External Threat Management Analyst

Partner Deep-Dive: The RiskIQ PassiveTotal for Splunk

Attackers are more active than ever before, taking advantage of organizations' expanded attack surfaces outside the corporate firewall and across the internet. Phishing attacks, typosquat registrations, and disinformation campaigns aiming to take advantage of COVID-19 and political turmoil are running rampant. Security teams lacking visibility into this new attack surface are coming up dangerously short. 

RiskIQ has been collecting internet data for more than a decade to help organizations meet the challenge of this new generation of threats. The RiskIQ PassiveTotal App puts petabytes of this external Internet security intelligence into Splunk's Data-to-Everything Platform, giving security teams the visibility they need in a platform and workflow they already use. 

The app enables teams to investigate and respond to threats across their organization's attack surface by laying the RiskIQ Internet Intelligence Graph on top of Splunk data—all in one location—to show how internal assets interact with external infrastructure. With this 360-degree view of their attack surface, analysts have unparalleled context and intelligence to detect, investigate, and remediate IoC's and security events.

Security teams are using Splunk to store asset logs, network events, endpoint information, and more. The RiskIQ PassiveTotal app can pair this data with RiskIQ's external visibility. Users can also conduct investigations on indicators of compromise (IOCs) directly from Splunk, saving them time and avoiding the need to pivot between interfaces. These indicators can be enriched on a scheduled basis with all or selective RiskIQ data sets to automate collection. Data collected from this process is stored within Splunk and searchable during local or live investigations.

Here's more on these three main use cases:

Indicator Enrichment: Staying ahead of your adversaries requires automation. Indicators collected from open-source intelligence—those published by security companies and ones extracted from local telemetry— can be uploaded to the PassiveTotal for Splunk application. Users can schedule to have these indicators enriched on a timeframe of their choosing. They can also select an index to store the data and the data sets they wish to use during the enrichment process.

Indicator enrichment

Live or Local Investigations:
Analysts have long used PassiveTotal to conduct investigations on indicators of compromise. With PassiveTotal for Splunk, analysts no longer need to leave the Splunk interface to get access to RiskIQ data. Analysts have the option of performing a live query (querying RiskIQ real-time) or a local query (querying locally stored data) investigation directly in Splunk. Whatever method, analysts get the added benefit of their queries and pivots also running against internal log sources, therefore reducing critical steps they would normally need to take.

Users have a choice of live or local investigations

Event Enrichment:
Search is key to Splunk. PassiveTotal for Splunk introduces several commands for users to leverage to enrich events from search queries. For ad-hoc enrichment, users can make use of individual generative commands to display PassiveTotal data alongside events. For scaled enrichment, users can leverage streaming commands to enrich events that match a given query as they return from Splunk. This functionality becomes especially useful when searching across various logs like proxy or firewall logs.

Event enrichment

Get Started Today

Access to internet data is critical to making informed decisions in security. RiskIQ PassiveTotal for Splunk allows analysts to tap into petabytes of Internet intelligence and instantly correlate that against their internal log sources. Today, there are several ways Splunk users can tap RiskIQ's internet-wide telemetry and internet data collection to continuously visualize and defend their ever-changing attack surface and proactively protect their organization. 

Users can access these offerings for free directly from Splunkbase. Install the PT App and Add-on, and find detailed support information on our RiskIQ Interlock Partner Page.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor