
Fighting cyber crime by using Splunk

As we told you in the post about our free API, threat intelligence is the key factor in the fight against cyber crime and cyber threats, mostly because this intelligence helps you and your organization prevent and mitigate attacks. The problem is usually gathering that information. That’s why, to make your life easier, we released our free API: https://map.blueliv.com

With this API, you can get information about hosts, such as the IP of the host, the domain name, the location, and the type of crime server. But once you have downloaded this information, you’ll need to do something with it, right? So we’ve created a plugin to integrate it with Splunk.

You can get the app from the Splunk Apps store.


As you already know, Splunk lets you search, monitor and analyze data. With it, you’ll be able to correlate events in different ways, for example by time and geolocation, with subsearches or with SQL-like queries. By combining Splunk’s intelligence and big data engine with threat intelligence you’ll improve your organization’s cyber security in numerous ways; as Dr. Anton Chuvakin, Research VP at Gartner, stated in his post How to Use Threat Intelligence with Your SIEM?, “you’ll be able to react faster and will have a lot more information about any malicious activity in your organization”.

Our plugin feeds the information from the API directly into Splunk, allowing you to correlate our intelligence with your internal data.


The plugin adds a search tab that lets you look up information about crime servers. Say you are investigating an infection in your organization and want the IPs of all the servers belonging to a specific botnet: select the type and subtype of botnet and the Splunk App for Blueliv shows you every match found.


But Splunk is capable of much more. As we said before, you can correlate different events and raise alerts based on predetermined conditions. Suppose you have Splunk installed and feed it with your organization’s inbound and outbound connection logs, the intelligence from our free API, and the events from your antivirus.


With these sources together, a connection to or from a known malicious server is detected and an alert is generated, so you can prevent or mitigate the infection or attack early.
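The correlation described above, reproduced outside Splunk as an added example (this is not the Blueliv app’s own code): a constructed crime server feed, a constructed connection log and constructed antivirus events are joined on the external IP, which is what a Splunk lookup does for you. The feed columns, the log layout and the severity rule are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed feed rows with the fields the post lists: IP, domain, location, crime server type.
FEED_CSV = """ip,domain,country,type,subtype
198.51.100.7,c2.example.test,NL,BOTNET,ZEUS
203.0.113.9,drop.example.test,US,MALWARE,EXPLOIT_KIT
"""

# Constructed firewall log: timestamp, direction, source IP, destination IP, destination port.
CONNECTION_LOG = """2014-03-01T10:00:01 OUT 10.0.0.5 198.51.100.7 443
2014-03-01T10:00:05 OUT 10.0.0.8 93.184.216.34 80
2014-03-01T10:02:10 IN 203.0.113.9 10.0.0.8 22
"""

# Constructed antivirus detections: timestamp, host, signature.
AV_EVENTS = "2014-03-01T09:58:00 10.0.0.5 Trojan.Generic\n"

def load_feed(csv_text):
    """Index the feed by IP, the key the connection log is matched on."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def load_av(text):
    """Group antivirus signatures by internal host."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        _ts, host, signature = line.split()
        hosts[host].append(signature)
    return hosts

def correlate(log_text, feed, av_hosts):
    """Flag every connection whose external peer is a known crime server."""
    alerts = []
    for line in log_text.splitlines():
        ts, direction, src, dst, port = line.split()
        internal, external = (src, dst) if direction == "OUT" else (dst, src)
        hit = feed.get(external)
        if hit is None:
            continue  # peer not in the feed: nothing to report
        alerts.append({
            "time": ts, "internal_host": internal, "crime_server": external,
            "direction": direction, "port": int(port), "type": hit["type"],
            "subtype": hit["subtype"], "country": hit["country"],
            # assumed rule: an AV detection on the same host raises the severity
            "severity": "high" if internal in av_hosts else "medium",
            "av_signatures": av_hosts.get(internal, []),
        })
    return alerts
```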

Preventing and mitigating these attacks is what makes the difference in any kind of fight, so having the right tools and information to do so already puts you one step further from suffering any damage.

If you have any doubts or want to give us feedback about the API and the map, email us at community@blueliv.com.

Don’t forget to check out the documentation!

Have a nice day!
