Splunk Add-on for Investigate.


Data Sheet

Many security products provide visibility into what's happening on your own network. But how do you see what's happening on the internet, beyond your perimeter? That's where attackers are staging infrastructure in preparation for their next attack. With the Splunk Add-on for Cisco Umbrella Investigate, you can automatically enrich security events inside Splunk with Cisco's intelligence on domains, IPs, and networks across the internet. By leveraging Investigate's threat intelligence from within Splunk Enterprise Security, you can gain more context about a domain, IP, or ASN related to the event, allowing you to make faster, more informed decisions when responding to critical incidents and researching potential threats.

Key capabilities of the Investigate Add-on

Threat intelligence add-on in Splunkbase
Add intelligence about the relationships between domains, IPs, ASNs, and file hashes inside Splunk, helping security analysts get the most complete view of an attacker's internet infrastructure.

Better prioritize incident response
To properly triage incidents, security teams need to get accurate and relevant information quickly. Investigate's unique view of the internet enriches your security event data with real-time context about malicious domains, IPs, and networks to help better prioritize investigations and incident response.

See what connections you've been missing
Kick start investigations by uncovering valuable connections that are commonly overlooked, such as passive DNS, domain ownership, co-occurrences, related domains, geolocation, categorization, blocked requests, and reputation scores.

Speed up investigations
By automatically populating security events with intelligence from Investigate, security teams have more context related to the event and can make faster, more informed decisions during investigations, rather than manually going to and correlating data from multiple sources.

Benefits of Investigate

• Internet-wide visibility: Investigate connects the dots between attackers' infrastructure, which helps attribute domains to specific attacks and malicious activity.
• Predictive intelligence: Our statistical models accurately identify malicious domains, IPs, and ASNs across the internet, and even predict where future attacks may be staged.
• All of the information you need in a single source: Including real-time and historical information about domain ownership, relationships with IPs, co-occurrences, reputation, global request and route analysis, and much more.

Pull in logs from:

Security Controls
• Firewall, IDS/IPS, other network security
• Web security/proxy
• Endpoint security (AV, EDR, VPN, etc.)

Network Infrastructure
• Routers/Switches
• Domain controllers
• Wireless
• Access Points
• Application servers
• Databases
• Intranet applications

Data from Investigate:
• Domain Ownership
• Relationships with IPs & ASNs
• Passive DNS
• WHOIS Record Data
• Co-occurrences
• Reputation Scores
• Categorization
• Global request
• Route analysis, and much more

Workflow diagram (Splunk with the Investigate API and console):
• Pull in logs from security controls and network infrastructure
• Query source/destination domains & IPs
• Enrich with context from Investigate via the API: SecureRank2, RIP, and Threat Grid file scores; malicious domains hosted on the same IP; malicious co-occurrences
• Enrich events & prioritize based on results from Investigate (and other sources)
• Triage incidents for analysts based on Splunk scores
• Use the Investigate console for interactive investigations & additional research

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
