
# Install Splunk Phantom password
Note: If using Splunk App version 2.11.0 or newer, use token authentication rather than password authentication for increased security. Replace carbonblackcloud if a non-default index is configured in Splunk Enterprise to store Carbon Black Cloud events.

The "Command for query to use with On Poll" setting needs to be set to search, and the "Query to use with On Poll" setting needs to be set to index="*carbonblackcloud".

- Select a polling interval or schedule to configure polling on this asset.
- Go to the "Ingest Settings" tab and enable polling on the asset.
- Set Minimum Alert Severity to the lowest severity to be ingested to Splunk SOAR.
- Click on the corresponding checkbox to enable fetching a specific type of alerts (CB_ANALYTICS alerts, DEVICE_CONTROL alerts, WATCHLIST alerts (requires Enterprise EDR), CONTAINER_RUNTIME alerts (requires Container Security)).
- Go to the "Asset Settings" tab and add the Carbon Black Cloud instance URL, Carbon Black Cloud Org Key, API ID and API Secret Key to their respective fields.
- Go to the "Asset Info" tab and enter "Asset name".
- Go to Apps > Unconfigured Apps > Carbon Black Cloud, click Configure New Asset.
- Copy Carbon Black Cloud console URL (including the " and ORG KEY.
- Copy the API Secret Key and API ID from the pop-up modal.
- Enter a "Name", click on the "Access Level type" dropdown, select "Custom", click on the "Custom Access Level" dropdown and select the level you created in step 2, then click Save.

- Go to the "API Keys" tab and click "Add API Key".
- _Note: Refer to the SOAR actions table to determine permissions for the actions you want to enable._
- Live Response Session () - CREATE, READ, DELETE
- Live Response Process () - EXECUTE, READ, DELETE
- Fill in the "Name" and "Description" fields, grant the new Access Level with the following RBAC permissions and click Save.
- Applications (org.reputations) - CREATE, DELETE
- Custom Detections (org.watchlists) - CREATE, READ, UPDATE, DELETE
- Custom Detections (org.feeds) - CREATE, READ, UPDATE, DELETE
- Open your Carbon Black Cloud console, go to Settings > API Access, select "Access Levels" and click "Add Access Level".
- Note: For VMware Carbon Black Cloud customers who use VMware Cloud Services Platform for Identity and Access Management, OAuth App Id and OAuth App Secret can be used.
