Splunk continues to lead the way with its powerful big data SIEM capabilities inside its Enterprise Security App.
Here at Anomali we were especially excited about one initiative the company introduced last year, Adaptive Response. We liked it so much that we partnered with Splunk to give security teams a powerful way to integrate Threatstream capabilities into the Enterprise Security workflow using the Adaptive Response framework.
An Introduction to Adaptive Response
Splunk's Adaptive Response enables security analysts—from hunters to less skilled security staff—to better handle threats. The Adaptive Response Framework resides within Splunk Enterprise Security (ES) and optimizes threat detection and remediation using workflow-based context. Having spent years working with all layers of security teams, I like to think of Adaptive Response as the “security nerve center” to bridge intelligence from multiple security domains, including threat intelligence.
One of the key parts of the Adaptive Response framework is the ability for analysts to automate actions, or to review response actions individually, so they can quickly gather more context and take appropriate action across a multi-vendor environment. For an increasing number of teams this means comparing security data against threat feeds or threat intelligence sources such as Threatstream.
Anomali Threatstream Splunk App
Introducing Adaptive Response Integration
The Anomali Threatstream Splunk App already gives users the ability to download millions of IOCs directly into Splunk to cross-reference against security data, along with dashboards and alerts for analysis. The app now supports the Adaptive Response action framework, providing seamless integration with Enterprise Security.
An analyst will likely start an investigation once a notable event has been triggered in Splunk's Enterprise Security. It is at this point that they want to add as much context as possible to the notable event, or security incident, in order to complete the investigation quickly and accurately. One way to do this is to compare the raw events that triggered the notable event against the Threatstream IOC database. For example, an analyst might look up the suspicious destination in the event that triggered the notable event in ES, to validate whether it is of concern.
Perform actions inside Enterprise Security
Within the Enterprise Security Incident Review dashboard an analyst can choose to run an "Adaptive Response Action", in this case "Analyze with Threatstream". They can then select as many fields from the raw events as they want to analyse against Threatstream IOCs. When the analyst runs the action, a Threat Bulletin is created within Threatstream and is visible in the Threatstream platform.
The Threat Bulletin will contain all incident data and comments from the notable event in Splunk, including the raw event data that triggered the notable event in the first place. Millions of IOCs in the Threatstream database are automatically matched against the raw data of the notable event stored in the Threat Bulletin to identify matches.
When matches are found they can be examined and triaged in the Threatstream user interface. Users can approve malicious indicators and reject those found to be benign. This threat intelligence, including full information about each IOC matched to a notable event, can then be pushed back down to your security tools, including back into Splunk using Threatstream Link, to continue the investigation.
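To make the workflow above concrete, here is a simplified, stand-alone illustration of the matching and triage steps: fields an analyst selected from a notable event are normalised, compared against an indicator table (exact match for domains and hashes, CIDR-aware match for IPs), grouped into a bulletin-style record, and then approved or rejected. This is an added example, not code from the Anomali Threatstream app, Splunk Enterprise Security or the Splunk SDK; the function names, the IOC table and the sample notable event are all constructed for illustration and carry no real intelligence.

```python
"""Illustrative IOC matching and triage for a notable event.

Example code only: not the Anomali Threatstream app or any Splunk API.
All indicator values and event fields below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str       # indicator as stored: IP, CIDR, domain or MD5
    itype: str       # "ip", "domain" or "md5"
    severity: str
    confidence: int


# Constructed indicator table (placeholder values, not real IOCs).
IOC_TABLE = [
    Indicator("203.0.113.0/24", "ip", "high", 85),
    Indicator("198.51.100.25", "ip", "medium", 60),
    Indicator("Malicious.Example.NET", "domain", "high", 90),
    Indicator("0123456789abcdef0123456789abcdef", "md5", "high", 95),
]

# Constructed raw event behind a notable event, with the fields an analyst
# might select for "Analyze with Threatstream": {field: (itype, value)}.
SAMPLE_EVENT = {
    "src_ip": "10.0.0.5",
    "dest_ip": "203.0.113.77:443",
    "query": "malicious.example.net.",
    "file_hash": "0123456789ABCDEF0123456789ABCDEF",
}
SELECTED_FIELDS = {
    "dest_ip": ("ip", SAMPLE_EVENT["dest_ip"]),
    "query": ("domain", SAMPLE_EVENT["query"]),
    "file_hash": ("md5", SAMPLE_EVENT["file_hash"]),
    "src_ip": ("ip", SAMPLE_EVENT["src_ip"]),
}


def normalize(itype, value):
    """Canonicalise a value so trivial variations still match."""
    v = value.strip()
    if itype == "domain":
        return v.lower().rstrip(".")          # case and trailing dot
    if itype == "md5":
        return v.lower()
    if itype == "ip" and v.count(":") == 1:    # strip "ipv4:port"
        return v.split(":")[0]
    return v


def ip_matches(indicator_value, event_value):
    """True if event_value falls inside the indicator (single IP or CIDR)."""
    try:
        net = ipaddress.ip_network(indicator_value, strict=False)
        addr = ipaddress.ip_address(event_value)
    except ValueError:                         # not an IP at all: no match
        return False
    return addr in net


def match_fields(selected_fields, ioc_table):
    """Return one match record per (field, indicator) hit, status 'pending'."""
    matches = []
    for name, (itype, raw) in selected_fields.items():
        ev = normalize(itype, raw)
        for ioc in ioc_table:
            if ioc.itype != itype:
                continue
            if itype == "ip":
                hit = ip_matches(ioc.value, ev)
            else:
                hit = normalize(itype, ioc.value) == ev
            if hit:
                matches.append({
                    "field": name, "event_value": raw, "indicator": ioc.value,
                    "itype": itype, "severity": ioc.severity,
                    "confidence": ioc.confidence, "status": "pending",
                })
    return matches


def build_bulletin(notable_id, comments, raw_event, matches):
    """Bulletin-style record: incident data, comments, raw event and matches."""
    return {"notable_id": notable_id, "comments": list(comments),
            "raw_event": dict(raw_event), "matches": matches}


def triage(bulletin, decisions):
    """Apply analyst decisions {indicator: 'approved'|'rejected'} and return
    the approved matches, i.e. the intelligence worth pushing back to tools."""
    for m in bulletin["matches"]:
        m["status"] = decisions.get(m["indicator"], m["status"])
    return [m for m in bulletin["matches"] if m["status"] == "approved"]


if __name__ == "__main__":
    bulletin = build_bulletin("notable-0001", ["analyst note"], SAMPLE_EVENT,
                              match_fields(SELECTED_FIELDS, IOC_TABLE))
    for m in bulletin["matches"]:
        print(m["field"], m["event_value"], "->", m["indicator"], m["severity"])
```

The normalisation step matters in practice: a destination logged as `ip:port`, a DNS name with a trailing dot or an upper-case hash would otherwise miss an indicator that is present in the table, and the CIDR handling lets one network indicator cover every host in the range.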
tl;dr - Anomali Threatstream App for Splunk Key features
Seamless integration with Enterprise Security Incident Review workflow
Bi-directional flow of threat intelligence data for additional enrichment, correlation and analysis
Automated IOC matching and customizable alerting against your security data in Splunk
Dashboards detailing event data associated with IOCs allowing you to pivot on severity, type, classification, time...
Access to weekly Anomali Threat Intelligence briefings