  - Return to the Malwarebytes Cloud Console and copy the generated Client Secret.
  - In Splunk Phantom, paste the Client Secret into the Cloud Console Client Secret field.
Configuration variables
The configuration variables below are required for the Malwarebytes App to operate in conjunction with Endpoint Protection. These variables are specified when configuring an asset in Phantom.
Variable | Required | Type | Description |
clientsecret | required | password | Nebula Client Secret |
clientid | required | string | Nebula Client ID |
accountid | required | string | Nebula Account ID |
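The three asset variables are copied by hand out of a browser address bar and an application page, so the usual failure when 'test connectivity' fails is a mangled value rather than a revoked credential. The following is an added example, not code from the Malwarebytes App or from Phantom: it pulls the Account ID out of a Nebula URL using the rule given in the Configuration steps, checks that the three variables from the table above are present and clean, and masks the password-typed variable before anything is logged. The host name in the sample URL and all sample values are constructed.

```python
"""Pre-flight checks for a Malwarebytes Cloud asset configuration (added example).

Variable names follow the configuration-variables table (accountid, clientid,
clientsecret). The URL rule follows the Configuration steps: the Account ID is
the segment between "malwarebytes.com/" and "/dashboard". Sample values are
constructed and are not real credentials.
"""
import re
from typing import Dict, List, Optional

# Required asset variables and their Phantom types, as listed in the table.
REQUIRED_VARS: Dict[str, str] = {
    "accountid": "string",
    "clientid": "string",
    "clientsecret": "password",
}

_ACCOUNT_ID_IN_URL = re.compile(r"malwarebytes\.com/([A-Za-z0-9-]+)/dashboard")
_ACCOUNT_ID_SHAPE = re.compile(r"[A-Za-z0-9-]+")


def account_id_from_url(url: str) -> Optional[str]:
    """Return the Account ID segment of a logged-in Nebula URL, or None if absent."""
    m = _ACCOUNT_ID_IN_URL.search(url)
    return m.group(1) if m else None


def validate_asset_config(config: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the asset config is complete."""
    problems: List[str] = []
    for name in REQUIRED_VARS:
        value = config.get(name)
        if value is None or not str(value).strip():
            problems.append(f"{name}: required value is missing or empty")
        elif str(value) != str(value).strip():
            problems.append(f"{name}: has leading/trailing whitespace (copy-paste artefact?)")
    acct = str(config.get("accountid", "")).strip()
    if acct and not _ACCOUNT_ID_SHAPE.fullmatch(acct):
        # A whole URL was pasted instead of the segment between the two markers.
        problems.append(
            "accountid: must contain only letters, digits and dashes "
            "(copy only the segment between 'malwarebytes.com/' and '/dashboard')"
        )
    return problems


def redact_for_log(config: Dict[str, str]) -> Dict[str, str]:
    """Copy of the config that is safe to log: password-typed variables are masked."""
    return {
        name: ("***" if REQUIRED_VARS.get(name) == "password" else value)
        for name, value in config.items()
    }


# Constructed sample values (not real credentials).
SAMPLE_URL = "https://cloud.malwarebytes.com/1a2b3c4d-0000-4e5f-8aaa-bbbbccccdddd/dashboard"
GOOD_CONFIG = {
    "accountid": "1a2b3c4d-0000-4e5f-8aaa-bbbbccccdddd",
    "clientid": "example-client-id",
    "clientsecret": "example-client-secret",
}

if __name__ == "__main__":
    print("account id from URL:", account_id_from_url(SAMPLE_URL))
    print("problems:", validate_asset_config(GOOD_CONFIG) or "none")
    print("loggable config:", redact_for_log(GOOD_CONFIG))
```

Run the checks before saving the asset; a non-empty problem list explains a failing 'test connectivity' faster than the action's own message does.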
Action: 'get scan info'
Get information about a scan job.
- Type: investigate
- Read only: False
Action parameters
Parameter | Required | Description | Type | Contains |
scan_id | required | Scan ID for the job | string | scan id |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.scan_id | string | scan id | 0f03a753-555e-4dbd-a3d6-94b19a96799b |
action_result.status | string | | success |
action_result.message | string | | Message from action |
summary.total_objects | numeric | | 1 |
summary.total_objects_successful | numeric | | 1 |
action_result.data.*.total_count | numeric | | 2 |
action_result.data.*.id | string | | fd47c2e9-83a3-4675-bac4-0133ab3a4f65 |
action_result.data.*.machine_id | string | | ebc10d20-7a2e-4f69-8313-97a472bc712b |
action_result.data.*.from_cloud | boolean | | True, False |
action_result.data.*.ondemand | boolean | | True, False |
action_result.data.*.scan_type | string | | ThreatScan |
action_result.data.*.started_at | string | | 2019-04-25T16:01:01Z |
action_result.data.*.started_at_local | string | | 2019-04-25T09:01:01-07:00 |
action_result.data.*.reported_at | string | | 2019-04-25T16:01:39.093722Z |
action_result.data.*.duration_seconds | numeric | | 90 |
action_result.data.*.found_count | numeric | | 2 |
action_result.data.*.quarantined_count | numeric | | 2 |
action_result.data.*.deleted_count | numeric | | 0 |
action_result.data.*.machine_name | string | | desktop7771.domain.com |
action_result.data.*.os_platform | string | | WINDOWS |
action_result.summary | string | | |
Action: 'get endpoint info'
Get information about an endpoint.
- Type: investigate
- Read only: False
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of the endpoint to get information | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | firmino |
action_result.status | string | | success |
action_result.message | string | | Message from action |
summary.total_objects | numeric | | 1 |
summary.total_objects_successful | numeric | | 1 |
action_result.data.*.id | string | | 6013e073d5a384b4bc1b494f9258a43a6af11a50 |
action_result.data.*.name | string | | WIN-V9TNRP1M0G4 |
action_result.data.*.created_at | string | | 2019-05-01T22:03:31.019437Z |
action_result.data.*.online | boolean | | True, False |
action_result.data.*.os_release_name | string | | Microsoft Windows 10 Pro |
action_result.data.*.os_architecture | string | | AMD64 |
action_result.data.*.os_platform | string | | WINDOWS |
action_result.data.*.last_seen_at | string | | 2019-05-04T17:28:00.211005Z |
action_result.summary | string | | |
Action: 'list endpoints'
List all the endpoints/sensors configured on the device.
- Type: investigate
- Read only: True
Action parameters
No parameters are required for this action.
Action output
Data path | Type | Contains | Example values |
action_result.status | string | | success |
action_result.message | string | | failed |
summary.total_objects | numeric | | 1, 2 |
summary.total_objects_successful | numeric | | 1, 0 |
action_result.data.*.total_count | numeric | | 7 |
action_result.data.*.machines.*.name | string | | wijnaldum |
action_result.data.*.machines.*.os_release_name | string | | Microsoft Windows 10 Pro |
action_result.data.*.machines.*.created_at | string | | 2018-10-19T17:59:32.877626Z |
action_result.data.*.machines.*.online | boolean | | True, False |
action_result.data.*.machines.*.last_seen_at | string | | 2018-11-05T05:23:18.615218Z |
action_result.data.*.machines.*.os_architecture | string | | AMD64 |
action_result.data.*.machines.*.os_platform | string | | WINDOWS |
action_result.data.*.machines.*.id | string | | 9c3999cb-bdd0-4b01-b7f3-42a2f17ec429 |
action_result.summary | string | | |
Action: 'isolate endpoints'
Isolate an endpoint when threats are found.
- Type: investigate
- Read only: True
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of endpoint to isolate. | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | |
action_result.status | string | | Success, Failed |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
action_result.summary | string | | |
action_result.data | string | | |
Action: 'isolate desktop'
Isolate the desktop of an endpoint when threats are found.
- Type: investigate
- Read only: True
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of endpoint to isolate. | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | |
action_result.status | string | | Success, Failed |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
action_result.summary | string | | |
action_result.data | string | | |
Action: 'isolate network'
Isolate the network on an endpoint when threats are found.
- Type: investigate
- Read only: True
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of endpoint to isolate. | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | |
action_result.status | string | | Success, Failed |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
action_result.summary | string | | |
action_result.data | string | | |
Action: 'isolate process'
Isolate a process on an endpoint when threats are found.
- Type: investigate
- Read only: True
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of endpoint to isolate. | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | |
action_result.status | string | | Success, Failed |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
action_result.summary | string | | |
action_result.data | string | | |
Action: 'deisolate endpoints'
Removes isolation on the endpoint after threats are removed. The endpoint must be rebooted after de-isolation for the action to take effect.
- Type: investigate
- Read only: True
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of endpoint to de-isolate. | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | |
action_result.status | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
action_result.summary | string | | |
action_result.data | string | | |
Action: 'scan and report'
Scan an endpoint and report any threats found.
- Type: investigate
- Read only: False
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of endpoint to scan. | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | |
action_result.status | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
action_result.summary | string | | |
action_result.data | string | | |
Action: 'scan and remediate'
Scan an endpoint and remediate any threats found.
- Type: investigate
- Read only: False
Action parameters
Parameter | Required | Description | Type | Contains |
hostname | required | Hostname of endpoint to scan and remediate. | string | host name |
Action output
Data path | Type | Contains | Example values |
action_result.parameter.hostname | string | host name | |
action_result.status | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
action_result.summary | string | | |
action_result.data | string | | |
Action: 'test connectivity'
Validate the asset configuration for connectivity using the supplied configuration.
- Type: test
- Read only: True
Action parameters
No parameters are required for this action.
Action output
No output.
Features
Phantom apps implement a set of Actions, which are the building blocks for creating Playbooks. These are the Actions available from the Malwarebytes App.
- get scan info - Get information about a scan job.
- get endpoint info - Get information about an endpoint.
- list endpoints - List all the endpoints/sensors configured on the device.
- scan and report - Scan an endpoint and report any threats found.
- scan and remediate - Scan an endpoint and remediate any threats found.
- isolate endpoint - Isolate an endpoint when threats are found.
- isolate desktop - Desktop Isolation on an endpoint when threats are found.
- isolate network - Network Isolation on an endpoint when threats are found.
- isolate process - Process Isolation on an endpoint when threats are found.
- deisolate endpoint - Deisolate the endpoint when threats are removed.
- test connectivity - Validate the asset configuration for connectivity using supplied configuration.
Support
Visit the Business Support page to contact our Support team or create a ticket online.
Playbook example
Below is an example Playbook with events coming in and a decision being made to determine the next steps.
- If the event is of Medium Severity, an Action is invoked to scan and remediate the endpoint.
- If the event is of High Severity, it will be quarantined, with an email being sent to notify the appropriate people.
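The decision logic of that Playbook, together with the check a playbook should make on a 'get scan info' result before treating a Medium Severity event as closed, as an added example; this is not a Playbook shipped with the Malwarebytes App or Phantom. In a real Phantom Playbook the returned action names would be launched with phantom.act() from the Playbook's callbacks; here routing and result evaluation are plain functions so they can be exercised offline. The result keys follow the 'get scan info' action output table (found_count, quarantined_count, deleted_count, machine_name). Assumptions: "quarantined" in the High Severity branch is read as the 'isolate endpoints' action, the e-mail step is represented by a generic 'send email' action name, the severity labels are Phantom's container severities, and the second scan record in the sample result is constructed.

```python
"""Playbook decision logic for the Malwarebytes actions (added example, not a shipped Playbook).

Routing follows the page's description: Medium Severity -> 'scan and remediate',
High Severity -> quarantine (assumed to mean 'isolate endpoints') plus an e-mail.
evaluate_scan() reads a 'get scan info' result: threats that were found but
neither quarantined nor deleted are treated as still present on the endpoint.
"""
from typing import Dict, List


def route_by_severity(severity: str) -> List[Dict[str, str]]:
    """Map a container severity to the first actions the Playbook runs."""
    sev = (severity or "").strip().lower()
    if sev == "medium":
        return [{"action": "scan and remediate"}]
    if sev == "high":
        # Assumption: "quarantined" on the page means the 'isolate endpoints'
        # action; 'send email' stands in for the notification step.
        return [{"action": "isolate endpoints"}, {"action": "send email"}]
    return []  # Low or unknown severity: leave for analyst triage.


def evaluate_scan(action_result: dict) -> dict:
    """Summarise a 'get scan info' result.

    Returns complete=True only when every scan record reports that all threats
    found were quarantined or deleted. Hosts with threats still present are
    listed so the Playbook can branch to an isolation action.
    """
    if action_result.get("status") != "success":
        return {"complete": False, "remaining": 0, "hosts": [],
                "error": str(action_result.get("message", ""))}
    hosts: List[str] = []
    remaining = 0
    for scan in action_result.get("data", []):
        found = int(scan.get("found_count", 0))
        handled = int(scan.get("quarantined_count", 0)) + int(scan.get("deleted_count", 0))
        left = max(found - handled, 0)
        if left:
            remaining += left
            hosts.append(str(scan.get("machine_name") or scan.get("machine_id") or "unknown"))
    return {"complete": remaining == 0, "remaining": remaining, "hosts": hosts, "error": ""}


def followup_after_scan(action_result: dict) -> List[Dict[str, str]]:
    """Actions to run once the scan job has been checked with 'get scan info'."""
    ev = evaluate_scan(action_result)
    if ev["error"]:
        return [{"action": "send email", "reason": "get scan info failed: " + ev["error"]}]
    return [{"action": "isolate endpoints", "hostname": host} for host in ev["hosts"]]


# Sample 'get scan info' result. The first record uses the example values from
# the action output table; the second record is constructed to show a scan
# that found more than it could quarantine.
SAMPLE_SCAN_RESULT = {
    "status": "success",
    "message": "Message from action",
    "data": [
        {"id": "fd47c2e9-83a3-4675-bac4-0133ab3a4f65",
         "machine_name": "desktop7771.domain.com", "scan_type": "ThreatScan",
         "found_count": 2, "quarantined_count": 2, "deleted_count": 0},
        {"id": "CONSTRUCTED-SCAN-ID-2",
         "machine_name": "lab-host-02.example.com", "scan_type": "ThreatScan",
         "found_count": 3, "quarantined_count": 1, "deleted_count": 0},
    ],
}

if __name__ == "__main__":
    for sev in ("Medium", "High", "Low"):
        print(sev, "->", route_by_severity(sev))
    print("scan evaluation:", evaluate_scan(SAMPLE_SCAN_RESULT))
    print("follow-up actions:", followup_after_scan(SAMPLE_SCAN_RESULT))
```

The point of evaluate_scan() is that 'scan and remediate' returning success does not by itself mean the endpoint is clean: the counts in the scan record are what say whether remediation covered everything found, and a non-success status from 'get scan info' should be escalated rather than silently treated as "no threats".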