Workflow Automation Security
Mobile devices securely communicate with Phantom instances through Spacebridge and Splunk Cloud Gateway. After an admin configures Phantom in Splunk Cloud Gateway, users can authenticate their devices. After device authentication, devices communicate with Phantom through Spacebridge.
To learn more about Spacebridge, see About the Splunk Cloud Gateway security process.
Workflow Automation Device Authentication
Spacebridge is an end-to-end encrypted intermediary component between the mobile device, your Splunk instance, and Phantom. By using Spacebridge and Splunk Cloud Gateway, mobile devices never directly connect to your Phantom instance.
Because your Splunk instance communicates with Phantom over HTTP, your Splunk instance and Phantom must be on the same network or VPC; otherwise, you must allow traffic between your Splunk instance and Phantom in your network security group settings.
Here's how mobile devices authenticate to Splunk Phantom:
- An admin configures Splunk Phantom in Splunk Cloud Gateway to enable Workflow Automation. See Enable Workflow Automation.
- The device gets an authentication code from Spacebridge.
- The device sends its public keys and device ID to Spacebridge.
- The user enters their Splunk Phantom credentials in the Splunk AR mobile app.
- The client device makes a device registration request to Splunk Cloud Gateway through Spacebridge.
- Spacebridge propagates the authentication request to Splunk Cloud Gateway.
- Splunk Cloud Gateway validates the Splunk Phantom configuration.
- Splunk Cloud Gateway makes a registration request on behalf of the client device to Splunk Phantom using the device authentication code.
- Splunk Phantom sends a confirmation code to Splunk Cloud Gateway.
- Splunk Cloud Gateway confirms registration using the confirmation code and Splunk Phantom credentials.
- Splunk Phantom sends its client ID to Splunk Cloud Gateway.
- Splunk Cloud Gateway sends the Splunk Phantom client ID to Spacebridge.
- Spacebridge sends the Splunk Phantom client ID to the device. This completes authentication.
Workflow Automation Message Exchange
Mobile devices communicate with Splunk Phantom through Spacebridge, the same way Splunk AR users register with a Splunk instance. Splunk AR users must authenticate to a Splunk instance during initial device registration, and Workflow Automation reuses this existing connection to authenticate the device to Splunk Phantom. Because the existing connection is reused, users and Phantom admins don't need to exchange authentication codes, and the user doesn't need to be on a network that can reach Splunk Phantom directly, which lets you keep a tighter set of networking rules.
These are the steps that occur during a message exchange between the client device and Splunk Phantom:
- When the user makes a message request, such as loading a list of playbooks, the client encrypts and signs the message.
- The client routes the encrypted and signed message to Spacebridge.
- Spacebridge validates the message signature.
- Spacebridge routes the encrypted and signed message to Phantom.
- Phantom validates the signature and decrypts the message.
- Phantom processes the message and creates a response.
- Phantom signs and encrypts the response.
- Phantom sends the encrypted and signed response to Spacebridge.
- Spacebridge validates the response signature.
- Spacebridge routes the encrypted and signed response to the client.
- The client validates the response signature and decrypts the response.
- The client processes the response.
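The exchange above has one property worth seeing in code: Spacebridge validates signatures at each hop but never decrypts, so it can drop forged or tampered traffic while the plaintext stays end-to-end between the client and Phantom. The following Go program is an added example written for this page; it is not Splunk, Spacebridge or Phantom code and makes no claim about their wire formats. It assumes Ed25519 signing keys (the public halves stand in for the "public keys" a device sends to Spacebridge during registration), an encrypt-then-sign envelope so the relay can verify without a decryption key, and, because the page does not say how the end-to-end key is established, a single pre-shared AES-256-GCM session key held by both endpoints. The `Envelope`, `Party`, `Relay` and `Leg` names and the device and session IDs are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is this example's constructed wire format: ciphertext plus a detached
// Ed25519 signature over it, so a relay can verify without reading the plaintext.
type Envelope struct {
	SenderID                     string
	Nonce, Ciphertext, Signature []byte
}

// signedBytes binds sender ID, nonce and ciphertext under one signature.
func (e Envelope) signedBytes() []byte {
	return append(append([]byte(e.SenderID), e.Nonce...), e.Ciphertext...)
}

// Party is an endpoint (client device or Phantom). Assumption: both endpoints hold
// the same 32-byte AES-256-GCM session key; the page does not say how that key is agreed.
type Party struct {
	ID      string
	Verify  ed25519.PublicKey // the public half a device registers; the relay sees only this
	signKey ed25519.PrivateKey
	session cipher.AEAD
}

func NewParty(id string, sessionKey []byte) (*Party, error) {
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Party{ID: id, Verify: vk, signKey: sk, session: gcm}, err
}

// Seal encrypts, then signs the ciphertext (encrypt-then-sign); that ordering is
// what lets an intermediary verify the sender without holding the session key.
func (p *Party) Seal(plaintext []byte) (Envelope, error) {
	nonce := make([]byte, p.session.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The sender ID is bound into the ciphertext as associated data.
	env := Envelope{SenderID: p.ID, Nonce: nonce, Ciphertext: p.session.Seal(nil, nonce, plaintext, []byte(p.ID))}
	env.Signature = ed25519.Sign(p.signKey, env.signedBytes())
	return env, nil
}

// Open verifies the expected peer's signature first and only then decrypts.
func (p *Party) Open(peerID string, peerVerify ed25519.PublicKey, env Envelope) ([]byte, error) {
	if env.SenderID != peerID || !ed25519.Verify(peerVerify, env.signedBytes(), env.Signature) {
		return nil, errors.New("endpoint: wrong sender or bad signature")
	}
	return p.session.Open(nil, env.Nonce, env.Ciphertext, []byte(env.SenderID))
}

// Relay stands in for Spacebridge: it holds registered verify keys only (no
// session key) and forwards an envelope only if the sender's signature checks out.
type Relay map[string]ed25519.PublicKey

func (r Relay) Forward(env Envelope) (Envelope, error) {
	k, ok := r[env.SenderID]
	if !ok || !ed25519.Verify(k, env.signedBytes(), env.Signature) {
		return Envelope{}, errors.New("relay: unregistered sender or bad signature, dropped")
	}
	return env, nil
}

// Leg carries one message from -> relay -> to and returns the plaintext `to` reads;
// a request and its response are two legs in opposite directions.
func Leg(from, to *Party, relay Relay, plaintext []byte) ([]byte, error) {
	env, err := from.Seal(plaintext)
	if err != nil {
		return nil, err
	}
	if env, err = relay.Forward(env); err != nil {
		return nil, err
	}
	return to.Open(from.ID, from.Verify, env)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key only
	client, _ := NewParty("device-01", key)           // constructed IDs, not Splunk identifiers
	phantom, _ := NewParty("phantom", key)
	relay := Relay{client.ID: client.Verify, phantom.ID: phantom.Verify} // the registration step
	req, err := Leg(client, phantom, relay, []byte("list playbooks"))   // request leg
	resp, _ := Leg(phantom, client, relay, []byte("triage, enrich"))    // response leg
	fmt.Println(string(req), string(resp), err)
}
```

The page lists "encrypts and signs" for the request and "signs and encrypts" for the response without specifying an order; the example uses encrypt-then-sign on both legs because that is the only ordering under which a relay without the session key can validate the signature, as steps 3 and 9 above require. Flipping one byte of `Ciphertext` or sending from an unregistered ID makes `Relay.Forward` return an error and drop the message before it reaches the other endpoint.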
This documentation applies to the following versions of Splunk® AR for iOS: 2.1.0, 2.2.0, 2.3.0, 2.4.1, 2.5.0