Splunk SOAR (Phantom)

About The Integration

Intezer connector for Splunk SOAR enables security teams to automate the analysis, detection, and response of threats by integrating Intezer's technology into their Splunk workflows.

Utilizing Intezer Automated Triage in SOAR Workflows

Intezer's investigation data can enhance your workflows in the following ways:

• Enrichment: Intezer's assessment provides valuable information to enrich your existing tickets or cases, adding deeper context to the investigation and response process.
• Resolving False Positives: Intezer's assessment helps automatically resolve or de-prioritize tickets identified as false positives, reducing noise and allowing your team to focus on genuine threats.
• Escalation of Urgent Incidents: If Intezer determines an incident as high urgency (e.g., ransomware, potentially targeted), you can trigger immediate notifications to ensure prompt team alerting. Non-escalated alerts can be reviewed periodically.
• Remediation: Leverage Intezer's recommended remediation actions like blocking IOCs or resetting user credentials.

For more information, refer to the "Leveraging Intezer's Smart Decision Making in Your SOAR" article.

Supported Actions

• test_availability - Test connection to Intezer.
• detonate_file - Analyze a file from Splunk vault with Intezer.
• detonate_hash - Analyze a file hash (SHA1, SHA256, or MD5) with Intezer.
• get_file_report - Get a file analysis report based on an analysis ID or a file hash.
• detonate_url - Analyze a suspicious URL with Intezer.
• get_url_report - Get a URL analysis report based on a URL analysis ID.
• get_alert - Get an ingested alert triage and response information using alert ID.
• index_file - Index the file's genes into the organizational database.
• unset_index_file - Unset file's indexing.
• submit_raw_suspicious_email: Submit a raw suspicious email for analysis by Intezer.
• submit_new_alert: Submit a new alert to Intezer for analysis.

Install Intezer Splunk SOAR App

Early Access Version

• Contact support@intezer.com to get the app package.
• Import the app to Splunk SOAR

Generally Available Version

• Install the "Intezer" app from Splunkbase

Receive Intezer Alert Triage Results as Events to Splunk SOAR

Intezer can populate Splunk SOAR’s events with all relevant alert triage information so you can take action when Intezer triages a new alert in your environment. To set it up, follow the following steps:

1. Authorization Configuration:

Obtain the REST API authorization configuration, including the "ph-auth-token" and "server" details.

Send this information to support@intezer.com

2. Label Configuration:

In the Splunk SOAR admin menu, add label named "intezer_alerts". This label will be pivotal in automating playbook execution based on Intezer's container/artifacts events.

3. Playbook Automation Setup:

Configure your automation by linking it to the "intezer_alerts" label. This ensures that your playbook runs every time Intezer generates a container/artifacts event.

4. Access Alert Triage Result

In your playbooks, to retrieve the results of alert triage, utilize the "get_alert" action from Intezer.

Input the "container:source_data_identifier" from the Splunk SOAR event as the "alert_id" for this action.

Use the output of "get_alert" to gain insights into alert triage details. This information can be useful in the next playbook steps, like setting conditions based on "risk_category" (for instance, if it's "critical"), forwarding alert details to other platforms (like creating a ServiceNow ticket), or initiating specific responses (such as blocking IOCs).

5. Accessing Event Artifacts in Playbook

During playbook construction, pay special attention to each playbook block.

Adjust each playbook block's "scope" to "All artifacts" so that it includes all the detailed information from Intezer, such as URLs, files, IPs, and domains.