With Phantom, you can automate tasks through security playbooks, orchestrate workflows and support a broad range of SOC (Security Operations Center) functions including events, case management, collaboration and reporting. Phantom collects security events and reports from different sources, providing a unified security operations engine on top of them. Phantom is a security orchestration platform, part of Splunk product portfolio. This is how Falco and Splunk Phantom can be integrated together to do this.
Splunk phantom software#
This way, you can define and orchestrate multiple workflows involving different software both for sourcing and responding. These responses can be automated in what is called security playbooks. Note that the integration relies on forwarding events from the Security Hub to the SQS queue, so the app will only know about any findings that were created after the Cloud Formation template was run in Step 1.Container security orchestration allows to define within your security policy how you are going to respond to your different container security incidents. You are now ready to start consuming Security Hub Findings in Phantom!Īny new Security Hub Findings will now appear on your Phantom "Events" page according to your polling interval. Once you have configured the Asset Info, Ingest Settings, and Asset Settings select Save to finalize your app configuration. SQS URL - The URL provided by the Cloud Formation template from part 1 of this guide.
Setting up the Security Hub Phantom app requires input on 3 configuration tabs. Impoprtant These instructions require the Phantom Security Hub app v1.1 or higher - if you are running an older version, be sure to upgraded it by selecting "Upgrade Apps" in your phantom instance or downloading the latest version of the app from my./apps and manually installing it. Select "Configure New Asset" for the v1.1+ Security Hub App.
Splunk phantom install#
Search for the Security Hub app - if you don't find it in your search results, you may need to select the New Apps and install the app before proceeding. If you are new to Phantom you can easily launch the Phantom Communinity Edition availabile in the AWS Marketplace.
Next, login to your Splunk Phantom instance. The template will generate a new CloudWatch Event Rule which will forward all new Security Hub findings to an SQS Queue.Īfter the Cloud Formation stack has been created be sure to take note of the securityHubToPhantomSQSURL field in the output - you will need it later. Start by navigating to the CloudFormation page on your AWS console and running CloudFormation template linked below. Instructions 1 - Forward Security Hub Alerts to a SQS Queue Phantom in turn uses a standard IAM access credentials to communicate with Security Hub. The integration is built on leveraging AWS Cloud Watch Events to forward Findings into a SQS Queue, from which they are picked up and consumed by Phantom.
Splunk phantom how to#
This document explains how to configure a bi-direction integration between Splunk Phantom and AWS Security Hub. Connecting Splunk Phantom to AWS Security Hub
0 kommentar(er)
