February 22, 2016 • Matt Kodama
It’s no secret that many security teams who work with threat intelligence also use Splunk to analyze their security operations data.
As we’ve built up our Splunk integration for Recorded Future Cyber (our product for threat intelligence teams) I’ve heard the following reaction many times: “This is great context, and it will really help our SOC analysts. But as a SOC, we just don’t have time to use all of Recorded Future. Is there a version that gives me just what our SOC team needs?”
Now, the answer is yes!
Recorded Future for Splunk is that new product. The capabilities are rooted in our work with top threat intelligence teams, in a form factor streamlined for incident review and response.
How does it help?
Indicator-based correlation rules in Splunk help SOC (security operations center) teams detect incidents with speed and scale. Our IP address risk list identifies thousands of indicators, and gives you dozens of context features to target the indicators that matter most for your security. It’s not just an IP list with risk scores; we continually update and age out indicators with patented algorithms that mine risk evidence from more than 750,000 sources across the entire web, in social media, and from selected threat feeds.
Many SOC teams tell us they have too many indicators, but are starving for context. What does a hit on one of these threat feeds really mean? We deliver enrichment for the external IPs, DNS names, and hashes observed in any detected event. These on-demand intelligence summaries have full transparency with links back to original sources, helping analysts make faster and stronger incident verdicts.
We detect and alert on external threats reported on the open, deep, and dark web, to complement security controls on defended networks. These alerting rules target links to your company, IPs, and domains. Like enrichment summaries, these alerts detail the original sources and include cached content from key volatile sources.
We provide a Splunk app to drop these capabilities into your Splunk deployment. Enrichment dashboards show intel on-demand inside Splunk, while monitoring and correlation dashboards apply our threat intel to your events and infrastructure. Behind the pixels, it’s all built with commands that you can leverage with the full Splunk feature set.
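To make the correlation described above concrete, here is a small added example (not Recorded Future code and not the Splunk app's own command logic) that applies a risk list to firewall-style events: it keeps only indicators that are fresh enough and risky enough, then attaches the indicator's evidence to each matching event. The risk-list rows, field names, thresholds and log events are constructed for illustration.

```python
"""Indicator-based correlation with risk scores and age-out (illustrative).

Added example, not Recorded Future's implementation. Risk-list entries,
event records, field names and thresholds are constructed placeholders.
"""
from datetime import datetime, timedelta

# Constructed risk list: indicator -> risk score, last-seen date, evidence notes
RISK_LIST = {
    "203.0.113.45": {"risk": 89, "last_seen": "2016-02-20",
                     "evidence": ["reported as C2 server", "active scanner"]},
    "198.51.100.7": {"risk": 40, "last_seen": "2016-02-19",
                     "evidence": ["open proxy"]},
    "192.0.2.99":   {"risk": 95, "last_seen": "2015-11-01",
                     "evidence": ["phishing host"]},
}

# Constructed firewall-style events (external destination per event)
EVENTS = [
    {"time": "2016-02-22T10:00:00", "src": "10.0.0.5", "dest": "203.0.113.45"},
    {"time": "2016-02-22T10:01:00", "src": "10.0.0.8", "dest": "198.51.100.7"},
    {"time": "2016-02-22T10:02:00", "src": "10.0.0.9", "dest": "192.0.2.99"},
    {"time": "2016-02-22T10:03:00", "src": "10.0.0.5", "dest": "93.184.216.34"},
]


def active_indicators(risk_list, now, max_age_days=30, min_risk=65):
    """Return indicators that are both recent (not aged out) and above the risk floor."""
    cutoff = datetime.strptime(now, "%Y-%m-%d") - timedelta(days=max_age_days)
    return {
        ip: entry for ip, entry in risk_list.items()
        if datetime.strptime(entry["last_seen"], "%Y-%m-%d") >= cutoff
        and entry["risk"] >= min_risk
    }


def correlate(events, risk_list, now, max_age_days=30, min_risk=65):
    """Match event destinations against active indicators; attach score and evidence."""
    active = active_indicators(risk_list, now, max_age_days, min_risk)
    hits = []
    for event in events:
        indicator = active.get(event["dest"])
        if indicator:  # only alert on active, high-risk matches
            hits.append({**event, "risk": indicator["risk"],
                         "evidence": indicator["evidence"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS, RISK_LIST, now="2016-02-22"):
        print(hit)
```

With the defaults, the aged-out phishing host and the low-scoring proxy produce no alert; raising the age window or lowering the risk floor brings them back, which is the tuning trade-off an analyst makes when choosing which indicators matter.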
When analysts move from triage into investigation and response, the Recorded Future web application gives much more depth of information: evidence for risk rules, details from originating sources, pivots from the indicators you observe to related infrastructure, vulnerabilities, malware, and more. Alerts for externally detected threats also link back to Recorded Future for details on source reporting and access to cached content.
Take a closer look at Recorded Future for Splunk in the video below.
If you like what you see and you’re eager to get started, request a free trial today!