This article deals with querying Splunk from within Phantom to enable automation of security use-cases. Often it is required to act upon data within Splunk, or to augment case details in Phantom by querying Splunk for additional information. There are a number of use-cases or playbooks in Phantom that require information within Splunk to be queried. These could include functionalities such as:

- Querying the proxy logs to find other users that clicked on a malicious link. These users could undergo an automatic password reset, or a full malware scan of their machine could be initiated.
- Querying the email logs to determine which other users were the target of a phishing campaign.
- Querying firewall logs to determine if a call-out was made to a C&C server. This could indicate compromise of a client machine that needs to be remediated.

For the example in this article, we will look at finding users in the organisation that clicked on a malicious link in a phishing email.

Security Considerations

There are a number of security considerations we need to keep in mind when setting up the integration between Splunk and Phantom, as well as when executing security playbooks.

Valid TLS certificates on Splunk Web and Phantom

It is recommended that a valid TLS certificate is installed on the Search Head or cluster that is to be queried by Phantom.
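The proxy-log use-case above starts from an indicator taken out of a phishing email, so the search a playbook sends to Splunk is built from attacker-controlled input. The following added example (not code from the original article or from Phantom) shows how to escape such an indicator before embedding it in the SPL string and how to collect the affected users from the stats results; the index and field names (index=proxy, url, action, user) are assumptions about the data model.

```python
import re

# Constructed example. Index and field names are assumptions; adjust them
# to the proxy source type actually indexed in your Splunk deployment.


def spl_quote(value: str) -> str:
    """Escape a value for use inside a double-quoted SPL string literal.

    Backslashes and double quotes are escaped so that an indicator lifted
    from a phishing email cannot terminate the literal and append its own
    search commands to the query Phantom sends to Splunk.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_proxy_search(malicious_url: str, earliest: str = "-24h") -> str:
    """Build the proxy-log search that lists which users clicked the link."""
    # Only accept a simple relative time window so the time bound cannot be
    # used to smuggle in additional search syntax either.
    if not re.fullmatch(r"-\d+[smhd]", earliest):
        raise ValueError("earliest must be a relative time such as -24h")
    return (
        f"search index=proxy earliest={earliest} action=allowed "
        f'url="{spl_quote(malicious_url)}" '
        "| stats count AS clicks, min(_time) AS first_click BY user"
    )


def users_from_results(rows):
    """Return the sorted, de-duplicated users from the stats result rows.

    rows is the list of dicts Splunk returns for the search; each dict has
    the stats output fields (user, clicks, first_click).
    """
    return sorted({row["user"] for row in rows if row.get("user")})


# Constructed sample rows, shaped like the stats output of the search above.
SAMPLE_ROWS = [
    {"user": "alice", "clicks": "2", "first_click": "1700000000"},
    {"user": "bob", "clicks": "1", "first_click": "1700000300"},
    {"user": "alice", "clicks": "1", "first_click": "1700000900"},
]
```

The returned user list is what a playbook would then feed into the password-reset or malware-scan actions mentioned above.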