ThreatQuotient App for Splunk
Overview
The new ThreatQuotient App for Splunk improves on our previous capability while incorporating feedback collected from our customers around functionality and deployability.
Note: The new ThreatQuotient App for Splunk requires the ThreatQuotient Add-on for Splunk as well as ThreatQ version 4.16 or later.
Functionality includes:
Ingestion of ThreatQ Data into Splunk
Users can customize what data is ingested by combining ThreatQ exports with Splunk input filters. Advanced users can go further by modifying the indexes and Splunk saved searches that drive the ThreatQuotient App for Splunk to fit the needs of their environment.
Matching of Splunk Events with ThreatQ Indicators
Provide context on possible malicious activity by matching Splunk Events with ThreatQ indicators. Matching is customizable by ThreatQ indicator status and score to meet the differing needs of customer environments and workflows.
Reporting of Matches in Splunk back to ThreatQ as Sighting Events
Sighting events in ThreatQ will show indicator matches from Splunk and will be grouped by indicator.
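To make the matching and sighting behaviour described above concrete, here is an added example that is not part of the ThreatQuotient App or its Add-on. It filters a constructed indicator set by status and minimum score, matches constructed key=value events against it, and groups the hits into sightings keyed by indicator. The indicator fields (`status`, `score`, `type`), the status names, the event field names and the threshold values are all assumptions made for illustration, not the app's own configuration.

```python
"""Added example (not the ThreatQuotient App's own code): match log events
against an indicator set filtered by status and minimum score, then group
the resulting matches into sightings keyed by indicator.

All indicator records, thresholds and event lines below are constructed for
illustration; the field names ("status", "score", "type") are assumptions.
"""
import re
from collections import defaultdict

# Constructed indicator feed, shaped loosely like a threat-intel export (assumed fields).
INDICATORS = [
    {"value": "203.0.113.10", "type": "IP Address", "status": "Active", "score": 8},
    {"value": "198.51.100.7", "type": "IP Address", "status": "Active", "score": 3},
    {"value": "bad.example", "type": "FQDN", "status": "Active", "score": 9},
    {"value": "stale.example", "type": "FQDN", "status": "Expired", "score": 10},
    {"value": "192.0.2.44", "type": "IP Address", "status": "Whitelisted", "score": 10},
]

# Constructed key=value events in a Splunk-like shape; not real log data.
EVENTS = [
    "src=10.0.0.5 dest=203.0.113.10 action=allowed",
    "src=10.0.0.6 query=bad.example action=resolved",
    "src=10.0.0.7 dest=198.51.100.7 action=allowed",
    "src=10.0.0.8 query=stale.example action=resolved",
    "src=10.0.0.9 dest=192.0.2.44 action=allowed",
    "src=10.0.0.5 dest=203.0.113.10 action=blocked",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def build_match_set(indicators, allowed_statuses, min_score):
    """Index indicators by value, keeping only those whose status is allowed
    and whose score meets the threshold (the status/score tuning the text mentions)."""
    return {
        ind["value"]: ind
        for ind in indicators
        if ind["status"] in allowed_statuses and ind["score"] >= min_score
    }


def find_matches(events, match_set, fields=("src", "dest", "query")):
    """Return (indicator, field, event) triples for every event field whose
    value is present in the match set."""
    matches = []
    for line in events:
        event = parse_event(line)
        for field in fields:
            value = event.get(field)
            if value in match_set:
                matches.append((match_set[value], field, event))
    return matches


def sightings_by_indicator(matches):
    """Group matches by indicator value, the way sighting events are grouped."""
    grouped = defaultdict(lambda: {"type": None, "count": 0, "fields": set(), "events": []})
    for ind, field, event in matches:
        sighting = grouped[ind["value"]]
        sighting["type"] = ind["type"]
        sighting["count"] += 1
        sighting["fields"].add(field)
        sighting["events"].append(event)
    return dict(grouped)


def run(allowed_statuses=("Active",), min_score=5):
    """End-to-end: filter indicators, match events, group into sightings."""
    match_set = build_match_set(INDICATORS, set(allowed_statuses), min_score)
    return sightings_by_indicator(find_matches(EVENTS, match_set))


if __name__ == "__main__":
    for value, sighting in run().items():
        print(f"{value} ({sighting['type']}): {sighting['count']} match(es) "
              f"in fields {sorted(sighting['fields'])}")
```

With the default settings only Active indicators scoring 5 or higher are matched, so the low-score IP, the Expired domain and the Whitelisted IP produce no sightings even though they appear in the events; loosening the status list or the score threshold brings them back, which is the trade-off a practitioner tunes per environment.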
Workflow Actions
Users can modify ThreatQ data based on any indexed indicators within Splunk.
Workflow actions include:
- ThreatQ: Add Indicator
- ThreatQ: Add to Whitelist
- ThreatQ: Lookup Indicator
- ThreatQ: Mark as False Positive
- ThreatQ: Mark as True Positive
Note: ThreatQ data ingested into Splunk Enterprise Security can also be used by the additional workflows provided within that application.
Deployability
The ThreatQuotient App for Splunk has been redesigned to scale with our customers' growing needs, supporting installation in Splunk deployments of all sizes.