The team at Cyderes is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the Cyber Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of HG’s experts will provide advice and insights based on their extensive experience in the infosec industry. Make sure to subscribe below and feel free to connect with us about topics and questions you would like to see covered.
Contributed By: Mike Kramer, Sr. Security Consultant
As more organizations settle into remote or hybrid work environments, there is often confusion about how to integrate cloud platforms with technology that remains on-premises. One example of this is fully integrating Splunk Cloud with Splunk’s own on-prem SOAR solution, Phantom.
From the list of network ports, to the multiple Splunk apps, to knowing what’s even possible between the two technologies, many security teams are left wondering how to integrate Phantom with Splunk Cloud.
To make sense of it all, let’s break it down into the four main functions that are possible between Splunk Cloud and Phantom (numbered below).
Some organizations may not want or need all four of these integrations, though enabling all four is highly recommended to get the most out of the products. Each integration requires one or more Splunk apps, as well as ports to be opened between Splunk Cloud and the on-prem Phantom server.
Before we proceed, it should be noted that Phantom should sit in the DMZ, because it must accept inbound TCP 443 traffic from Splunk Cloud in order to receive events (integration #2, sending events from Splunk Cloud to Phantom).
Another best practice that is often missed is enabling SSL for Remote Search, which fails unless the proper steps are taken with Splunk Support. To enable it, the SSL certificate on Splunk’s management port (8089) must be replaced on the Cloud Search Heads with one signed by a public CA that the Phantom server can verify. This replacement is done through a Splunk Support request.
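The verification Phantom performs on port 8089 can be reproduced ahead of time, as in this added example (not Cyderes, Splunk or Phantom code): `check_remote_search_tls` connects to a search head with the system's public CA store, and `assess_cert` flags a self-signed certificate, a hostname mismatch or a looming expiry in a `getpeercert()`-style dictionary. The hostnames and both sample certificates are constructed for illustration.

```python
import socket
import ssl
import time

def san_matches(cert, hostname):
    """True if hostname matches a DNS subjectAltName (exact or one-label wildcard)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host or (name.startswith("*.") and "." in host
                            and host.split(".", 1)[1] == name[2:]):
            return True
    return False

def assess_cert(cert, hostname, now=None, warn_days=30):
    """Findings for a getpeercert()-style dict that would break Remote Search; [] means OK."""
    now = time.time() if now is None else now  # epoch seconds, injectable for testing
    findings = []
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    if subject == issuer:  # self-issued: no public CA in the chain, so Phantom cannot verify it
        findings.append("self-signed: request a public-CA-signed 8089 cert via Splunk Support")
    if not san_matches(cert, hostname):
        findings.append(f"no subjectAltName matches {hostname}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < warn_days:
        findings.append("certificate expired" if days_left < 0
                        else f"certificate expires in {int(days_left)} days")
    return findings

def check_remote_search_tls(host, port=8089, timeout=5.0):
    """Connect to the Splunk management port the way Phantom does (public CA trust store).
    A private-CA or self-signed cert fails verification here, exactly as it does for Phantom."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            return assess_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain not trusted by the public CA store: {exc.reason}"]

# Constructed samples, not captured certificates: a self-signed cert and a public-CA one
SAMPLE_SELF_SIGNED = {"subject": ((("commonName", "es-sh.example.com"),),),
                      "issuer": ((("commonName", "es-sh.example.com"),),),
                      "notAfter": "Jan 15 12:00:00 2021 GMT"}
SAMPLE_PUBLIC = {"subject": ((("commonName", "es-sh.example.com"),),),
                 "issuer": ((("commonName", "Example Public CA"),),),
                 "subjectAltName": (("DNS", "es-sh.example.com"), ("DNS", "*.example.com")),
                 "notAfter": "Jan 15 12:00:00 2035 GMT"}
```

Run `check_remote_search_tls("<your-stack>-es.splunkcloud.example")` from the Phantom host itself, since it is that host's trust store and network path that matter.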
To proceed with the integration, install the relevant Splunk Apps and Add-Ons (also known as Technical Add-ons or TAs). Splunk Support will be required to install most of the TAs. Make sure to specify that you need the Phantom TA and Phantom Remote Search installed on the Cloud Indexers as well as on the ES Search Head. If your organization does not have ES (Enterprise Security), these can be installed on the main Cloud Search Head.
The following four apps should be installed, each on the components marked in the table:

| App Name | Splunk Cloud ES Search Head | Splunk Cloud Indexers | Phantom Instance |
|---|---|---|---|
| Phantom App for Splunk | X | X | |
| Phantom TA (Splunk add-on for Phantom) | X | X | X |
| Phantom Remote Search | X | X | |
| Phantom Reporting (Splunk App for Phantom Reporting) | X | | |
The Phantom server will also need a Splunk Universal Forwarder installed and configured with the same outputs as the rest of the Splunk deployment.
To enable the network communications between Phantom and Splunk Cloud, the following ports need to be allowed:
“Herjavec Group’s Splunk expertise as a service delivery partner is highly valued by Splunk and many of our joint clients. As both a customer and top global partner of Splunk’s, HG is uniquely positioned to deploy and operationalize Splunk security environments.”
– Splunk President & CEO, Doug Merritt
There are additional requirements for each of the four main functions that are part of the Phantom integration with Splunk Cloud. They are listed below by function.
1. Ingest Phantom Event Data (Phantom Reporting)
2. Sending Events from Splunk Cloud to Phantom
3. Remote Search – Query Splunk from Phantom Playbooks
4. Ingest Log Files from Phantom
Cyderes partners with best-of-breed technology partners, like Splunk, to deliver industry leading security services to enterprise customers across the globe. We successfully implement and manage Splunk in the world’s largest, most complex technology environments. For additional assistance with any of the requirements here, connect with a security specialist to discuss your specific cybersecurity journey and needs.
Splunk Documentation on Phantom App for Splunk: https://docs.splunk.com/Documentation/PhantomApp/4.0.35/Install/Introduction
Additional information on configuring certs: https://docs.splunk.com/Documentation/PhantomApp/4.0.10/Install/ConfigureCerts
Additional technical documentation also available at the Phantom community portal: https://my.phantom.us/4.5/docs/admin/splunk
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.