Exploiting Threat Intelligence From the Web Using Recorded Future and Splunk

June 17, 2015 • Glenn

A day in the life of a security operations center (SOC) analyst typically involves monitoring dashboards and network traffic for suspicious-looking activity. Sifting through these mountains of data, an analyst has to determine the true indicators of threat, when to escalate red flags, and recommend actions when a compromise seems imminent. All of this can’t be accomplished without some aspect of research that provides context to the found data and ties it all together.

While there’s been heightened interest in threat intelligence to help analysts separate the wheat from the chaff, such intelligence is often limited to threat feeds and fails to provide context to the observed data. With Recorded Future’s Web Intelligence Engine, over 140 entity types (including IP addresses, hashes, and domains) are categorized and tagged to form comprehensive maps, enriching standalone log data, alerting on potential issues, and turning data into immediately actionable intelligence.

Example of Threat Intelligence From the Web

Above: Example of threat intelligence from the Web that goes beyond a simple “threat feed.” In addition to indicators of compromise (IOCs, in this case, IP addresses: 94.242.255.60 and 94.242.255.53), note the inclusion of different sources, Twitter authors, associated malware, dates, and source location.

The Technology Add-on for Recorded Future enhances data in Splunk so analysts can easily find and prioritize IOCs, actors, and emerging threats found on the open Web across hundreds of thousands of sources.

During a live webinar, Recorded Future demonstrated how Splunk data can be enriched and correlated, allowing analysts to uncover real-world details on the who, what, when, and why of IOCs. The Recorded Future IP Enrichment dashboard in Splunk, shown below, provides open source intelligence (OSINT) context that will be invaluable during the research phase.

Recorded Future IP Enrichment Dashboard for Splunk

Above: Screenshot from Recorded Future’s IP Enrichment dashboard for Splunk, showing summaries of OSINT content for a given IOC across a variety of sources, including information security blogs, social media, and paste sites.

The integration add-on also allows analysts to set up automatic alerts on critical information found on the open Web that may be of interest, such as company-specific IP addresses or hashes.
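To make the enrich-then-alert flow concrete, here is an added Python illustration; it is not the Technology Add-on's code nor a Recorded Future API, and the field names, risk scores and log lines are assumptions. It joins constructed Splunk-style key=value events against a constructed intel table keyed on the two IP IOCs the post names, the way a lookup join would inside a search, and raises an alert when a matched address carries a risk score at or above a threshold.

```python
import re
from typing import Dict, List

# Constructed threat-intel lookup keyed by IP. The two addresses are the IOCs
# the post names; the context values (risk, source count, date, tag) are
# made up for this illustration and are not Recorded Future data.
INTEL: Dict[str, dict] = {
    "94.242.255.60": {"risk": 89, "sources": 12, "last_seen": "2015-06-15", "tag": "constructed-c2"},
    "94.242.255.53": {"risk": 64, "sources": 3, "last_seen": "2015-05-30", "tag": "constructed-scanner"},
}

# Constructed Splunk-style key=value events (not real traffic; 198.51.100.7 is TEST-NET-2).
LOGS = [
    "2015-06-17T10:01:02Z action=allowed src=10.0.0.15 dest=94.242.255.60 dest_port=443",
    "2015-06-17T10:01:05Z action=allowed src=10.0.0.22 dest=198.51.100.7 dest_port=80",
    "2015-06-17T10:02:11Z action=blocked src=94.242.255.53 dest=10.0.0.5 dest_port=22",
]

KV = re.compile(r"(\w+)=(\S+)")
IP_FIELDS = ("src", "dest")  # the fields a lookup would be applied to

def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict; the leading timestamp becomes '_time'."""
    ts, _, rest = line.partition(" ")
    event = {"_time": ts}
    event.update(KV.findall(rest))
    return event

def enrich(event: dict, intel: Dict[str, dict]) -> dict:
    """Attach intel context to every IP field with a hit, mirroring a lookup join."""
    out = dict(event)
    for field in IP_FIELDS:
        hit = intel.get(event.get(field, ""))
        if hit:
            for key, value in hit.items():
                out[f"{field}_rf_{key}"] = value
    return out

def alert_on(lines: List[str], intel: Dict[str, dict], min_risk: int = 70) -> List[dict]:
    """Return enriched events whose matched IP carries a risk score at or above min_risk."""
    alerts = []
    for line in lines:
        ev = enrich(parse_event(line), intel)
        risks = [ev[k] for k in ev if k.endswith("_rf_risk")]
        if risks and max(risks) >= min_risk:
            alerts.append(ev)
    return alerts

if __name__ == "__main__":
    for a in alert_on(LOGS, INTEL):
        print(a["_time"], a["dest"], a.get("dest_rf_risk"), a.get("dest_rf_tag"))
```

Lowering `min_risk` surfaces the lower-scored second IOC as well, which is the tuning knob an analyst would use to trade alert volume against coverage.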

With this single pane of glass, suspicious anomalies in your log data become tactical intelligence, increasing the effectiveness of your operations data and proactively protecting your company from unknown threats.

Request a demo to learn more about our Splunk integration and how this capability can turn your SIEM data into actionable threat intelligence!
