Integration with Splunk
Symantec Advanced Threat Protection (ATP) customers who use Splunk as their SIEM can now take advantage of the free Symantec ATP app on Splunkbase, Splunk's app store. They can export threat events from across their ATP sensors to Splunk®. A default security dashboard is provided so that ATP Splunk users can see all threat events at a glance, and customers can also create and customize their own security dashboards in Splunk by leveraging the rich threat data from Symantec ATP. They can drill down to any file hash related to a specific incident and run ad hoc queries in Splunk.
Customers with multiple Symantec ATP modules can also filter ATP events in the Splunk console by search field, such as endpoint, network, email, or roaming events. In addition, the Symantec ATP app leverages the Splunk Adaptive Response framework in the Enterprise Security app, allowing incident responders to respond to threats by remediating and isolating compromised endpoints directly from the Splunk management console. This integration provides visibility across multiple control points and automates incident response tasks.
The app is available for download on https://splunkbase.splunk.com/app/3453/
Key feature enhancements in the latest release
Enhanced rules for incident creation - Customers can now easily identify incidents based on:
1) Detection of a malicious file that has not been remediated at the endpoint
2) Sandbox detection of any malicious file
3) Communication with known malicious or command-and-control sites
Improved performance for ATP: Email - See email details and correlations immediately. Incidents and events are created without delay.
Improved detection of suspicious files - Symantec continuously fine-tunes its machine learning algorithm to improve identification of suspicious files.
Ability to submit and detect malware in RTF files via the Cynic sandbox - Customers can now submit RTF files for sandboxing, as they are a common document file type.
For more information, visit: http://atp.symantec.com
Resources:
Download ATP Datasheet: Splunk & ServiceNow Integration
Download ATP: Platform Datasheet