
DATASHEET

Splunk Add-on for Investigate.

Many security products provide visibility into what's happening on your own network. But how
do you see what's happening on the internet, beyond your perimeter? That's where attackers
are staging infrastructure in preparation for their next attack.

With the Splunk Add-on for Cisco Umbrella Investigate, you can automatically enrich security
events inside Splunk with Cisco's intelligence on domains, IPs, and networks across the
internet.

By leveraging Investigate's threat intelligence from within Splunk Enterprise Security, you can
gain more context about a domain, IP, or ASN related to the event, allowing you to make faster,
more informed decisions when responding to critical incidents and researching potential threats.

Key capabilities of the Investigate Add-on

Threat intelligence add-on in Splunkbase
Add intelligence about the relationships between domains, IPs, ASNs, and file hashes inside
Splunk, helping security analysts get the most complete view of an attacker's internet
infrastructure.

Better prioritize incident response
To properly triage incidents, security teams need to get accurate and relevant information
quickly. Investigate's unique view of the internet enriches your security event data with real-time
context about malicious domains, IPs, and networks to help better prioritize investigations and
incident response.

See what connections you've been missing
Kick start investigations by uncovering valuable connections commonly overlooked such as
passive DNS, domain ownership, co-occurrences, related domains, geolocation, categorization,
blocked requests and reputation scores.

Benefits of Investigate

• Internet-wide visibility
Investigate connects the dots between attackers' infrastructure, which helps attribute domains
to specific attacks and malicious activity.

• Predictive intelligence
Our statistical models accurately identify malicious domains, IPs, and ASNs across the internet,
and even predict where future attacks may be staged.

• All of the information you need in a single source
Including real-time and historical information about domain ownership, relationships with IPs,
co-occurrences, reputation, global request and route analysis, and much more.

Speed up investigations
By automatically populating security events with intelligence from Investigate, security teams
have more context related to the event and can make faster, more informed decisions during
investigations, instead of manually gathering and correlating data from multiple sources.

How the add-on works (workflow diagram, rendered as text)

1. Pull in logs from:
   Security controls
   • Firewall, IDS/IPS, other network security
   • Web security/proxy
   • Endpoint security (AV, EDR, VPN, etc.)
   Network infrastructure
   • Routers/switches
   • Domain controllers
   • Wireless
   • Access points
   • Application servers
   • Databases
   • Intranet applications

2. Query the Investigate API for the source/destination domains and IPs in those events.

3. Data returned from Investigate via the API:
   • Domain ownership
   • Relationships with IPs and ASNs
   • Passive DNS
   • WHOIS record data
   • Co-occurrences
   • Reputation scores
   • Categorization
   • Global request and route analysis, and much more

4. Enrich events and prioritize them based on results from Investigate (and other sources).
   Context added from Investigate:
   • SecureRank2, RIP, and Threat Grid file scores
   • Malicious domains hosted on the same IP
   • Malicious co-occurrences

5. Triage incidents for analysts based on Splunk scores. Use the Investigate console for
   interactive investigations and additional research.
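The workflow above (pull events, look up each destination in Investigate, attach scores and categories, rank for triage) as an added, offline example. This is not code from the Cisco add-on or from Splunk. Assumptions: the log lines are constructed Splunk-style key=value proxy events; `FakeInvestigateClient` stands in for real API calls and returns constructed responses; the field names `securerank2`, `rip_score`, `dga_score`, `status` and `security_categories` are modelled on the Investigate API as the author understands it (negative reputation scores mean malicious, `status` -1 means categorized malicious); the priority weights are the author's own choice, not Cisco's.

```python
import re
from dataclasses import dataclass, field
from typing import Protocol

# Constructed Splunk-style proxy events (key=value). Not real log data.
CONSTRUCTED_EVENTS = [
    "ts=2016-05-03T10:02:11Z src=10.1.4.22 dest=updates.example.com action=allowed",
    "ts=2016-05-03T10:02:15Z src=10.1.4.22 dest=x7k2q.example.net action=allowed",
    "ts=2016-05-03T10:02:19Z src=10.1.7.9 dest=login.example.org action=blocked",
    "ts=2016-05-03T10:02:23Z src=10.1.7.9 dest=x7k2q.example.net action=allowed",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


class InvestigateClient(Protocol):
    """The two lookups used below. A real client would make authenticated HTTP
    requests to the Investigate API; no network calls are made in this example."""
    def security_info(self, domain: str) -> dict: ...
    def categorization(self, domain: str) -> dict: ...


class FakeInvestigateClient:
    """Offline stand-in with constructed responses. Field names follow the
    Investigate API as the author understands it (assumption): securerank2 and
    rip_score run from -100 (malicious) to 100 (benign); dga_score is negative for
    likely DGA names; status is -1 malicious, 0 unclassified, 1 benign."""
    _SECURITY = {
        "updates.example.com": {"securerank2": 85.0, "rip_score": 0.0, "dga_score": 0.0},
        "x7k2q.example.net": {"securerank2": -92.0, "rip_score": -60.0, "dga_score": -40.0},
        "login.example.org": {"securerank2": -55.0, "rip_score": -10.0, "dga_score": 0.0},
    }
    _CATEGORIES = {
        "updates.example.com": {"status": 1, "security_categories": []},
        "x7k2q.example.net": {"status": -1, "security_categories": ["Malware", "Command and Control"]},
        "login.example.org": {"status": -1, "security_categories": ["Phishing"]},
    }

    def security_info(self, domain: str) -> dict:
        return dict(self._SECURITY.get(domain, {}))

    def categorization(self, domain: str) -> dict:
        return dict(self._CATEGORIES.get(domain, {"status": 0, "security_categories": []}))


@dataclass
class EnrichedEvent:
    raw: str
    src: str
    dest: str
    priority: int = 0
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict."""
    return dict(KV_RE.findall(line))


def score_domain(sec: dict, cat: dict):
    """Fold Investigate-style fields into a 0-100 triage priority plus the reasons.
    Weights are the author's choice and should be tuned to the environment."""
    score, reasons = 0, []
    if cat.get("status") == -1:
        score += 40
        reasons.append("categorized malicious")
    for c in cat.get("security_categories", []):
        if c in ("Malware", "Command and Control", "Phishing"):
            score += 15
            reasons.append(f"category:{c}")
    # Each negative reputation score contributes in proportion to how negative it is.
    for name, weight in (("securerank2", 0.3), ("rip_score", 0.2), ("dga_score", 0.2)):
        val = sec.get(name)
        if val is not None and val < 0:
            score += int(-val * weight)
            reasons.append(f"{name}={val}")
    return min(score, 100), reasons


def enrich_and_rank(lines, client: InvestigateClient):
    """Look up each unique destination once (cached, so repeated indicators do not
    cost extra API calls), attach the score, and return events highest priority first."""
    cache, out = {}, []
    for line in lines:
        ev = parse_event(line)
        dest = ev.get("dest")
        if not dest:
            continue
        if dest not in cache:
            cache[dest] = score_domain(client.security_info(dest), client.categorization(dest))
        pri, reasons = cache[dest]
        out.append(EnrichedEvent(line, ev.get("src", "?"), dest, pri, reasons))
    out.sort(key=lambda e: e.priority, reverse=True)  # stable: ties keep log order
    return out


if __name__ == "__main__":
    for e in enrich_and_rank(CONSTRUCTED_EVENTS, FakeInvestigateClient()):
        print(e.priority, e.src, "->", e.dest, ";".join(e.reasons))
```

Two practical points the diagram does not show: query each unique indicator once and cache the answer, since the same domain typically appears in many events and API lookups are the slow, rate-limited part of enrichment; and treat the score as a ranking aid, not a verdict. An `action=blocked` request to a malicious domain is evidence the control worked, while an `action=allowed` request to the same domain is the one that needs an analyst first.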

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the
U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the
property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
