To get Splunk SOAR, you must do one of the following:

- Register and create a community account.
- Purchase an AWS Marketplace machine image.

Register and create a community account: Visit the community website to register and create an account. After your account is approved, you can download virtual machine images or other installation packages from the Product link. If you don't see the installation package you need, contact your sales or delivery team representative.

After you download the software, install it by following the appropriate set of instructions:

- Download the OVA image to install as a virtual machine.
- Download the offline RPM to install on a local server or managed cloud service.
- Download the unprivileged tarball to install in either of the following ways:
  - On a system with limited or no internet access. See Install on a system with limited internet access.

Purchase an AWS Marketplace machine image: Install for AWS from the AWS Marketplace in the security category. See Install using the Amazon Marketplace Image.

The Intezer connector for Splunk SOAR enables security teams to automate the analysis, detection, and response of threats by integrating Intezer's technology into their Splunk workflows.

Utilizing Intezer Automated Triage in SOAR Workflows

Intezer's investigation data can enhance your workflows in the following ways:

- Enrichment: Intezer's assessment provides valuable information to enrich your existing tickets or cases, adding deeper context to the investigation and response process.
- Resolving False Positives: Intezer's assessment helps automatically resolve or de-prioritize tickets identified as false positives, reducing noise and allowing your team to focus on genuine threats.
- Escalation of Urgent Incidents: If Intezer determines that an incident is high urgency (e.g., ransomware, potentially targeted), you can trigger immediate notifications so the team is alerted promptly. Non-escalated alerts can be reviewed periodically.
- Remediation: Leverage Intezer's recommended remediation actions, such as blocking IOCs or resetting user credentials.

For more information, refer to the "Leveraging Intezer's Smart Decision Making in Your SOAR" article.

Supported actions:

- test_availability - Test the connection to Intezer.
- detonate_file - Analyze a file from the Splunk vault with Intezer.
- detonate_hash - Analyze a file hash (SHA1, SHA256, or MD5) with Intezer.
- get_file_report - Get a file analysis report based on an analysis ID or a file hash.
- detonate_url - Analyze a suspicious URL with Intezer.
- get_url_report - Get a URL analysis report based on a URL analysis ID.
- get_alert - Get an ingested alert's triage and response information using its alert ID.
- index_file - Index the file's genes into the organizational database.
- unset_index_file - Unset the file's indexing.
- submit_raw_suspicious_email - Submit a raw suspicious email for analysis by Intezer.
- submit_new_alert - Submit a new alert to Intezer for analysis.

Install the "Intezer" app from Splunkbase.

Receive Intezer Alert Triage Results as Events to Splunk SOAR

Intezer can populate Splunk SOAR's events with all relevant alert triage information, so you can take action when Intezer triages a new alert in your environment. To set it up, follow these steps:

1. Obtain the REST API authorization configuration, including the "ph-auth-token" and "server" details. Send this information to Intezer. The ph-auth-token belongs to a Splunk SOAR automation user; treat it as a secret and give that user only the permissions needed to create containers and artifacts.
2. Label Configuration: In the Splunk SOAR admin menu, add a label named "intezer_alerts". Configure your automation by linking it to the "intezer_alerts" label. This label is pivotal in automating playbook execution based on Intezer's container/artifacts events: it ensures that your playbook runs every time Intezer generates a container/artifacts event.
3. In your playbooks, to retrieve the results of alert triage, use the "get_alert" action from Intezer.