Through Network Behavior Analytics for Splunk and our native integrations for Demisto and Graylog, we instantly enrich network indicators (FQDNs, URLs, and IP addresses) to provide security teams with hunting material.
In this post, I describe some of the key classifiers within the AlphaSOC Analytics Engine, the public API we operate, and how teams consume our context data to uncover emerging threats that don’t have signatures.
To drop any non-starters (e.g. user typos), the engine verifies that:
- The domain exists via DNS / WHOIS lookup
- The domain isn’t owned by the respective company (e.g. Dropbox)
- The infrastructure isn’t operated by a phishing simulation provider
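A minimal version of that three-step triage, added here as an illustration rather than AlphaSOC's own code: the DNS resolver, WHOIS lookup and phishing-simulation netblocks are injected stubs fed with constructed sample data so it runs offline.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Verdict:
    domain: str
    keep: bool
    reason: str

def triage_lookalikes(candidates, brand_orgs, resolve, whois_org, sim_nets):
    """Apply the non-starter checks to candidate lookalike domains.

    resolve(fqdn)   -> first A record or None (NXDOMAIN)
    whois_org(fqdn) -> registrant organisation or None
    brand_orgs      -> organisations that legitimately own the brand
    sim_nets        -> CIDR blocks operated by phishing simulation providers
    """
    nets = [ipaddress.ip_network(n) for n in sim_nets]
    owners = {o.strip().lower() for o in brand_orgs}
    verdicts = []
    for fqdn in candidates:
        ip = resolve(fqdn)
        if ip is None:  # check 1: the domain must exist
            verdicts.append(Verdict(fqdn, False, "does not resolve (likely typo)"))
            continue
        org = whois_org(fqdn)
        if org and org.strip().lower() in owners:  # check 2: not the brand's own domain
            verdicts.append(Verdict(fqdn, False, f"registered to brand owner {org}"))
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):  # check 3: not a simulation provider
            verdicts.append(Verdict(fqdn, False, "hosted by phishing simulation provider"))
            continue
        verdicts.append(Verdict(fqdn, True, "unexplained lookalike, worth hunting"))
    return verdicts

# Constructed sample data sources (documentation-range IPs, not real records).
SAMPLE_DNS = {"dropbox-login.example": "203.0.113.10",
              "dropbox-secure.example": "198.51.100.7",
              "drpbox.example": "192.0.2.55"}
SAMPLE_WHOIS = {"dropbox-secure.example": "Dropbox, Inc."}
SIM_NETS = ["192.0.2.0/24"]  # hypothetical simulation-provider block

def demo():
    return triage_lookalikes(
        ["dropbox-login.example", "dropbox-secure.example", "drpbox.example", "dropbx.example"],
        {"Dropbox, Inc."}, SAMPLE_DNS.get, SAMPLE_WHOIS.get, SIM_NETS)
```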
Highlighting Unique and Young Domains
Active Scoring and Fingerprinting
Uncovering Emerging Threats in Practice
“The cloud!” somebody shouts out loud. “This means my data is sent to the cloud – my precious telemetry data that in the hands of the bad guys could reveal too much about myself!” This is correct. And for the sake of transparency, let’s have a look at what actually goes on behind the scenes.