
The Challenge

Many cybersecurity teams use Splunk to better detect, investigate, and visualize threats. The challenge is that, to extract value from Splunk, the Splunk Search Processing Language (SPL) is required. SPL is complex and difficult to learn, so only a limited number of people interact with Splunk. As a result, the full value of Splunk is not realized and security posture is not maximized.

The Solution

Insight Engines Cyber Security Investigator for Splunk (CSI) is an App which installs on Splunk Enterprise. Its unique and powerful Natural Language Processing (NLP) technology lets Splunk users write “plain English”, or natural language, search queries, thus eliminating the need to learn and use SPL. CSI is optimized for cybersecurity, enabling cybersecurity teams to easily query Splunk to detect, alert, investigate, and visualize cyberthreats. As a result, the value of machine data in Splunk is unlocked as it is accessible and actionable to anyone from the CISO to the tier-1 analyst.

Natural Language Processing

Insight Engines’ NLP search technology is much more than keyword lookups from a dictionary. It’s a real-time parser that examines the search query to understand meaning, intent and context. In seconds, it then produces highly-efficient SPL queries, accurate results, and powerful visualizations.

Strong ROI

The benefits of CSI lead to a strong ROI, as CSI enhances existing people, processes, and tools.

Benefits of CSI

[Chart: Insight Engines Cyber Security Investigator for Splunk: making machine data accessible to everyone in cybersecurity. Benefit categories shown across People, Processes and Tools: Splunk Training Costs; Expand Analyst Hiring Pool; Overall Productivity; Decreased Maintenance/ProServ Costs; Time Spent per Query Construction; Increased Analyst Creativity; Increased Utilization of Existing Systems; Value of Existing Infrastructure. Percentage figures printed on the chart: +200%, +150%, -80%, -30%, -90%, +400%, +70%, +400%; the chart's layout mapping each figure to a category did not survive extraction.]

Data Sheet

Less Reliance on SPL Experts

No longer have to deal with finding, training, and retaining SPL experts.

Highly Efficient Splunk SPL

Plain-English queries are automatically translated into highly efficient SPL and fast searches.

Productivity Improves

Analyst time is spent defeating threats, not writing SPL.

Search to show what vulnerable systems had failed updates

Insight Engines Query

“Show me vulnerable systems with failed updates”

SPL Query

| tstats allow_old_summaries=t append=t prestats=t summariesonly=t count values(Updates.severity) as Updates.severity from datamodel=Updates where Updates.status="failure" earliest=06/20/2016:00:00:00 latest=06/27/2016:00:00:00 by Updates.dest, Updates.signature
| tstats allow_old_summaries=t append=t prestats=t summariesonly=t count from datamodel=Vulnerabilities where earliest=06/20/2016:00:00:00 latest=06/27/2016:00:00:00 by Vulnerabilities.dest
| fillnull value="" Updates.signature
| eval dest=coalesce('Updates.dest', 'Vulnerabilities.dest'), join_node=if(isnotnull('Updates.dest'), "Updates", "Vulnerabilities")
| stats count values(Updates.severity) as Updates.severity by dest, join_node, Updates.signature
| eval count_Updates=if(join_node=="Updates", 'count', null()), count_Vulnerabilities=if(join_node=="Vulnerabilities", 'count', null())
| stats list(count_Updates) as count_Updates list(Updates.signature) as Updates.signature list(count_Vulnerabilities) as count_Vulnerabilities values(Updates.severity) as Updates.severity by dest
| where isnotnull('count_Updates') AND isnotnull('count_Vulnerabilities')
| stats sum(count) as count
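To make the generated SPL above easier to read, here is an added Python model of what it computes, written for this page and not Insight Engines code: two per-data-model aggregations over a one-week window, then the coalesce/join_node/where steps, which amount to an inner join on dest. The events are constructed, field names follow the CIM Updates and Vulnerabilities data models, and the final roll-up is modeled as the number of matching hosts (an assumption).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, shaped like CIM Updates / Vulnerabilities records.
UPDATES = [
    {"_time": "2016-06-21 10:00", "dest": "web01", "status": "failure", "signature": "KB-A", "severity": "critical"},
    {"_time": "2016-06-22 11:00", "dest": "web01", "status": "failure", "signature": "KB-B", "severity": "high"},
    {"_time": "2016-06-22 12:00", "dest": "db01", "status": "installed", "signature": "KB-A", "severity": "critical"},
    {"_time": "2016-06-23 09:00", "dest": "app02", "status": "failure", "signature": "KB-B", "severity": "high"},
    {"_time": "2016-07-01 09:00", "dest": "db01", "status": "failure", "signature": "KB-B", "severity": "high"},
]
VULNS = [
    {"_time": "2016-06-21 08:00", "dest": "web01", "signature": "vuln-1"},
    {"_time": "2016-06-24 08:00", "dest": "db01", "signature": "vuln-2"},
    {"_time": "2016-06-24 08:00", "dest": "db01", "signature": "vuln-3"},
]
WINDOW = (datetime(2016, 6, 20), datetime(2016, 6, 27))  # earliest/latest from the SPL

def in_window(ev, earliest=WINDOW[0], latest=WINDOW[1]):
    t = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M")
    return earliest <= t < latest

def vulnerable_with_failed_updates(updates=UPDATES, vulns=VULNS):
    """Return {dest: row} for hosts that have both failed updates and vulnerabilities."""
    # First tstats: count failed updates by dest and signature; collect severity values.
    failed = defaultdict(lambda: defaultdict(lambda: {"count": 0, "severity": set()}))
    for ev in updates:
        if ev["status"] == "failure" and in_window(ev):
            cell = failed[ev["dest"]][ev["signature"]]
            cell["count"] += 1
            cell["severity"].add(ev["severity"])
    # Second tstats: vulnerability event count by dest.
    vuln_count = defaultdict(int)
    for ev in vulns:
        if in_window(ev):
            vuln_count[ev["dest"]] += 1
    # coalesce + join_node + where isnotnull(...) keep only hosts present in both sets.
    rows = {}
    for dest in sorted(failed.keys() & vuln_count.keys()):
        sigs = sorted(failed[dest])
        rows[dest] = {
            "Updates.signature": sigs,
            "count_Updates": [failed[dest][s]["count"] for s in sigs],
            "count_Vulnerabilities": vuln_count[dest],
            "Updates.severity": sorted(set().union(*(failed[dest][s]["severity"] for s in sigs))),
        }
    return rows

def total_count(rows=None):
    """Final roll-up, modeled (assumption) as the number of matching hosts."""
    rows = vulnerable_with_failed_updates() if rows is None else rows
    return len(rows)
```

Note that db01 drops out twice over: its only in-window update event has status "installed", and its failed update falls outside the window, while app02 has failed updates but no vulnerability events.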

Realize the Full Value of Splunk

The potential benefits and capabilities of Splunk are now realized

Stronger Security Posture

More easily detect, investigate, and visualize cyber threats

Democratize your Data

Anyone in your organization can ask Splunk questions to gain insight

ABOUT INSIGHT ENGINES

Insight Engines’ software enables organizations to unlock the value of machine data so it becomes accessible and actionable to anyone in an organization, from an analyst to an executive. Its unique and powerful technology leverages natural language, or “plain English”, search queries against machine data, thus eliminating the need to learn and use complex search languages. www.insightengines.com [email protected]

© 2017 Insight Engines, Inc. All rights reserved. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Technical and Installation Details

100% self-contained Splunk App

Installs in under an hour

No additional hardware required

Installs on a search head or search head cluster

Requires only Splunk Enterprise (not Splunk Enterprise Security)

Leverages Splunk Common Information Model (CIM)

Will run in any environment Splunk Enterprise is running in, including private/public/Splunk cloud or a virtual environment

Returns Rich Results Fast

Enter a plain English search and CSI automatically, in real-time, handles the SPL translation and presents rich visualizations and insight. Searches can leverage multiple data sources, and CSI automatically writes highly optimized searches that leverage data models and have minimal impact on hardware.

See the Raw Splunk SPL

CSI shows the SPL it generated. This is useful as a training tool to learn SPL. Even SPL experts benefit from this detail because they use it as a shortcut to creating complex SPL and to check the accuracy of their SPL queries.

Reports, Visualizations, Alerts

CSI dynamically visualizes search results in a way that makes sense based on the query, making it easy to get actionable visualizations and insights. In this image, CSI understands the search centers around location and shows a geo-IP map. Users can also easily turn a plain English query into an alert.
