Splunk and DTEX Systems Leverage Human Telemetry and Zero Trust to Mitigate Insider Risks and Account Compromise

What was once the thing of spy movies and industrial espionage news headlines is now, sadly, a common occurrence for public organizations and private enterprises around the globe. Insiders… employees, consultants, partners… have emerged as one of the most immediate and serious threats facing IT and cyber security teams and practitioners today.  

It is not however because every insider has turned malicious. To the contrary, employees are more in-tune with cyber security, privacy and information protection than ever before. The vast majority understand their role in protecting their organizations information and why it is important to their employer and for themselves to be vigilant and take an active role as a ‘human firewall.’

Unfortunately, what were positive gains has seen a regression in the last 18 months due in large part to the sudden shift to remote work, anxiety about job security and furloughs, and, more recently, a massive trend in career professionals proactively changing jobs in what has become an incredibly ‘hot’ job market termed the ‘Great Resignation’ Migration.  

The decentralization of the modern enterprise — and the digital empowerment of the insider — have since expanded the attack surface, compounding the need for a zero trust strategy. As such it is important to adopt the premise that an attacker is already in your environment and may be a trusted insider. The way in which we need to approach security has changed dramatically and the actions and intent of the human must take center stage.

Splunk and DTEX Systems have partnered to offer an integrated solution that captures, analyzes and streams a single, noise-free endpoint data signal. This telemetry describes genuine user intent and delivers the contextual human activity intelligence and endpoint meta-data as ‘Indicators of Intent’ ignored by 'several' or 'many' NGAV, UEBA and DLP tools. 



Splunk Enterprise Security (ES) takes DTEX InTERCEPT’s ‘Indicators of Intent’ and provides customers with forensic intelligence that answers the questions of who, what, when, where and for how long an insider interacts with data, applications, machines and other users. This real-time, user behavior lineage highlights deviations from baseline activity to identify emerging insider threats, compromised account events or data loss scenarios.

Early adopter customers are advancing three use-case scenarios and realizing immediate time to value including:

  • Visibility and collection of hundreds of unique meta-data elements and user activities transformed into Splunk CIM format (no contextual losses) for a noise-free endpoint data signal. 
  • Accelerated response times and root cause analysis within the Splunk ES console using real-time, detailed inside risk analytics and risk-based notifications. 
  • Notable event enrichment with human-behavioral intent telemetry to support faster, more automated remediation.


Description automatically generated

What makes Splunk ES and DTEX InTERCEPT unique is a simple and clear view of endpoint telemetry complete with human activity. The graphic below on the left illustrates a short sequence of user activities representing high-risk behavior that creates several thousand windows events that can be very difficult to review and interpret. By contrast, DTEX InTERCEPT data is filtered at the source, and the context provided reduces the number of truly notable events from 2500 Windows Security Event Logs to less than 100.

Graphical user interface, application, Teams

Description automatically generated

In a similar construct with Splunk SOAR, DTEX InTERCEPT’s risk-score stacking and streaming behavioral analysis delivers a noise-free signal that expresses user activity to accurately inform automated response processes. The graphic below on the right is an example of a response orchestration utilizing DTEX InTERCEPT’s human intelligence telemetry. 

Getting DTEX InTERCEPT telemetry into Splunk is fast and easy. The direct integration between DTEX InTERCEPT and Splunk Cloud makes endpoint telemetry and insider risk intelligence ingestion fast and simple. Data is streamed securely and reliably over HTTPS. With DTEX and Splunk, security teams can focus on security, not managing infrastructure. With this integration, actionable data is visible in a single console, reducing the need to pivot across disjointed point products during investigations. 

Together, Splunk and DTEX are accelerating security response times and root cause analysis, driving faster event resolution with advanced analytics and reporting, and decreasing manual security and IT operations with DMAP+ telemetry that provides the full context regarding the data, machines, applications, and people involved in a notable event. 

We’re very excited to partner with DTEX on this superior, cloud-to-cloud approach to security. We hope that you take advantage of this powerful integration to improve your zero trust maturity today.

To stay up to date on all things DTEX and Splunk, head over to our DTEX Global Strategic Partner Page. We’ll be updating this with all of the content that we create together.

This article was co-authored by Rajan Koo, Chief Customer Success Officer at DTEX Systems.

Jane Wong
Posted by

Jane Wong

Jane is the VP of Products for the Splunk security product portfolio, including Splunk Enterprise Security (SIEM), Splunk Phantom (SOAR), Splunk User Behavior Analytics (UEBA), and several emerging cloud security services that are foundational to the pursuit of Splunk’s disruptive vision to make machine data accessible, usable, and valuable for everyone. At Splunk we are committed to our strong sense of purpose to deliver "aha" moments for our customers based on their data.

Jane is passionate about security and over the past decade has led teams building market-leading products in Data Loss Prevention, Network and Endpoint security. Most recently, Jane led the email product portfolio as the VP of Engineering and Product Management at Symantec. Earlier in her career, Jane held various engineering roles at enterprise technology companies, earning several patents. Jane holds a BS from the University of London.

Show All Tags
Show Less Tags