Splunk Enterprise (SIEM): Splunk App for Enterprise Security 3.0 Threat Lists

Check out the latest Splunk App for Enterprise Security 3.0 and see how the new threat list activity framework lets you look across threat list data.

Video Transcript

This is Mark Stuart. I am senior director for Security Compliance Solutions at Splunk, and I'm here with Vijay Chauhan, where we're looking at Enterprise Security 3.0. Vijay is with our product management team and has helped develop the app you see before you, and we're going to get an overview of the threat list activity area here, which is a brand-new piece added to 3.0; it's a framework for threat lists.

Absolutely. Thanks, Mark. This is to make use of the various threat feeds that you may be collecting within your organization. And one of the cool features that you can see here is that we're showing a visualization of which threat lists are appearing most frequently over time. So here you can see that the I-Blocklist spyware, which is a free threat list, is showing up really quite frequently. And then some of the other ones, like I-Blocklist tool, are appearing less frequently.

So it looks like I've got, at that point in time, about 14 hosts that are talking to threat list IPs on that particular threat list.

It also looks like I've got a lot of activity around 178.219.244.129. What does that mean?

It's really sticking out like a sore thumb there, Mark. So this particular guy, if you just hover over it, you can see that it seems to be involved in a number of different events. So what that's telling me is that we've got an external IP address which is showing up as a threat, most probably on multiple threat lists, and is involved in communications with multiple hosts within my organization.

So what's nice is I've seen that multiple times. It's probably because we're doing some dedupe action over here?

Absolutely. Yes, so within our new threat framework, we deduplicate across the various threat lists. So for example, if an IP address does show up on multiple threat lists, you'd only get one count, but you'll also be informed as to which threat lists are being hit. So that might be an indication of an IP address that is really bad news if it shows up on multiple threat lists.

And then in recent threat list activity, I see one entry where I've got one IP address that is on two different lists. Of course, I probably want to treat that with a little more caution than I do the rest of the ones here, but it's nice to have everything all laid out. Do you want to show us a real-life scenario as to how we're going to use this in action?

Absolutely. So we've partnered with a vendor called Norse, and they're providing one of the commercial threat feeds. And what Norse has is they've got a tool called IP Viking. Now, how I would make use of that particular tool is let's say I'm looking at this incident here. We've got what appears to be some kind of exfiltration. There's a lot of traffic going from an internal IP address to an external IP address that I don't really recognize.

So what I can do is I can pivot on that external IP address, and there are a number of options that I have at my disposal, but the one that I want to try right now is IP Viking.

OK, as we go into IP Viking, I'm noticing that we're running a search with what looks like a custom command, IP Viking, and we're going to look at that particular address. What do we find here?

So what IP Viking has done for us is, well, what Splunk has done is it has reached out to IP Viking and said, tell me everything you know about this particular IP address.

In real time?

In real time.

And it's come back with a little bit of information that this is coming from Albania. In fact, it's registered with the Albanian Mobile Communications Corporation. So while this is showing up as fairly low risk (I can see green as the risk color, and the risk factors are pretty low), I'm a little bit concerned, because I'm fairly confident that we don't do that much business with Albania.

I think that the most important part here is the ability to, in real time, enrich the data that we have to understand what kinds of threats there may be out there that our hosts may be talking to. So I really appreciate you walking us through this, Vijay, and thanks a lot.

Thank you, Mark.