In order to do this we need to configure the apps in the Phantom that we would like to use the actions from. Once the events are within a Phantom “container” we can then begin to carry out some actions against them. After installing and configuring the app (A simple process that is carried out via a configuration page) we are ready to write a search to capture events to be forwarded to Phantom.īut what events shall we send? What would be a suitable use case for testing? Are there any practical home-based used cases available? To begin with, I recommend installing the Phantom app for Splunk and get some events sent over to Phantom for further actions. The Latter allows for polling of events, pushing searches to Splunk as well as actions like updating a notable event in Enterprise Security, Splunk’s premium SIEM-like capability. The former allows you to carry out searches within Splunk and push the resultant events to Phantom for further actioning. For Splunk there is the “Phantom App for Splunk” and for Phantom…you guessed it… the “Splunk” app for Phantom. Both products have an app available that allows integration with each other. Once we have both in a state were we can access the Web GUI for both, we are ready to start integrating the products. Next we need to install and configure both as per the Splunk and Phantom installation documentation respectively. This is straightforward, with Splunk offering a free version for download (all you need to do is sign up for a free Splunk account) for various platforms, as well as a free Phantom Community Edition offering in the form on an OVA. I had seen Phantom in action previously, and I was impressed by the capability to easily build digitised playbooks which, at their heart are powerful and flexible python elements, but can be built quickly and easily using a graphical drag-and-drop interface.Īnother factor also happens to be that, Like Splunk, Phantom offers a free version!Īfter attending a Phantom familiarisation session, I was keen to better understand how Splunk and Phantom integrate – Which gave me the perfect excuse…err…reason to integrate Phantom into my Splunk instance at Home.įirst things first, we will need a copy of both Splunk and Phantom. To start using Kaspersky Threat Intelligence Portal for Splunk Phantom, you have to configure it.Having worked with Splunk for over 7 years, I was excited to learn that Splunk was acquiring Phantom.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |