Meraki Virtual Hackathon: app for Splunk Phantom
•
0 gostou•306 visualizações
The Meraki app for Splunk Phantom uses the Meraki dashboard API to locate end-user devices within one or more organizations, networks / devices, and to bind a configuration template to a specified network.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Meraki Virtual Hackathon: app for Splunk Phantom
Semelhante a Meraki Virtual Hackathon: app for Splunk Phantom (20)
Mais de Joel W. King
Mais de Joel W. King (19)
Último
Último (20)
Meraki Virtual Hackathon: app for Splunk Phantom
- 1. The Details 1 Presenter: Joel W. King – World Wide Technology May 26-28, 2020
- 2. Meraki app for Splunk Phantom 2 Retail/Hospitality Smart Spaces Manufacturing/Healthcare Operations Problem Statement An investment management financial services company has increased their remote workers from 400 to 2,700 agents supported primarily by the Cisco Meraki Z3 Cloud Managed Teleworker Gateway. The firm requires stringent access controls of the devices (only corporate IP Phones and laptops) connected to the gateway. The security analyst(s) must quarantine the teleworker if unauthorized devices are discovered on the teleworker gateway. The Meraki app for Phantom Cyber was enhanced to include a 'bind network' function, allowing the security operations team to specify the target network and the name of the quarantine template to apply to the teleworker.
- 3. Features and functionality The Meraki app for Splunk Phantom uses the Meraki dashboard API to locate end-user devices within one or more organizations, networks / devices, and to bind a configuration template to a specified network. By using the REST API of Splunk Phantom, security incidents (containers and artifacts) can be created and playbooks are programmatically initiated invoking the Meraki app functionality. It is assumed the organization can identify the presence of unauthorized devices by way of log analysis or a host PC agent distributed scan. From these tools, the source MAC address and other supporting information are populated into a Common Event Format (CEF) record. The CEF data is part of the Phantom container and artifact generated by a program using the Phantom Ingest SDK. Splunk Phantom will invoke a playbook which executes the Meraki app after the container is created on Splunk Phantom. The first step is to locate the name of the network where the source MAC address is found. The second step is to bind a quarantine network template to the targeted network name. The results of these operations are returned to Splunk Phantom and logged. This workflow can execute without human intervention to the point of end-user notification and remediation. 3
- 4. Resources How Agile Is Your Managed SD-WAN Solution? https://www.wwt.com/article/how-agile-is-your-managed-sd-wan-solution Source code and app deployment tarball https://github.com/joelwking/Phantom-Cyber/tree/master/meraki Phantom Ingest SDK https://github.com/joelwking/Phantom-Cyber/tree/master/REST_ingest Video Clip https://vimeo.com/423587585 4
- 5. Workflow
- 8. Workflow 8 TELEWORKER TELEWORKER TELEWORKER b8:27:eb:08:07:24 203.0.113.2 b8:27:eb:08:07:24 203.0.113.2 Common Event Format SECURITY ANALYSTS
- 9. Workflow 9 TELEWORKER TELEWORKER TELEWORKER b8:27:eb:08:07:24 203.0.113.2 b8:27:eb:08:07:24 203.0.113.2 Common Event Format CEF artifact container SECURITY ANALYSTS
- 10. Workflow 10 TELEWORKER TELEWORKER TELEWORKER b8:27:eb:08:07:24 203.0.113.2 b8:27:eb:08:07:24 203.0.113.2 Common Event Format CEF artifact container playbook SECURITY ANALYSTS
- 11. Workflow 11 TELEWORKER TELEWORKER TELEWORKER b8:27:eb:08:07:24 203.0.113.2 b8:27:eb:08:07:24 203.0.113.2 Common Event Format CEF artifact container playbook locate SECURITY ANALYSTS
- 12. Workflow 12 TELEWORKER TELEWORKER TELEWORKER b8:27:eb:08:07:24 203.0.113.2 b8:27:eb:08:07:24 203.0.113.2 Common Event Format CEF artifact container playbook locate bind network SECURITY ANALYSTS
- 13. Workflow 13 TELEWORKER TELEWORKER TELEWORKER b8:27:eb:08:07:24 203.0.113.2 b8:27:eb:08:07:24 203.0.113.2 Common Event Format CEF artifact container playbook locate bind network MAC_VIOLATION SECURITY ANALYSTS
- 15. Phantom Ingest SDK 15 b8:27:eb:08:07:24 203.0.113.2 Common Event Format CEF artifact container https://github.com/joelwking/Phantom-Cyber/tree/master/REST_ingest import PhantomIngest as ingest p = ingest.PhantomIngest("ec2-3-89-150-247.compute-1.amazonaws.com", "pN2MZMRq") meta_data = dict() cdata = {"name": "Meraki_Hackathon_demo", "description": "Voltair, a French Enlightenment writer, historian, and philosopher." } container_id = p.add_container(**cdata) cef = {'sourceAddress': '203.0.113.2', 'sourcePort': '6553', 'sourceUserId': 'voltaire@example.net', 'smac': 'b8:27:eb:08:07:24'} artifact = {"name": "Teleworker_alert", "source_data_identifier": "IR_3458579" } print "artifact ID: {}".format(p.add_artifact(container_id, cef, meta_data, **artifact))
- 16. Screen Captures
- 17. 17 Normal State – Configuration template TELEWORKER applied to all call center agent gateways
- 18. 18 Phantom apps are self documenting in the GUI
- 19. 19 onstration playbook locates the network name where the MAC address has been observed – passes etwork name to the ‘bind network’ action to quarantine the gateway
- 20. 20 The MAC address has been located on the network ‘JOEL’ associated with device ‘Teleworker Z1’
- 21. 21 The quarantine template MAC_VIOLATION is bound to the network JOEL, replacing the existing template
- 22. 22 The Analyst view of the container | artifact shows the actions taken by the associated playbook and the timespan when executed.
- 23. 23 Following the playbook execution, the template MAC_VIOLATION is associated with network JOEL
- 24. Team Members Joel W. King : Joel.King@wwt.com Gene Geddes : Gene.Geddes@wwt.com Rita Younger : Rita.Younger@wwt.com Jeff Andiorio : Jeff.Andiorio@wwt.com Tafsir Thiam : Tafsir.Thiam@wwt.com Nick Thompson : Nick.Thompson@wwt.com 24