Harness the Power of Cisco Talos Threat Intelligence Across Splunk Security Products
At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk Enterprise Security, Splunk SOAR, and Splunk Attack Analyzer. We know just how eager the community has been to see these integrations come to fruition, so we’re thrilled to share that as of today, all of the integrations are live for Splunk Security cloud customers!
Now, Splunk customers can directly leverage Cisco Talos’ invaluable threat intelligence through Cisco Talos Intelligence for Enterprise Security, the Cisco Talos Intelligence connector for Splunk SOAR, and as a globally enabled feature in Splunk Attack Analyzer — at no additional cost.
With these integrations, customers can power the SOC of the future with even more efficient threat detection, investigation, and response processes to swiftly identify and mitigate risks.
Lack of Context Hinders Effective Threat Detection, Investigation and Response
It’s been said time and again: SecOps teams face significant challenges in today’s threat landscape. They’re inundated with vast amounts of data they need to make sense of to even begin detecting threats, and then they need the ability to prioritize investigating the riskiest threats first.
A pervasive lack of context makes threat detection, investigation and response (TDIR) even more arduous. In fact, the SANS Institute’s 2023 SOC Survey found the lack of context related to security events to be the most “popular” obstacle to a SOC’s success. It’s hardly surprising: with an overwhelming number of alerts that analysts must take action on, it can be challenging to distinguish high-priority threats without the necessary context.
How can SOCs get that context? By integrating threat intelligence directly into their TDIR workflows. As the industry leader in security operations solutions, Splunk already provides a variety of features and capabilities to help security teams integrate threat intelligence as part of a unified approach to TDIR, such as:
- Threat Intelligence Management, which provides analysts with relevant and normalized intelligence in Splunk Enterprise Security to better understand threat context and accelerate time to triage
- Real-time visualizations in Splunk Attack Analyzer, which showcase a threat’s step-by-step actions along with associated intelligence and context, such as screenshots of relevant websites and files
- Splunk Intelligence Management for SOAR, which allows users to intake prepared and normalized intelligence from internal and external sources for faster triage and more streamlined playbooks
- Out-of-the-box security content that includes built-in threat research and insights from the Splunk Threat Research Team
Now, Splunk is taking integrated threat intelligence even further with Cisco Talos. By harnessing the power of Cisco Talos threat intelligence, Splunk customers can enhance their defenses against known and unknown threats to effectively tackle the ever-evolving threat landscape.
Cisco Talos Threat Intelligence Integrations for Splunk Security
Cisco Talos is one of the most trusted threat intelligence research teams and powers the Cisco platform with comprehensive, proven, and tested threat intelligence. The team’s unmatched visibility across the threat landscape includes:
- 800 billion security events observed daily
- ~2,000 new samples analyzed every minute
- 200 vulnerabilities discovered each year
Here’s how you can leverage Talos’ intelligence in Splunk Enterprise Security, Splunk SOAR, and Splunk Attack Analyzer.
Integration with Splunk Enterprise Security
Cisco Talos threat intelligence is now available to Splunk Enterprise Security customers through the new Cisco Talos Intelligence for Enterprise Security app.
The app enriches findings in Splunk Enterprise Security with intelligence from Talos to quickly provide further context about potential threats. Analysts simply run an Adaptive Response Action provided by the app, and it returns related intelligence from Talos, such as the threat level, category, description, and more.
The Adaptive Response Action can be configured to run automatically or on an ad-hoc basis, but either way, the intelligence is incorporated directly into the finding. This makes it easier for analysts to quickly and efficiently understand potential threats, so they can prioritize and respond to them accordingly.
Figure 1: Cisco Talos intelligence incorporated directly into a Splunk Enterprise Security finding.
Ready to get started? Current Splunk Enterprise Security (cloud) customers can download the Cisco Talos Intelligence for Enterprise Security app from Splunkbase here and find additional guidance on leveraging the app’s capabilities here.
Integration with Splunk SOAR
Talos threat intelligence is now available to Splunk SOAR customers through the new Cisco Talos Intelligence connector for Splunk SOAR.
Splunk’s connectors support the coordination of complex workflows across teams and tools by enabling Splunk SOAR to connect to another tool’s API and direct those tools to perform actions. Specifically, the Cisco Talos Intelligence connector initiates an investigative action that returns related intelligence from Talos, such as URL reputation, domain reputation, and IP reputation details.
This lets analysts automatically infuse Talos threat intelligence directly into incident response workflows, supporting faster response times. And because the connector is pre-installed for Splunk SOAR customers, analysts can start using this out-of-the-box enrichment right away, with no app to install or configure first.
Figure 2: URL reputation intelligence from Cisco Talos delivered within Splunk SOAR.
Ready to get started? The Cisco Talos Intelligence connector for Splunk SOAR is now pre-installed for all current Splunk SOAR (cloud) customers. Additional guidance on leveraging the connector’s capabilities is available here.
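The enrichment flow that both the Enterprise Security Adaptive Response Action and the SOAR connector perform, shown as an added illustration rather than code from Splunk or Cisco Talos: pull the indicators out of a finding, look each one up, attach the returned threat level and category to the finding, and roll the verdicts up into a priority the analyst can sort on. The reputation table, the threat level names, the internal address ranges and the findings are all constructed for this demo and stand in for a Talos lookup; nothing here calls the Splunk SOAR or Talos APIs.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed reputation table standing in for a Cisco Talos lookup. The level
# names are assumed for the demo; the values are made up and are not real verdicts.
REPUTATION = {
    "203.0.113.7": {"threat_level": "Untrusted", "category": "Malware Sites"},
    "evil-updates.example": {"threat_level": "Untrusted", "category": "Phishing"},
    "cdn.example.net": {"threat_level": "Favorable", "category": "Content Delivery Networks"},
}

# How individual verdicts roll up into one finding priority. An indicator the
# source has never seen is not treated as safe, so "Unknown" outranks "Neutral".
LEVEL_RANK = {"Untrusted": 4, "Questionable": 3, "Unknown": 2, "Neutral": 1,
              "Favorable": 0, "Internal": 0}
PRIORITY_BY_RANK = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "low"}

# Address space that must never be sent to an external reputation service.
# Assumed ranges for the demo; a real playbook would use the organisation's own.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def _is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def extract_indicators(text):
    """Return a set of (kind, value) for URLs, their hosts and bare IPv4s in text."""
    found = set()
    for url in URL_RE.findall(text):
        found.add(("url", url))
        host = urlparse(url).hostname
        if host:
            found.add(("ip", host) if _is_ip(host) else ("domain", host.lower()))
    for ip in IPV4_RE.findall(text):
        if _is_ip(ip):
            found.add(("ip", ip))
    return found


def lookup_reputation(kind, value):
    """Verdict for one indicator. Internal IPs are never looked up externally;
    URLs are scored by their host in this demo."""
    if kind == "ip" and _is_internal(value):
        return {"kind": kind, "indicator": value,
                "threat_level": "Internal", "category": "Internal address (not queried)"}
    key = urlparse(value).hostname if kind == "url" else value
    verdict = REPUTATION.get(key, {"threat_level": "Unknown", "category": "Uncategorized"})
    return {"kind": kind, "indicator": value, **verdict}


def enrich_finding(finding):
    """Attach per-indicator intel to a copy of the finding and set its priority
    from the worst verdict, recording which indicator drove it."""
    enriched = dict(finding)
    intel = [lookup_reputation(kind, value)
             for kind, value in sorted(extract_indicators(finding["description"]))]
    enriched["threat_intel"] = intel
    if intel:
        worst = max(intel, key=lambda i: LEVEL_RANK[i["threat_level"]])
        enriched["priority"] = PRIORITY_BY_RANK[LEVEL_RANK[worst["threat_level"]]]
        enriched["priority_driver"] = worst["indicator"]
    else:
        # Nothing to enrich: keep whatever priority the detection already assigned.
        enriched["priority"] = finding.get("priority", "unrated")
    return enriched


# Constructed findings, not real Splunk Enterprise Security output.
DEMO_FINDINGS = [
    {"id": "F-1", "description": "Outbound connection from 10.0.0.5 to "
     "http://evil-updates.example/payload.exe and 203.0.113.7; "
     "also fetched https://cdn.example.net/lib.js"},
    {"id": "F-2", "description": "Script fetched https://cdn.example.net/lib.js"},
    {"id": "F-3", "description": "Beacon to http://unknown-host.example/ping"},
    {"id": "F-4", "description": "Local account lockout on workstation", "priority": "low"},
]


def run_demo():
    """Enrich the demo findings and return them sorted riskiest first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unrated": 4}
    return sorted((enrich_finding(f) for f in DEMO_FINDINGS),
                  key=lambda f: order[f["priority"]])


if __name__ == "__main__":
    for f in run_demo():
        print(f["id"], f["priority"], f.get("priority_driver", "-"))
```

Two behaviours are worth preserving when the stand-in table is replaced by the real connector action: internal addresses are never sent out for lookup, and an indicator the source has not seen does not make a finding low priority, since a brand-new domain is exactly what an ephemeral campaign looks like.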
Integration with Splunk Attack Analyzer
Last but certainly not least is our integration with Splunk Attack Analyzer. We announced its availability in August, and in case you missed the news, here’s a quick overview.
The integration allows Splunk Attack Analyzer to enrich URLs discovered in the attack chain with reputation results from Talos. Each URL analyzed by Splunk Attack Analyzer receives a threat level and threat category from Talos.
This intelligence helps customers improve their threat detection efficacy by enabling Splunk Attack Analyzer to detect net new threats, especially ephemeral ones whose infrastructure may already have been taken down by the time the sample reaches Splunk Attack Analyzer, leaving dynamic analysis nothing to observe while the Talos reputation still flags the URL.
Figure 3: URL reputation results from Cisco Talos delivered within Splunk Attack Analyzer.
Ready to get started? These capabilities are globally enabled for all Splunk Attack Analyzer customers and don’t require any extra apps, connectors, or configuration. Check out this blog for additional details.
Fuel efficient TDIR with Cisco Talos + Splunk Security
With these integrations, Splunk customers are empowered with invaluable context from one of the most trusted threat intelligence teams in the world — at no additional cost — to help fuel even more efficient TDIR processes.
If you aren’t a Splunk customer yet but are interested in exploring how integrated threat intelligence can help your organization, reach out to us here.