Correlating Carbon Black Watchlist Alerts on Splun...

akulg

Hi, our company does not yet have Splunk enterprise security, but we are considering getting it. Currently, our security posture includes a stream of EDR data from Carbon Black containing the EDR events and watchlist hits. We want to correlate the watchlist hits to create incidents. Is this something Splunk Enterprise Security can do right out of the box, given access to the EDR data? If so, how can do we do this in the Splunk Enterprise Security dashboard?

Bhumi

Hello @akulg

If I understand your requirement correctly, you're looking to correlate Carbon Black data which will be indexed in Splunk with the watchlist (threat feeds). If there’s a match, an incident should be created. And looking for a way to implementing this functionality within Enterprise Security.

Yes, there is a framework in the ES known as THREAT INTELlIGENCE which will help you to enhance your security monitoring by integrating threat intelligence into your deployment, allowing you to correlate indicators of suspicious activity and known or potential threats with your events. This addition provides valuable context for your analysts' investigations.

Splunk Enterprise Security supports various types of threat intelligence, enabling you to incorporate your own as well.

Please refer the below doc for more information.
https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_intelligence/Using_threat_intelligenc...

Let me know if you have any further questions!!

Correlating Carbon Black Watchlist Alerts on Splunk Enterprise Security

correlation search

incident review

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...