Developed by Anthony Perez (anthony at splunk.com)
The CIS Controls app for Splunk was designed to provide a consolidated, easily-extensible framework for baseline security “best-practices” based on the Top 20 Critical Security Controls v6.1 published by the Center for Internet Security.
This app provides a data-agnostic framework that leverages Splunk tags, event types, and fields from Splunk's common information model (CIM) to easily visualize and report on these controls regardless of the size or sophistication of an organization’s security team.
This app was designed for any security team or Splunk administrator seeking pre-configured, easily extended visibility into an organization’s CIS Top 20 Critical Controls compliance - regardless of what type of data, equipment, or architecture that organization may use.
In order for this app to visualize your data in the context of the controls framework, users must conform to the following basic prerequisites:
a. Ingest data relevant to the various Critical control families into a Splunk Enterprise (or Splunk Cloud) instance
b. Leverage CIM-compliant Splunk Technology Add-ons (TAs), freely available on splunkbase.splunk.com, to apply the CIM tags and event types to their raw data
Note that this is not a comprehensive list and that any CIM-compliant TAs will drive the reports and visualizations in this app:
a. https://splunkbase.splunk.com/app/2790/ (bit9 TA)
b. https://splunkbase.splunk.com/app/1640/ (bro TA)
c. https://splunkbase.splunk.com/app/1620/ (Cisco ASA TA)
d. https://splunkbase.splunk.com/app/1761/ (Cisco ESA TA)
e. https://splunkbase.splunk.com/app/1903/ (Cisco IPS TA)
f. https://splunkbase.splunk.com/app/1915/ (Cisco ISE TA)
g. https://splunkbase.splunk.com/app/1747/ (Cisco WSA TA)
h. https://splunkbase.splunk.com/app/2847/ (Juniper TA)
i. https://splunkbase.splunk.com/app/1819/ (McAfee TA)
j. https://splunkbase.splunk.com/app/1710/ (Nessus TA)
k. https://splunkbase.splunk.com/app/833/ (*nix TA)
l. https://splunkbase.splunk.com/app/742/ (Windows TA)
m. https://splunkbase.splunk.com/app/1621/ (Splunk Common Information Model (CIM))
This app should be deployed on a search head that meets or exceeds the hardware specification for a dedicated search head due to the use of tags and event types (and to a lesser degree a high number of accelerated searches). In simpler terms, this app trades search efficiency in exchange for data/vendor agnostic queries via the Common Information Model.
Please reference the detailed PDF documentation available via the app navigation menu (or located in:
$SPLUNK_HOME/etc/apps/cis-controls-app-for-splunk/appserver/static/documentation.pdf) for detailed hardware, app configuration, and customization notes.
Created workstation_list.csv
Updated Control 2 reports and dashboards to utilize the new workstation lookup
Updated "Control #4 - Vulnerability Severity Trend" report from 7 days to 30 days to provide better visibility into week-over-week changes
Updated Control #4 dashboard to afford wider view of the above report's data
Updated table header in "Control #5 - Privileged Actions/Activities (excluding auth and account creation/deletion events)" report FROM "signature" TO "system_message_(where_applicable)" to more clearly indicate a service account is conducting the activity and highlight the corresponding message
Updated field name used in SPL in reports FROM 'user_agent' to 'http_user_agent' to adhere to current CIM (CIM v. 4.4.0)
Added ransomware tracker threatinfo Python scripts to auto-download ransomware tracker IP, domain, and URL blocklists and create lookup files in Splunk with these blocklists
Created reports under Control #8 to provide visibility for users to see if they've had contact with ransomware indicators
Created Control #8 dashboard to provide consolidated visibility into contact with ransomware indicators
Updated 'Contact to known-bad destination IPs - Spamhaus DROP nets list' to only show matches against the 'known_bad' list
Updated SPL to reference a field for 'action' versus a tag
Updated in-app documentation to clearly call out that the current version of Splunk's Common Information Model add-on is a prerequisite installation since it contains the current CIM data models, etc.: https://splunkbase.splunk.com/app/1621/
Lower system resource requirements for systems running Splunk Enterprise version 6.4 and higher
App should be acceptably performant on a 12 CPU core x 12GB RAM search head with low search concurrency
Threat Info Scripts
Updated all scripts to specify HTTPS vs. HTTP for threat info downloads
Removed legacy bash scripts - all Python for this iteration
Check the 'Details' tab for v.1.1.0 changelog info
- Initial release version 1.0 beta
- Reference the 'PDF Documentation' within the app for detailed configuration guidance