Splunk [AI/ML, Splunk Machine Learning Toolkit] 2019 .conf Videos w/ Slides

Large Scale Threat Hunting in Splunk [Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit]



Threat hunting is hard, and threat hunting in an enterprise network with thousands of endpoints is even harder. We will demonstrate how we leveraged Splunk Enterprise to build an Advanced Threat Hunting platform designed for large-scale threat hunting across 100,000 or more endpoints. Using Splunk Enterprise allows us to combine analytics, data enrichment, and custom workflows so that analysts see the most important data in a single platform. Our threat hunting platform addresses the challenges of data retention and collection, high false-positive rates, and analyst fatigue, all while lowering the time to detection of malicious incidents and improving the efficiency of enterprise SOC operations.

Speaker(s)
Dan Rossell, Analyst, Booz Allen Hamilton
Ashleigh Moriarty, Lead Technologist, Booz Allen Hamilton

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1071.pdf?podcast=1576909588
