Configure Cisco Talos Intelligence for Splunk Enterprise Security (Cloud Only)
Configure Cisco Talos Intelligence for Splunk Enterprise Security to use Cisco Talos premium threat intelligence to enrich your notable events, which makes triage easier and helps you detect threats.
Cisco Talos Intelligence examines URLs, IP addresses, domain names, and similar observables for security threat classifications and related threat intelligence. It reports the potential for malware, Command and Control (C2C) usage, phishing, or other malicious URL usage, together with other threat classifications such as IP address reputation, acceptable use policy (AUP) category, threat level, or other descriptions. Enrichment of this type speeds up triage and investigation of notable events in the security operations center.
Cisco Talos Intelligence provides enrichment in Splunk Enterprise Security automatically as a Talos API lookup or as an adaptive response action.
Download and install Cisco Talos Intelligence for Enterprise Security from Splunkbase. Cisco Talos Intelligence for Enterprise Security is currently supported only on Splunk Enterprise Security Cloud deployments.
Run Cisco Talos Intelligence for Enterprise Security as an ad-hoc enrichment adaptive response action
You can run Cisco Talos Intelligence for Enterprise Security as an ad-hoc enrichment adaptive response action on observable fields to enrich notable events as required.
Prerequisites
The app for Cisco Talos Intelligence for Enterprise Security is installed from Splunkbase.
Steps
- In Splunk Enterprise Security, go to the Incident Review page.
- Select a notable event.
- Under Actions, select the ellipsis to open the drop-down menu and select Run adaptive response action.
- Select +Add new response action.
- Select Intelligence Enrichment with Talos.
- In the Observable field, select the field that contains the observable that must be enriched by Talos intelligence. For example, URL.
- In the Observable type field, select URL, IP, or Domain.
If the observable field does not contain a value of the observable type that is selected for enrichment, the Cisco Talos Intelligence adaptive response action fails.
- Select Run to run the Cisco Talos Intelligence for Enterprise Security on the selected observable.
- Review the enrichment data from running the adaptive response action in the Next steps field by expanding the notable event details.
Refresh the Incident Review page in Splunk Enterprise Security using the Refresh button on the page.
Run Cisco Talos Intelligence for Enterprise Security as a collection adaptive response action
You can run Cisco Talos Intelligence for Enterprise Security as a collection adaptive response action to add enrichment data to a correlation search using a specified index.
Running Cisco Talos Intelligence for Enterprise Security as a collection adaptive response action does not enrich notable events automatically, because a notable event cannot be enriched by its unique identifier (ID) until the event has been created and assigned that ID.
Steps
- In Splunk Enterprise Security, go to the correlation search editor to create a correlation search.
- Go to Adaptive response actions.
- Select +Add new adaptive response action.
- Select the Intelligence Collection from Talos adaptive response action that you want to add.
- In the Observable field, select the field that contains the observable that must be enriched by Talos intelligence. For example, URL.
- In the Observable type field, select URL, IP, or Domain.
- In the Index field, select the index to which you want to add the enrichment data from Talos. For example, main.
- Select Run to run the Cisco Talos Intelligence for Enterprise Security on the selected observable.
- In Splunk Enterprise Security, select the Search tab and enter index = main in the search bar to view the enrichment data in the main index. Running the collection adaptive response action might take a few minutes.
You can now build dashboards using the enrichment data in the main index or you can enrich notable events created by the correlation search automatically.
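Both procedures above require that the observable field actually holds a value of the observable type (URL, IP, or Domain) you select, and the ad-hoc action fails when it does not. The following Python script is an added example, not part of the Splunk or Cisco Talos documentation, that classifies observable values and reports which notable events would fail for a chosen field and type before the action is run. The event records and field names (`event_id`, `url`, `dest_ip`) are constructed for this example; the classification rules are a simplified approximation of the Talos observable types, not the app's own validation logic.

```python
"""
Added example (not from the Splunk or Cisco Talos documentation): pre-check
that a notable event's observable field holds a value of the observable type
(URL, IP, or Domain) selected for Talos enrichment, so an adaptive response
action is not launched on a mismatched field.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname label rules: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip(value: str) -> bool:
    """True for a bare IPv4 or IPv6 address (no scheme, port, or path)."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def is_domain(value: str) -> bool:
    """True for a bare hostname with at least two labels, such as example.com."""
    v = value.strip().rstrip(".")
    if not v or len(v) > 253 or "/" in v or ":" in v:
        return False
    labels = v.split(".")
    if len(labels) < 2:
        return False
    # Reject an all-numeric top-level label so dotted quads are not domains.
    return all(_LABEL_RE.match(lbl) for lbl in labels) and not labels[-1].isdigit()


def is_url(value: str) -> bool:
    """True for an absolute http/https/ftp URL whose host is an IP or domain."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https", "ftp") or not parts.netloc:
        return False
    host = parts.hostname or ""
    return is_ip(host) or is_domain(host)


def classify_observable(value: str):
    """Return "IP", "URL", "Domain", or None when the value matches no type."""
    if is_ip(value):
        return "IP"
    if is_url(value):
        return "URL"
    if is_domain(value):
        return "Domain"
    return None


def check_events(events, observable_field, observable_type):
    """Split event IDs into (ok, failed) for the chosen field/type combination."""
    ok, failed = [], []
    for ev in events:
        value = ev.get(observable_field)
        if value is not None and classify_observable(value) == observable_type:
            ok.append(ev["event_id"])
        else:
            failed.append(ev["event_id"])
    return ok, failed


# Constructed sample notable events; values use documentation address ranges.
SAMPLE_EVENTS = [
    {"event_id": "N-001", "url": "http://example.com/login.php", "dest_ip": "198.51.100.23"},
    {"event_id": "N-002", "url": "198.51.100.23", "dest_ip": "203.0.113.7"},
    {"event_id": "N-003", "url": "not a url", "dest_ip": "2001:db8::1"},
]

if __name__ == "__main__":
    for field, otype in (("url", "URL"), ("dest_ip", "IP")):
        ok, failed = check_events(SAMPLE_EVENTS, field, otype)
        print(f"field={field} type={otype}: ok={ok} would_fail={failed}")
```

Running the script against the constructed events shows that selecting the `url` field with type URL would fail for N-002 (the field holds a bare IP) and N-003 (free text), while `dest_ip` with type IP passes for all three, including the IPv6 value. Run the same check over your own exported notable events before choosing the field and type for the action.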
See also
Use Federated Analytics with Splunk Enterprise Security for threat detection in Amazon Security Lake (ASL) datasets
Overview of Incident Review
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2