About The Integration
Security teams receive a large volume of alerts from their endpoint protection solution and often lack the context to act on them: Does the alert indicate a real incident? What are the risk and the impact? How should they respond? An alert may concern a specific file, a hash, or the endpoint itself.
Using Intezer's code-reuse analysis, teams can gain additional, unique information about an alert, such as the malware family, the threat actor, and similarities to other known malware.
This information provides not just a malicious verdict but the context needed to accelerate and tailor incident response.
Integration Overview
This app provides three actions that can be used in Splunk SOAR (Phantom):
- File Reputation - Analyze a hash with Intezer Analyze
- Get Report - Get the analysis report by analysis ID
- Detonate file - Analyze a file with Intezer Analyze
File Reputation
Analyze a hash with Intezer Analyze
Input:
- File hash - SHA256, SHA1 or MD5 (e.g. "0a87cb36290d3aeb0f7a0702ced09e3b10bc41e260923fe7908db4d2b7fec287")
Output:
- File verdict - Indicates the verdict of the Intezer Analyze file analysis, which is based on code reuse and other artifacts. The verdict indicates whether a file is malicious, trusted, unknown or suspicious.
- Malware Family - Specifies the classification of the file based on the code reuse findings (e.g. WannaCry, Lazarus, Magic Hound, zlib)
Get Report
Get the analysis report by analysis ID
Input:
- Analysis ID (e.g. "8ebfdf27-399b-4f63-8346-cc4dbddb267b")
Output:
- File verdict - Indicates the verdict of the Intezer Analyze file analysis, which is based on code reuse and other artifacts. The verdict indicates whether a file is malicious, trusted, unknown or suspicious.
- Malware Family - Specifies the classification of the file based on the code reuse findings (e.g. WannaCry, Lazarus, Magic Hound, zlib)
Detonate File
Analyze a file with Intezer Analyze
Input:
- Suspicious File
Output:
- File verdict - Indicates the verdict of the Intezer Analyze file analysis, which is based on code reuse and other artifacts. The verdict indicates whether a file is malicious, trusted, unknown or suspicious.
- Malware Family - Specifies the classification of the file based on the code reuse findings (e.g. WannaCry, Lazarus, Magic Hound, zlib)
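The three actions above, chained the way a playbook would use them (look the hash up first, detonate the file only if Intezer has never seen it, then poll for the report and act on the verdict). This is an added example, not part of the original page and not the Intezer app's or Splunk SOAR's own code. It assumes the endpoints /get-access-token, /analyze-by-hash, /analyze and /analyses/<id>, the result_url, status, verdict and family_name field names, and that analyzing an unseen hash is rejected; all of these are modelled on the public Intezer Analyze API v2 and must be checked against the current API documentation before use. The HTTP transport is injected, and the FakeTransport class serves constructed responses so the demo runs offline; the verdict-to-severity mapping is our example playbook policy, not Intezer's.

```python
"""Added example (not the Intezer app's or Splunk SOAR's own code): the three
actions as REST calls plus a playbook decision on the result. Endpoint paths,
field names and "unseen hash is rejected" are assumptions modelled on the public
Intezer Analyze API v2; FakeTransport serves constructed responses, offline."""
import hashlib
import re
import time
import uuid

HASH_RE = {"md5": re.compile(r"^[0-9a-f]{32}$", re.I),       # the three hash types
           "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),      # File Reputation accepts
           "sha256": re.compile(r"^[0-9a-f]{64}$", re.I)}
# Verdict -> SOAR severity: an example playbook policy (ours, not Intezer's).
SEVERITY = {"malicious": "high", "suspicious": "medium", "unknown": "low", "trusted": "informational"}
SAMPLE_MALICIOUS = b"MZ-constructed-wannacry-sample"        # constructed sample bytes
SAMPLE_UNSEEN = b"constructed-bytes-intezer-never-saw"

def hash_type(value):
    """'md5', 'sha1' or 'sha256'; None for anything that is not a hash."""
    return next((k for k, rx in HASH_RE.items() if rx.match(value)), None)

def is_analysis_id(value):
    """Analysis IDs are UUIDs, e.g. 8ebfdf27-399b-4f63-8346-cc4dbddb267b."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def summarize(result):               # reduce a finished analysis to what the app surfaces
    verdict = result.get("verdict", "unknown")
    return {"verdict": verdict, "family": result.get("family_name"),
            "severity": SEVERITY.get(verdict, "low")}

class IntezerAnalyze:
    """Thin client; transport(method, path, payload) returns the decoded JSON body."""
    def __init__(self, api_key, transport):
        self.call = transport
        # Assumed: the account API key is exchanged for a short-lived bearer token.
        self.token = self.call("POST", "/get-access-token", {"api_key": api_key})["result"]

    def file_reputation(self, file_hash):
        if hash_type(file_hash) is None:
            raise ValueError("not an MD5/SHA1/SHA256 hash: %r" % file_hash)
        resp = self.call("POST", "/analyze-by-hash", {"hash": file_hash})
        return resp["result_url"].rsplit("/", 1)[-1]          # analysis ID

    def detonate_file(self, name, data):                      # real API: multipart upload
        return self.call("POST", "/analyze", {"file": (name, data)})["result_url"].rsplit("/", 1)[-1]

    def get_report(self, analysis_id, attempts=20, delay=0.0):
        if not is_analysis_id(analysis_id):
            raise ValueError("bad analysis ID: %r" % analysis_id)
        for _ in range(attempts):              # analyses complete asynchronously: poll
            resp = self.call("GET", "/analyses/" + analysis_id, None)
            if resp["status"] == "succeeded":
                return summarize(resp["result"])
            if resp["status"] == "failed":
                raise RuntimeError("analysis failed: " + analysis_id)
            time.sleep(delay)
        raise TimeoutError("analysis still running: " + analysis_id)

class FakeTransport:
    """Constructed stand-in for analyze.intezer.com: one indexed sample, async results."""
    def __init__(self):
        self.known = {hashlib.sha256(SAMPLE_MALICIOUS).hexdigest(): {"verdict": "malicious", "family_name": "WannaCry"}}
        self.pending = {}                      # analysis_id -> [polls until done, result]

    def _start(self, result, polls=2):
        aid = str(uuid.uuid4())
        self.pending[aid] = [polls, result]
        return {"result_url": "/analyses/" + aid}

    def __call__(self, method, path, payload):
        if path == "/get-access-token":
            return {"result": "constructed-jwt"}
        if path == "/analyze-by-hash":
            if payload["hash"] not in self.known:   # assumed: unseen hash is rejected
                raise LookupError("hash not found")
            return self._start(self.known[payload["hash"]])
        if path == "/analyze":
            digest = hashlib.sha256(payload["file"][1]).hexdigest()
            return self._start(self.known.setdefault(digest, {"verdict": "unknown", "family_name": None}))
        entry = self.pending[path.rsplit("/", 1)[-1]]   # GET /analyses/<id>
        entry[0] -= 1
        return {"status": "succeeded", "result": entry[1]} if entry[0] <= 0 else {"status": "in_progress"}

def triage(client, file_hash, name, data):
    """Playbook flow: cheap hash lookup first; detonate the file only if unseen."""
    try:
        analysis_id = client.file_reputation(file_hash)
    except LookupError:
        analysis_id = client.detonate_file(name, data)
    return client.get_report(analysis_id)

def demo():                           # both branches against the fake -> (seen, unseen)
    client = IntezerAnalyze("<api key>", FakeTransport())
    seen = triage(client, hashlib.sha256(SAMPLE_MALICIOUS).hexdigest(), "a.exe", SAMPLE_MALICIOUS)
    unseen = triage(client, hashlib.sha256(SAMPLE_UNSEEN).hexdigest(), "b.bin", SAMPLE_UNSEEN)
    return seen, unseen
```

Two points carry over to a real playbook: the hash and analysis ID are validated before any API call (a mistyped input should fail in the playbook, not as an HTTP error), and Get Report is polled rather than called once, because an analysis started by File Reputation or Detonate File finishes asynchronously; a "trusted" or "unknown" verdict is still a result the playbook should record, not an error.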
Using the Manual Integration
1. Click on the menu button -> Events
2. Click on the "ACTION" button
3. Choose the Intezer Analyze app and select the relevant action from the list
4. Enter the relevant input and click "SAVE"
Using the Playbook
Installation
1. Click on the menu button -> Apps
2. Click on "INSTALL APP"
3. Drag the .tgz file that you have downloaded
4. Click the "INSTALL" button
5. Intezer Analyze App is now in the Apps list
6. Click the "CONFIGURE NEW ASSET" button
7. In the Asset Info section, fill in the asset name
8. In the Asset Settings section, fill in the fields:
- "API key for submitting samples" - you can find your API Key here - https://analyze.intezer.com/account-details
- "Base URL for api request" - https://analyze.intezer.com/api/v2-0/
9. Click "SAVE" and then "TEST CONNECTIVITY"
10. Make sure that the connectivity test passes