The Challenge
Many cybersecurity teams use Splunk to detect, investigate, and visualize threats. The challenge is that extracting value from Splunk requires the Splunk Search Processing Language (SPL). SPL is complex and difficult to learn, so only a limited number of people interact with Splunk directly. As a result, the full value of Splunk is not realized and security posture is not maximized.

The Solution
Insight Engines Cyber Security Investigator for Splunk (CSI) is an app that installs on Splunk Enterprise. Its Natural Language Processing (NLP) technology lets Splunk users write "plain English" (natural language) search queries, eliminating the need to learn and use SPL. CSI is optimized for cybersecurity, enabling security teams to query Splunk to detect, alert on, investigate, and visualize cyberthreats. As a result, the machine data in Splunk becomes accessible and actionable to anyone from the CISO to the tier-1 analyst.

Natural Language Processing
Insight Engines' NLP search technology is more than keyword lookup from a dictionary. It is a real-time parser that examines the search query to understand its meaning, intent, and context. Within seconds it produces efficient SPL queries, accurate results, and visualizations.

Strong ROI
The benefits of CSI lead to a strong ROI, because CSI enhances existing people, processes, and tools rather than replacing them.
Insight Engines Cyber Security Investigator for Splunk
Making machine data accessible to everyone in cybersecurity

Benefits of CSI
[Figure: benefits grouped under People, Processes, and Tools]
Benefits listed: Splunk Training Costs; Expand Analyst Hiring Pool; Overall Productivity; Decreased Maintenance/ProServ Costs; Time Spent per Query Construction; Increased Analyst Creativity; Increased Utilization of Existing Systems; Value of Existing Infrastructure.
Percentage changes shown in the figure (the extracted text does not preserve which value belongs to which benefit): +200%, +150%, -80%, -30%, -90%, +400%, +70%, +400%.
Data Sheet
Less Reliance on SPL Experts
No need to find, train, and retain SPL experts.

Highly Efficient Splunk SPL
Plain-English queries are automatically translated into efficient SPL and fast searches.

Productivity Improves
Analyst time is spent defeating threats, not writing SPL.
Example: a search to show which vulnerable systems had failed updates

Insight Engines Query
"Show me vulnerable systems with failed updates"

SPL Query (generated by CSI for the same question)
| tstats allow_old_summaries=t append=t prestats=t summariesonly=t count values(Updates.severity) as Updates.severity from datamodel=Updates where Updates.status="failure" earliest=06/20/2016:00:00:00 latest=06/27/2016:00:00:00 by Updates.dest, Updates.signature
| tstats allow_old_summaries=t append=t prestats=t summariesonly=t count from datamodel=Vulnerabilities where earliest=06/20/2016:00:00:00 latest=06/27/2016:00:00:00 by Vulnerabilities.dest
| fillnull value="" Updates.signature
| eval dest=coalesce('Updates.dest', 'Vulnerabilities.dest'), join_node=if(isnotnull('Updates.dest'), "Updates", "Vulnerabilities")
| stats count values(Updates.severity) as Updates.severity by dest, join_node, Updates.signature
| eval count_Updates=if(join_node=="Updates", 'count', null()), count_Vulnerabilities=if(join_node=="Vulnerabilities", 'count', null())
| stats list(count_Updates) as count_Updates list(Updates.signature) as Updates.signature list(count_Vulnerabilities) as count_Vulnerabilities values(Updates.severity) as Updates.severity by dest
| where isnotnull('count_Updates') AND isnotnull('count_Vulnerabilities')
| stats sum(count) as count
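The generated SPL above correlates two CIM data models without Splunk's `join` command (whose subsearch limits silently truncate large result sets): it appends the two `tstats` result sets, tags each row with `join_node`, groups by `dest`, and keeps only hosts seen under both models. The following is an added example, not Insight Engines' or Splunk's code, that reproduces that pipeline in plain Python over constructed CIM-shaped records so the join pattern can be read and tested offline. Host names, update and vulnerability signatures, and timestamps are all made up.

```python
"""Added example (not from Insight Engines or Splunk): the failed-update /
vulnerability correlation from the generated SPL, reproduced stage by stage
in Python over constructed CIM-shaped records."""
from collections import defaultdict
from datetime import datetime

# Search window from the SPL (earliest inclusive, latest exclusive).
WINDOW_START = datetime(2016, 6, 20)
WINDOW_END = datetime(2016, 6, 27)

# Constructed sample events in the shape of the CIM Updates and
# Vulnerabilities data models. Hosts, signatures and times are made up.
UPDATES = [
    {"_time": "2016-06-21T02:15:00", "dest": "web01", "status": "failure",
     "signature": "update-A", "severity": "critical"},
    {"_time": "2016-06-22T02:15:00", "dest": "web01", "status": "failure",
     "signature": "update-B", "severity": "high"},
    {"_time": "2016-06-22T02:15:00", "dest": "db01", "status": "success",
     "signature": "update-A", "severity": "critical"},
    {"_time": "2016-06-23T02:15:00", "dest": "app02", "status": "failure",
     "signature": "update-A", "severity": "critical"},
    # Failed, but before the search window: must not count.
    {"_time": "2016-06-10T02:15:00", "dest": "db01", "status": "failure",
     "signature": "update-C", "severity": "critical"},
]
VULNERABILITIES = [
    {"_time": "2016-06-21T09:00:00", "dest": "web01", "signature": "vuln-1"},
    {"_time": "2016-06-21T09:00:00", "dest": "web01", "signature": "vuln-2"},
    {"_time": "2016-06-21T09:00:00", "dest": "db01", "signature": "vuln-1"},
    {"_time": "2016-06-24T09:00:00", "dest": "app02", "signature": "vuln-3"},
    # Vulnerable host with no update records at all: must not appear.
    {"_time": "2016-06-25T09:00:00", "dest": "kiosk07", "signature": "vuln-1"},
]


def _in_window(event):
    t = datetime.fromisoformat(event["_time"])
    return WINDOW_START <= t < WINDOW_END


def correlate(updates, vulnerabilities):
    """Return {dest: summary} for hosts that had failed updates AND open
    vulnerabilities inside the window, mirroring the SPL pipeline."""
    # Stage 1 (two tstats + append + eval join_node): one row list in which
    # every row is tagged with the data model it came from.
    rows = []
    for ev in updates:
        if _in_window(ev) and ev["status"] == "failure":
            rows.append({"join_node": "Updates", "dest": ev["dest"],
                         "signature": ev["signature"], "severity": ev["severity"]})
    for ev in vulnerabilities:
        if _in_window(ev):
            rows.append({"join_node": "Vulnerabilities", "dest": ev["dest"]})

    # Stage 2 (stats ... by dest, join_node): per-host counts from each side,
    # i.e. the SPL's count_Updates / count_Vulnerabilities columns.
    per_dest = defaultdict(lambda: {"count_Updates": 0, "count_Vulnerabilities": 0,
                                    "signatures": set(), "severity": set()})
    for row in rows:
        d = per_dest[row["dest"]]
        if row["join_node"] == "Updates":
            d["count_Updates"] += 1
            d["signatures"].add(row["signature"])
            d["severity"].add(row["severity"])
        else:
            d["count_Vulnerabilities"] += 1

    # Stage 3 (where isnotnull(count_Updates) AND isnotnull(count_Vulnerabilities)):
    # this is the inner join; a host seen on only one side is dropped.
    result = {}
    for dest, d in per_dest.items():
        if d["count_Updates"] and d["count_Vulnerabilities"]:
            result[dest] = {"count_Updates": d["count_Updates"],
                            "count_Vulnerabilities": d["count_Vulnerabilities"],
                            "signatures": sorted(d["signatures"]),
                            "severity": sorted(d["severity"])}
    return result


def run_example():
    """Correlate the constructed sample data; returns the matching hosts."""
    return correlate(UPDATES, VULNERABILITIES)


if __name__ == "__main__":
    for dest, summary in sorted(run_example().items()):
        print(dest, summary)
```

On the constructed data only web01 and app02 survive: db01 has a failed update, but outside the window, and kiosk07 is vulnerable but has no update events. One caveat worth carrying back to the real SPL: `summariesonly=t` restricts both `tstats` calls to accelerated data-model summaries, so a host whose events have not yet been summarized (or that lands on a search head without acceleration for that model) is invisible to the search, and `allow_old_summaries=t` additionally accepts summaries built under an older version of the data-model definition.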
Realize the Full Value of Splunk
The potential benefits and capabilities of Splunk are now realized
Stronger Security Posture
More easily detect, investigate, and visualize cyber threats
Democratize your Data
Anyone in your organization can ask Splunk questions to gain insight
ABOUT INSIGHT ENGINES
Insight Engines' software enables organizations to unlock the value of machine data so it becomes accessible and actionable to anyone in an organization, from an analyst to an executive. Its technology accepts natural language ("plain English") search queries against machine data, eliminating the need to learn and use complex search languages. www.insightengines.com
© 2017 Insight Engines, Inc. All rights reserved. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Technical and Installation Details
- 100% self-contained Splunk app
- Installs in under an hour
- No additional hardware required
- Installs on a search head or search head cluster
- Requires only Splunk Enterprise (not Splunk Enterprise Security)
- Leverages the Splunk Common Information Model (CIM)
- Runs in any environment Splunk Enterprise runs in, including private cloud, public cloud, Splunk Cloud, or a virtual environment
Returns Rich Results Fast
Enter a plain English search and CSI handles the SPL translation in real time, then presents visualizations and insight. Searches can draw on multiple data sources; CSI writes optimized searches that leverage data models and keep the load on hardware minimal.

See the Raw Splunk SPL
CSI shows the SPL it generated. This is useful as a training tool for learning SPL. Even SPL experts benefit from this detail: they use it as a shortcut to creating complex SPL and to check the accuracy of their own SPL queries.

Reports, Visualizations, Alerts
CSI visualizes search results in the form that fits the query, making it easy to get actionable visualizations and insights. In the screenshot on the data sheet, CSI recognizes that the search centers on location and shows a geo-IP map. Users can also turn a plain English query into an alert.