Case Study: CyberCX Strengthens Security Portfolio by Leveraging SPL2 for Threat Hunting

With the recent announcement of Splunk’s public beta of SPL2 in Splunk Enterprise, app developers, including partners, in-house app developers, citizen developers and more, are empowered to build supercharged Splunk applications, addressing security and observability challenges in efficient and novel ways. We’re happy to share that we’ve partnered with CyberCX to highlight how one of our Splunk partners strengthens their security posture monitoring solutions, with the development of CyberCX’s Intel Hunt for Splunk application using SPL2!

Why CyberCX Built a Threat Hunting App Using SPL2

CyberCX recently completed a private beta program leveraging the SPL2 language in Splunk Enterprise, and came away with an application that they say will place an SPL2 lens over the mission of Security Operations.

As a leading Splunk Managed Security Service Provider (MSSP), CyberCX is a trusted partner to private and public sector organizations, helping customers confidently manage cyber risk, respond to incidents and build resilience in an increasingly complex and challenging threat environment. As a result, CyberCX is constantly adapting to new threat vectors while providing seamless security posture monitoring experiences for its clients. This requires advanced capabilities in threat identification, triaging, and remediation.

“We push the Splunk platform hard,” says CyberCX’s Managed Security Services (MSS) Capability team. “The cybersecurity threats we face are evolving rapidly in today’s day and age.”

CyberCX’s MSS Capability team’s primary function is to ensure the currency and efficiency of all of the security platforms used by the 120 dedicated security analysts employed by CyberCX. “Speed, coverage and efficacy is the holy trinity when it comes to much of what we do,” says the team. “SPL2 allows us to develop more content faster, without introducing unexpected load on the system, so when Splunk approached us to become one of the first partners to build a Splunk application with SPL2’s advanced capabilities, we were immediately interested.”

How CyberCX’s 'Intel Hunt for Splunk' SPL2 App Works

After familiarizing themselves with the new capabilities offered by SPL2, the CyberCX team rapidly built their first SPL2 application in days, specifically designed for intelligence-led threat hunting. The CyberCX Intel Hunt for Splunk app receives data from CyberCX's own Threat Intelligence team and allows analysts to "1 click" generate dynamically-built searches that include all of the indicators from a particular campaign of focus, all driven from the Splunk Search UI and all built with SPL2.

CyberCX’s Intel Hunt for Splunk App hunt-generating dashboard, built entirely in SPL2

To power this, the CyberCX team leveraged differentiating capabilities of the SPL2 language, shipping multiple SPL2 module files in the application. The CyberCX team authored these SPL2 modules using the Splunk Extension for Visual Studio Code, now enhanced to support an SPL2 module editor. These modules included:

“SPL2 is groundbreaking not just for Splunk, but also for the security space as a whole,” added the MSS Capability team. “The syntax is extremely flexible, but more importantly, the programming concepts go far beyond what a standard query language can do. The new JSON functions are surprisingly powerful, which is important given the increasing prevalence of JSON data in the security space. SPL2 gives us exactly what we were hoping for.”

What’s the Verdict?

So, what does this all mean for CyberCX & SPL2?

“SPL2 is a game changer,” says the CyberCX MSS Capability team. “CyberCX constantly seeks to innovate to build more advanced and intuitive applications that help our customers strengthen their security posture. The new CyberCX Intel Hunt for Splunk, built entirely using SPL2, is a breakthrough that makes identifying threats in near-real-time extremely simple for security professionals.”

“We’re looking forward to seeing Splunk continue to build out the future of search & data preparation with SPL2, in order to build the foundations of next-generation analysis to help partners like CyberCX maintain a competitive advantage.”

Get Started Now!

SPL2 is now available in public beta in Splunk Enterprise 9.4.0 and Splunk Cloud 9.3.2408! Learn more:
