Cyences App for Splunk
Download the Cyences App for Splunk from Splunkbase: https://splunkbase.splunk.com/app/5351/
The Cyences App for Splunk was designed specifically for security personnel. Since the app is centralized around security, it’s very easy for anyone with a security background to use and implement into their Splunk environment.
By default, the Cyences app provides a multitude of alerts and reports in the following categories:
Active Directory & Windows
Credential, Endpoint, & Network Compromise
Palo Alto Firewall
Apart from alerts and reports, the Cyences App also integrates with some other well-known tools to create important dashboards that can be particularly helpful when confronting security vulnerabilities and issues:
Device Master Table
Globally Identified Malicious IP List
How does the Cyences app differentiate itself from Enterprise Security?
For new Splunk users, Enterprise Security requires a lot of fine tuning in order to get the most optimal experience and they may have trouble doing so as there’s so much to learn before even reaching that point. For example, users have to configure several correlation searches within Enterprise Security and understand how it ties into specific use cases as well. On the other hand, the Cyences app was created with having one goal in mind and that is to provide an out of the box end-to-end security solution. Meaning, Splunk users don't have to configure all that much in order to get things started right away. Additionally, the alerting feature found within the Cyences app allows users to receive alerts via Slack or by email all while keeping the false positives at a bare minimum.
We’re always looking to improve the Cyences app by incorporating new features when possible. The first build came equipped with the Globally Detected Malicious IPs dashboard, which is one of the more prominent features of the Cyences app. This dashboard helps monitor bad traffic and it contains other insightful information such as if an IP address is associated with a distributed denial-of-service (DDoS) attack. For more information, please refer to the Globally Detected Malicious IPs section. The 1.2.0 version of the Cyences app includes a new component and that is the Device Master Table. It’s a vital tool that helps with the security audit process and requires zero configuration. It lists all the different devices present in an environment by correlating data from CrowdStrike, Lansweeper, Qualys, Sophos, Tenable, and Windows Defender. For more information, please refer to the Device Master Table section.
The Cyences App is a contribution-based project that anyone can provide suggestions for. Visit the Cyences website for more information and to offer general feedback: https://cyences.com/welcome/
Visit GitHub repo to find more details: https://github.com/VatsalJagani/Splunk-Cyences-App-for-Splunk
The following sources and their respective data need to be onboarded into your Splunk environment in order to get the most security benefits out of the Cyences App:
Sophos Central (Antivirus)
Windows Defender Logs (Antivirus)
CrowdStrike EventStream Data (Antivirus)
Office 365 Management Events
Palo Alto Logs
Please visit the Data Onboarding [Admin] section for more information.
Please visit the App Installation & Configuration [Admin] section for installation and configuration information regarding the following topics:
Since every Splunk user utilizes different combinations of devices and firewalls, the security use cases will vary depending on their needs. For this reason, all of the alerts and reports that come with the Cyences app will be disabled by default.
Please follow the steps below to enable various alerts/reports in Splunk.
Go to Settings > Searches, reports, and alerts.
In the App dropdown select Cyences App for Splunk (cyences_app_for_splunk).
For each alert/report there is an Edit button underneath the Actions column.
Click on Edit > Enable to enable the desired alert/report.
A few of the included alerts/reports are dependent on other reports being enabled. The additional reports that are essential for these three dependent reports to function are outlined below:
Palo Alto Firewall - Malicious IP List Gen
Palo Alto Firewall - Network Compromise - DDoS Attack Prevented
Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs
Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs
Dynamically Update Blocked IPs with HoneyDB
Ransomware - Spike in File Writes
Ransomware - Calculate UpperBound for Spike in File Writes
Windows - Hosts Missing Update
Windows - Hosts Lookup Gen (this report is enabled by default)
Device Master Table Gen
Tenable Assets Lookup Gen
Tenable Vuln Lookup Gen
Triggered Alerts will be visible in red within the Overview dashboard. Please refer to the Overview Dashboard section for more information.
Email notifications are disabled by default for all alerts.
How to enable email notifications for alerts:
Navigate to Settings > Searches, reports, and alerts.
Under Type: select Alerts.
Under App: select Cyences App for Splunk (cyences_app_for_splunk).
Click + Add Actions and in the newly opened dialog-box select the Send email action.
Complete the necessary field values (i.e., “To”, “Subject”, “Message”, etc.)
The Overview dashboard displays the overall security status of the Splunk environment in addition to highlighting present security issues as well. We specifically designed the Overview dashboard to be a single pane of glass for ease of use.