icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading CIS Critical Security Controls
SHA256 checksum (cis-critical-security-controls_110.tgz) ac9d0d247b0fecb67b1920ad473dd9f1cc9abacbfd4113509ea44839609e9bf2 SHA256 checksum (cis-critical-security-controls_10beta.tgz) 9079c63df9ebb73f2cb22b8f6f4a9121008eb6086ef11926bd073605a570946f
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


CIS Critical Security Controls

This app is NOT supported by Splunk. Please read about what that means for you here.
The CIS Critical Security Controls app for Splunk was designed to provide a consolidated, easily-extensible framework for baseline security “best-practices” based on the Top 20 Critical Security Controls v6.1 published by the Center for Internet Security.

CIS Critical Security Controls

Version 1.1.0

Developed by Anthony Perez (anthony at splunk.com)


The CIS Controls app for Splunk was designed to provide a consolidated, easily-extensible framework for baseline security “best-practices” based on the Top 20 Critical Security Controls v6.1 published by the Center for Internet Security.

This app provides a data-agnostic framework that leverages Splunk tags, event types, and fields from Splunk's common information model (CIM) to easily visualize and report on these controls regardless of the size or sophistication of an organization’s security team.

Who this app is for:

This app was designed for any security team or Splunk administrator seeking pre-configured, easily extended visibility into an organization’s CIS Top 20 Critical Controls compliance - regardless of what type of data, equipment, or architecture that organization may use.


In order for this app to visualize your data in the context of the controls framework, users must conform to the following basic prerequisites:

a. Ingest data relevant to the various Critical control families into a Splunk Enterprise (or Splunk Cloud) instance
* https://www.cisecurity.org/critical-controls/

b. Leverage CIM-compliant Splunk Technology Add-ons (TAs), freely available on splunkbase.splunk.com, to apply the CIM tags and event types to their raw data

Example CIM-Compliant TAs that were used for development and testing

Note that this is not a comprehensive list and that any CIM-compliant TAs will drive the reports and visuzlizations in this app

a. https://splunkbase.splunk.com/app/2790/ (bit9 TA)
b. https://splunkbase.splunk.com/app/1640/ (bro TA)
c. https://splunkbase.splunk.com/app/1620/ (Cisco ASA TA)
d. https://splunkbase.splunk.com/app/1761/ (Cisco ESA TA)
e. https://splunkbase.splunk.com/app/1903/ (Cisco IPS TA)
f. https://splunkbase.splunk.com/app/1915/ (Cisco ISE TA)
g. https://splunkbase.splunk.com/app/1747/ (Cisco WSA TA)
h. https://splunkbase.splunk.com/app/2847/ (Juniper TA)
i. https://splunkbase.splunk.com/app/1819/ (McAfee TA)
j. https://splunkbase.splunk.com/app/1710/ (Nessus TA)
k. https://splunkbase.splunk.com/app/833/ (*nix TA)
l. https://splunkbase.splunk.com/app/742/ (Windows TA)
m. https://splunkbase.splunk.com/app/1621/ (Splunk Common Information Model (CIM))


This app should be deployed on a search head that meets or exceeds the hardware specification for a dedicated search head due to the use of tags and event types (and to a lesser degree a high number of accelerated searches). In simpler terms, this app trades search efficiency in exchange for data/vendor agnostic queries via the Common Information Model.

Please reference the detailed PDF documentation available via the app navigation menu (or located in:$SPLUNK_HOME/etc/apps/cis-controls-app-for-splunk/appserver/static/documentation.pdf) for detailed hardware, app configuration, and customization notes.

Special Thanks:

  • Dave Herrald for the controls overview dashboard
  • Dan Goldburt for Control 16 content

Change log - v.1.1.0

Control 2:

Created workstation_list.csv
Updated Control 2 reports and dashboards to utilize the new workstation lookup

Control 4:

Updated "Control #4 - Vulnerability Severity Trend" report from 7days to 30days to provide better visibility into week-over-week changes
Updated Control #4 dashboard to afford wider view of the above report's data

Control 5:

Updated table header in "Control #5 - Privileged Actions/Activities (excluding auth and account creation/deletion events)" report FROM "signature" TO "system_message_(where_applicable)" to more clearly indicate a service account is conducting the activity and highlight the corresponding message

Control 7:

Updated field name used in SPL in reports FROM 'user_agent' to 'http_user_agent' to adhere to current CIM (CIM v. 4.4.0)

Control 8:

Added ransomware tracker threatinfo
    Python scripts to auto-download ransomware tracker ip, domain, url blocklists and create lookup files in Splunk with these blocklists
    Created reports under Control #8 to provide visibility for users to see if they've had contact with ransomware indicators
    Created Control #8 dashboard to provide consolidated visibility in to contact with ransomware indicators

Control 12:

Updated 'Contact to known-bad destination IPs - Spamhaus DROP nets list' to only show matches against the 'known_bad' list

Control 15:

Updated SPL to reference a field for 'action' versus a tag

App Dependencies:

Updated in-app documentation to clearly call out that the current version of Splunk's Common Information Model add-on is a prerequisite installation since it contains the current CIM data models, etc.: https://splunkbase.splunk.com/app/1621/

Hardware Resources:

Lower system resource requirements for systems running Splunk Enterprise version 6.4 and higher
App should be acceptably performant on a 12 CPU core x12GB RAM Searchhead with low search concurrency

Threat Info Scripts

Updated all scripts to specify HTTPS vs. HTTP for threat info downloads
Removed legacy bash scripts - all python for this iteration

Release Notes

Version 1.1.0
July 26, 2016

Check the 'Details' tab for v.1.1.0 changelog info

Version 1.0beta
Feb. 18, 2016
  • Initial release version 1.0 beta
  • Reference the 'PDF Documentation' within the app for detailed configuration guidance

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.