ThreatStream Community App for Splunk

The ThreatStream Community App for Splunk brings together Anomali's rich threat intelligence with Splunk's deep analytics to help organizations identify and respond to external security threats.

The Weekly Threat Briefing

Every week the award-winning Anomali Labs team publishes a threat briefing, delivering topical cyber events and intelligence to subscribers. The briefing includes trending threat information and new threat intelligence. Anomali also provides details on observed threats across the global Anomali ThreatStream Community. All the research is vetted and curated by the Anomali Labs team and includes actionable IOCs and detailed threat bulletins.

Breaking News: In addition to the weekly briefing, Anomali also provides Breaking News alerts, delivering critical updates in real time as new cyber threats become known. This information is delivered proactively to Splunk app users with all available details needed to evaluate whether customers have been breached.

Community Sharing: This service allows independent threat researchers to publish and share intelligence research with the Anomali ThreatStream Community. Anomali makes intelligence sharing efficient and seamless, allowing the entire community to benefit from threat analysis from any member.

Automated Health-Check

Anomali takes the intelligence sharing further by allowing subscribers to instantly check their exposure against published threats. Anomali briefings include specific, actionable IOCs and automate a health check against subscribers’ own live Splunk event data.

The health-check allows users to evaluate their security posture against the Anomali Weekly Briefing, any Breaking News updates, and any shared intelligence from the Anomali ThreatStream Community.

Investigate and Respond

Once threat matches are identified, Anomali provides security teams with the tools to research and investigate the IOCs further. Here Anomali delivers critical insight into IOC threats, including actors, techniques, associated IOCs and other threat details. Users can access this information from within the Splunk interface, or pivot to the Anomali portal for additional investigation capabilities.

For Splunk ES customers Anomali pushes IOC notable events directly into the ES interface. From here users can expand entries in the Splunk interface, revealing in-depth details about the event.

Anomali Adaptive Response App for Splunk

Anomali supports the Splunk Adaptive Response Initiative, delivering rich context regarding IOCs, actors and campaigns seamlessly within the Splunk interface.
  • Anomali integrates threat intelligence from the following:
    • Anomali Labs
    • 3rd party sources
    • Open source intelligence
    • Anomali ThreatStream Community

  • Anomali delivers IOC feeds to Splunk to identify matches against customer log events

  • Splunk displays the matches in the Incident Report view

  • An individual match indicates a single IOC was detected

However, that specific IOC is likely associated with an actor and campaign, for which hundreds of other IOCs may be related.

  • Anomali maintains this relationship information

  • The IOC is a single data point in a much larger security threat

  • To get full context of the potential breach we need to search for all related IOCs

With the Anomali integration and Splunk Adaptive Response, users can perform this analysis with a single click, without ever leaving the Splunk console. Simply select Anomali Check Indicator.

The Anomali App for Splunk then presents all associated IOCs, in the timeline, with categorization for each step of the Kill Chain model. In one single view, organizations can see the extent of a potential breach that started with a single IOC detection.
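The workflow described in this section (IOC feed matched against event data, then one matched indicator expanded to every related indicator by actor and campaign, grouped by Kill Chain phase) as an added illustration; this is example code, not Anomali's or Splunk's own, and the IOC feed, actor and campaign names and events are all constructed sample values.

```python
import re
from collections import defaultdict

# Constructed IOC feed (sample values only, not real Anomali data). Each record
# carries the actor/campaign relationship and the Kill Chain phase of the indicator.
IOC_FEED = [
    {"value": "203.0.113.10", "actor": "ACTOR-X", "campaign": "CAMP-1", "phase": "delivery"},
    {"value": "bad-updates.example", "actor": "ACTOR-X", "campaign": "CAMP-1", "phase": "command_and_control"},
    {"value": "198.51.100.7", "actor": "ACTOR-X", "campaign": "CAMP-1", "phase": "exfiltration"},
    {"value": "198.51.100.99", "actor": "ACTOR-Y", "campaign": "CAMP-2", "phase": "reconnaissance"},
]

# Constructed Splunk-style key=value events standing in for live event data.
EVENTS = [
    "src=10.0.0.5 dest=203.0.113.10 dest_port=443 action=allowed",
    "src=10.0.0.9 query=intranet.example action=allowed",
    "src=10.0.0.5 dest=192.0.2.44 dest_port=80 action=allowed",
]

# IPv4 addresses first, then dotted host names; one indicator per token.
_INDICATOR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def health_check(events, feed):
    """Return {ioc_value: [event, ...]} for every feed indicator seen in the events."""
    known = {ioc["value"] for ioc in feed}
    hits = defaultdict(list)
    for event in events:
        for token in set(_INDICATOR_RE.findall(event.lower())):
            if token in known:
                hits[token].append(event)
    return dict(hits)


def check_indicator(ioc_value, feed):
    """Expand one matched IOC to all IOCs sharing its actor and campaign, keyed by phase."""
    seed = next((ioc for ioc in feed if ioc["value"] == ioc_value), None)
    if seed is None:  # indicator not in the feed: nothing to pivot on
        return {}
    related = defaultdict(list)
    for ioc in feed:
        if (ioc["actor"], ioc["campaign"]) == (seed["actor"], seed["campaign"]):
            related[ioc["phase"]].append(ioc["value"])
    return dict(related)


if __name__ == "__main__":
    for value, matched in health_check(EVENTS, IOC_FEED).items():
        print(f"match {value} in {len(matched)} event(s); related IOCs by Kill Chain phase:")
        for phase, values in check_indicator(value, IOC_FEED).items():
            print(f"  {phase}: {', '.join(values)}")
```

The single hit on the delivery-phase address is what a Splunk user would see as one match; the pivot then surfaces the same campaign's command-and-control domain and exfiltration address, which the sample events have not (yet) touched.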