Security operations centers are noisy places.
Even if the only audible sounds come from a clacking keyboard or an occasional expletive, the noise can be deafening for an analyst sitting in front of a screen watching alert after alert surface.
Compounding the weight upon their shoulders is the fact that each alert merits investigation because you can never be 100% certain that the alert you ignore won’t grind your company’s systems to its knees or expose its data in ways it wasn’t meant to.
A measure of relief, however, arrives in the form of context. A hash may be labeled as malicious, or an IP address’ reputation is potentially harmful and characterized as such in an alert. But without supporting that determination with additional context in the form of curated data and information that’s molded into finished intelligence, an analyst staring at a screen is flying blind on alert after alert.
Given that scenario, Flashpoint’s recent release of the Flashpoint Add-On for Splunk is an important step forward affording users operating in a Splunk environment invaluable context around technical indicators of compromise. The add-on captures, indexes, and correlates Flashpoint’s technical data within the Splunk searchable repository. Users may then generate reports and visualizations of security events. The add-on also includes IOCs and details related to malware families that map to the MITRE ATT&CK framework.
The Flashpoint Add-on for Splunk enables Flashpoint data to be seamlessly integrated into customers’ Splunk instances in order to automatically alert customers when a match has been made between indicators from internal log data and Flashpoint intelligence. Together, Flashpoint’s technical data provides Splunk users with visibility into illicit online communities in order to correlate information related to their infrastructure. This combination brings timely insights and connections that help prioritize incident response, for example.
For SOC teams, the Flashpoint Add-On for Splunk correlates high-fidelity IOCs curated by our analysts with the user’s security event data, sifting through large amounts of event data in an efficient manner.
Incident response teams, meanwhile, may use the add-on to rapidly query Flashpoint technical data, cutting down response times, while CTI analysts may use it to find data related to specific malware and threat actors and build rules for alerts for new IOCs related to priority threat actors and groups. Finally, hunt teams find the add-on useful for the identification of, and pivoting from, known threats to find additional indicators, as well as proactively uncover threats across the enterprise. Teams can search malicious hashes, IPs and domains to determine if any systems have communicated with known IOCs, for example.