StreamAlert & Phantom – Part 1

I’m going to continue with the osquery & StreamAlert scenario found here.

I went ahead and created a StreamAlert output handler for Phantom: link

Phantom Configuration

The Phantom configuration is straightforward. A "REST Asset" needs to be created so that Phantom can consume the events StreamAlert sends.

1. Define the asset name, product vendor, and product name.

2. Define the host that will be making the API calls.

3. Define the label under which the StreamAlert alerts should appear. Think of these labels as a type of queue.

4. After you save the asset, you should be able to grab the auth token from the “Ingest Settings” tab.

StreamAlert Configuration


Within StreamAlert, you need to create your encrypted credentials the same way it was done for Slack. The temporary plaintext file should be formatted like:

https://<phantom_url>,YOUR-TOKEN-HERE

Make sure to name the file “phantom”.

aws kms encrypt \
--region us-east-1 \
--key-id alias/stream_alert_secrets \
--plaintext fileb://<tmp-credential-filepath> \
--query CiphertextBlob --output text | base64 -d > stream_alert_output/encrypted_credentials/phantom
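To show what the output handler has to do with that "url,token" line once KMS has decrypted it, here is an added Python sketch. It is not code from this post or from the linked handler: it parses the credentials line, refuses anything that is not https (the token travels in a request header), and then creates one Phantom container per alert with the alert record attached as an artifact. The `ph-auth-token` header and the `/rest/container` and `/rest/artifact` endpoints are what I believe the Phantom REST ingest API expects; the alert dictionary shape, the label name and the sample credentials are all constructed for the example. The HTTP call is injectable so the whole thing runs offline.

```python
import json
import re
import urllib.request
from urllib.parse import urlparse

# Constructed sample: the exact one-line format the post asks you to put in the
# temporary credentials file before encrypting it with KMS (host and token are fake).
SAMPLE_CREDENTIALS = "https://phantom.example.internal,0123456789abcdef0123456789abcdef\n"

# Constructed sample alert. The field names are an assumption for this example,
# not StreamAlert's actual alert schema.
SAMPLE_ALERT = {
    "id": "0a1b2c3d-constructed",
    "rule_name": "osquery_sample_rule",
    "rule_description": "constructed sample alert",
    "record": {"hostIdentifier": "host-01", "columns": {"name": "cron", "pid": "812"}},
}


def parse_phantom_credentials(blob):
    """Split the decrypted 'url,token' line and sanity-check both halves.

    Returns (url, token). Raises ValueError early instead of letting a bad
    file surface later as a confusing HTTP error from the handler.
    """
    line = blob.strip()
    if "," not in line:
        raise ValueError("credentials must be '<phantom_url>,<token>' on one line")
    url, token = (part.strip() for part in line.split(",", 1))
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        # The token is sent in a header on every call; never send it in clear.
        raise ValueError("phantom_url must be an https:// URL")
    if not re.fullmatch(r"[A-Za-z0-9+/=_-]{16,}", token):
        raise ValueError("token looks malformed")
    return url.rstrip("/"), token


def build_container(alert, label):
    """JSON body for POST /rest/container: one container per StreamAlert alert."""
    return {
        "name": alert["rule_name"],
        "label": label,
        "description": alert.get("rule_description", ""),
        "severity": "medium",
        # Lets Phantom recognise the same alert if StreamAlert re-sends it.
        "source_data_identifier": alert["id"],
    }


def build_artifact(alert, container_id, label):
    """JSON body for POST /rest/artifact: the raw record, attached to the container."""
    record = alert["record"]
    # Put the osquery host and columns into CEF-style fields; sourceHostName is a
    # standard CEF key, so the artifact stays searchable in Phantom.
    cef = {"sourceHostName": record.get("hostIdentifier", "")}
    cef.update(record.get("columns", {}))
    return {
        "container_id": container_id,
        "name": alert["rule_name"],
        "label": label,
        "cef": cef,
        "source_data_identifier": alert["id"],
    }


def _urllib_post(url, headers, payload):
    """Default transport: POST JSON and decode the JSON reply (network access)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def send_alert(creds_blob, alert, label="streamalert", post=None):
    """Create the container, then attach the alert as an artifact.

    `post(url, headers, payload) -> dict` does the HTTP call. It defaults to
    urllib, but a fake can be injected for offline runs and unit tests.
    Returns the container id Phantom reported.
    """
    url, token = parse_phantom_credentials(creds_blob)
    post = post or _urllib_post
    headers = {"ph-auth-token": token, "Content-Type": "application/json"}
    created = post(url + "/rest/container", headers, build_container(alert, label))
    container_id = created["id"]
    post(url + "/rest/artifact", headers, build_artifact(alert, container_id, label))
    return container_id


if __name__ == "__main__":
    # Offline demo: record the two requests instead of sending them.
    def dry_run(url, headers, payload):
        print(url, json.dumps(payload))
        return {"id": 1, "success": True}

    send_alert(SAMPLE_CREDENTIALS, SAMPLE_ALERT, post=dry_run)
```

The two-step container-then-artifact order matters: the artifact needs the `id` Phantom returns for the container, which is why the example reads it from the first response rather than guessing it.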

Also, you’ll need to set a rule output as “phantom”:

Now, we can trigger the alert and see the results!

Phantom Interface

1. Navigate to the "queue" (label) that was set up earlier.

2. You should see some alerts.

3. This is the "container" view. Within a container, you can have multiple artifacts.

4. This is the artifact (the StreamAlert alert) expanded.
