Cyences App for Splunk

 

Download

Download the Cyences App for Splunk from Splunkbase: https://splunkbase.splunk.com/app/5351/

 

Overview

The Cyences App for Splunk was designed to give users complete visibility into their system's security status. Our vision is a single dashboard showcasing the entire security profile of any user's environment, from the office to the cloud and everything in between. The forensic interface, based on the MITRE ATT&CK framework, is well equipped to quickly identify areas of concern and ships with first-to-market countermeasures. These measures, commonly applied during security incidents, allow Splunk users to take swift action against attackers. Cyences was created with the intention of becoming a seamless part of the Blue team arsenal for security engineers and administrators; continuous quarterly enhancements will occur to achieve that goal. These updates will continue to improve tool customization and scalability with advanced search features, alerting, machine learning, and AI.

 

By default, the Cyences app provides a multitude of alerts and reports in the following categories:

  • Active Directory & Windows

  • Linux/Unix

  • Credential, Endpoint, & Network Compromise

  • Office 365

  • Network Reports

  • Palo Alto Firewall

  • VPN

  • Ransomware

  • Sophos

  • Windows Defender

  • CrowdStrike

  • Authentication

  • Splunk Admin


Apart from alerts and reports, the Cyences App also integrates with other well-known tools to build dashboards that are particularly helpful when confronting security vulnerabilities and issues:

  • Qualys

  • Tenable

  • Lansweeper

  • Device Inventory Table

  • Globally Identified Malicious IP List

 

How does the Cyences app differentiate itself from Enterprise Security?

 

For new Splunk users, Enterprise Security requires a lot of fine tuning to get the most optimal experience, and they may have trouble doing so because there is so much to learn before even reaching that point. For example, users have to configure several correlation searches within Enterprise Security and understand how each ties into specific use cases. The Cyences app, on the other hand, was created with one goal in mind: to provide an out-of-the-box, end-to-end security solution, meaning Splunk users don't have to configure much to get started right away. Additionally, the alerting feature within the Cyences app lets users receive alerts via Slack or email while keeping false positives to a bare minimum.

 

We're always looking to improve the Cyences app by incorporating new features when possible. The first build came equipped with the Globally Detected Malicious IPs dashboard, which is one of the more prominent features of the Cyences app. This dashboard helps monitor bad traffic and contains other insightful information, such as whether an IP address is associated with a distributed denial-of-service (DDoS) attack. For more information, please refer to the Globally Detected Malicious IPs section. Version 1.2.0 of the Cyences app features a new component, the Device Inventory Table. It is a vital tool that helps with the security audit process and requires zero configuration. It lists all the different devices present in an environment by correlating data from CrowdStrike, Lansweeper, Qualys, Sophos, Tenable, and Windows Defender. For more information, please refer to the Device Inventory section.

 

The Cyences App is a contribution-based project to which anyone can offer suggestions. Visit the Cyences website for more information and to offer general feedback: https://cyences.com/welcome/

Visit the GitHub repo for more details: https://github.com/VatsalJagani/Splunk-Cyences-App-for-Splunk


User Guide

 

Data Collection

The following sources and their respective data need to be onboarded into your Splunk environment in order to get the most security benefit out of the Cyences App:

  • Sysmon

  • WinEventLog

  • Sophos Central (Antivirus)

  • Windows Defender Logs (Antivirus)

  • CrowdStrike EventStream Data (Antivirus)

  • Office 365 Management Events

  • Palo Alto Logs

  • Firewall/Network Logs

  • VPN

  • Lansweeper

  • Qualys

  • Tenable

  • Linux/Unix

View the Data Onboarding [Admin] section for more information.

 

Configuration

View the App Installation & Configuration [Admin] section for installation and configuration information regarding the following topics:

  • App installation

  • Dependency installation

  • Macro configurations

 

Enable Alerts and Reports

Since every Splunk user runs a different combination of devices and firewalls, the relevant security use cases vary with their needs. For this reason, all of the alerts and reports that come with the Cyences app are disabled by default.

Please follow the steps below to enable various alerts/reports in Splunk.

  • Go to Settings > Searches, reports, and alerts.

  • In the App dropdown select Cyences App for Splunk (cyences_app_for_splunk).

  • For each alert/report there is an Edit button underneath the Actions column.

  • Click on Edit > Enable to enable the desired alert/report.

 

A few of the included alerts/reports depend on other reports being enabled. The additional reports that must be enabled for these three dependent reports to function are outlined below:

  • Palo Alto Firewall - Malicious IP List Gen

    • Palo Alto Firewall - Network Compromise - DDoS Attack Prevented

    • Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs

    • Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs

      • Dynamically Update Blocked IPs with HoneyDB

  • Ransomware - Spike in File Writes

    • Ransomware - Calculate UpperBound for Spike in File Writes

  • Windows - Hosts Missing Update

    • Windows - Hosts Lookup Gen (this report is enabled by default)

  • Device Inventory Gen

    • View the App Installation and Configuration > Device Inventory section for more details.
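An administrator can check these dependencies before enabling reports in the UI. The following script is an added example, not code from the Cyences app or its documentation: it reads a savedsearches.conf-style snippet (constructed sample data, using Splunk's real "disabled" key), treats the nested HoneyDB entry above as a prerequisite of the Outbound Traffic report, and lists every prerequisite that is still switched off for each enabled dependent report.

```python
import configparser
# Dependency map from the Cyences docs (dependent report -> reports it needs on);
# the nested HoneyDB entry is read as a prerequisite of the "Outbound Traffic" report.
REQUIRES = {
    "Palo Alto Firewall - Malicious IP List Gen": [
        "Palo Alto Firewall - Network Compromise - DDoS Attack Prevented",
        "Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs",
        "Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs",
    ],
    "Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs": [
        "Dynamically Update Blocked IPs with HoneyDB",
    ],
    "Ransomware - Spike in File Writes": [
        "Ransomware - Calculate UpperBound for Spike in File Writes",
    ],
    "Windows - Hosts Missing Update": ["Windows - Hosts Lookup Gen"],
}

# Constructed sample savedsearches.conf (stanza = report; Splunk's real "disabled" key); not the app's file.
SAMPLE_CONF = """
[Palo Alto Firewall - Malicious IP List Gen]
disabled = 0
[Palo Alto Firewall - Network Compromise - DDoS Attack Prevented]
disabled = 0
[Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs]
disabled = 0
[Dynamically Update Blocked IPs with HoneyDB]
disabled = 1
"""

def enabled_reports(conf_text: str) -> set:
    """Stanza names whose 'disabled' is 0/false; a missing key means enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(conf_text)
    return {s for s in cp.sections() if cp.get(s, "disabled", fallback="0").lower() in ("0", "false")}

def missing_prerequisites(enabled: set) -> dict:
    """Per enabled dependent report: its transitive prerequisites that are off."""
    gaps = {}
    for report in sorted(enabled & set(REQUIRES)):
        stack, missing = list(REQUIRES[report]), set()
        while stack:
            dep = stack.pop()
            if dep not in enabled:
                missing.add(dep)
            stack.extend(REQUIRES.get(dep, []))  # follow nested prerequisites
        if missing:
            gaps[report] = sorted(missing)
    return gaps
```

With the sample above, the Malicious IP List Gen report is flagged because both the Inbound Traffic report and, through the enabled Outbound Traffic report, the HoneyDB report are still disabled.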

 

Enable Email Notifications with Alerts

Triggered alerts will be visible in red within the Overview dashboard. Please refer to the Overview Dashboard section for more information.

Email notifications are disabled by default for all alerts.

How to enable email notifications for alerts:

  • Navigate to Settings > Searches, reports, and alerts.

  • Under Type: select Alerts.

  • Under App: select Cyences App for Splunk (cyences_app_for_splunk).

  • Click + Add Actions and in the newly opened dialog box select the Send email action.

  • Complete the necessary field values (e.g., "To", "Subject", "Message").

  • Click Save.

 

Overview Dashboard

The Overview dashboard displays the overall security status of the Splunk environment and highlights current security issues. We specifically designed the Overview dashboard to be a single pane of glass for ease of use.