Enrichment
Enrichment of your data in Splunk provides a way to add additional context and information to speed up your mean time to respond (MTTR).
When trying to understand more about data or events, manually looking up additional information about that event takes time. Splunk allows you to enrich the events and automatically add information from other sources, making that process much quicker.
For example, you can use the Splunk Intel Management (Legacy) enrichment action within a notable event in Splunk Enterprise Security. By enriching your Splunk Enterprise Security notable event with information from the Splunk Intel Management (Legacy) database, you can add valuable information into the event that will provide you with actionable insights without having to look them up manually. This improves your analyst workflows and speeds up your time to respond.
What are the benefits of data enrichment?
Enriching data within your security incident review provides valuable additional insight into the events and speed up time to resolution.
- Automatically add additional insight to security events and correlation searches
- Automate manual analyst tasks
- Provide a single pane of glass for a security notable event
- Break down data silos
- Improve operational efficiency
- Reduce noise from intelligence sources to automatically improve alert prioritization
- Share threat intelligence data across teams, tools, and sharing partners
- Drive efficiencies with enrichment based on normalized intelligence
What are data enrichment best practices?
Businesses can implement a number of integrations for enrichment of their data. These integrations can be vendor specific or provide industry framework mapping.
- Enhance notable events with MITRE ATT&CK annotations.
- Add adaptive response actions in Splunk Enterprise Security.
- Install and implement the Splunk Enterprise Security Content Updates app to automatically get the latest threat detections.
What processes can I put in place to enhance my data enrichment capabilities?
These resources will help you implement this guidance:
- Use case: Enriching suspicious email domains
- Product Tip: Using Splunkbase Add-ons and Apps with Splunk Enterprise Security
- Product Tip: Splunk Intelligence Management (TruSTAR) + SOAR: Indicator Enrichment Playbook
- Getting Started Guide: Unified App: Use Case - Splunk Intelligence Management (TruSTAR)
- Product Tip: Splunk Intelligence Management (TruSTAR) and Emerging Threats: A Log4j Use Case