Flashpoint Add-On for Splunk Brings Context to Noisy Data
By Matthew Howell
Security operations centers are noisy places.
Even if the only audible sounds come from a clacking keyboard or an occasional expletive, the noise can be deafening for an analyst sitting in front of a screen watching alert after alert surface.
Compounding the weight on their shoulders is the fact that each alert merits investigation, because you can never be 100% certain that the alert you ignore won't bring your company's systems to their knees or expose its data in ways it was never meant to be exposed.
A measure of relief, however, arrives in the form of context. A hash may be labeled as malicious, or an IP address's reputation may be flagged as potentially harmful and characterized as such in an alert. But unless that determination is supported by additional context, curated data and information shaped into finished intelligence, an analyst staring at a screen is flying blind on alert after alert.
Given that scenario, Flashpoint’s recent release of the Flashpoint Add-On for Splunk is an important step forward affording users operating in a Splunk environment invaluable context around technical indicators of compromise. The add-on captures, indexes, and correlates Flashpoint’s technical data within the Splunk searchable repository. Users may then generate reports and visualizations of security events. The add-on also includes IOCs and details related to malware families that map to the MITRE ATT&CK framework.
The Flashpoint Add-On for Splunk delivers Flashpoint technical data and its associated context specifically to Splunk Cloud and Splunk Enterprise users. Once consumed by a Splunk instance, those technical indicators become an additional Splunk source type, which is critical for analysts operating within a SOC or on incident response, cyber threat intelligence, and hunt teams. The indicators become available to numerous workflows, including search, correlation, reporting, and visualization, in the same manner as any other data, enhancing the user's ability to uncover malicious activity within their environment and add context to investigations.
The Flashpoint Add-On for Splunk integrates Flashpoint data seamlessly into customers' Splunk instances so that customers are alerted automatically when an indicator from their internal log data matches Flashpoint intelligence. Flashpoint's technical data gives Splunk users visibility into illicit online communities, allowing them to correlate that information with activity related to their own infrastructure. This combination brings timely insights and connections that help prioritize incident response, for example.
For SOC teams, the Flashpoint Add-On for Splunk correlates high-fidelity IOCs curated by our analysts with the user’s security event data, sifting through large amounts of event data in an efficient manner.
Incident response teams, meanwhile, may use the add-on to rapidly query Flashpoint technical data, cutting down response times, while CTI analysts may use it to find data related to specific malware and threat actors and to build alert rules for new IOCs tied to priority threat actors and groups. Finally, hunt teams find the add-on useful for identifying, and pivoting from, known threats to find additional indicators, as well as for proactively uncovering threats across the enterprise. Teams can search for malicious hashes, IPs, and domains to determine whether any systems have communicated with known IOCs, for example.
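The workflow described above, matching hashes, IPs, and domains seen in internal log events against a curated indicator feed and attaching the feed's context (malware family, mapped ATT&CK technique) to each hit, is shown here as an added example in plain Python. It is not Flashpoint's or Splunk's code and does not use the add-on's own source type or field names; the IOC feed, log lines, hosts, and malware family names are constructed for illustration, and the ATT&CK technique ids are real ids used only as context labels.

```python
"""Added example (not Flashpoint's or Splunk's code): match indicators found in
log events against an IOC feed and attach threat context to each hit.

The feed, log lines, hosts and family names are constructed for illustration;
the ATT&CK technique ids are real ids used only as context labels."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed IOC feed: one record per indicator, carrying the context an
# analyst wants on the alert (indicator type, malware family, ATT&CK technique).
IOC_FEED: List[Dict[str, str]] = [
    {"indicator": "203.0.113.45", "kind": "ip",
     "family": "PlaceholderFamilyA", "attack": "T1071.001"},
    {"indicator": "c2.placeholder-bad.example", "kind": "domain",
     "family": "PlaceholderFamilyA", "attack": "T1071.001"},
    {"indicator": "0123456789abcdef" * 4, "kind": "sha256",
     "family": "PlaceholderFamilyB", "attack": "T1204.002"},
]

# Constructed proxy and endpoint events in key=value form (mixed case on purpose,
# to show that normalisation is part of the match).
LOG_LINES: List[str] = [
    "2024-05-01T10:00:01Z sourcetype=proxy src=10.0.0.5 dst=203.0.113.45 "
    "dhost=C2.Placeholder-Bad.example action=allowed",
    "2024-05-01T10:00:02Z sourcetype=proxy src=10.0.0.6 dst=198.51.100.7 "
    "dhost=update.example action=allowed",
    "2024-05-01T10:01:15Z sourcetype=endpoint host=ws-17 process=setup.exe "
    "sha256=" + "0123456789ABCDEF" * 4,
    "2024-05-01T10:02:00Z sourcetype=endpoint host=ws-18 process=notepad.exe "
    "sha256=" + "f" * 64,
]

# Token patterns for the three indicator types the text mentions.
PATTERNS: Dict[str, re.Pattern] = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def build_index(feed: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Index the feed by (kind, lowercased value) so each candidate is one dict lookup."""
    return {(r["kind"], r["indicator"].lower()): r for r in feed}


def extract_candidates(line: str) -> List[Tuple[str, str]]:
    """Pull every IP, SHA-256 and domain-looking token out of one event, lowercased.

    Returned sorted so that alert order is deterministic for a given event."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for token in pattern.findall(line):
            found.add((kind, token.lower()))
    return sorted(found)


def correlate(lines: List[str], feed: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per (event, matching indicator), carrying the feed's context."""
    index = build_index(feed)
    alerts = []
    for line in lines:
        for kind, value in extract_candidates(line):
            record = index.get((kind, value))
            if record is None:
                continue  # token is not a known IOC; nothing to alert on
            alerts.append({"event": line, "indicator": record["indicator"],
                           "kind": kind, "family": record["family"],
                           "attack": record["attack"]})
    return alerts


def summarize_by_family(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per malware family, the rollup a dashboard panel would show."""
    return dict(Counter(a["family"] for a in alerts))


if __name__ == "__main__":
    hits = correlate(LOG_LINES, IOC_FEED)
    for hit in hits:
        print(f"{hit['kind']:7} {hit['indicator']} -> {hit['family']} ({hit['attack']})")
    print(summarize_by_family(hits))
```

Running it yields three hits: the first proxy event matches on both its destination IP and its destination host, and the first endpoint event matches on the file hash; the second proxy and endpoint events produce no alerts. Two design points carry over to the real Splunk workflow: indicators are normalised (lowercased) before comparison so that case differences in logs do not hide a match, and every alert carries the feed's context fields rather than only the bare indicator, which is what lets an analyst prioritise without leaving the alert.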
Senior Director of Product
Matthew Howell is the Senior Director of Product for Flashpoint, where he brings a passion for new ideas, outcome-based prioritization, continuous process improvement, and metrics-driven development. Matthew has experience launching commercial products, building integration ecosystems, supporting five 9s SLAs, and leading distributed teams.