Leveraging Flashpoint’s technical data and intelligence reports gives Splunk users visibility into illicit online communities, so they can correlate that information with their own infrastructure, gain insights in a timely manner, and use those connections to prioritize their response. The Flashpoint Splunk App and Add-on integrate Flashpoint data into customers’ Splunk instances and automatically alert customers when an indicator from internal log data matches Flashpoint intelligence.
Integrated Flashpoint Datasets:
Technical Indicators: Enables users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets, including those found in Flashpoint Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.
Finished Intelligence: Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.
- Captures, indexes, and correlates in real time Flashpoint technical data within Splunk’s searchable repository
- Enables users to generate reports and visualizations, including graphs, alerts, and dashboards
- Collects integrated data using Flashpoint’s REST-based API
- Includes IOCs such as hashes, URLs, and domains, as well as details related to malware families, mapped to the MITRE ATT&CK framework
- Provides pre-built dashboards with associated Flashpoint data
Flashpoint delivers converged intelligence and risk solutions to private and public sector organizations worldwide. As the global leader in Business Risk Intelligence (BRI), Flashpoint provides meaningful intelligence to assist organizations in combating threats and adversaries. Through sophisticated technology, advanced data collections, and human-powered analysis, Flashpoint is the only intelligence firm that can help multiple teams across an organization bolster cybersecurity, confront fraud, detect insider threats, enhance corporate and physical security, improve executive protection, address third-party risk, and support due diligence efforts.
For more information, visit https://www.flashpoint-intel.com/ or follow us on Twitter at @FlashpointIntel.
Flashpoint App for Splunk
Flashpoint App for Splunk allows you to leverage the Flashpoint platform's Indicators and reports within your Splunk instance.
Flashpoint Add-on for Splunk
Tested on Ubuntu 16.04, CentOS 7.5.18 and Windows Server 2016
Recommended System Configuration
- Standard Splunk configuration of Search Head, Indexer, and Forwarder.
- The Flashpoint Add-on for Splunk should be installed on the heavy forwarder and Search Head and the Flashpoint App for Splunk should be installed on the Search Head.
This App can be installed through the UI using the following steps.
- Log in to Splunk Web and navigate to Apps > Manage Apps.
- Click Install app from file.
- Click Choose File and select the Flashpoint App installation file.
- Click on
Alternatively, install from the command line using the following command:
$SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/flashpoint-1.0.0.spl
Once the installation is complete, restart Splunk. Then go to the Matching Configuration page to set up the indexes and the time range from which the matching of the IOCs should run. Note that if this setup is not done, the app will by default start matching events from the last 1 hour.
Matching Configuration Page Guide
- In the Matching Configuration page, configure the following fields.
- Index: A multi-select field. The user can select the indexes in which the IOCs should be matched. The default value is 'All', i.e. search in all indexes.
- Start Time: A time-range filter. The user can select the time from which matching of the IOCs should start. The default value is the last 7 days. This Start Time is the date/time from which the user wants to start matching events, so it applies only to the first configuration: when the user saves the configuration for the first time, the app matches events from the Start Time until the current time. Once that matching is complete, the subsequent matching logic is invoked automatically every hour by the saved search and matches events from the last 1 hour.
- This Application contains the following Saved Searches:
  - populate_lookup: Populates the list_iocs lookup. Its interval is every 24 hours.
  - perform_matching: Performs the matching and populates matched_lookup with the results. Its interval is every hour, and it matches data for the last 60 minutes.
- This Application contains one custom command:
  - matchiocs: Matches Flashpoint IOCs against Splunk's selected indexes.
- This Application contains the following lookups:
  - list_iocs: Stores a list of unique IOCs.
  - matched_lookup: Stores a list of matched events.
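To make the matching behaviour described above concrete (first run from Start Time to the current time, later hourly runs over the last 60 minutes, an index filter that defaults to All), here is an added Python model of that logic. It is not the app's own matchiocs code; the list_iocs and event field names, and the sample IOCs and events, are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the list_iocs lookup; field names are assumptions.
LIST_IOCS = [
    {"value": "bad-domain.example", "type": "domain"},
    {"value": "http://bad-domain.example/x.php", "type": "url"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5"},
]

# Constructed sample events; index/_time/domain/url/hash names are assumptions.
EVENTS = [
    {"index": "proxy", "_time": datetime(2024, 1, 1, 11, 30), "domain": "bad-domain.example"},
    {"index": "proxy", "_time": datetime(2024, 1, 1, 9, 0), "url": "http://bad-domain.example/x.php"},
    {"index": "edr", "_time": datetime(2024, 1, 1, 11, 50), "hash": "D41D8CD98F00B204E9800998ECF8427E"},
    {"index": "edr", "_time": datetime(2024, 1, 1, 11, 55), "hash": "0" * 32},
]

def matching_window(now, start_time=None, first_run=True):
    """Time range a matching run covers: the first run after saving the
    configuration covers Start Time .. now; without a saved Start Time, and
    on every later hourly run, it covers the last 60 minutes."""
    if first_run and start_time is not None:
        return start_time, now
    return now - timedelta(hours=1), now

def match_iocs(events, iocs, window, indexes="All"):
    """Return matched_lookup-style rows for in-window events whose domain, url
    or hash equals an IOC (hashes are compared case-insensitively)."""
    start, end = window
    wanted = {(i["type"], i["value"].lower()): i["value"] for i in iocs}
    rows = []
    for ev in events:
        if indexes != "All" and ev["index"] not in indexes:
            continue  # honour the Index filter ("All" means every index)
        if not (start <= ev["_time"] <= end):
            continue  # outside the run's time range
        for field, ioc_type in (("domain", "domain"), ("url", "url"), ("hash", "md5")):
            val = ev.get(field)
            if val and (ioc_type, val.lower()) in wanted:
                rows.append({"index": ev["index"], "_time": ev["_time"], "field": field,
                             "ioc_type": ioc_type, "ioc_value": wanted[(ioc_type, val.lower())]})
    return rows
```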
To see data logged by Flashpoint, select the Search tab. Click on Data Summary and select the flashpoint_intelligence:reports sourcetype for reports and the flashpoint_intelligence sourcetype for indicators.
You can also enter search parameters in the search box to filter events.