OPTIC Splunk App

The OPTIC / Splunk App by THREAT/STREAM seamlessly automates the integration of threat intelligence into Splunk to more quickly react to threats and reduce the time spent in the impact analysis phase.

Release Notes

The OPTIC / Splunk App provides the following:

  • Adds Threat Intelligence context to your event data based on known Indicators of Compromise (IOCs)

  • An initial DB populated with a sample Threat Intelligence collection to get you started (register for a free test-flight account for the full DB)

  • Automated creation of Triggered Alerts based on indicator type

  • Dashboards that detail local event data associated with known IOCs

  • Dashboards providing a high level breakout of the THREAT / STREAM data within the local database

  • Automated integration with the THREAT / STREAM Optic platform for automatic updates (see below) of the Threat Intelligence collection.

Get Started:

After you have installed the ThreatStream App for Splunk, register to receive current and real-time threat intelligence updates: https://optic.threatstream.com/registration/?s=s

Documentation:

https://optic.threatstream.com/download?file=SplunkAppThreatStreamUserGuide.pdf

Overview:

The ThreatStream App for Splunk as downloaded from Splunk Apps contains a database populated with a small sampling of the overall ThreatStream Intelligence feed. This sampling of content keeps the app distribution size manageable and provides a means for someone to fully explore the app without any sort of "introduction" to the THREAT / STREAM team. If you would like to introduce yourself to us, please do, as we look forward to meeting you and providing full access to the entire dataset via the quick registration process described above.

The ThreatStream App for Splunk provides Dashboards, an event viewer, and real-time alerts that highlight existing Splunk event data by performing lookups against the locally installed ThreatStream IOC collection. The event fields that are being used as lookup keys are assumed to be compliant with Splunk's Common Information Model (CIM). Should there be fields of interest that are not CIM compliant, feel free to edit the props.conf file to get your mappings in place or reach out to us for assistance. If you would like more information on the OPTIC platform or have feedback we are happy to hear from you.
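As an added illustration of the field-mapping step described above (this is not configuration shipped with the app or taken from its user guide), the following props.conf stanza aliases non-CIM field names from a hypothetical firewall sourcetype onto the CIM Network Traffic field names `src` and `dest`, so that searches keyed on CIM fields can match those events. The sourcetype name `acme_firewall` and the original field names `source_address` and `destination_address` are assumptions chosen for the example.

```ini
# Added example, not part of the ThreatStream App for Splunk.
# Maps fields from a hypothetical sourcetype onto CIM names at search time.
# The sourcetype and the original field names are assumptions.

[acme_firewall]
# CIM Network Traffic uses src and dest for the two endpoints.
# FIELDALIAS adds the CIM name alongside the original field; it does not
# rename or remove source_address / destination_address.
FIELDALIAS-cim_endpoints = source_address AS src destination_address AS dest
```

Place the stanza in a `local/props.conf` under the relevant app directory rather than editing a `default/props.conf`, so the mapping survives app upgrades. Because FIELDALIAS is a search-time knowledge object, no indexing change is required; search the sourcetype afterwards and confirm that `src` and `dest` appear in the field list before relying on the alias for lookups.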

Requirements:

When running on the Windows platform, you will need to install a standalone version of Python (version 2.7 or 3.3). The version of Python that ships with Splunk does not contain the modules required by this app to run.

Feedback:

We value your feedback and will continue to update this app on a regular basis. Please send comments, requests, or feedback to splunk@threatstream.com.
