Splunk Phantom is an orchestration, automation, and response technology for running "playbooks" that respond to various conditions. Phantom connects to Splunk Enterprise through the Phantom App for Splunk, so that actions can be taken on knowledge derived from data indexed in Splunk. IRI DarkShield is a data masking package that can discover, delete, de-identify, and/or deliver PII hidden in a wide range of unstructured data sources. In DarkShield v3, a command line interface (CLI) was added, allowing third-party applications, including Phantom, to embed or run the remediation (masking) jobs configured for DarkShield.

It is thus now possible to automate security responses to PII exposures in dark data uncovered by DarkShield PII searches. Specifically, a Phantom playbook can use Splunk to evaluate the data that DarkShield found, and then automatically run DarkShield to plug those holes. Compare this to merely sending an alert email, described in our prior article on using the Splunk Adaptive Response Framework with DarkShield.

Here are the underlying components used for this turnkey solution:

Virtualization software such as VMware Fusion®, VMware Fusion Pro®, VMware Workstation Player®, VMware Workstation Pro®, or Oracle® VirtualBox. To start, create a Splunk Phantom account on the Phantom Community site if you don't already have one. Once signed in, the Splunk Phantom Community Edition virtual appliance is available for download from the "Products" section of the site. The virtual appliance can be used with a large variety of virtualization software; in this example, I use Oracle VirtualBox. The Splunk Phantom virtual appliance needs to be running to access the Splunk Phantom server. Follow the instructions on the Phantom Community site, and you should reach a point where you can see which IP address the server has been set up on. Open that IP address in your web browser and sign in to Splunk Phantom.

The Phantom virtual appliance is a CentOS Linux virtual machine that hosts the Phantom server. Because of this, SSH is used to run command-line actions on your host machine. While this requires more information to run the IRI DarkShield Remediation Playbook, it also makes the playbook more versatile: the host that holds the DarkShield CLI and the DarkShield .search file can be any machine in the world that runs SSH.

The DarkShield CLI runs DarkShield externally to mask data, i.e., it allows masking jobs to run outside the graphical development and execution environment of IRI Workbench.

The CLI

Download the DarkShield CLI, which requires a DarkShield or Voracity license to run. Once downloaded, unzip the contents of the darkshield.zip archive. Add the darkshield folder to the system path so that darkshield can run from anywhere, such as in the DarkShield Remediation Phantom Playbook described in this article.

Using the DarkShield CLI requires the following:

- A Windows / Linux / Mac OS X host running on premise or in the cloud.
- .search/.darkdata files (see the DarkShield Product Overview booklet).

Like most IRI software, DarkShield relies on a core data processing program called SortCL to, in this case, mask data. By default, DarkShield uses the $COSORT_HOME environment variable to find its bin directory and the sortcl executable within it.

Install and Configure the Phantom App for Splunk

In this case, I will be transferring data from Splunk Enterprise to Splunk Phantom. I can even speed that flow up through the Splunk Universal Forwarder, though Splunk Phantom supports many other data sources.

Note that the word "search" is used in this article in more than one sense and should be understood in the context in which it occurs. The *.search file is used with the DarkShield CLI to search for (and optionally remediate) instances of PII in unstructured file types; the CLI operates on .search file data, which is produced by running the Dark Data Discovery Wizard in IRI Workbench. The Splunk "Search" referred to above is performed subsequent to, and through, DarkShield.

You must have a Splunk account and a current instance of Splunk Enterprise or Splunk Enterprise Security in order to download and use the Phantom App for Splunk. Within Splunk, make sure that both the Phantom App for Splunk and the Phantom Remote Search app are installed. These apps send Splunk search results to Phantom as events. Go to the Phantom Server configuration tab from the Phantom App for Splunk navbar to specify the server details needed to connect to your Splunk Phantom instance.
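The article lists three things the DarkShield host must provide before the Phantom playbook's SSH action can run the CLI: darkshield on the PATH, $COSORT_HOME pointing at a directory whose bin folder holds sortcl, and a readable .search file. The script below is an added example, not IRI's or Splunk's code, that checks those three conditions on the host and prints a safely quoted ssh command line of the kind the playbook action would execute. The invocation form `darkshield <file.search>`, the user name `phantom` and the host name `darkshield-host` are assumptions for illustration; check the DarkShield CLI documentation for the real argument syntax.

```shell
#!/bin/sh
# Added example (not IRI's or Splunk's code): preflight checks for the host on
# which the Phantom SSH action will run the DarkShield CLI, plus a safely quoted
# remote command line. The invocation `darkshield <file.search>` is an
# assumption; consult the DarkShield CLI documentation for the real syntax.

# Verify the three things the article says the CLI needs: darkshield on PATH,
# $COSORT_HOME/bin/sortcl present and executable, and a readable .search file.
# Returns 0 when everything is in place, 1 otherwise (every problem is reported).
darkshield_preflight() {
  ds_file=$1
  ds_rc=0
  if ! command -v darkshield >/dev/null 2>&1; then
    echo "preflight: darkshield is not on PATH" >&2
    ds_rc=1
  fi
  if [ -z "${COSORT_HOME:-}" ] || [ ! -x "${COSORT_HOME:-}/bin/sortcl" ]; then
    echo "preflight: COSORT_HOME is unset or \$COSORT_HOME/bin/sortcl is not executable" >&2
    ds_rc=1
  fi
  case $ds_file in
    *.search) ;;
    *) echo "preflight: $ds_file does not have a .search extension" >&2; ds_rc=1 ;;
  esac
  if [ ! -r "$ds_file" ]; then
    echo "preflight: cannot read $ds_file" >&2
    ds_rc=1
  fi
  return $ds_rc
}

# Wrap a string in single quotes for the remote shell, escaping embedded single
# quotes as '\''. The .search path arrives from the playbook as an action
# parameter, so it must never be spliced into the remote command line unquoted.
quote_sq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print the ssh command line the playbook's SSH action would run on the
# DarkShield host. BatchMode=yes makes a missing key fail fast instead of
# prompting for a password that no automation can supply.
build_ssh_command() {
  bs_user=$1 bs_host=$2 bs_file=$3
  printf 'ssh -o BatchMode=yes %s@%s darkshield %s\n' \
    "$bs_user" "$bs_host" "$(quote_sq "$bs_file")"
}

# Usage: sh preflight.sh /path/to/job.search [user] [host]
if [ "$#" -gt 0 ]; then
  darkshield_preflight "$1" && build_ssh_command "${2:-phantom}" "${3:-darkshield-host}" "$1"
fi
```

Run the preflight on the DarkShield host under the same non-interactive account and invocation the playbook uses (for example `ssh user@host 'sh preflight.sh job.search'`), because a PATH or COSORT_HOME that is set only in an interactive login profile may not be present in that session. Give the playbook's SSH action a dedicated key-based account on that host that can run darkshield and read the files to be remediated, and nothing more.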