Splunk® AR for iOS


Workflow Automation Security

Mobile devices communicate with Phantom instances through Spacebridge and Splunk Cloud Gateway, never directly. After an admin configures Phantom in Splunk Cloud Gateway, users can authenticate their devices; once a device is authenticated, it communicates with Phantom through Spacebridge.

To learn more about Spacebridge, see About the Splunk Cloud Gateway security process.

Workflow Automation Device Authentication

Spacebridge is an end-to-end encrypted intermediary between the mobile device, your Splunk instance, and Phantom. Because all traffic passes through Spacebridge and Splunk Cloud Gateway, mobile devices never connect directly to your Phantom instance, and Spacebridge itself relays messages whose contents it cannot read.

Because your Splunk instance communicates with Phantom directly over HTTP, your Splunk instance and Phantom must be on the same network or VPC, or you must allow traffic between them in your network security group settings. This requirement applies only to the Splunk instance, not to the mobile devices.

[Figure: AR Phantom registration flow]

Here's how mobile devices authenticate to Splunk Phantom:

  1. An admin configures Splunk Phantom in Splunk Cloud Gateway to enable Workflow Automation. See Enable Workflow Automation.
  2. The device gets an authentication code from Spacebridge.
  3. The device sends its public keys and device ID to Spacebridge.
  4. The user enters their Splunk Phantom credentials in the Splunk AR mobile app.
  5. The client device makes a device registration request to Splunk Cloud Gateway through Spacebridge.
  6. Spacebridge forwards the registration request to Splunk Cloud Gateway.
  7. Splunk Cloud Gateway validates the Splunk Phantom configuration.
  8. Splunk Cloud Gateway makes a registration request on behalf of the client device to Splunk Phantom using the device authentication code.
  9. Splunk Phantom sends a confirmation code to Splunk Cloud Gateway.
  10. Splunk Cloud Gateway confirms registration using the confirmation code and Splunk Phantom credentials.
  11. Splunk Phantom sends its client ID to Splunk Cloud Gateway.
  12. Splunk Cloud Gateway sends the Splunk Phantom Client ID to Spacebridge.
  13. Spacebridge sends the Splunk Phantom client ID to the device. This completes authentication.

Workflow Automation Message Exchange

Mobile devices communicate with Splunk Phantom through Spacebridge in the same way Splunk AR users register to a Splunk instance. Because Splunk AR users must already authenticate to a Splunk instance during initial device registration, Workflow Automation reuses that existing connection to authenticate the device to Splunk Phantom. Users and Phantom admins therefore never need to exchange authentication codes, and the user does not need to be on a network that can reach Splunk Phantom directly, which lets you keep a tighter set of network rules between the device network and Phantom.


[Figure: AR Phantom message flow]

These are the steps that occur during a message exchange between the client device and Splunk Phantom:

  1. When the user makes a request, such as loading a list of playbooks, the client encrypts the message and signs it.
  2. The client routes the encrypted and signed message to Spacebridge.
  3. Spacebridge validates the message signature.
  4. Spacebridge routes the encrypted and signed message to Phantom.
  5. Phantom validates the signature and decrypts the message.
  6. Phantom processes the message and creates a response.
  7. Phantom encrypts and signs the response.
  8. Phantom sends the encrypted and signed response to Spacebridge.
  9. Spacebridge validates the response signature.
  10. Spacebridge routes the encrypted and signed response to the client.
  11. The client validates the response signature and decrypts the response.
  12. The client processes the response.
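The twelve steps above as a runnable model, added here as an example and not code from Splunk AR, Spacebridge or Phantom. Splunk does not document the primitives Spacebridge uses, so the choices below are assumptions: Ed25519 for the per-device signing keys that the relay learns at registration, AES-GCM under a session key that only the client and Phantom hold (how that key is agreed is outside this page, so the example generates one and hands it to both endpoints), and encrypt-then-sign so that the relay can verify a signature over the ciphertext without being able to decrypt it. The sender IDs, the request text and the response format are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Envelope is what crosses the relay: ciphertext plus a signature over that ciphertext. The relay can check Signature against a registered public key; it has no key that opens Ciphertext.
type Envelope struct {
	SenderID                     string
	Nonce, Ciphertext, Signature []byte
}

// signedBytes binds sender ID, nonce and ciphertext under one signature.
func (e *Envelope) signedBytes() []byte {
	return append(append([]byte(e.SenderID), e.Nonce...), e.Ciphertext...)
}

// Party is an endpoint (the mobile client or Phantom): its own Ed25519 signing key plus AES-GCM keyed with the session key that only the two endpoints share.
type Party struct {
	ID       string
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	aead     cipher.AEAD
}

// NewParty generates a fresh signing key pair and keys AES-GCM with the 32-byte sessionKey.
func NewParty(id string, sessionKey []byte) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(sessionKey) // only fails on a bad key length; callers pass 32 bytes
	g, _ := cipher.NewGCM(block)          // only fails on a non-16-byte block size; AES is 16
	return &Party{ID: id, SignPub: pub, signPriv: priv, aead: g}
}

// Seal encrypts first and then signs the ciphertext, so a relay can authenticate the envelope without reading it (steps 1 and 7).
func (p *Party) Seal(plaintext []byte) *Envelope {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	env := &Envelope{SenderID: p.ID, Nonce: nonce, Ciphertext: p.aead.Seal(nil, nonce, plaintext, []byte(p.ID))}
	env.Signature = ed25519.Sign(p.signPriv, env.signedBytes())
	return env
}

// Open verifies the sender's signature first, then decrypts (steps 5 and 11).
func (p *Party) Open(env *Envelope, sender ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(sender, env.signedBytes(), env.Signature) {
		return nil, fmt.Errorf("%s rejected envelope from %s: bad signature", p.ID, env.SenderID)
	}
	return p.aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.SenderID))
}

// Relay stands in for Spacebridge: the signing keys each device registered, and nothing that can decrypt.
// Forward validates the signature and passes the envelope on unchanged (steps 3-4 and 9-10).
type Relay map[string]ed25519.PublicKey

func (r Relay) Forward(env *Envelope) (*Envelope, error) {
	pub, ok := r[env.SenderID]
	if !ok || !ed25519.Verify(pub, env.signedBytes(), env.Signature) {
		return nil, fmt.Errorf("relay rejected envelope from %q: unknown sender or bad signature", env.SenderID)
	}
	return env, nil
}

// RunExchange runs one request and response through the relay, then shows the relay dropping the request envelope after a single ciphertext byte is altered in transit.
func RunExchange(request string) (response string, tamperRejected bool, err error) {
	session := make([]byte, 32) // constructed: stands in for the key the endpoints agree on at registration
	if _, err = rand.Read(session); err != nil {
		return "", false, err
	}
	client, phantom := NewParty("device-1", session), NewParty("phantom", session)
	relay := Relay{client.ID: client.SignPub, phantom.ID: phantom.SignPub} // public keys sent at registration
	env, err := relay.Forward(client.Seal([]byte(request))) // steps 1-4
	if err != nil {
		return "", false, err
	}
	req, err := phantom.Open(env, client.SignPub) // step 5
	if err != nil {
		return "", false, err
	}
	reply, err := relay.Forward(phantom.Seal(append([]byte("playbooks for "), req...))) // steps 6-10
	if err != nil {
		return "", false, err
	}
	out, err := client.Open(reply, phantom.SignPub) // step 11
	env.Ciphertext[0] ^= 0x01                      // one altered byte breaks the signature over the ciphertext
	_, tamperErr := relay.Forward(env)
	return string(out), tamperErr != nil, err
}

func main() {
	fmt.Println(RunExchange("list playbooks"))
}
```

Running it forwards both legs, Phantom answers, and the same request envelope with one ciphertext byte flipped is rejected by the relay before it reaches Phantom. The ordering is the point: because the signature covers the ciphertext, an intermediary that holds only public keys can authenticate traffic and drop anything tampered with or unregistered (steps 3 and 9), while only the two endpoints can decrypt (steps 5 and 11).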
Last modified on 09 October, 2020

This documentation applies to the following versions of Splunk® AR for iOS: 2.1.0, 2.2.0, 2.3.0, 2.4.1, 2.5.0

