Manage your organization's credentials with a password vault
Use credential vaults to centrally manage and monitor credential usage in your organization. Splunk Phantom supports the following password vaults:
- Hashicorp Vault
- CyberArk Enterprise Password Vault
- Thycotic Secret Server
As an administrator, you can configure Splunk Phantom to retrieve credentials from these vaults and use them in assets or use them as a client to other identity providers such as LDAP and OpenID.
Use Hashicorp Vault with Splunk Phantom
To use Hashicorp Vault with Splunk Phantom, perform the following steps:
- From the main menu, select Administration.
- Select Administration Settings > Password Vault.
- Get the URL and Token from your Hashicorp administrator.
- Select the Verify server certificate checkbox to verify that the HTTPS certificate is trusted. If the certificate is not trusted by default, see Manage the Splunk Phantom certificate store for information about adding your own trusted certificate.
- Click Save Changes.
Once you have Hashicorp access configured, you need to know the paths and names of the secrets you want to use from the Hashicorp Vault. You can use Hashicorp to supply credentials under OpenID and LDAP authentication configuration and with assets.
Use Hashicorp to provide credentials during authentication configuration
You can use Hashicorp to automatically supply credentials under OpenID and LDAP authentication configuration.
- From the main menu, select User Management.
- Select Authentication.
- Select an identity provider such as LDAP.
- Toggle the LDAP switch to enable LDAP authentication.
- Check the Manage password using Hashicorp Vault check box.
- Provide the value and key you want to retrieve from the vault.
- (Optional) Click Test Authentication to verify authentication.
- Click Save Changes.
Use Hashicorp to provide credentials with assets
You can use Hashicorp to automatically supply credentials when working with assets.
- From the main menu, select Apps.
- In the list of apps, find one to configure such as the Palo Alto Networks Firewall and click Configure New Asset.
- Open the Asset Settings tab for that asset.
- Click Advanced to expand the advanced configuration section.
- In the Credential Management section, select the fields you want to get from Hashicorp Vault, and the path and key to use. For example, you can specify /secret/autofocus in the Path field and apikey in the Key field to retrieve an API key used to authenticate to the AutoFocus service.
- Click Save.
Use CyberArk with Splunk Phantom
Integrate Splunk Phantom with CyberArk's Vault feature to retrieve passwords or other fields for assets. This allows you to utilize CyberArk account management features to change passwords on managed products and services without having to manually update Splunk Phantom assets after a password change.
For security purposes, utilizing CyberArk can greatly simplify password management but may not significantly change the security stance of the Splunk Phantom server. Splunk Phantom would no longer be the primary store for CyberArk-managed account passwords, but still has the ability to retrieve the same passwords from CyberArk in order to authenticate itself to other resources. Therefore, someone with administrative control over the Splunk Phantom server can gain access to those passwords.
Installing CyberArk on the Splunk Phantom server must be performed by a CyberArk administrator following the CyberArk documentation. Splunk Phantom was tested with the CARKaim-9.70.0.3.x86_64.rpm
CyberArk installer package.
Perform the following tasks to use CyberArk with Splunk Phantom:
- From the main menu, select Administration.
- Select Administration Settings > Password Vault.
- Select Cyberark from the drop-down list in the Manager field. The CyberArk option in the drop-down list is inactive until the CyberArk components are installed. Splunk Phantom determines the presence of CyberArk in your environment by looking for the
/opt/CARKaim
directory. - Click Save Changes.
After the CyberArk options become visible, check the Enable credential management at startup check box to have the watchdogd
daemon start CyberArk when Splunk Phantom is started. This is useful if you have disabled the system from starting CyberArk by removing the startup file from /etc/init.d
.
To require a Splunk Phantom administrator to log in to perform an action in Splunk Phantom before CyberArk is available after a system restart, uncheck Enable credential management at startup and click Save Changes. In this situation, an administrator is someone who has the specific Administrator role. Click Authorize to require the logged-in administrative user to supply their own password to re-authenticate themselves, and then the credential management service will be started.
To use CyberArk to automatically supply credentials under authentication configuration, perform the following steps:
- From the main menu, select User Management.
- Select Authentication.
- Select an identity provider such as LDAP.
- Toggle the LDAP switch to enable LDAP authentication.
- Check the Manage password using CyberArk check box.
- Fill in the CyberArk Safe, Safe Path, and Object Name fields the same way you do for an Asset to select the CyberArk object that CyberArk is going to use to get the password field value.
- Click Save Changes.
Use Thycotic Secret Server with Splunk Phantom
Splunk Phantom can use Thycotic's API to access secrets managed by Secret Server. Usernames and passwords can be stored in Thycotic Secret Server for both users and assets which require a login to use.
In order for Splunk Phantom to use secrets managed by Thycotic Secret Server you must provide:
- The URL to your organization's Thycotic Secret Server. Depending on your organization's DNS configuration, you may need to include the port number.
https://<your.organization's.secret.server>:<port number>
- The username and password of the account which will retrieve secrets using the API.
- Optional: The Organization ID set in Secret Server for use in the Thycotic Secret Server API.
These values are used to make an oauth2 token for Thycotic Secret Server. Once authenticated, Splunk Phantom uses the SearchSecretsByFolder
API to access the managed secrets.
Set the login secret in Thycotic Secret Server
You will need to set up the login information in Secret Server before it can be used to access Splunk Phantom. For more information on Thycotic Secret Server, see the documentation on the Thycotic website.
- Create the required folders.
- Use the Create Secret widget, selecting the template as Password.
- Enter the required items in the mandatory fields of secret and Password.
Set the Thycotic Secret Server settings in Splunk Phantom
Add the required information to create the oauth2 token for Thycotic Secret Server in Splunk Phantom's administration settings. This token is for connecting to Thycotic Secret Server.
- From the Main Menu, select Administration.
- Select Administration Settings > Password Vault.
- Select Thycotic Secret Server from the drop-down list in the Manager field.
- Set the URL for your Thycotic Secret Server instance.
- Specify the username and password Splunk Phantom will use to access secrets.
- Optional: Set the organization id.
- Click Save Changes.
Add the authentication settings in User Management. These will be the actual secrets for each user or asset. Only LDAP authentication is supported.
- From the Main Menu, select Administration.
- Select User Management > Authentication.
- Select the LDAP tab.
- Set LDAP to ON.
- Add the information for your LDAP provider, server, domain, usernames, and passwords.
- Check Manage password using Thycotic Secret Server.
- Add the Folder, Key, and Thycotic FieldName that store the Splunk Phantom user credentials.
- Test your LDAP integration by clicking Test Authentication.
The values for Key and Thycotic FieldName cannot include spaces.
For more information about configuring LDAP see Configure single sign-on authentication for Splunk Phantom.
If you have assets which require the user to log in and those credentials are managed by Thycotic Secret Server, then you need to set credential management in the asset's configuration, in Apps > <Asset Name> > Asset Settings > Advanced.
Configure Google Maps for visual geolocation data | Set environment variables globally for all apps |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9
Feedback submitted, thanks!