About Splunk Phantom
Splunk Phantom is a security automation and orchestration product. The purpose of the integration is to make threat intelligence data from Recorded Future available to playbooks in Splunk Phantom.
The integration is packaged as a Splunk Phantom app and delivered as a tarball file. It is available through the Phantom App Store.
The integration was built and tested using Splunk Phantom v2.0. It is expected to be backward compatible with Phantom v1.
To use this app, you will need API access to Recorded Future.
Install and Configure the Integration
After you have received the app tarball (tgz file) and an API token from Recorded Future, install and configure the app as follows:
- Place the app tarball in a locally accessible folder, like Downloads
- Log in to Phantom Cyber as an administrator
- Navigate to Administration > Apps
- Click the + APP button
- Locate the tarball file and click Install
- Navigate to Administration > Assets
- Click the + ASSET button
- Name the new asset Recorded Future API or similar
- Select Recorded Future as both the Vendor and the Product
- Navigate to the Asset Settings tab
- Enter your Recorded Future API Token
- Save the Asset
- Run the connectivity test
Installation and configuration are complete. Your asset should look like this:
A successful connectivity test looks like this:
Documentation is packaged with the app. To find this documentation, navigate to Administration > Apps and click on the Recorded Future app.
The app currently supports these actions:
- enrich vulnerability - Execute vulnerability enrichment on the given vulnerability
- enrich hash - Execute hash enrichment on the given hash
- enrich ip - Execute IP address enrichment on the given IP address
- enrich domain - Execute domain enrichment on the given domain
- test connectivity - Validate the asset configuration for connectivity
Each action corresponds to an Intelligence Card in Recorded Future. The action retrieves the current threat intelligence information for the input value, and returns that information to Splunk Phantom. The detailed threat data is returned as a JSON dictionary, and selected data values are highlighted in the Phantom action results table.
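To show how a playbook consumes these actions, here is an added example of a small Phantom playbook (it is not part of the app or of this page) that runs enrich ip on the addresses found in a container's artifacts and reads the returned JSON back in the callback. It assumes the asset is named recorded future api, that the action's input parameter is called ip, and that phantom.collect2, phantom.act and the callback's results layout follow the Phantom 2.x playbook API; the pure helper functions run without Phantom so they can be tested offline.

```python
try:
    import phantom.rules as phantom  # only importable inside the Phantom platform
except ImportError:
    phantom = None                   # lets the pure helpers below run and be tested offline
# Artifact CEF fields that usually carry addresses (datapaths assumed for this example)
IP_DATAPATHS = ["artifact:*.cef.sourceAddress", "artifact:*.cef.destinationAddress"]

def ips_from_collected(rows):
    """Flatten phantom.collect2() rows (one list per artifact) into unique, non-empty IPs."""
    seen = []
    for row in rows:
        for value in row:
            if value and value not in seen:
                seen.append(value)
    return seen

def build_enrich_params(ips):
    """One parameter block per IP; the action's input field is assumed to be named 'ip'."""
    return [{"ip": ip} for ip in ips]

def summarize_enrichment(results):
    """Map each successfully enriched IP to the summary and JSON data the app returned."""
    enriched = {}
    for run in results:
        for ar in run.get("action_results", []):
            if ar.get("status") != "success":  # skip failed lookups (bad token, no card, ...)
                continue
            ip = ar.get("parameter", {}).get("ip")
            enriched[ip] = {"summary": ar.get("summary", {}), "data": ar.get("data", [])}
    return enriched

def enrich_ip_cb(action, success, container, results, handle):
    """Callback Phantom invokes when all 'enrich ip' runs have finished."""
    enriched = summarize_enrichment(results)
    phantom.debug("Recorded Future enriched {} IP(s): {}".format(len(enriched), list(enriched)))

def on_start(container):
    ips = ips_from_collected(phantom.collect2(container=container, datapath=IP_DATAPATHS))
    if ips:
        phantom.act("enrich ip", parameters=build_enrich_params(ips),
                    assets=["recorded future api"], callback=enrich_ip_cb, name="enrich_ip")

def on_finish(container, summary):
    return
# Constructed sample of the callback's 'results' layout, for exercising the helpers outside Phantom
SAMPLE_RESULTS = [{"action_results": [
    {"status": "success", "parameter": {"ip": "198.51.100.7"}, "summary": {"risk": 65}, "data": [{}]},
    {"status": "failed", "parameter": {"ip": "203.0.113.9"}, "message": "lookup failed"}]}]
```

Failed action runs (for example an invalid token, which the test connectivity action would catch earlier) are dropped rather than treated as "no risk", so the playbook never mistakes a lookup error for a clean verdict.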
Here is an example of enrichment output for an IP address.