
Configure Cisco Talos Intelligence for Splunk Enterprise Security (Cloud Only)

Configure Cisco Talos Intelligence for Splunk Enterprise Security to use Cisco Talos' premium threat intelligence to enrich your findings, so that analysts can triage them faster and detect threats sooner.

Cisco Talos Intelligence examines URLs, IP addresses, domain names and similar observables and returns security threat classifications and related threat intelligence. For an observable, Cisco Talos Intelligence reports the likelihood of malware, command and control (C2) use, phishing or other malicious URL use, together with classifications such as IP address reputation, acceptable use policy (AUP) category and threat level. Enrichment of this type substantially speeds up triage and investigation of findings in the security operations center.

Cisco Talos Intelligence for Enterprise Security adds this intelligence to Splunk Enterprise Security in two ways: as a Talos Intelligence API lookup, or as an adaptive response action.

Download and install Cisco Talos Intelligence for Enterprise Security from Splunkbase. Cisco Talos Intelligence for Enterprise Security is currently supported only on Splunk Enterprise Security Cloud deployments, for versions 7.3.2 and higher.

Run Cisco Talos Intelligence for Enterprise Security as an ad-hoc enrichment adaptive response action

You can run Cisco Talos Intelligence for Enterprise Security as an ad-hoc enrichment adaptive response action on observable fields to enrich findings as required.

Prerequisites

The app for Cisco Talos Intelligence for Enterprise Security is installed from Splunkbase.

Steps

  1. In Splunk Enterprise Security, go to the analyst queue on the Mission Control page.
  2. Select a finding.
  3. Under Actions, select the ellipses to open the drop-down menu and select Run adaptive response action.
  4. Select +Add new response action.
  5. Select Intelligence Enrichment with Talos.
  6. In the Observable field, select the field that contains the observable to enrich with Talos intelligence. For example, URL.
  7. In the Observable type field, select URL, IP, or Domain.

    If the observable field does not contain a value of the observable type that is selected for enrichment, the Cisco Talos Intelligence adaptive response action fails.

  8. Select Run to run the Cisco Talos Intelligence for Enterprise Security on the selected observable.

    If Cisco Talos Intelligence for Enterprise Security finds no matches for the observable, no note is added to the finding; an empty Note field is not returned. You can still review the enrichment results in the UI and in the logs that are available on the Configuration page for the app.

    [Figure: the logs for the Talos adaptive response actions, as shown on the Configuration page for the app.]
  9. Reload the finding or investigation in the analyst queue on the Mission Control page, either by refreshing your browser or by selecting the Refresh button on the page.
  10. Review the Notes section for the enrichment data.

    [Figure: Talos enrichment data displayed in the Notes section for the finding.]

Run Cisco Talos Intelligence for Enterprise Security as a collection adaptive response action

You can run Cisco Talos Intelligence for Enterprise Security as a collection adaptive response action on a detection to write the enrichment data for the detection's observables to an index that you specify.

Running Cisco Talos Intelligence for Enterprise Security as a collection adaptive response action does not enrich findings automatically. A finding can be enriched only by its unique identifier (ID), and the finding does not have an ID until it has been created; the collection action therefore writes the enrichment data to the index rather than to the finding.

Steps

  1. In Splunk Enterprise Security, go to the detection editor to create an event-based detection.
  2. Go to Adaptive response actions.
  3. Select +Add new adaptive response action.
  4. Select the Intelligence Collection from Talos adaptive response action that you want to add.
  5. In the Observable field, select the field that contains the observable to enrich with Talos intelligence. For example, URL.
  6. In the Observable type field, select URL, IP, or Domain.
  7. In the Index field, select the index to which you want to add the enrichment data from Talos. For example, main.
  8. Select Run to run the Cisco Talos Intelligence for Enterprise Security on the selected observable.
  9. In Splunk Enterprise Security, select the Search tab and enter `index=main` in the search bar to view the enrichment data in the main index. The collection adaptive response action might take a few minutes to run, so the data might not appear immediately.

You can now build dashboards on the enrichment data in the main index, or use it to enrich the findings that the detection creates.
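Both procedures above fail when the selected Observable field does not hold a value of the selected Observable type (step 7 of the ad-hoc procedure, step 6 of the collection procedure). The following is an added example, not part of the Cisco Talos Intelligence for Enterprise Security app or of Splunk's documentation: a small Python pre-check that classifies a finding's field values as URL, IP, or Domain so that an analyst, or a script that prepares findings, can pick the matching Observable type before running the action. The finding is a constructed dictionary; the field names (`url`, `dest_ip`, `query`, `src`, `user`) and the refanging rules for analyst notation such as `hxxp://` and `[.]` are assumptions for the example, not something the app defines.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# The three observable types the Talos adaptive response actions accept.
URL, IP, DOMAIN = "URL", "IP", "Domain"

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample finding (not real data): field names are assumptions for the example.
SAMPLE_FINDING = {
    "url": "hxxp://login-update[.]example[.]net/verify?id=42",  # defanged URL as an analyst would paste it
    "dest_ip": "203.0.113.10",
    "query": "cdn.example.org.",                                 # DNS query with trailing dot
    "src": "2001:db8::1",
    "user": "jsmith",                                            # not an observable Talos can enrich
}


def refang(value: str) -> str:
    """Undo common analyst defanging (hxxp://, [.], (.), [:]) so the value can be parsed."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def is_ip(value: str) -> bool:
    """True for a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_domain(value: str) -> bool:
    """True for a syntactically valid hostname with at least two labels and a non-numeric TLD."""
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # "203.0.113.10" is an IP, not a domain
        return False
    return all(_LABEL.match(label) for label in labels)


def is_url(value: str) -> bool:
    """True for an http(s) URL whose host is an IP address or a valid domain."""
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed bracketed IPv6 host
        return False
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    return is_ip(parts.hostname) or is_domain(parts.hostname)


def classify(value: str) -> Optional[str]:
    """Return the Observable type (URL, IP, Domain) for a value, or None if it is none of them."""
    v = refang(value)
    if is_ip(v):
        return IP
    if is_domain(v):
        return DOMAIN
    if is_url(v):
        return URL
    return None


def suggest_types(finding: Dict[str, object]) -> Dict[str, Optional[str]]:
    """Map every field of a finding to the Observable type it can be enriched as."""
    return {field: classify(str(value)) for field, value in finding.items()}


def check_action_inputs(finding: Dict[str, object], observable_field: str,
                        observable_type: str) -> Tuple[bool, str]:
    """Mirror the precondition from the procedure: the selected field must hold a value of the selected type."""
    value = finding.get(observable_field)
    if value in (None, ""):
        return False, f"field {observable_field!r} is missing or empty; the action would fail"
    actual = classify(str(value))
    if actual != observable_type:
        return False, (f"field {observable_field!r} holds a {actual or 'unrecognised'} value, "
                       f"not {observable_type}; the action would fail")
    return True, "ok"


if __name__ == "__main__":
    for field, kind in suggest_types(SAMPLE_FINDING).items():
        print(f"{field:8s} -> {kind}")
    print(check_action_inputs(SAMPLE_FINDING, "url", "Domain"))  # mismatch: URL field, Domain type
    print(check_action_inputs(SAMPLE_FINDING, "url", "URL"))     # ok
```

The check is deliberately conservative: a value without a scheme such as `evil.example/path` classifies as neither Domain nor URL, so the caller has to decide what to submit rather than having the action fail silently after a run.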

Last modified on 17 January, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1, 8.0.2
