Channel: Symantec Connect - Blog Entries

NEW RELEASE: Symantec Advanced Threat Protection App Is Now On Splunk

Symantec recently released a newer version of Symantec™ Advanced Threat Protection (ATP). Meanwhile, a free Symantec ATP app is now available for Splunk users.

Integration with Splunk

Symantec Advanced Threat Protection (ATP) customers who use Splunk as their SIEM tool can now take advantage of the free Symantec ATP app on Splunk's app store. They can export threat events from across their ATP sensors to Splunk®. A default security dashboard gives ATP Splunk users an at-a-glance view of all threat events. Customers can also easily create and customize a security dashboard in Splunk by leveraging the rich threat data from Symantec ATP. They can drill down to see any file hash related to a specific incident and run ad hoc queries via Splunk.

Customers with multiple Symantec ATP modules can also filter ATP events in the Splunk console by different search fields, such as endpoint, network, email, or roaming events. In addition, the Symantec ATP Adaptive Response Add-on for Splunk allows incident responders to blacklist or remediate malicious files and isolate compromised endpoints directly from the Splunk management console, giving visibility into multiple control points and automating incident response tasks.

 


 

Key feature enhancements in the latest release

  • Enhanced Rules for Incident Creation - Customers can now easily identify incidents based on: 1) detections of a malicious file that has not been remediated at the endpoint; 2) sandbox detections of any malicious file; 3) communication with known malicious or Command and Control sites.

  • Improved Performance for ATP: Email - See email details and correlations immediately. Incidents and events will be created without any delays.

  • Improved Detection of Suspicious Files - Symantec continuously fine-tunes its machine learning algorithm to improve identification of suspicious files.

  • Ability to Submit and Detect Malware in RTF Files via Cynic Sandbox - Customers can now submit RTF files for sandboxing, as they are a common document file type.

For more information, visit: http://atp.symantec.com

Resources:

Download ATP Datasheet: Splunk & ServiceNow Integration

Download ATP: Platform Datasheet

Symantec Advanced Threat Protection 2.3 Release Note

