Cyences App for Splunk

 

Download

Download the Cyences App for Splunk from Splunkbase:​​ https://splunkbase.splunk.com/app/5351/

 

Overview

The Cyences App for Splunk was designed specifically for security personnel. Since the app is centralized around security, it’s very easy for anyone with a security background to use and implement into their Splunk environment.​​ 

 

By default, the Cyences app provides a multitude of alerts and reports in the following categories:

  • Active Directory​​ & Windows

  • Credential, Endpoint, & Network Compromise

  • Office 365

  • Network​​ Reports

  • Palo Alto​​ Firewall

  • VPN

  • Ransomware

  • Sophos

  • Windows Defender

  • CrowdStrike

  • Authentication

  • Splunk Admin

 

Apart from alerts and reports,​​ the​​ Cyences App also integrates​​ with some other well-known tools to​​ create important dashboards​​ that can be particularly helpful​​ when confronting​​ security vulnerabilities and issues:

  • Qualys

  • Tenable

  • Lansweeper

  • Device​​ Master Table

  • Globally Identified Malicious IP List

 

 

How does the Cyences​​ app differentiate itself from Enterprise Security?

 

For new Splunk users, Enterprise Security requires a lot of fine tuning in order to get the most optimal experience and they may have trouble doing so as there’s so much to learn before even reaching that point. For example, users have to configure several correlation searches within Enterprise Security and understand how it ties into specific use cases as well. On the other hand, the Cyences app was created with having one goal in mind and that is to provide an out of the box end-to-end security solution. Meaning, Splunk users don't have to configure all that much in order to get things started right away. Additionally, the alerting feature found within the Cyences app allows users to receive alerts via Slack or by email all while keeping the false positives at a bare minimum.

 

We’re always looking to improve​​ the​​ Cyences​​ app​​ by incorporating new features when​​ possible. The first​​ build came equipped with​​ the Globally Detected Malicious IPs dashboard, which is one of the more prominent features of the Cyences app. This dashboard helps monitor bad traffic and it contains other​​ insightful information such as if an IP address is associated with a distributed denial-of-service (DDoS) attack. For more information, please refer to the​​ Globally Detected​​ Malicious IPs​​ section.​​ The​​ 1.2.0​​ version of the Cyences app includes​​ a new​​ component and​​ that is the​​ Device​​ Master Table. It’s a vital tool that​​ helps with​​ the​​ security audit​​ process​​ and​​ requires zero​​ configuration.​​ It​​ lists​​ all the different devices present in​​ an​​ environment by correlating data from​​ CrowdStrike, Lansweeper,​​ Qualys, Sophos,​​ Tenable, and​​ Windows Defender. For more information, please refer to the​​ Device Master Table​​ section.

 

The Cyences App is a contribution-based project that anyone can provide suggestions for. Visit the Cyences website for more information and to offer general​​ feedback:​​ https://cyences.com/welcome/

Visit GitHub repo to find more details:​​ https://github.com/VatsalJagani/Splunk-Cyences-App-for-Splunk

 

 

 

 

User Guide

 

Data Collection

The following sources and their respective data​​ need​​ to be onboarded into your Splunk environment in order to get the most security benefits out of the Cyences App:

  • Sysmon

  • WinEventLog

  • Sophos Central​​ (Antivirus)

  • Windows Defender Logs​​ (Antivirus)

  • CrowdStrike EventStream Data​​ (Antivirus)

  • Office 365 Management Events

  • Palo Alto Logs

  • Firewall/Network Logs

  • VPN

  • Lansweeper

  • Qualys

  • Tenable

Please visit the​​ Data Onboarding [Admin]​​ section for more information.

 

Configuration

Please visit the​​ App Installation & Configuration [Admin]​​ section for installation and configuration information regarding the following topics:

  • App installation

  • Dependency installation

  • Macro configurations

 

Enable Alerts and Reports

Since every Splunk user utilizes different combinations of devices and firewalls, the security use cases will vary depending on their needs. For this reason, all of the alerts and reports that come with the Cyences app will be disabled by default.​​ 

Please follow the steps below to enable various alerts/reports in Splunk.

  • Go to​​ Settings​​ >​​ Searches, reports, and alerts.

  • In the App dropdown select​​ Cyences App for Splunk (cyences_app_for_splunk).

  • For each alert/report there is an​​ Edit​​ button underneath the​​ Actions​​ column.

  • Click on​​ Edit​​ >​​ Enable​​ to enable the desired alert/report.

 

A few of the included alerts/reports are dependent on other reports being enabled. The additional reports that are essential for these three dependent reports to function are outlined below:​​ 

  • Palo Alto Firewall - Malicious IP List Gen

    • Palo Alto Firewall - Network Compromise - DDoS Attack Prevented

    • Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs

    • Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs

      • Dynamically Update Blocked IPs with HoneyDB

  • Ransomware - Spike in File Writes

    • Ransomware - Calculate UpperBound for Spike in File Writes

  • Windows - Hosts Missing Update

    • Windows - Hosts Lookup Gen (this report is enabled by default)

  • Device​​ Master Table Gen

    • Tenable Assets Lookup Gen

    • Tenable Vuln Lookup Gen

 

Enable Email Notifications with Alerts

Triggered Alerts will be visible in red within the Overview dashboard. Please refer to the​​ Overview Dashboard​​ section for more information.​​ 

Email notifications are disabled by default for all alerts.

How to enable email notifications for alerts:​​ 

  • Navigate to​​ Settings​​ >​​ Searches, reports, and alerts.

  • Under​​ Type:​​ select​​ Alerts.

  • Under​​ App:​​ select​​ Cyences App for Splunk (cyences_app_for_splunk).

  • Click​​ + Add Actions​​ and in the newly opened dialog-box select the​​ Send email​​ action.

  • Complete the necessary field values (i.e., “To”, “Subject”, “Message”, etc.)

  • Click​​ Save.

 

Overview Dashboard

The​​ Overview dashboard displays the overall security status of​​ the​​ Splunk environment​​ in addition to​​ highlighting​​ present​​ security issues as well.​​ We​​ specifically​​ designed the Overview dashboard to be a single pane of glass for ease of use.​​