How the New Splunk App for Scout Can Enrich and Accelerate Your Investigations

Pure Signal, the world’s largest threat intelligence data ocean, is now available as a Splunk dashboard


Our mission at Team Cymru has always been to ‘save and improve human lives’. We empower defenders with the actionable intelligence they need to detect, analyze, and respond to threats quickly and effectively. 


With so many tools available, overwhelming volumes of alerts, and multiple dashboards, there is a strong desire to consolidate and simplify workstreams for SOC analysts. Last year, we launched Pure Signal Scout, a web-based threat-hunting and intelligence tool for security analysts of all experience levels. It features a simple GUI, graphical displays, tagged results, and easy-to-use searches to determine whether suspicious IPs are malicious or compromised.


Today, we proudly announce the Team Cymru Scout App for Splunk. The app is Splunk certified and compatible with Splunk Enterprise and Splunk Cloud (versions 9.2, 9.1, and 9.0). This free app enriches Splunk with real-time and historical threat data.


How this can help you:


Because the app presents threat data in an accessible format alongside contextual information, SOC analysts can gain an immediate understanding of cyber threats without training. They can also create summary reports directly from within the tool for internal sharing and escalation.


Key features and benefits:


The Scout App for Splunk provides these datasets to help you better understand domains and IP addresses: Tags and Insights, Open Ports, PDNS, X.509 certificate details, Fingerprints, WHOIS information, and Communication timelines.


The app currently contains three dashboards for Splunk Enterprise:



Dashboard 1: Indicators Overview Dashboard


This dashboard shows the IOCs (IPs or domains) within Splunk, enriched with data from Scout. In this view, you will see any IPs or domains uploaded from Scout. You can search for any uploaded IP address or domain and immediately get data such as tags, ASN information, a summary of the IPs it communicated with, open ports, PDNS, fingerprints, and X.509 certificates. These provide the additional context needed to help identify malicious indicators within Splunk. The same information is also available natively in Scout.


Common use cases: IP and domain enrichment, alert resolution and triage, and conducting more effective investigations



Dashboard 2: Correlation Overview Dashboard


Match any IPs or domains within your existing logs. Configure and specify the log source and field to match against and enrich. You can also create alerts and reports that generate enrichments in real time.


Common use cases: real-time enrichment of IPs and domains in existing log sources



Dashboard 3: Live Investigation Dashboard


During investigations, this dashboard helps you quickly obtain domain intelligence in the context of your Splunk log data. You can add and query either a domain or an IP.

If you enter a domain, this dashboard will show the related IP addresses.


If you enter an IP address, you can obtain its rating information. In the example below, the IP is a known malicious command-and-control server: it is tagged as both a RAT and a NanoCore controller, as well as a DigitalOcean asset.



This dashboard also provides timelines showing when ports were open and when specific tags applied to the IP address. This information is helpful for any investigation or incident response.



Aside from this dashboard, you can also set up alerts or notifications that fire when a specific condition occurs. There are further options to query the account history and usage for your Scout license.


I invite you to try Scout Insight and the Scout App for Splunk. 


Getting started with the Team Cymru App for Splunk is straightforward:


  1. Visit the Scout Insight Trial page and sign up for a free, 30-day Scout trial.

  2. Navigate to the Team Cymru App for Splunk page to download the app directly from Splunkbase, and follow the installation instructions to integrate it into your Splunk environment.

  3. Explore and customize: explore the features and functionality of the app, customize dashboards to suit your specific needs, and start leveraging actionable threat intelligence to enhance your cybersecurity posture.

  4. Upload indicators via CSV file or, the better option, through the API.

Conclusion


The Team Cymru Scout App for Splunk provides immediate access to Pure Signal, the world’s largest threat intelligence data ocean. Installing the app gives you several graphical dashboards with deep IP and domain intelligence to enrich logs and datasets within Splunk.


Having this data in a single place centralizes critical data inside Splunk, so you can pivot on a domain or IP address and get the information you need to respond, further your investigation, or trigger additional actions.


Next steps:

Sign up for Scout Insight here

Download the free app from the Splunkbase store

Article Link: https://www.team-cymru.com/post/how-the-new-splunk-app-for-scout-can-enrich-and-accelerate-your-investigations