Optimizing and automating SecOps with JupiterOne
Splunk’s integration with JupiterOne gives you greater visibility and control over your cyber assets. This integration combines Splunk’s search, analysis, and visualization of event data with JupiterOne’s graph data model to clarify and expose complex relationships between cyber assets for better situational awareness (using event logs and activity) and structural context (leveraging configurations and correlations). This allows you to:
- Improve decision-making to accelerate incident response
- Automate remediation with reliable accuracy
- Conduct thorough investigations to understand how, when, and what assets were impacted
How to get started with the Splunk integration with JupiterOne
JupiterOne ingests over 100 types of metadata from CSPs, SaaS apps, code repos, IAM policies, security controls, and vulnerability findings with over 180 applications and services. This data gives you detailed, drill-down context and relationship information between assets – context that becomes the foundation for cloud security posture, asset management, incident response, SecOps, compliance, vulnerability management, and more.
To get started:
- Install the JupiterOne App in the Splunk platform using the installation instructions on Splunkbase. The app provides a dashboard to view your JupiterOne alerts in the Splunk platform for shared reporting across your team.
- Install the JupiterOne Add-On in the Splunk platform using the installation instructions on Splunkbase. The add-on imports and enriches data from JupiterOne, creating a rich data set ready for direct analysis. It provides the following functionality:
  - Collects data from the REST endpoint of the JupiterOne platform.
  - Parses the data and extracts important fields.
  - Adds a workflow action for JupiterOne entities.
  - Adds a workflow action for any field value in the Splunk platform.
  - Includes a custom command (jupiteronesearch) to execute a J1QL query on the JupiterOne platform and display the response in the Splunk platform.
- Used in combination with the JupiterOne add-on, this app provides a dashboard to view your JupiterOne alerts in the Splunk platform.
- Add your JupiterOne credentials to enable the integration. JupiterOne alerts and details are automatically imported into the Splunk platform.
When installation and configuration are complete, you will be able to:
- Combine data from the Splunk platform and JupiterOne in the same search.
- Use direct links from the Splunk platform to JupiterOne to quickly dig deeper.
- Take immediate action on threats, vulnerabilities, gaps, and misconfigurations.
Example use cases
Asset management and log analysis
The Splunk platform can be used to collect and analyze log data, while JupiterOne can be used to manage and secure the IT assets that generate the log data. This integration provides a complete picture of an organization's IT environment, including real-time monitoring of security incidents and tracking of security posture.
Threat detection and incident response
The Splunk platform's real-time monitoring capabilities can be used to detect security incidents, while JupiterOne can be used to manage and track the affected cloud assets in real time. JupiterOne’s App and Add-On for Splunk enable you to ask complex questions, assess the range of an impacted asset, and connect it back to the Splunk platform’s rich event-driven data. This functionality enables teams to respond quickly and automate remediation with better accuracy and the complete context of knowing when, how, and what assets were impacted.
Compliance and audit
JupiterOne can be used to assess and report on an organization's compliance with security policies and regulations, while the Splunk platform can be used to generate reports based on log data and create visualized dashboards.
Automate security workflows
JupiterOne can be used to automate security and compliance workflows, as well as security audits. The Splunk platform can provide data and insights to support these workflows, such as real-time monitoring and alerting, log analysis, and reporting.
Discover cyber assets and infrastructure
Extend the visibility of the Splunk platform into endpoints, IP addresses, users, and devices with JupiterOne to secure all your cyber assets, including cloud security providers, SaaS apps, code repos, IAM policies, vulnerability findings, and more. From asset management to vulnerability to compliance, gain in-depth knowledge of your cyber assets and infrastructure so you can have a complete picture of potential risks, threats, or security gaps and address any issues faster.
Correlate both situational and structural context
Combine situational awareness (alerting you of security events in the enterprise) in the Splunk platform with JupiterOne’s structural awareness of configurations and assets (showing you exactly where those events have occurred), to augment your security investigations with greater context. With the data all in one place, you can easily connect all the pertinent information back to all of your workflows and event-driven data within the Splunk platform.
- Learn more about JupiterOne’s comprehensive asset management platform at jupiterone.com.
- Navigate to the community site at Askj1.com, which has a Questions Library for use with J1QL (the query language to quickly extract context and information from JupiterOne’s graph database), as well as detailed information about each of the integrations, including the integration with the Splunk platform. You’ll also find complete documentation, information about events, our blog, and more.
- Access the JupiterOne GitHub repository for dashboards, templates, policy builders, and examples.