
Splunk

Splunk Inc. (NASDAQ: SPLK) provides the leading software platform for real-time Operational Intelligence. Splunk® software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. More than 8,400 enterprises, government agencies, universities and service providers in more than 100 countries use Splunk software to deepen business and customer understanding, mitigate cybersecurity risk, prevent fraud, improve service performance and reduce cost. Splunk products include Splunk® Enterprise, Splunk Cloud™, Hunk®, Splunk MINT Express™ and premium Splunk Apps.

Integration(s)

How Splunk Enterprise Integrates With ThreatConnect's Threat Intelligence Platform

ThreatConnect provides the ability to aggregate threat intelligence from multiple sources (i.e., open source, commercial, communities, and internally created), analyze and track identified adversary infrastructure and capabilities, and put that refined knowledge to work in Splunk, identifying threats targeting organizations.

The ThreatConnect App for Splunk lets Splunk users leverage customizable threat intelligence from their ThreatConnect accounts inside Splunk and trigger Playbooks directly from the Splunk interface. The App takes users' aggregated logs from Splunk and combines them with their threat intelligence in ThreatConnect. ThreatConnect provides context for indicators and enables teams to easily spot abnormal trends and patterns and act on them efficiently. Users can tie their data to Playbooks, ThreatConnect's orchestration capability, to automate nearly any cybersecurity task and respond to threats faster directly from Splunk, as well as send data to other systems such as Carbon Black, ServiceNow, Palo Alto, or Tenable.

How Splunk and ThreatConnect Work Together

Using Splunk for threat intelligence management, you can:

  • Automate the detection of advanced threats in your environment: Use ThreatConnect Query Language (TQL) to tailor the data you import into Splunk. Then, you can operationalize multi-source threat intelligence.
  • Reduce false positives to save time: Use timely, tailored, and accurate threat intelligence enriched and refined from several sources, such as our Collective Analytics Layer (CAL), to reduce false positives. Use intel from ThreatConnect communities against network data and logs in Splunk Enterprise.
  • Prioritize events and respond to threats as they happen: Be proactive about threats and sort each by rating and confidence scores, relationship to known threats, past incidents, adversary groups, and tags. Get an overview of all ThreatConnect matches by intelligence source and data model search from your dashboard.

How ThreatConnect Enhances Splunk

There are many reasons to bring threat intelligence feeds into Splunk. Some of the ways ThreatConnect enhances Splunk include:

  • Gives you the ability to apply tailored, relevant threat intelligence to your existing infrastructure
  • Allows you to centralize threat intelligence
  • Helps you develop process consistency
  • Allows you to scale your operations
  • Provides context to threat intelligence so your security team can detect abnormal patterns and trends and take immediate action
  • Allows you to easily mark false positives
  • Provides the option to enrich and take action on your intel automatically
  • Enables you to orchestrate security actions across your enterprise with Playbooks
  • Delivers alerts to block cyber threats and respond to incidents
  • Helps you correlate strategic and tactical threat intelligence with actionable machine-readable data from trusted communities
  • Provides built-in dashboards and reports to expedite time to value

The ThreatConnect App for Splunk allows you to integrate threat intelligence into Splunk directly from your ThreatConnect account. You can also trigger Playbooks directly from the Splunk interface. To find the app, search for either Splunk (Playbook) or Splunk (Custom Trigger) in the ThreatConnect App Catalog. You can also find the app in Splunkbase as ThreatConnect App for Splunk.

Contact Us Today to Learn More About Splunk Threat Intelligence

Using the ThreatConnect App for Splunk, you can apply relevant threat intelligence to your infrastructure, mark false positives, and take immediate and automatic action on your intel. Request a demo today to learn more.


Built By ThreatConnect
