Splunk SOAR Integration

Developed By: Mandiant
Latest Version: 1.0.0
Last Released: May 2023
Key Contact: Support
Download: Splunk SOAR Integration (md5: 9d519a219bce0b867b4a4326297c6d45)

Splunk SOAR provides security infrastructure orchestration, case management, playbook automation, and integrated threat intelligence. The solution can ingest security events from various sources, letting security teams track, analyze, and triage events, and use playbooks to automate responses from one interface.

Indicator of Compromise Lookup

The integration lets you look up details about an indicator of compromise, based on the value of the indicator. An indicator can be specified by URL, fully qualified domain name (FQDN), IP Address, or File Hash (MD5/SHA1/SHA256).
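Because the lookup is driven by the indicator's type, an analyst or playbook first has to decide whether a raw value is a URL, an FQDN, an IP address, or an MD5/SHA1/SHA256 hash. The following is an added example (not part of the integration's own code) that performs that classification for the indicator types listed above; the function names and the sample indicators are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hex digest lengths for the hash types the integration accepts.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname label rule (RFC 1123): alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_indicator(value: str) -> str:
    """Return 'hash:md5', 'hash:sha1', 'hash:sha256', 'ip', 'url', 'fqdn' or 'unknown'."""
    v = value.strip()
    if not v:
        return "unknown"
    # Hashes: a bare hex string whose length matches a known digest size.
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "hash:" + HASH_LENGTHS[len(v)]
    # IPv4 or IPv6 literal.
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    # URL: requires an http(s) scheme and a network location.
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    # FQDN: two or more valid labels and a top-level label that is not purely numeric.
    labels = v.rstrip(".").split(".")
    if (len(labels) >= 2
            and all(LABEL_RE.match(lab) for lab in labels)
            and not labels[-1].isdigit()):
        return "fqdn"
    return "unknown"


def triage(indicators):
    """Group a batch of raw indicators by the lookup type each should be sent to."""
    grouped = {}
    for raw in indicators:
        grouped.setdefault(classify_indicator(raw), []).append(raw.strip())
    return grouped
```

Values that land in the "unknown" bucket should be reviewed rather than submitted, since the integration only accepts the four indicator forms named above.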

Campaign Lookup

The integration lets you look up details about a campaign that has been associated with an Indicator of Compromise (IOC).

Threat Actor Lookup

When a threat actor is identified as part of the output of the integration, you can request further information about the threat actor from Mandiant Advantage Threat Intelligence (MATI).

Vulnerability/CVE Lookup

When a CVE ID or vulnerability is identified as part of the output from any command/integration, you can request further information about the vulnerability from MATI.

Malware Family Lookup

When a malware family is identified as part of the output of the integration, you can request further information about the malware family from MATI.

Report Lookup

When a report is referenced as part of the output of the integration, you can retrieve the report from MATI and display it within the Splunk SOAR console.

Reports List

You can query for reports within a specified date range and with additional Report Type filters, which can then be displayed within the Splunk SOAR console.

Overview

Splunk SOAR provides security infrastructure orchestration, case management, playbook automation, and integrated threat intelligence. 

This integration requires three steps:

  1. Generate credentials in the MATI platform for Splunk SOAR access using the API.
  2. Add the MATI Integration to your Splunk SOAR Configuration.
  3. Verify connectivity.

Prerequisites

  • A server with Splunk SOAR installed
  • Network connectivity to https://api.intelligence.mandiant.com over port 443 (HTTPS)
  • Network connectivity to your Splunk SOAR instance over port 443 (HTTPS)

This integration will work with any edition of Splunk SOAR, but limits and restrictions may apply to which features are available. Please see the Splunk SOAR Documentation for additional information on limits and restrictions.

Get API Key and Secret

To obtain a Service API Key (which is tied to an organization rather than an individual user) for use with third-party security technologies such as a SIEM, contact Support.

To obtain an API Key ID and Secret for an individual user account, perform the following:

  1. Navigate to the Mandiant Threat Intelligence web console.
  2. Click Account Settings.
  3. Select API Access and Keys from the navigation menu.
  4. Click Get Key ID and Secret.
  5. Copy and store the displayed values in a secure location.

Setup and installation

  1. Log into Splunk SOAR as an Administrator, go to the Apps page and click App Updates.
  2. Search for "Mandiant" and click Update for Mandiant Advantage Threat Intelligence.
  3. Upload the provided tar file from Step 1 and click Install.
  4. Search for "Mandiant" and click Configure New Asset.
    If Mandiant Advantage Threat Intelligence has not been previously configured, it may appear in Unconfigured Apps. If a previous configuration exists, it will appear in Configured Apps.
  5. Fill in an Asset Name, then navigate to the Asset Settings tab.
  6. Fill in your MATI API Key and Secret Key, then click Save.

Verify connectivity

  1. Navigate to the Asset Settings tab and click Test Connectivity.

Troubleshooting

If an error occurs, provide the following information to Support:

  • The text of the exception.
  • The JSON output of the command: click Download JSON to get the entire output as a file.
