Cyences App for Splunk
Download
Download the Cyences App for Splunk from Splunkbase: https://splunkbase.splunk.com/app/5351/
Overview
The Cyences App for Splunk was designed specifically for security personnel. Because the app is centered on security use cases, anyone with a security background can quickly learn it and deploy it in their Splunk environment.
By default, the Cyences app provides a multitude of alerts and reports in the following categories:
Active Directory & Windows
Credential, Endpoint, & Network Compromise
Office 365
Network Reports
Palo Alto Firewall
VPN
Ransomware
Sophos
Windows Defender
CrowdStrike
Authentication
Splunk Admin
How does the Cyences App differentiate itself from Enterprise Security?
For new Splunk users, Enterprise Security requires a lot of fine tuning to get the most out of it, and there is a lot to learn before reaching that point. For example, users have to configure several correlation searches within Enterprise Security and understand how each one ties into a specific use case. The Cyences app, on the other hand, was created with one goal in mind: to provide an out-of-the-box, end-to-end security solution, so Splunk users do not have to configure much in order to get started right away. Additionally, the alerting feature within the Cyences app lets users receive alerts via Slack or email while keeping false positives to a minimum.
There is one more feature included with the first version of the Cyences app: the Globally Detected Malicious IPs dashboard. It helps monitor bad traffic and includes other insightful information, such as whether an IP address is associated with a distributed denial-of-service (DDoS) attack. For more information, please refer to the Globally Detected Malicious IPs section.
The Cyences App is a contribution-based project that anyone can provide suggestions for. Visit the Cyences website for more information and to offer general feedback: https://cyences.com/welcome/
Visit the GitHub repo for more details: https://github.com/VatsalJagani/Splunk-Cyences-App-for-Splunk
User Guide
The following sources and their respective data need to be onboarded into your Splunk environment in order to get the most security benefits out of the Cyences App:
Sysmon
WinEventLog
Sophos Central (Antivirus)
Windows Defender Logs (Antivirus)
CrowdStrike EventStream Data (Antivirus)
Office 365 Management Events
Palo Alto Logs
Firewall/Network Logs
VPN
Please visit the Data Onboarding [Admin] section for more information.
Please visit the App Installation & Configuration [Admin] section for installation and configuration information regarding the following topics:
App installation
Dependency installation
Macro configurations
Since every Splunk environment uses a different combination of devices and firewalls, the relevant security use cases vary from one deployment to the next. For this reason, the alerts and reports that ship with the Cyences app are disabled by default (with the single exception noted below).
Please follow the steps below to enable various alerts/reports in Splunk.
Go to Settings > Searches, reports, and alerts.
In the App dropdown select Cyences App for Splunk (cyences_app_for_splunk).
For each alert/report there is an Edit button underneath the Actions column.
Click on Edit > Enable to enable the desired alert/report.
A few of the included alerts/reports depend on other reports being enabled. The three dependency groups are outlined below; the reports in each group must be enabled together for the dependent alert/report to function:

Palo Alto Firewall:
Palo Alto Firewall - Malicious IP List Gen
Palo Alto Firewall - Network Compromise - DDoS Attack Prevented
Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs
Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs
Dynamically Update Blocked IPs with HoneyDB

Ransomware:
Ransomware - Spike in File Writes
Ransomware - Calculate UpperBound for Spike in File Writes

Windows:
Windows - Hosts Missing Update
Windows - Hosts Lookup Gen (this report is enabled by default)
Triggered Alerts will be visible in red within the Overview dashboard. Please refer to the Overview Dashboard section for more information.
Email notifications are disabled by default for all alerts.
How to enable email notifications for an alert:
Navigate to Settings > Searches, reports, and alerts.
Under Type: select Alerts.
Under App: select Cyences App for Splunk (cyences_app_for_splunk).
For the desired alert, click Edit > Edit Alert.
Under Trigger Actions, click + Add Actions and in the newly opened dialog box select the Send email action.
Complete the necessary field values (i.e., “To”, “Subject”, “Message”, etc.).
Click Save.
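The UI steps above for enabling an alert/report, honoring the dependency groups, and adding an email action translate into stanzas in the app's local/savedsearches.conf, which is what you would put under version control or push from a deployer rather than clicking through Splunk Web. This is an added example for this page, not a file shipped with the Cyences app; the saved-search names are taken from the dependency list above, and the recipient address, subject and message text are placeholder assumptions to replace for your environment.

```ini
# $SPLUNK_HOME/etc/apps/cyences_app_for_splunk/local/savedsearches.conf
# Added example, not part of the Cyences app. Stanza names must match the
# saved-search names exactly as shown under Settings > Searches, reports, and alerts.
# Never edit default/savedsearches.conf: an app upgrade overwrites it, while local/ survives.

# Dependency group: the lookup-generating report is enabled together with the
# alert that consumes its output (see the Palo Alto Firewall group above).
[Palo Alto Firewall - Malicious IP List Gen]
disabled = 0

[Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs]
disabled = 0
# Equivalent of Edit Alert > Trigger Actions > + Add Actions > Send email.
# soc@example.com and the subject/message text are placeholders (assumptions).
actions = email
action.email = 1
action.email.to = soc@example.com
action.email.subject = Cyences alert: $name$
action.email.message.alert = Alert "$name$" fired with $job.resultCount$ result(s). Results: $results_link$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
# Record each firing under Activity > Triggered Alerts.
alert.track = 1

# Dependency group: Windows. "Windows - Hosts Lookup Gen" is already enabled by
# default, so only the dependent report needs a stanza here.
[Windows - Hosts Missing Update]
disabled = 0
```

Splunk reads the file after a restart (or a debug/refresh). The email action only delivers if an outbound mail server is configured under Settings > Server settings > Email settings; check that first, because a saved search with action.email = 1 and no mail server fails silently from the analyst's point of view. Deploy the file with the same restrictive ownership as the rest of $SPLUNK_HOME/etc, since it controls which detections run and where their results are sent.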
The Overview dashboard displays the overall security status of the Splunk environment and highlights current security issues. We designed it to be a single pane of glass for ease of use.