Cyences
Menu
Menu
Cyences App for Splunk
Download
Download the Cyences App for Splunk from Splunkbase: https://splunkbase.splunk.com/app/5351/
Overview
The Cyences App for Splunk was designed to allow users complete visibility of their system's security status. Our vision is a single dashboard showcasing the entire security profile of any user's environment from the office to the cloud and everything else in between. The forensic interface based on the MITRE ATT&CK framework is well equipped to quickly identify areas of concern with first to market countermeasures. These measures that are commonly used in security incidents allow Splunk users to take swift action against hackers. Cyences was created with the intention of becoming a seamless piece of the Blue team arsenal for security engineers and administrators; continuous quarterly enhancements will occur to achieve that goal. These updates will continue to improve tool customization and scalability with advanced search features, alerting, machine learning, and AI.
By default, the Cyences app provides a multitude of alerts and reports in the following categories:
Active Directory & Windows
Linux/Unix
Credential, Endpoint, & Network Compromise
Office 365
Network Reports
Palo Alto Firewall
VPN
Ransomware
Sophos
Windows Defender
CrowdStrike
Authentication
Splunk Admin
Apart from alerts and reports, the Cyences App also integrates with some other well-known tools to create important dashboards that can be particularly helpful when confronting security vulnerabilities and issues:
Qualys
Tenable
Lansweeper
Device Inventory Table
Globally Identified Malicious IP List
How does the Cyences app differentiate itself from Enterprise Security?
For new Splunk users, Enterprise Security requires a lot of fine tuning in order to get the most optimal experience and they may have trouble doing so as there’s so much to learn before even reaching that point. For example, users have to configure several correlation searches within Enterprise Security and understand how it ties into specific use cases as well. On the other hand, the Cyences app was created with having one goal in mind and that is to provide an out of the box end-to-end security solution. Meaning, Splunk users don't have to configure all that much in order to get things started right away. Additionally, the alerting feature found within the Cyences app allows users to receive alerts via Slack or by email all while keeping the false positives at a bare minimum.
We’re always looking to improve the Cyences app by incorporating new features when possible. The first build came equipped with the Globally Detected Malicious IPs dashboard, which is one of the more prominent features of the Cyences app. This dashboard helps monitor bad traffic and it contains other insightful information such as if an IP address is associated with a distributed denial-of-service (DDoS) attack. For more information, please refer to the Globally Detected Malicious IPs section. Version 1.2.0 of the Cyences app features a new component and that is the Device Inventory Table. It’s a vital tool that helps with the security audit process and requires zero configuration. It lists all the different devices present in an environment by correlating data from CrowdStrike, Lansweeper, Qualys, Sophos, Tenable, and Windows Defender. For more information, please refer to the Device Inventory section.
The Cyences App is a contribution-based project that anyone can provide suggestions for. Visit the Cyences website for more information and to offer general feedback: https://cyences.com/welcome/
Visit GitHub repo to find more details: https://github.com/VatsalJagani/Splunk-Cyences-App-for-Splunk
User Guide
The following sources and their respective data need to be onboarded into your Splunk environment in order to get the most security benefits out of the Cyences App:
Sysmon
WinEventLog
Sophos Central (Antivirus)
Windows Defender Logs (Antivirus)
CrowdStrike EventStream Data (Antivirus)
Office 365 Management Events
Palo Alto Logs
Firewall/Network Logs
VPN
Lansweeper
Qualys
Tenable
Linux/Unix
View the Data Onboarding [Admin] section for more information.
View the App Installation & Configuration [Admin] section for installation and configuration information regarding the following topics:
App installation
Dependency installation
Macro configurations
Since every Splunk user utilizes different combinations of devices and firewalls, the security use cases will vary depending on their needs. For this reason, all of the alerts and reports that come with the Cyences app will be disabled by default.
Please follow the steps below to enable various alerts/reports in Splunk.
Go to Settings > Searches, reports, and alerts.
In the App dropdown select Cyences App for Splunk (cyences_app_for_splunk).
For each alert/report there is an Edit button underneath the Actions column.
Click on Edit > Enable to enable the desired alert/report.
A few of the included alerts/reports are dependent on other reports being enabled. The additional reports that are essential for these three dependent reports to function are outlined below:
Palo Alto Firewall - Malicious IP List Gen
Palo Alto Firewall - Network Compromise - DDoS Attack Prevented
Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs
Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs
Dynamically Update Blocked IPs with HoneyDB
Ransomware - Spike in File Writes
Ransomware - Calculate UpperBound for Spike in File Writes
Windows - Hosts Missing Update
Windows - Hosts Lookup Gen (this report is enabled by default)
Device Inventory Gen
View the App Installation and Configuration > Device Inventory section for more details.
Triggered Alerts will be visible in red within the Overview dashboard. Please refer to the Overview Dashboard section for more information.
Email notifications are disabled by default for all alerts.
How to enable email notifications for alerts:
Navigate to Settings > Searches, reports, and alerts.
Under Type: select Alerts.
Under App: select Cyences App for Splunk (cyences_app_for_splunk).
Click + Add Actions and in the newly opened dialog-box select the Send email action.
Complete the necessary field values (i.e., “To”, “Subject”, “Message”, etc.)
Click Save.
The Overview dashboard displays the overall security status of the Splunk environment in addition to highlighting present security issues as well. We specifically designed the Overview dashboard to be a single pane of glass for ease of use.