Re: Mandiant Advantage

andy_splunk_2 · ‎11-08-2021

We've just installed Mandiant Advantage App and I was hoping someone else here could provide some guidance on what to do after installation and configuration of api keys.

schimpy · ‎11-21-2021

Hello @andy_splunk_2 ,

Does the enabling produced a lot of notable events? I am a bit scared not to overwhelm our SOC...

andy_splunk_2 · ‎11-22-2021

@schimpy , it does produce a lot an overwhelming amount of indicators and notable events. I currently have a ticket in with support on how to best reduce those numbers by possible filtering out blocked or failed actions in the panel queries.

schimpy · ‎11-18-2021

Hello @andy_splunk_2

I am having the same "issue" here.

I managed to set up ingestion of Mandiant-based IoC to defined index.

Although I set up correlation with my netflow data model (Setup > Config > Mandiant Advantage Correlation Settings), I have no signs it is working somehow.

Have you made any progress here?

Br, Simon

andy_splunk_2 · ‎11-18-2021

HI, @schimpy

We were able to see data after adding some data models. For us it was a matter of waiting. Try adding Web or Network Traffic data models to Mandiant Advantage Correlation Settings. It took several hours for the data to start filling out in the panels.

Mandiant Advantage

configuration

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases