Overview

The Flashpoint Splunk Add-on and App facilitates the delivery of Flashpoint technical and finished intelligence with the associated context specifically for Splunk Enterprise users.

Once consumed by a Splunk instance, Flashpoint Technical Indicators are treated as an additional Splunk source type and can be used in search, correlation, reporting, and visualization workflows in the same manner as other data, enhancing the user’s ability to uncover malicious activity within their environment and adding context to investigations.

The Flashpoint & Splunk Advantage

Flashpoint’s technical data and intelligence reports give Splunk users visibility into illicit online communities, so they can correlate that information with activity related to their own infrastructure, gain insights in a timely manner, and use the connections surfaced to prioritize their response.

The Flashpoint Splunk App and Add-on enables Flashpoint data to be seamlessly integrated into customers’ Splunk instances in order to automatically alert customers when a match has been made between indicators from internal log data and Flashpoint intelligence.

Key Features

  • Captures, indexes, and correlates Flashpoint technical data in real time within Splunk’s searchable repository

  • Enables users to generate reports and visualizations, including graphs, alerts, and dashboards

  • Includes IOCs such as hashes, URLs, and domains, together with details on the related malware families, mapped to the MITRE ATT&CK framework

  • Provides pre-built dashboards populated with the associated Flashpoint data

Integrated Flashpoint Datasets

TECHNICAL DATA

Technical Indicators: Enable users to access indicators of compromise (IOCs) and technical data across Flashpoint datasets, including those found in Flashpoint Finished Intelligence reports, allowing for seamless integration into users’ workflows and automated tools.

CVEs: Provide access to the latest CVEs within Flashpoint’s collection, including MITRE and NVD data, as well as CVEs discussed by threat actors as observed by Flashpoint Intelligence Analysts.

Use Cases

SECURITY OPERATIONS

Organizations collect large amounts of security event data, requiring significant resources to sift through, identify, and protect against a vast number of threat indicators. Security operations centers (SOCs) can leverage the Flashpoint Splunk App and Add-on to correlate high-fidelity IOCs curated by Flashpoint intelligence analysts with the client’s security event data to automatically filter through the noise and prioritize significant threats.

INCIDENT RESPONSE (IR)

Organizations can leverage the Flashpoint Splunk App and Add-on to quickly query across Flashpoint technical data, expediting incident response investigations and enabling teams to enrich the data collected during an investigation, where response time is critical.

CYBER THREAT INTELLIGENCE (CTI)

CTI analysts are able to query against Flashpoint Technical Indicators to find data related to specific malware and threat actors. This allows analysts to generate alerts for new IOCs related to priority threat actors and groups.

THREAT HUNTING

The Flashpoint Add-on for Splunk enables hunt teams to query Flashpoint technical data to identify and pivot off known threats to find additional indicators, as well as proactively uncover threats across the enterprise. Teams can search malicious hashes, IPs and domains to determine if any systems have communicated with known IOCs.
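The correlation that the Security Operations and Threat Hunting use cases describe (matching hashes, IPs, domains and URLs from an intelligence feed against internal log events, then reporting which systems touched a known indicator) can be shown in a few dozen lines. The script below is an added illustration and is not code from Flashpoint or from the Splunk app; inside Splunk the same matching would be done with lookups and searches over the indexed indicator source type. The indicator records, the malware-family and ATT&CK context values, and the log lines are all constructed sample data, and the field names (`dest_ip`, `query`, `url`, `sha256`, and so on) are assumptions for the demo rather than the add-on’s own schema.

```python
"""Correlate a threat-intelligence indicator set against log events.

Added example (not Flashpoint's or Splunk's code). All indicators, context
fields, and log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Constructed indicator records with the context the page mentions
# (malware family, MITRE ATT&CK technique). Values are defanged, as feeds
# often are, to show that normalization is needed before matching.
SAMPLE_INDICATORS = [
    {"type": "domain", "value": "update-check[.]example",
     "malware": "ExampleLoader", "attack": "T1071.001"},
    {"type": "ip", "value": "203.0.113.77",
     "malware": "ExampleLoader", "attack": "T1071.001"},
    {"type": "sha256",
     "value": "B5D4045C3F466FA91FE2CC6ABE79232AF8A4E1C2C4E9A1B8B7A3C4D5E6F7A8B9",
     "malware": "ExampleLoader", "attack": "T1204.002"},
    {"type": "url", "value": "hxxp://update-check[.]example/dl/stage2.bin",
     "malware": "ExampleLoader", "attack": "T1105"},
]

# Constructed key=value log lines in the style of proxy, DNS, firewall and
# EDR events. The last line is benign and should not match anything.
SAMPLE_EVENTS = [
    'sourcetype=proxy src_ip=10.0.0.5 url="http://update-check.example/dl/stage2.bin" status=200',
    'sourcetype=dns src_ip=10.0.0.9 query=UPDATE-CHECK.example. rcode=NOERROR',
    'sourcetype=firewall src_ip=10.0.0.5 dest_ip=203.0.113.77 dest_port=443 action=allowed',
    'sourcetype=edr host=ws-014 sha256=b5d4045c3f466fa91fe2cc6abe79232af8a4e1c2c4e9a1b8b7a3c4d5e6f7a8b9 action=created',
    'sourcetype=proxy src_ip=10.0.0.7 url="https://www.example.org/index.html" status=200',
]

# Assumed mapping from log field name to the indicator type it is compared with.
OBSERVABLE_FIELDS = {
    "dest_ip": "ip",
    "query": "domain",
    "dest_host": "domain",
    "url": "url",
    "sha256": "sha256",
    "file_hash": "sha256",
}


def refang(value: str) -> str:
    """Normalize an indicator or observable: lowercase, undo common defanging,
    and drop a trailing dot from fully-qualified DNS names."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), v)
    return v.rstrip(".")


def parse_kv(line: str) -> dict:
    """Parse a key=value log line; values may be double-quoted."""
    event = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def extract_observables(event: dict) -> list:
    """Return (field, indicator_type, normalized_value) tuples for an event.
    A URL also yields its hostname so domain indicators can hit proxy logs."""
    found = []
    for fld, ioc_type in OBSERVABLE_FIELDS.items():
        raw = event.get(fld)
        if raw is None:
            continue
        value = refang(raw)
        found.append((fld, ioc_type, value))
        if ioc_type == "url":
            host = urlparse(value).hostname
            if host:
                found.append((fld, "domain", host))
    return found


def build_index(indicators: list) -> dict:
    """Index indicators by (type, normalized value) for O(1) lookups."""
    index = {}
    for ioc in indicators:
        index.setdefault((ioc["type"], refang(ioc["value"])), []).append(ioc)
    return index


def correlate(log_lines: list, indicators: list) -> list:
    """Match every observable in every event against the indicator index and
    return one record per hit, carrying the indicator's context along."""
    index = build_index(indicators)
    matches = []
    for n, line in enumerate(log_lines):
        event = parse_kv(line)
        source = event.get("src_ip") or event.get("host")
        for fld, ioc_type, value in extract_observables(event):
            for ioc in index.get((ioc_type, value), []):
                matches.append({"event": n, "sourcetype": event.get("sourcetype"),
                                "source": source, "field": fld, "ioc_type": ioc_type,
                                "value": value, "malware": ioc["malware"],
                                "attack": ioc["attack"]})
    return matches


def affected_systems(matches: list) -> list:
    """Sorted list of internal systems that touched at least one indicator."""
    return sorted({m["source"] for m in matches if m["source"]})


if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS, SAMPLE_INDICATORS)
    for h in hits:
        print(f"event {h['event']} [{h['sourcetype']}] {h['field']}={h['value']} "
              f"-> {h['ioc_type']} IOC, {h['malware']} ({h['attack']})")
    print("systems to triage:", affected_systems(hits))
```

The normalization step matters more than it looks: feeds defang indicators and log sources vary in case and trailing dots, so without `refang` the DNS query and the uppercase hash above would silently fail to match. The per-hit context (malware family and ATT&CK technique) is what lets a SOC rank the five hits rather than treat them as five undifferentiated alerts.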

Deploying the Flashpoint Splunk App and Add-on

Both the Flashpoint Splunk App and Add-on are available on Splunkbase; Splunk users download, deploy, and configure them using a Flashpoint API key.

For more information contact:

[email protected]nt-intel.com
