All Apps and Add-ons

Mandiant Advantage

andy_splunk_2
New Member

We've just installed Mandiant Advantage App and I was hoping someone else here could provide some guidance on what to do after installation and configuration of api keys.

Labels (1)
Tags (1)
0 Karma

schimpy
New Member

Hello @andy_splunk_2 ,

Does the enabling produced a lot of notable events? I am a bit scared not to overwhelm our SOC...

0 Karma

andy_splunk_2
New Member

@schimpy , it does produce a lot an overwhelming amount of indicators and notable events.  I currently have a ticket in with support on how to best reduce those numbers by possible filtering out blocked or failed actions in the panel queries.

0 Karma

schimpy
New Member

Hello @andy_splunk_2 

I am having the same "issue" here.

I managed to set up ingestion of Mandiant-based IoC to defined index.

Although I set up correlation with my netflow data model (Setup > Config > Mandiant Advantage Correlation Settings), I have no signs it is working somehow.

Have you made any progress here?

Br, Simon

0 Karma

andy_splunk_2
New Member

HI, @schimpy 

We were able to see data after adding some data models.  For us it was a matter of waiting.  Try adding Web or Network Traffic data models to Mandiant Advantage Correlation Settings.  It took several hours for the data to start filling out in the panels. 

0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...