Splunk Enterprise

ThreatConnect provides the ability to aggregate threat intelligence from multiple sources (i.e., open source, commercial, communities, and internally created), analyze and track identified adversary infrastructure and capabilities, and put that refined knowledge to work in Splunk, identifying threats targeting organizations.

The ThreatConnect App for Splunk provides Splunk users the ability to leverage customizable threat intelligence integrated into Splunk from their ThreatConnect accounts and trigger Playbooks directly from the Splunk interface. The App takes user’s aggregated logs from Splunk and combines them with their threat intelligence in ThreatConnect. ThreatConnect provides context with indicators, and enables their teams to easily spot abnormal trends and patterns to be able to act on them efficiently. Users can tie their data to Playbooks, ThreatConnect’s orchestration capability, to automate nearly any cybersecurity task and respond to threats faster directly from Splunk – as well as send to other systems like Carbon Black, ServiceNow, Palo Alto, or Tenable. With this app you can do things like:

• Automate the detection of Advanced Threats in your environment
• Collect multi-source threat intelligence (open source, commercial, communities, internal research)
• Access insights on a threat’s capability, infrastructure, and past incidents
• Receive alerts to block cyber threats and respond to incidents
• Reduce False Positives to save time
• Leverage tailored, accurate, and timely threat intelligence
• Receive alerts on intel sourced from ThreatConnect communities and feeds matched against the logs and other machine data from a network within Splunk Enterprise
• Prioritize events and respond to threats as they happen
• Sort by threat rating and confidence scores, relationships to known threat types and adversary groups, past incidents, and tags
• Triage events with context to quickly spot abnormal trends and patterns and act on them efficiently
• Built-in dashboards and reports to expedite time to value
• Kick-off Playbooks through an integrated Event Triage Dashboard

Features and Benefits:

• Apply tailored, relevant threat intelligence to your existing infrastructure
• Easily mark false positives
• Enrich and take action on your intel automatically
• Orchestrate security actions across your enterprise with Playbooks
• Receive alerts to block cyber threats and respond to incidents
• Correlate strategic and tactical threat intelligence with actionable machine-readable data from trusted communities
• Built-in dashboards and reports to expedite time to value

This app can be found in the ThreatConnect App Catalog under the name: Splunk (Playbook) and Splunk (Custom Trigger)

This app can be found in Splunkbase under the following name: ThreatConnect App for Splunk