The Splunk Enterprise Security Threat Intelligence framework helps aggregate, prioritize and manage wide varieties of threat intelligence feeds. Watch a demo now.
Splunk Enterprise Security includes a comprehensive threat intelligence framework, allowing organizations to aggregate, prioritize, and manage a wide variety of threat intel from an unlimited number of threat list sources. Right out of the box, Splunk Enterprise Security provides 20 or more threat intelligence feeds available for immediate use and operationalization of threat intelligence.
Here in the Threat Intelligence Downloads interface, a security administrator can define commercial or community threat lists simply by entering the URLs, update intervals, weight scores, and other settings in the graphical user interface, and manage multiple threat list sources from one place. Once the different threat lists are downloaded, the threat intel framework aggregates, consolidates, and prioritizes the information, which makes many threat sources easy to use and process and enables priority-based detection according to the accuracy of the threat intelligence, for example ranking internal threat lists highest, followed by commercial threat lists and then community threat lists.
After the configuration is complete, Splunk Enterprise Security applies this aggregated intelligence to all data processed by Enterprise Security across all domains, such as access, network, identity, and endpoint. The types of threat intelligence include IPs and domains from all traffic data, file hashes and executables from all endpoint data, certificates, and user information from access and identity domain data. Whenever data in any of these eight threat intel categories matches a security data entity, Splunk Enterprise Security generates an alert notifying security operations of the specific threat intel match for further investigation.
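The aggregate-then-match workflow described above, reduced to a small standalone model: lists from sources of different priority are consolidated into one lookup, and events are checked field by field against it. This is an added example in Python, not Splunk's own code; the source ranking, the field-to-indicator-type mapping, and every indicator value and event are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed source priority: lower rank wins when one indicator appears in
# several lists (internal first, then commercial, then community).
SOURCE_RANK = {"internal": 0, "commercial": 1, "community": 2}
# Constructed mapping from event fields to the indicator type they carry.
FIELD_TYPES = {"src_ip": "ip", "dest_ip": "ip", "dest_domain": "domain", "file_hash": "file_hash"}

@dataclass(frozen=True)
class Indicator:
    value: str     # the IoC itself
    ioc_type: str  # "ip", "domain", "file_hash", ...
    source: str    # which kind of list it came from
    weight: int    # the list's configured weight score

def consolidate(indicators: List[Indicator]) -> Dict[Tuple[str, str], Indicator]:
    """Merge all lists into one lookup keyed by (type, value); a duplicate
    resolves to the higher-priority source, and ties to the higher weight."""
    merged: Dict[Tuple[str, str], Indicator] = {}
    for ind in indicators:
        key = (ind.ioc_type, ind.value.lower())
        cur = merged.get(key)
        if cur is None or (SOURCE_RANK[ind.source], -ind.weight) < (
                SOURCE_RANK[cur.source], -cur.weight):
            merged[key] = ind
    return merged

def match_events(events: List[dict], merged: Dict[Tuple[str, str], Indicator]) -> List[dict]:
    """Compare every IoC-bearing field of each event against the merged lookup."""
    hits = []
    for ev in events:
        for field, ioc_type in FIELD_TYPES.items():
            val = ev.get(field)
            ind = merged.get((ioc_type, val.lower())) if val else None
            if ind:
                hits.append({"event": ev["_id"], "field": field, "indicator": ind.value,
                             "source": ind.source, "weight": ind.weight})
    return hits

# Constructed sample indicators and events (documentation-reserved addresses).
INDICATORS = [
    Indicator("198.51.100.7", "ip", "community", 30),
    Indicator("198.51.100.7", "ip", "internal", 90),  # same IP; higher-priority source wins
    Indicator("malware.example", "domain", "commercial", 60),
    Indicator("deadbeef" * 4, "file_hash", "community", 40),  # placeholder hash
]
EVENTS = [
    {"_id": "e1", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_domain": "malware.example"},
    {"_id": "e2", "src_ip": "10.0.0.9", "file_hash": "DEADBEEF" * 4},
    {"_id": "e3", "src_ip": "10.0.0.12", "dest_ip": "192.0.2.44"},
]
```

Running `match_events(EVENTS, consolidate(INDICATORS))` yields two hits for `e1` (the IP, attributed to the internal list, and the domain) and one for `e2`, whose upper-case hash still matches; `e3` produces none.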
To investigate threat list match incidents, Splunk Enterprise Security provides an interface for rapid investigation using the Asset Investigator or domain-specific analysis, such as a traffic search for an IP with a threat match. On top of that, advanced analysis can kick off an ad hoc Splunk search to connect the dots and uncover the hidden threats underneath.