March 29, 2018

Tags: Splunk, SIEM, Partner Integrations, Demisto

Splunk and Demisto for Automated Data Enrichment and Response


Agile Nervous Systems

SIEMs are usually considered the brains of an organization, providing real-time collection, enrichment, and logging of data across a variety of sources. But, taking this biological analogy further, a brain's ability to act is limited without a nervous system to carry out its orders. Over the past few years, security automation and orchestration tools have filled this role, working in concert with SIEMs to keep the SOC ready across the whole incident lifecycle.

Demisto has powerful integrations with a host of SIEM platforms. In this article, we will go through Demisto's bi-directional integration with Splunk, our Adaptive Response partnership, and some illustrative use cases that highlight user benefits.

Integration Overview

When investigating a security event or breach, users can enrich the data behind Splunk's correlated alerts and notable events through Demisto Enterprise's security orchestration capabilities.

Using Demisto and Splunk, users can:

  • Extract new insight from existing security architectures.
  • Improve investigations with more context from key security and IT domains.
  • Automate incident response and playbook-driven triage of security alerts.
  • Shorten the decision-making cycle by automating key tasks while keeping analyst review in the loop.


Adaptive Response Partnership

The Demisto Add-on for Splunk allows users to trigger specific playbooks to gather information about Splunk ES events, take actions on point products with the help of the Adaptive Response Framework, and manage the complete incident lifecycle within Demisto Enterprise.

The Demisto App for Splunk helps track Splunk-to-Demisto incident metrics. It displays all saved searches and the relevant incident details, giving users a succinct summary of the incidents created in Demisto Enterprise from Splunk.


USE CASE #1

Extracting context from investigation data

Challenge:

During investigations, analysts need to check indicators, find out whether they are malicious, and weave a contextual thread through the vast amount of data at their disposal. Faced with many indicators and no context, this becomes a repetitive and time-consuming process.

Solution:

After ingesting incidents from Splunk ES, Demisto uses hypersearch to give analysts critical context about the indicators associated with an incident. Analysts can see at a glance whether an indicator is malicious, whether it repeats across incidents, and how it correlates with other indicators, in both the work plan and war room views.

Benefit:

Viewing data in context lets analysts identify the right remediation procedure more quickly and run the corresponding playbooks or actions to contain the incident.
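The cross-correlation described in this use case (which indicators repeat across incidents, and which incidents share them) can be illustrated with a small standalone script. The following is an added example, not Demisto's hypersearch or any Demisto API; the incident records, field names and regexes are constructed for the demonstration, and the private-address check is deliberately simplified.

```python
import re

# Constructed sample incidents keyed by a hypothetical incident id. Each value
# is a flat field/value dict, roughly the shape a SIEM notable event has after
# ingestion. None of this is real data or Demisto's ingestion format.
SAMPLE_INCIDENTS = {
    "INC-1": {
        "src": "198.51.100.23",
        "dest": "10.0.0.5",
        "url": "http://malicious.example/payload.bin",
        "file_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    },
    "INC-2": {
        "src": "198.51.100.23",
        "dest": "10.0.0.9",
        "rule_name": "Suspicious outbound connection",
    },
    "INC-3": {
        "src": "203.0.113.7",
        "url": "http://updates.example/manifest.json",
        "file_hash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    },
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Host part of a URL: everything after "://" up to the next "/" or end.
DOMAIN_RE = re.compile(r"(?<=://)[A-Za-z0-9.-]+")

# Simplified RFC 1918 prefix check (172.16/12 is approximated by "172.16.").
PRIVATE_PREFIXES = ("10.", "192.168.", "172.16.")


def extract_indicators(event):
    """Return the set of (type, value) indicators found in an event's string fields.

    Private IPv4 addresses are skipped: internal hosts appearing in many
    incidents are expected and would otherwise drown out real overlaps.
    """
    found = set()
    for value in event.values():
        if not isinstance(value, str):
            continue
        for ip in IPV4_RE.findall(value):
            if not ip.startswith(PRIVATE_PREFIXES):
                found.add(("ip", ip))
        for digest in SHA256_RE.findall(value):
            found.add(("sha256", digest.lower()))  # normalise case
        for host in DOMAIN_RE.findall(value):
            found.add(("domain", host.lower()))
    return found


def correlate(incidents):
    """Map every indicator to the sorted list of incident ids it appears in."""
    by_indicator = {}
    for incident_id, event in incidents.items():
        for indicator in extract_indicators(event):
            by_indicator.setdefault(indicator, set()).add(incident_id)
    return {ind: sorted(ids) for ind, ids in by_indicator.items()}


def repeating_indicators(incidents):
    """Return only the indicators shared by more than one incident."""
    return {ind: ids for ind, ids in correlate(incidents).items() if len(ids) > 1}


if __name__ == "__main__":
    for indicator, ids in sorted(repeating_indicators(SAMPLE_INCIDENTS).items()):
        print(f"{indicator[0]:7} {indicator[1]}  seen in {', '.join(ids)}")
```

Running the script shows that the external source address and the file hash each tie two of the three constructed incidents together, which is exactly the kind of repeating pattern an analyst wants surfaced before deciding which playbook to run.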


For more information on the Demisto and Splunk integration, download our joint solution brief:


USE CASE #2

Customized enrichment for incidents

Challenge:

No two incidents are equal: each has different metrics and labels that matter for analysis and reporting. Analysts face challenges across the board with incident ingestion, especially the low number of labels transferred by default and cumbersome mapping procedures.

Solution:

While ingesting incidents from Splunk ES into Demisto, all 111 labels are captured by default. Analysts can also easily map Splunk labels to Demisto incident fields and request that only a specific set of labels be captured, depending on the incident at hand.

Benefit:

A large number of labels transferred by default allows for comprehensive enrichment of incidents. Intuitive mapping lets analysts customize incident labels according to relevance and needs, giving them better initial context to deal with incidents.
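To make the mapping step concrete, here is an added example of turning a flattened Splunk notable event into an incident record: all fields become labels by default, a caller can restrict that to a named subset, and a small field map promotes selected Splunk fields to top-level incident fields. This is illustrative code, not the Demisto Add-on or Demisto's incident API; the notable event, the `DEFAULT_MAPPING` table, the severity scale and the `{"type", "value"}` label shape are all assumptions made for the demonstration.

```python
import json

# Constructed Splunk ES notable event, flattened to field/value pairs.
SAMPLE_NOTABLE = {
    "rule_name": "Threat Activity Detected",
    "urgency": "high",
    "src": "198.51.100.23",
    "dest": "10.0.0.5",
    "user": "jdoe",
    "threat_match_value": "malicious.example",
    "_time": "2018-03-29T10:15:00Z",
}

# Hypothetical map of Splunk field -> incident field. Anything not listed
# here is still preserved, as a label, so no information is dropped.
DEFAULT_MAPPING = {
    "rule_name": "name",
    "urgency": "severity",
    "_time": "occurred",
}

# Hypothetical numeric severity scale used for the "severity" field.
SEVERITY_SCALE = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def build_incident(notable, mapping=None, capture_labels=None):
    """Build an incident dict from a notable event.

    mapping        -- Splunk field -> incident field (defaults to DEFAULT_MAPPING)
    capture_labels -- iterable of Splunk field names to keep as labels;
                      None means capture every field (the default behaviour).
    """
    mapping = DEFAULT_MAPPING if mapping is None else mapping
    incident = {
        "type": "Splunk Notable",
        "name": "Splunk notable",  # fallback if no name field is mapped
        "labels": [],
        # Keep the untouched source event so nothing is lost by the mapping.
        "rawJSON": json.dumps(notable, sort_keys=True),
    }

    for splunk_field, incident_field in mapping.items():
        if splunk_field not in notable:
            continue  # mapped field absent from this event: skip, don't fail
        value = notable[splunk_field]
        if incident_field == "severity":
            # Unknown urgency strings fall back to 0 rather than raising.
            value = SEVERITY_SCALE.get(str(value).lower(), 0)
        incident[incident_field] = value

    wanted = list(notable) if capture_labels is None else list(capture_labels)
    for field in wanted:
        if field in notable:
            incident["labels"].append({"type": field, "value": str(notable[field])})
    return incident


def label_value(incident, label_type):
    """Return the value of the first label of the given type, or None."""
    for label in incident["labels"]:
        if label["type"] == label_type:
            return label["value"]
    return None


if __name__ == "__main__":
    full = build_incident(SAMPLE_NOTABLE)
    trimmed = build_incident(SAMPLE_NOTABLE, capture_labels=["src", "dest", "user"])
    print(json.dumps(full, indent=2))
    print(f"{len(full['labels'])} labels by default, {len(trimmed['labels'])} when trimmed")
```

The two behaviours the use case describes are both visible: with no `capture_labels` argument every field of the notable survives as a label, and with a subset only those named are kept, while the mapped fields (`name`, `severity`, `occurred`) are populated either way.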


These are just a few of the many use cases possible with Demisto and Splunk. As a SIEM, Splunk handles event logging, correlation, and initial enrichment. Demisto takes over after ingesting Splunk data, automating and orchestrating further enrichment and response actions. The more extensive an organization's Splunk deployment, the more it stands to gain from Demisto's automation engine.

If you'd like to explore Demisto's features in greater detail, download the Free Edition below.



Copyright © 2019   |   DEMISTO - A PALO ALTO NETWORKS COMPANY   |   PRIVACY STATEMENT