The team at Cyderes is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the Cyber Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of HG’s experts will provide advice and insights based on their extensive experience in the infosec industry. Make sure to subscribe below and feel free to connect with us about topics and questions you would like to see covered.
Contributed By: Mike Kramer, Sr. Security Consultant
As more organizations settle into remote or hybrid work environments, there is often confusion about how to integrate cloud platforms with technology that remains on-premises. One example is fully integrating Splunk Cloud with Splunk's own on-prem SOAR platform, Phantom (since rebranded as Splunk SOAR).
Between the list of network ports, the multiple Splunk apps involved, and simply knowing what is possible between the two products, many security teams are left wondering how to integrate Phantom with Splunk Cloud.
Breaking Down the Concepts
To make sense of it all, let’s break it down into the 4 main functions that are possible between Splunk Cloud and Phantom.
- Ingest Phantom Event Data (Phantom Reporting)
- Sending Events from Splunk Cloud to Phantom
- Remote Search – Query Splunk from Phantom Playbooks
- Ingest Log Files from Phantom
Some organizations may not want or need all four of these integrations, but enabling all four is highly recommended to get the most out of both products. Each integration requires one or more Splunk apps as well as specific ports to be opened between Splunk Cloud and the on-prem Phantom instance.
Before we proceed, note that Phantom should sit in a DMZ, because integration #2 (sending events from Splunk Cloud to Phantom) requires it to accept inbound TCP 443 traffic from Splunk Cloud. Scope that inbound rule to the egress addresses of your Splunk Cloud stack rather than to any source, and keep the Phantom web interface itself behind your normal access controls; the DMZ placement is for the Splunk Cloud connection only.
Another best practice that is often missed is TLS certificate verification for Remote Search. Phantom connects to the Splunk Cloud search head's management port (TCP 8089), and the certificate presented there is not one the Phantom server can verify out of the box, so Remote Search with verification enabled fails until the proper steps are taken with Splunk Support. To enable it, the certificate on the management port of the Cloud search heads must be replaced with one signed by a public CA that the Phantom server trusts. This is done through a Splunk Support request. Do not work around the failure by disabling certificate verification in the Remote Search configuration, as that leaves the Splunk credential Phantom uses exposed to interception.
Step 1 – Installing the Apps
To proceed with the integration, install the relevant Splunk Apps and Add-ons (also known as Technical Add-ons or TAs). Splunk Support will be required to install most of the TAs. Make sure to specify that you need the Phantom TA and Phantom Remote Search installed on the Cloud Indexers as well as on the ES (Enterprise Security) Search Head. If your organization does not have ES, these can be installed on the main Cloud Search Head.
The following four apps should be installed:
- Phantom App for Splunk (sends alerts from Splunk → Phantom on TCP 443) https://splunkbase.splunk.com/app/3411/
- Splunk Add-on for Phantom (provides the inputs the Universal Forwarder on Phantom uses to send Phantom logs → Splunk on TCP 9997) https://splunkbase.splunk.com/app/4726/
- Phantom Remote Search (REST API requests from Phantom → Splunk on TCP 8089) https://splunkbase.splunk.com/app/4153/
- Splunk App for Phantom Reporting (Phantom sends reporting data → Splunk via HEC on TCP 443) https://splunkbase.splunk.com/app/4399/
Each app needs to be installed in the following manner (placements as described in Step 1 and Step 3; the Phantom Instance column refers to the Universal Forwarder on the Phantom server):
|App Name|Splunk Cloud ES Search Head|Splunk Cloud Indexers|Phantom Instance|
|Phantom App for Splunk|X|||
|Splunk Add-on for Phantom (Phantom TA)|X|X|X|
|Phantom Remote Search|X|X||
|Splunk App for Phantom Reporting|X|||
The Phantom server will also need a Splunk Universal Forwarder installed, with its outputs configured the same way as the rest of the Splunk deployment, so that the Splunk Add-on for Phantom inputs are forwarded to the Cloud indexers.
Step 2 – Allow the Network Communications
To enable the network communications between Phantom and Splunk Cloud, the following ports need to be allowed (directions are from the Phantom server's perspective):
- TCP 443 inbound – Phantom's REST API, which receives alerts sent from Splunk Cloud (restrict the source to your Splunk Cloud stack)
- TCP 9997 outbound – Universal Forwarder traffic carrying Phantom logs to the Splunk Cloud indexers
- TCP 8089 outbound – Remote Search API calls to the Splunk Cloud search head
- TCP 443 outbound – Phantom Reporting data sent via HEC (HTTP Event Collector) tokens to Splunk Cloud.
The endpoint will be: https://http-inputs-<org_name>.splunkcloud.com/services/collector
“Herjavec Group’s Splunk expertise as a service delivery partner is highly valued by Splunk and many of our joint clients. As both a customer and top global partner of Splunk’s, HG is uniquely positioned to deploy and operationalize Splunk security environments.”
-Splunk President & CEO, Doug Merritt
Step 3 – Additional Requirements by Function
There are additional requirements for each of the four main functions that are part of the Phantom integration with Splunk Cloud. They are listed below by function.
1. Ingest Phantom Event Data (Phantom Reporting)
- Create HEC token in Splunk Cloud
- Create Splunk users to search and delete Phantom data
- Configure Phantom to send data to Splunk Cloud
2. Sending Events from Splunk Cloud to Phantom
- Configure Splunk to send specific events to Phantom as needed
- Create Phantom users for automation and enable role-based permissions
3. Remote Search – Query Splunk from Phantom Playbooks
- Configure playbooks to run Splunk functions from Phantom
- Splunk Support must allowlist the Phantom instance's public (egress) IP address for inbound TCP 8089 on the Splunk Cloud search head; the management port is not open to arbitrary sources
4. Ingest Log Files from Phantom
- Enable the inputs in the Splunk Add-on for Phantom on the Universal Forwarder running on the Phantom server
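The two Phantom → Splunk Cloud paths above (HEC for Phantom Reporting, and the TLS-verified Remote Search connection on TCP 8089) are the ones that most often fail silently after the firewall work is done. The following preflight script is an added example written for this post; it is not code from the original article, from Splunk, or from Phantom. It assumes the HEC URL form given in Step 2, the standard `Authorization: Splunk <token>` HEC header and `{"text": ..., "code": N}` reply, and a search head hostname of `<org_name>.splunkcloud.com` (an assumption; use whatever hostname Remote Search is configured against). `ORG_NAME`, `HEC_TOKEN` and the sample event are placeholders, not values from the post.

```python
"""Preflight for Phantom -> Splunk Cloud: HEC reporting path and 8089 TLS trust.

Added example for this post (not Splunk's or Phantom's code). The stack name,
token and sample event below are constructed placeholders.
"""
import json
import socket
import ssl
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

ORG_NAME = "example-org"                                # assumption: your Splunk Cloud stack name
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"      # placeholder: HEC token created per Step 3, #1


def hec_endpoint(org_name):
    """HEC URL in the form the post gives for Splunk Cloud (Step 2)."""
    return f"https://http-inputs-{org_name}.splunkcloud.com/services/collector"


def build_hec_request(token, event, sourcetype, source="phantom"):
    """Return (headers, body) for one HEC event.

    HEC authenticates with 'Authorization: Splunk <token>' and expects a JSON
    envelope whose 'event' member carries the payload.
    """
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = json.dumps({"event": event, "sourcetype": sourcetype, "source": source}).encode()
    return headers, body


def parse_hec_response(body):
    """HEC replies {"text": ..., "code": N}; code 0 means the event was accepted.

    Returns (accepted, message). A non-JSON body usually means the request hit
    something other than HEC (wrong URL, or a proxy/login page in the path).
    """
    try:
        reply = json.loads(body)
    except ValueError:
        return False, "non-JSON response (wrong URL or a proxy in the path?)"
    return reply.get("code") == 0, str(reply.get("text", ""))


def tls_verified(host, port, timeout=5.0):
    """Handshake with full chain and hostname verification, as Phantom Remote
    Search does against the search head's management port (8089).

    A certificate that is not signed by a CA in the system trust store fails
    here for the same reason Phantom reports a failure, which is why the post
    has Splunk Support replace the certificate on that port.
    """
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"verified; issued by {issuer.get('organizationName', '?')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def send_hec_event(url, headers, body):
    """POST one event to HEC and interpret the reply (network call)."""
    req = Request(url, data=body, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return parse_hec_response(resp.read())
    except HTTPError as exc:  # HEC returns 4xx with a JSON body for bad/disabled tokens
        return parse_hec_response(exc.read())
    except URLError as exc:
        return False, f"connection failed: {exc.reason}"


if __name__ == "__main__":
    # Assumed search head hostname; use the one Remote Search is configured against.
    print("8089 TLS:", tls_verified(f"{ORG_NAME}.splunkcloud.com", 8089))
    # Constructed sample event, not a real Phantom container.
    sample = {"container_id": 123, "name": "preflight test container", "status": "new"}
    headers, body = build_hec_request(HEC_TOKEN, sample, sourcetype="phantom_preflight")
    print("HEC:", send_hec_event(hec_endpoint(ORG_NAME), headers, body))
```

Run it from the Phantom server itself, because the point is to exercise the same egress path, proxy settings and CA store that Phantom will use. A `certificate not trusted` result on 8089 means the Support request in the opening notes has not taken effect yet; a HEC reply other than `Success` with code 0 points at the token (Step 3, #1) rather than at the firewall.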
Cyderes partners with best-of-breed technology partners, like Splunk, to deliver industry leading security services to enterprise customers across the globe. We successfully implement and manage Splunk in the world’s largest, most complex technology environments. For additional assistance with any of the requirements here, connect with a security specialist to discuss your specific cybersecurity journey and needs.
Splunk Resources and Documentation
Splunk Documentation on Phantom App for Splunk: https://docs.splunk.com/Documentation/PhantomApp/4.0.35/Install/Introduction
Additional information on configuring certs: https://docs.splunk.com/Documentation/PhantomApp/4.0.10/Install/ConfigureCerts
Additional technical documentation also available at the Phantom community portal: https://my.phantom.us/4.5/docs/admin/splunk
Take the first step in transforming your cybersecurity program
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.