The new Phantom Cyber + SecurityTrails integration was written in Python by our friend Mickey Perre and lets you use the SecurityTrails ForensicAPI inside the Phantom Cyber security platform.
Phantom is an all-in-one security solution that allows you to automate security tasks and integrate security technologies, letting you analyze infosec events such as phishing attacks and hacking attempts, collaborate with your team, and generate security reports easily.
How can I use the new SecurityTrails + Phantom integration?
October 2019 update: the latest Phantom OVA versions already include the SecurityTrails addon by default, so there is no need to add the module manually anymore.
- Grab a free account at phantom.us
- Download the .ova image from the product area
- Open the .ova file with your favorite virtual machine manager (VMware, VirtualBox, etc).
- Once the Phantom OVA has been installed, open it from your browser; in our case the assigned IP was:
- On new installations, default admin is "admin", and password is "password".
Running the first test
Login to Phantom from your browser.
Once logged in, click Home and then Sources.
Then click Events and then My events.
Let's add a new event by clicking "+ Event".
We called our test "LookupDomain" and then pressed Save.
You will now see the new event listed. The assigned ID is "4". This is important: keep it, as you will need it in the next step.
Click on the drop-down menu and then "Playbooks", as you see below:
Create a new playbook by clicking "+ Playbook".
Then set a name for your new Playbook; we named ours "Lookup Playbook".
Drag out the line and select "Call an action", as shown below.
Search for SecurityTrails app on your left side and click on it.
Add only one action. We are selecting "lookup domain" for now.
Click "Configure all" and enter a test domain, in our case, it was google.com, and click Save.
Now click "Save" in the top right-hand corner and make sure "operates on" is set to "*" for now, as you see below:
Enter a comment and click "Save".
Now it's time to test it: click "Playbook Debugger".
Enter the event ID of the event we created above. Ours was "4".
As you can see, the Playbook Debugger ran the playbook against that event and confirmed that it finished successfully.
Checking the results
Now, it's time to check out the results from this domain lookup.
- Go to the main Phantom home page, and click on "My Events".
- Click on the name of your last Event
- At this point you should see the results inside the Widgets area, as you see in the following screenshot:
You can explore more options from the left side of the screen. Under "Recent Activity", click the last link at the bottom to expand the details of this test; in our case we had to click the last "lookup domain" link:
You will be taken to the "Lookup Domain" test, where you will see the full results of the Phantom query against our API.
In this case it was a domain lookup against google.com, so you will see the Domain, Status, DNS Record and Type fields and the IP results for both IPv4 and IPv6. You can also export the results to a JSON file.
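The visual editor steps above ("Call an action", "lookup domain", "Configure all") compile to a small Python playbook, and the widget fields listed above (Domain, Status, DNS Record, Type, IPv4/IPv6) come out of the action results that playbook receives. The following is an added example, not code from the SecurityTrails post or from the Phantom app: it shows the shape of such a playbook (on_start, a phantom.act call, a callback, on_finish) together with a pure summarize_lookup() helper that reduces the results to those fields and can run outside Phantom. The asset name "securitytrails", the action result layout (action_results -> data -> records with "type"/"value"), and the sample records are assumptions constructed for this example; check the data paths of the app in your own Phantom install.

```python
# Added example (not the SecurityTrails post's or the Phantom app's own code):
# the Python a Phantom playbook compiles to for the "lookup domain" flow,
# plus a result normalizer that also runs outside the Phantom runtime.
import json

try:
    import phantom.rules as phantom  # only importable inside the Phantom runtime
except ImportError:  # outside Phantom (e.g. in a unit test) act()/debug() are skipped
    phantom = None

ASSET_NAME = "securitytrails"   # assumed asset name; use the one configured in Phantom
TEST_DOMAIN = "google.com"      # the domain used in the walkthrough


def on_start(container):
    """Playbook entry point: queue the SecurityTrails 'lookup domain' action."""
    if phantom is None:
        return None
    phantom.act(
        "lookup domain",
        parameters=[{"domain": TEST_DOMAIN}],
        assets=[ASSET_NAME],
        callback=lookup_domain_cb,
        name="lookup_domain_1",
    )
    return None


def lookup_domain_cb(action, success, container, results, handle,
                     filtered_artifacts=None, filtered_results=None):
    """Called by Phantom when the action finishes; logs a compact summary."""
    summary = summarize_lookup(results)
    if phantom is not None:
        phantom.debug(json.dumps(summary))  # shows up in the Playbook Debugger output
    return summary


def summarize_lookup(results):
    """Reduce action results to the fields shown in the Lookup Domain widget.

    The layout of `results` (action_results -> data -> records) is a constructed
    assumption for this example, not the app's documented data paths.
    """
    summary = {"domain": None, "status": None, "ipv4": [], "ipv6": [], "records": []}
    for result in results:
        for action_result in result.get("action_results", []):
            summary["status"] = action_result.get("status", summary["status"])
            for data in action_result.get("data", []):
                summary["domain"] = data.get("domain", summary["domain"])
                for rec in data.get("records", []):
                    rtype, value = rec.get("type"), rec.get("value")
                    summary["records"].append({"type": rtype, "value": value})
                    if rtype == "A":
                        summary["ipv4"].append(value)
                    elif rtype == "AAAA":
                        summary["ipv6"].append(value)
    return summary


def on_finish(container, summary):
    """Playbook exit point; nothing to clean up in this example."""
    return None


# Constructed sample in the assumed result layout, standing in for what Phantom
# would hand to lookup_domain_cb after a google.com lookup (documentation
# addresses from RFC 5737 / RFC 3849, not real records).
SAMPLE_RESULTS = [{
    "action_results": [{
        "status": "success",
        "data": [{
            "domain": "google.com",
            "records": [
                {"type": "A", "value": "192.0.2.10"},
                {"type": "AAAA", "value": "2001:db8::10"},
                {"type": "MX", "value": "smtp.example.net"},
            ],
        }],
    }],
}]

if __name__ == "__main__":
    # The same JSON you would get from the widget's export, built offline.
    print(json.dumps(summarize_lookup(SAMPLE_RESULTS), indent=2))
```

Keeping the field extraction in a function that takes plain dictionaries means the playbook logic can be unit-tested without a Phantom instance, and the JSON it produces matches what an analyst would otherwise export from the widget by hand.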
This is just a quick example of what you can do with our Phantom integration. Go ahead and start playing with it; there are many more actions available, such as:
- domain category
- domain history
- domain searcher
- domain subdomain
- whois domain
- whois history
The SecurityTrails Phantom integration is here to make your life easier, letting you retrieve valuable intelligence about any domain name, IP address or DNS record.