Splunk Phantom

Splunk> Phantom is a community-powered security automation and orchestration solution. The Splunk> Phantom Platform integrates existing security technologies, such as Archer, forming a layer of connective tissue between separate products. Manual security-operations tasks codified into Splunk> Phantom Playbooks become software workflows that run at machine-speed to orchestrate complex interactions among Archer and other Splunk> Phantom-connected security products.

Release notes

Last updated: December 2020

Release 1.1

New and changed features

  • The integration now supports Archer Domain Users.

Known issues

  • Shared API / login accounts can result in timing-dependent session errors or dropped connections.

  • At a minimum, REST API use requires the “VRM – Web Service API” role. Archer’s Security Incidents application additionally requires the “IM: Manager” and “System Administrator” roles. Grant these only to the dedicated integration account(s) used by Splunk> Phantom assets.

Overview of the Splunk> Phantom Integration with Archer

Benefits

The integration of Splunk> Phantom with Archer enables Splunk> Phantom to create, list, retrieve, and update Archer tickets. Splunk> Phantom Playbooks can use Archer capabilities to improve efficiency and precision of ticketing, investigation, response, and reporting, so the SOC can work smarter, respond faster, and focus attention onto mission-critical decisions.

Prerequisites

Components

Recommended Software

  Archer Solution               Archer IT Security & Risk Management
  Archer Use Case               Archer Cyber Security and Breach Response
  Archer Application            Security Incidents
  Uses Custom Application       No
  Requires On-Demand License    No

Applications

  Application           Description
  Security Incidents    The Security Incidents application provides a central location for managing incidents, both those created from aggregated security alerts and those that are manually reported.

Additional resources

The following additional resources are available for this application:

Integration components overview

Before you begin 

This section provides instructions for configuring the Archer App on the Splunk> Phantom Platform to connect to Archer. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

Prerequisites:

  • All Splunk> Phantom and Archer components must be installed and working before the integration is configured.

  • Archer Web Services must be enabled so that Splunk> Phantom can use the Archer REST and SOAP APIs, and network connectivity to those web services must exist between Splunk> Phantom and Archer.

  • A unique Archer account must be assigned to each Archer Asset configured in Splunk> Phantom. Each account must have the role permissions needed to use the REST and SOAP APIs and the target Archer application (see Known issues under Release notes for the minimum roles). Sharing one account across assets causes the session errors noted in the release notes.

  • Test each of these conditions before proceeding.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes.  It may or may not meet the needs and use cases for your organization.  If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.

Splunk> Phantom integrates with Archer using the Archer App on Splunk> Phantom to call the Archer web services (REST and SOAP) APIs. The Archer App comes pre-installed and runs entirely within Splunk> Phantom; no new code needs to be installed on Archer. Once you enable and configure the App, Archer ticketing actions are available within Splunk> Phantom.

The Archer App is deployed by configuring one or more Assets for the App within Splunk> Phantom.  Each Asset represents a separate connection to Archer, and each asset connects to a specific application within Archer. Multiple assets are required to connect to different Archer instances or use multiple Archer applications. Each asset can specify different polling frequencies, CEF Archer mappings, or Archer API access credentials.

Splunk> Phantom apps and assets

A Splunk> Phantom App is designed to connect with a matching point product.  An Asset is a specific connection-configuration. By default, configuring an App on Splunk> Phantom involves configuring an Asset of that App.  Complex deployments, such as multiple instances of a point product, may involve configuring multiple connections (i.e. multiple Assets).  It is important to understand how Splunk> Phantom Apps are related to Assets:

Splunk> Phantom App

A module designed to communicate with a point product. Examples:

  • Security Analytics App

  • Archer App

  • NetWitness Logs and Packets App

Splunk> Phantom Asset

A unique product-connection, using the App for that product. Multiple Assets can be configured for an App. Example multiple-asset use-cases include:

  • Connecting to different instances of a product (such as different sandboxes or different physical firewalls)

  • Connecting using different point-product accounts, each account having different permissions

  • Connecting on different ports, or at different polling frequencies.

In summary, an Asset is a unique-connection-configuration of an App. In some circumstances, you may choose to configure multiple Assets for an App.

Archer applications, fields and field-types

Archer solutions and application names

Archer offers a large number of applications or solutions that can be accessed through the Splunk> Phantom integration. An example list of Archer applications is shown here.

This guide references Archer’s IT Security & Risk Management solution in examples, using the Archer Security Incidents application. The exact Archer application name is used during Splunk> Phantom configuration and is required by the Archer API.

Archer application names can be viewed in Archer by navigating to Administration > Application Builder > Manage Applications, then scrolling through the Applications list until the specific application appears. Here, the Security Incidents application is highlighted:

Archer tracking ID fields

Each Archer application has one field defined as a tracking field, containing a unique ID for each data record. In each Archer application, the tracking field is marked with the field-type Tracking ID.

To locate the name of the tracking field for an Archer application, select the application name in the Applications list shown above, then select the Fields tab. Scroll through the Fields list to locate the one defined as field type Tracking ID. In the example below, the Security Incidents application uses the field Incident ID as the tracking field.

Simple fields versus object fields

Scrolling through the Fields list reveals certain field-types that can be considered “simple” (text, date, numeric, IP Address, etc.), and others that can be considered “objects” (sub-form, values list, user or groups list, and more). Simple fields are generally processed correctly by the Splunk> Phantom integration even when they were not identified beforehand, whereas object fields may cause an error when data is read from Archer. Note the names of any object fields: if ingestion from Archer fails on a field type that the Splunk> Phantom integration does not define or support, those names are what you enter as field exclusions.

Splunk> Phantom configuration

Locating the Archer application

  1. After signing in to the Splunk> Phantom Platform, select Apps on the main navigation menu.

  2. Enter “Archer” in the search field to locate the Archer App. Select Configure New Asset to access the Asset Configuration settings.

Archer asset-configuration

  1. On the Asset Configuration page, select the Asset Info tab, then enter an Asset Name and Asset Description for Archer.

  2. Select the Asset Settings tab and enter the Archer connection information: API Endpoint, Instance name, Username, and Password.

    Important: The Instance name must match the Archer Instance name configured by the Archer administrator.

  3. When setting up a connection for a Domain User, the User’s Domain field on the Asset Settings tab is mandatory, and the Username field must be that of a Domain User.

  4. Select the Ingest Settings tab and choose a label for data ingested from Archer, or select NEW ENTRY in the dropdown list to create a new label. By default, ingest from Archer is triggered through manual polling by a Splunk> Phantom user. Select Enable Polling to configure Splunk> Phantom to poll Archer automatically, then change the polling frequency if desired.

  5. Select Save to save the asset configuration. Switch back to the Asset Settings tab, then select Test Connectivity to verify the asset settings.

  6. The message Archer configuration test SUCCESS indicates that the asset has been correctly configured. Select Close to finish asset-configuration. The Splunk> Phantom integration with Archer is now correctly configured and enabled.
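The steps above are clicked through in the UI, but it helps to see what Test Connectivity has to accomplish with the Asset Settings values (API Endpoint, Instance name, Username, Password and, for Domain Users, User's Domain). The following Python script is an added example, not code from the Splunk> Phantom Archer App or from Archer. It assumes Archer's REST session API: a POST to <API Endpoint>/api/core/security/login carrying InstanceName, Username, UserDomain and Password, a SessionToken in the response's RequestedObject, the header Authorization: Archer session-id=<token>, and a POST to .../api/core/security/logout with the token as Value. Verify those details against the API reference for your Archer version. The Archer server is replaced by a constructed in-memory stand-in so the script runs offline; the endpoint URL, instance name, account names and passwords are made up.

```python
"""Offline illustration of what an Archer asset 'Test Connectivity' must do.

Added example; not the Splunk> Phantom Archer App's code. Assumes Archer's
REST session API (login/logout paths, request and response shapes below);
check them against your Archer version's API reference. The server is a
constructed stand-in so the script runs without a network.
"""
import json
from typing import Callable, Dict, Tuple

LOGIN_PATH = "/api/core/security/login"      # assumed Archer REST login path
LOGOUT_PATH = "/api/core/security/logout"    # assumed Archer REST logout path
JSON_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}

# post_json(url, headers, body) -> response body as text
Transport = Callable[[str, Dict[str, str], str], str]


def build_login_request(api_endpoint: str, instance: str, username: str,
                        password: str, user_domain: str = "") -> Tuple[str, Dict[str, str], str]:
    """Assemble the login call from the Asset Settings fields.

    Instance name must match what the Archer administrator configured.
    A domain user is sent as Username plus UserDomain, never as
    DOMAIN\\user or user@domain in the Username field.
    """
    if not instance.strip():
        raise ValueError("Instance name is mandatory")
    if "\\" in username or "@" in username:
        raise ValueError("put the domain in User's Domain, not in Username")
    body = {"InstanceName": instance, "Username": username,
            "UserDomain": user_domain,  # "" for a local Archer account
            "Password": password}
    return api_endpoint.rstrip("/") + LOGIN_PATH, dict(JSON_HEADERS), json.dumps(body)


def parse_login_response(text: str) -> str:
    """Return the session token, or raise with Archer's validation message."""
    data = json.loads(text)
    if not data.get("IsSuccessful"):
        detail = "; ".join(str(m.get("MessageKey") or m.get("Description"))
                           for m in data.get("ValidationMessages", [])) or "no detail"
        raise PermissionError("login rejected: " + detail)
    return data["RequestedObject"]["SessionToken"]


def session_header(token: str) -> Dict[str, str]:
    """Header every later Archer REST call must carry (assumed format)."""
    return {"Authorization": "Archer session-id=" + token}


def check_asset(post_json: Transport, api_endpoint: str, instance: str,
                username: str, password: str, user_domain: str = "") -> str:
    """Log in and log out again; return the result message shown in the UI.

    The logout matters: the release notes attribute timing-dependent
    session errors to shared accounts, and abandoned test sessions add
    avoidable session pressure on the same account.
    """
    try:
        url, headers, body = build_login_request(api_endpoint, instance, username,
                                                 password, user_domain)
        token = parse_login_response(post_json(url, headers, body))
        post_json(api_endpoint.rstrip("/") + LOGOUT_PATH,
                  {**headers, **session_header(token)}, json.dumps({"Value": token}))
    except (ValueError, PermissionError) as exc:
        return f"Archer configuration test FAILED: {exc}"
    return "Archer configuration test SUCCESS"


# --- constructed stand-in for the Archer server (not a real instance) ---
_FAKE_ACCOUNTS = {("Archer", "phantom_svc", ""): "local-pw",        # local account
                  ("Archer", "svc_phantom", "CORP"): "domain-pw"}    # domain user


def fake_archer_post(url: str, headers: Dict[str, str], body: str) -> str:
    """Answers login/logout the way the assumed Archer API would."""
    payload = json.loads(body)
    if url.endswith(LOGIN_PATH):
        key = (payload["InstanceName"], payload["Username"], payload["UserDomain"])
        if _FAKE_ACCOUNTS.get(key) == payload["Password"]:
            return json.dumps({"IsSuccessful": True,
                               "RequestedObject": {"SessionToken": "tok-" + payload["Username"]}})
        return json.dumps({"IsSuccessful": False,
                           "ValidationMessages": [{"MessageKey": "invalid instance, user or password"}]})
    if url.endswith(LOGOUT_PATH):
        if not headers.get("Authorization", "").startswith("Archer session-id="):
            raise PermissionError("logout without session header")
        return json.dumps({"IsSuccessful": True})
    raise ValueError("unexpected URL " + url)


if __name__ == "__main__":
    ep = "https://archer.example.com/RSAarcher"   # made-up API Endpoint
    print(check_asset(fake_archer_post, ep, "Archer", "phantom_svc", "local-pw"))
    print(check_asset(fake_archer_post, ep, "Archer", "svc_phantom", "domain-pw", "CORP"))
    print(check_asset(fake_archer_post, ep, "Archer", "CORP\\svc_phantom", "domain-pw"))
    print(check_asset(fake_archer_post, ep, "Archer-Dev", "phantom_svc", "local-pw"))
```

The four calls at the bottom correspond to the outcomes the steps above describe: a local account, a domain user supplied as Username plus User's Domain, a domain user wrongly written into the Username field (rejected before any request is sent), and an Instance name that does not match the Archer administrator's configuration (rejected by the server).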

Advanced Archer asset configuration

Understanding the CEF to Archer mapping

When configuring an Asset for the Archer App, the CEF to Archer mapping defines how CEF fields in Splunk> Phantom map to defined application fields in Archer. This mapping is used when ingesting data into Splunk> Phantom from Archer, and when sending updated data to Archer.

Syntax of a CEF to Archer mapping

A CEF to Archer mapping can be created in any text editor, then pasted into the mapping field on the Asset Configuration screen. The following mapping example shows the basic syntax needed to create any mapping.

(Apart from the last entry, which only shows the general pattern of a CEF field name on the left and an Archer field name on the right, this example is fully functional and can be copied into the CEF to Archer mapping field on the Asset Configuration / Asset Settings screen.)

Note: If an action assigns a record to a user, the JSON must contain the user’s Archer Username, not the user’s first or last name.

{
    "application": "Incidents",
    "tracking": "Incident ID",
    "Status": "status",
    "Category": "category",
    "Details": "details",
    "CEF name": "Archer field name"
}

Required fields in a CEF to Archer mapping

A CEF to Archer mapping must include at least these two fields:

  CEF field name    Archer field name (example)    Notes on Archer field name
  application       Security Incidents             The name of the application being used within Archer
  tracking          Incident ID                    The name of the tracking ID field as defined within Archer

Locating Archer applications and field names

The steps below cover how to locate the Archer names that map to the CEF application and tracking fields, for use in a CEF to Archer mapping.

The specific Archer application name that maps to a CEF application can be found in Archer by navigating to Administration > Application Builder > Manage Applications, then scrolling through the Applications list until the specific application is found. The Security Incidents application used in the mapping example above is shown here, listed in Archer:

Each application within Archer must have one tracking field defined, as this field contains the unique ID for each data record stored in the application.

When creating a Splunk> Phantom CEF to Archer mapping, this Archer tracking field must be mapped to the CEF tracking field. In each Archer application, the tracking field is marked with the field-type Tracking ID.

To locate the name of the tracking field in Archer, select the application name in the Applications list shown above (e.g. Incidents). Next, select the Fields tab, then scroll through the listed fields to locate the one defined as field type Tracking ID. In the Archer instance shown here, the Incidents application uses the field Incident ID as the tracking field.

In summary, the following two mappings show actual Archer field names (on the right) mapped to CEF field names (on the left).

{
    "application": "Incidents",
    "tracking": "Incident ID"
}

Excluding Archer fields

Certain Archer field types and attachments are not currently supported. If they cause errors during ingestion, add their field names to the Fields to exclude list on the Splunk> Phantom Asset Configuration screen, separating multiple names with commas. The previous step in this section describes how to find the specific Archer field names.
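To make the mapping rules above concrete (the required application and tracking keys, CEF names on the left and Archer field names on the right, use of the mapping in both the ingest and the update direction, and comma-separated exclusions for unsupported object fields), here is an added Python example. It is not the Archer App's own ingestion code, which this guide does not reproduce; it only follows the rules stated above. Treating list- or dict-valued fields as unsupported object fields is this example's own heuristic, and the sample mapping and record (an incident whose Assigned To is a user list) are constructed.

```python
"""Validate a CEF to Archer mapping, apply it to an Archer record, and
build the reverse mapping for an update.

Added example; not the Splunk> Phantom Archer App's ingestion code. It
follows only the conventions the guide states: "application" and
"tracking" are required keys, and every other entry maps a CEF field
name (left) to an Archer field name (right). The object-field heuristic
and the sample data below are this example's own constructions.
"""
import json
from typing import Any, Dict, Iterable, List, Tuple

REQUIRED_KEYS = ("application", "tracking")


def mapping_problems(text: str) -> List[str]:
    """Return validation messages for a pasted mapping; empty means valid."""
    try:
        mapping = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"mapping is not valid JSON: {exc}"]
    if not isinstance(mapping, dict):
        return ["mapping must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        if not isinstance(mapping.get(key), str) or not mapping[key].strip():
            problems.append(f'mapping must define "{key}" as a non-empty string')
    for cef_name, archer_name in mapping.items():
        if cef_name in REQUIRED_KEYS:
            continue
        if not isinstance(archer_name, str) or not archer_name.strip():
            problems.append(f'CEF field "{cef_name}" must map to an Archer field name')
    return problems


def load_mapping(text: str) -> Dict[str, str]:
    """Parse the mapping JSON, raising on any validation problem."""
    problems = mapping_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(text)


def parse_exclusions(text: str) -> List[str]:
    """'Fields to exclude' is a comma-separated list of Archer field names."""
    return [f.strip() for f in text.split(",") if f.strip()]


def is_object_field(value: Any) -> bool:
    """Heuristic: values lists, user/group lists and sub-forms arrive as
    lists or dicts; text, date, numeric and IP Address fields as scalars."""
    return isinstance(value, (list, dict))


def archer_record_to_cef(record: Dict[str, Any], mapping: Dict[str, str],
                         exclude: Iterable[str] = ()) -> Tuple[Dict[str, Any], List[str]]:
    """Ingest direction: Archer record (Archer field name -> value) -> CEF fields.

    Returns (cef, problems). Object-type fields are reported, not raised,
    so the operator can copy their names into Fields to exclude.
    """
    cef: Dict[str, Any] = {}
    problems: List[str] = []
    excluded = set(exclude)
    tracking_field = mapping["tracking"]
    if tracking_field not in record:
        problems.append(f'tracking field "{tracking_field}" missing from record')
    for cef_name, archer_name in mapping.items():
        # the application name is not a record field; excluded or absent fields are skipped
        if cef_name == "application" or archer_name in excluded or archer_name not in record:
            continue
        value = record[archer_name]
        if is_object_field(value):
            problems.append(f'unsupported object field "{archer_name}"; add it to Fields to exclude')
            continue
        cef[cef_name] = value
    return cef, problems


def cef_to_archer_update(cef: Dict[str, Any], mapping: Dict[str, str]) -> Tuple[Any, Dict[str, Any]]:
    """Update direction: CEF fields -> (tracking ID, Archer fields to write).

    The tracking value identifies the record and is never written as a field;
    CEF fields with no mapping entry are dropped rather than sent to Archer."""
    if "tracking" not in cef:
        raise ValueError("cannot update Archer without the tracking ID")
    fields = {mapping[name]: value for name, value in cef.items()
              if name in mapping and name not in REQUIRED_KEYS}
    return cef["tracking"], fields


# --- constructed sample data (not from a real Archer instance) ---
SAMPLE_MAPPING = json.dumps({
    "application": "Security Incidents",
    "tracking": "Incident ID",
    "status": "Status",
    "category": "Category",
    "details": "Details",
    "assignedTo": "Assigned To",
})
SAMPLE_RECORD = {
    "Incident ID": 1043,
    "Status": "New",
    "Category": "Malware",
    "Details": "Endpoint alert escalated from Splunk> Phantom",
    "Assigned To": [{"Id": 12, "Name": "jdoe"}],        # user list: an object field
    "Attachments": [{"Id": 77, "Name": "triage.pdf"}],  # not mapped, so never touched
}

if __name__ == "__main__":
    m = load_mapping(SAMPLE_MAPPING)
    print(archer_record_to_cef(SAMPLE_RECORD, m))
    print(archer_record_to_cef(SAMPLE_RECORD, m, parse_exclusions("Assigned To, Attachments")))
    print(cef_to_archer_update({"tracking": 1043, "status": "Closed"}, m))
```

The first ingest call reports Assigned To as an unsupported object field while still returning the simple fields; the second, with the exclusion list applied, returns the same fields with no problems, which is the workflow the Excluding Archer fields section describes.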

Using the integration

Incidents reported in the Splunk> Phantom platform can now be accessed in the Archer Security Incidents application for analysis and vice versa. In the Security Incidents application, organizations can do the following:

  • Assign L1 incident handlers to review and assess the incident

  • Escalate an incident to an L2 incident handler for further investigation and analysis

  • Capture the timeline of the incident

  • Resolve the incident and track root cause analysis and security control efficacy

Splunk> Phantom application features & documentation

Comprehensive documentation for the Archer App is available within the Splunk> Phantom Platform, covering supported actions and general usage of the App. It can be accessed by selecting Documentation from the main Splunk> Phantom menu.

Certification environment

Date tested: December 2020

  Product Name       Version Information    Operating System
  Archer             6.9 SP1                Windows 2012
  Splunk> Phantom    4.9
  Archer App         2.0.3