Agile Nerve Systems
SIEMs are usually considered the brains of an organization, providing real-time collection, enrichment, and logging of data across a variety of sources. But, taking this biological analogy further, a brain's actionable functions are limited without a nerve system to carry out the orders. Over the past few years, security automation and orchestration tools have fulfilled this purpose, functioning in concert with SIEMs to enable SOC readiness across the incident lifecycle.
Demisto has powerful integrations with a host of SIEM platforms. In this article, we will go through Demisto's bi-directional integration with Splunk, our Adaptive Response partnership, and some illustrative use cases that highlight user benefits.
Integration Overview
When investigating a security event or breach, users can enrich the data from Splunk's correlated alerts and notable events through Demisto Enterprise's security orchestration capabilities.
Using Demisto and Splunk, users can:
- Extract new insight from existing security architectures.
- Improve investigations with more context from key security and IT domains.
- Automate incident response and playbook-driven triage of security alerts.
- Shorten the decision-making cycle by automating key tasks with analyst review.
Adaptive Response Partnership
The Demisto Add-on for Splunk allows users to trigger specific playbooks to gather information about Splunk ES events, take actions on point products with the help of the Adaptive Response Framework, and manage the complete incident lifecycle within Demisto Enterprise.
The Demisto App for Splunk helps in tracking Splunk-to-Demisto incident metrics. It visually displays all saved searches and relevant incident details, providing users a succinct summary of incidents created from Splunk into Demisto Enterprise.
USE CASE #1
Extracting context from investigation data
Challenge:
During investigations, analysts need to check indicators, find out whether they are malicious, and weave a contextual thread through the vast amount of data at their disposal. Faced with many indicators and no context, this becomes a repetitive and time-consuming process.
Solution:
After ingesting incidents from Splunk ES, Demisto uses hypersearch to give analysts critical context about the indicators associated with an incident. Analysts can view indicator malice, repeating patterns, and cross-correlations at a glance in both the work plan and war room windows.
Benefit:
Contextual viewing of data allows for quicker identification of remediation procedures and running the respective playbooks/actions to curtail the incident.
For more information on the Demisto and Splunk integration, download our joint solution brief:
USE CASE #2
Customized enrichment for incidents
Challenge:
No two incidents are equal; each incident has different metrics and labels that matter for analysis and reporting. Analysts face challenges across the board with incident ingestion, especially the low number of labels transferred by default and cumbersome mapping procedures.
Solution:
While ingesting incidents from Splunk ES into Demisto, all 111 labels are captured by default. Analysts can also easily map Splunk labels to Demisto incident fields and request that a specific set of labels be captured, depending on the incident at hand.
Benefit:
A large number of labels transferred by default allows for comprehensive enrichment of incidents. Intuitive mapping lets analysts customize incident labels according to relevance and needs, giving them better initial context to deal with incidents.
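The two use cases above boil down to one ingestion step: capture every label of a notable event, map a chosen subset onto incident fields, and pull out the indicators that need enrichment. The following script is an added illustration of that flow and is not Demisto's or Splunk's own code; the notable event, the field map, the incident field names and the local reputation table are all constructed assumptions, and the field names used to decide which values count as hostnames are hypothetical.

```python
import ipaddress
import re

# Constructed sample notable event, loosely modelled on the key/value fields a
# Splunk ES correlation search emits (field names and values are assumptions).
SAMPLE_NOTABLE = {
    "rule_name": "Threat - Suspicious File Hash Seen - Rule",
    "urgency": "high",
    "src": "10.20.30.40",
    "dest": "203.0.113.77",
    "user": "jdoe",
    "file_hash": "0123456789abcdef0123456789abcdef",  # constructed placeholder MD5
    "file_name": "invoice.exe",
    "dest_host": "fileserver01.corp.example",
    "_time": "2024-05-01T10:15:00Z",
}

# Hypothetical mapping of Splunk field names to incident field names.
DEFAULT_FIELD_MAP = {
    "rule_name": "name",
    "urgency": "severity",
    "src": "source_ip",
    "dest": "destination_ip",
    "user": "affected_user",
    "_time": "occurred",
}

SEVERITY_SCALE = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Only values coming from hostname-style fields are treated as domains; a
# filename such as "invoice.exe" would otherwise match a naive domain regex.
DOMAIN_FIELDS = {"dest_host", "src_host", "domain", "url_domain"}
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# Constructed local reputation table standing in for a real enrichment source.
LOCAL_REPUTATION = {
    "0123456789abcdef0123456789abcdef": "malicious",
    "203.0.113.77": "suspicious",
}


def build_incident(notable, field_map=DEFAULT_FIELD_MAP, capture_labels=None):
    """Turn a notable event into an incident: keep every field as a label by
    default (or only the requested ones), then map selected fields onto
    first-class incident fields and normalise severity to a numeric scale."""
    wanted = set(notable) if capture_labels is None else set(capture_labels)
    incident = {
        "labels": [{"type": k, "value": str(v)} for k, v in notable.items() if k in wanted]
    }
    for splunk_field, incident_field in field_map.items():
        if splunk_field in notable:
            incident[incident_field] = notable[splunk_field]
    if "severity" in incident:
        incident["severity"] = SEVERITY_SCALE.get(str(incident["severity"]).lower(), 0)
    return incident


def classify_indicator(field, value):
    """Return the indicator type for a label value, or None if it is not one."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if field in DOMAIN_FIELDS and DOMAIN_RE.match(value):
        return "domain"
    return None


def extract_indicators(incident):
    """Collect (type, value) pairs from the incident's labels, de-duplicated."""
    found = set()
    for label in incident["labels"]:
        kind = classify_indicator(label["type"], label["value"])
        if kind:
            found.add((kind, label["value"]))
    return sorted(found)


def enrich(indicators, reputation=LOCAL_REPUTATION):
    """Look each indicator up in the reputation source; unknown stays unknown."""
    return {value: reputation.get(value, "unknown") for _, value in indicators}


if __name__ == "__main__":
    inc = build_incident(SAMPLE_NOTABLE)
    iocs = extract_indicators(inc)
    for (kind, value), verdict in zip(iocs, enrich(iocs).values()):
        print(f"{kind:7} {value:40} {verdict}")
```

The `capture_labels` argument is the "request a specific set of labels" knob: leaving it at `None` keeps every field as a label, while passing a set narrows ingestion to the fields that matter for the incident type. Indicator classification is deliberately field-aware for domains so that filenames and rule names do not end up in the enrichment queue.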
These are just a few of the many use cases possible with Demisto and Splunk. As a SIEM, Splunk handles event logging, correlation, and initial enrichment. Demisto takes over after ingesting Splunk data, automating and orchestrating further enrichment and response actions. The more extensive an organization's Splunk deployment, the more it will benefit from Demisto's automation engine.
If you'd like to explore Demisto's features in greater detail, download the Free Edition below.