Download package: campus-compliance-toolkit-for-nist-800-171_102.tgz
SHA256 checksum: 9f3628195eef5b44662836b5360bea74f2f2dc4083c81eae79f221f10f4afd1d
Campus Compliance Toolkit for NIST 800-171

Splunk Certified
This app is designed to assist organizations with reaching compliance
with the NIST 800-171 standards. Where Splunk can be applied to these
standards, dashboards have been created using the Common Information
Model for normalizing event data.


Overview

Author: BAI
App Version: 1.0.2
App Build: 37
Has index-time operations: false
Creates an index: false
Implements summarization: no (the app does not currently generate summaries)
Data Models: this app makes use of Data Models and expects them to be accelerated.

About this App

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download Campus Compliance Toolkit for NIST 800-171 at https://splunkbase.splunk.com/app/3828/.

Prerequisites

This app requires the Splunk Common Information Model (CIM) Add-on to be installed. For information regarding the installation of the CIM Add-on, please see the Splunk Common Information Model Add-on documentation.

Deploy to single server instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. Deploy as you would any App, and restart Splunk.
  2. Configure.

Deploy to Splunk Cloud

  1. Contact Splunk Cloud Support for assistance with the installation.

Deploy to a Distributed Environment

  1. This app should be distributed only to search heads on which you would like to use this app.

Search Head Clustering

  1. This app should be compatible with Splunk Search Head Clustering.

Data Model Acceleration

While not required, it is highly recommended, and the default, to use Data Model Acceleration with this App, for performance reasons. See the Data Models section for more information about which data models should be accelerated.

A note on Splunk Data Model Acceleration and Disk Space

This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it. This documentation can be found here: Data Model Summary Size On Disk.

User Guide

Key concepts for Campus Compliance Toolkit for NIST 800-171

This app is designed to assist organizations with reaching compliance with the NIST 800-171 standards. Where Splunk can be applied to these standards, dashboards have been created using the Common Information Model for normalizing event data. This means that for the app to provide dashboard results, your data must be properly onboarded, and have the appropriate tags to be consumed by the data model. See the Data Model Acceleration section of the documentation for more information, as well as the table for individual controls.

Data Models

This app uses the following Data Models:

  • Application_State
  • Authentication
  • Change_Analysis
  • Intrusion_Detection
  • Malware
  • Network_Sessions
  • Network_Traffic
  • Performance
  • Updates
  • Vulnerabilities
  • Web

Macros

The following macros can be used to configure the app.

cc_allowed_ports

Contains the name of the lookup that defines which ports are considered allowed in reports.

cc_get_indexers

Contains a search pattern which returns the indexers for the environment.

cc_get_searchheads

Contains a search pattern which returns the search heads for the environment.

cc_inactive_time

Contains the time span, in seconds, after which an account is considered inactive. Defaults to 31536000 seconds (one year).

cc_internal_ranges

Returns a search pattern that indicates which traffic is considered internal traffic. Takes one argument: the name of the field being compared (src, dest, src_ip, dest_ip).

cc_max_review_age

Contains the time span, in seconds, which is considered the review period for the control dashboards in the application. Defaults to 172800 seconds (two days).

cc_prestats

Used to control how the tstats command, when using the prestats option, is called within the application.

cc_priv_lookup

Contains the definition of a lookup that holds the list of users considered privileged in the environment.

cc_timeSync_allowance

Contains the time span, in seconds, within which systems are expected to synchronize time. Defaults to 86400 seconds (one day).

cc_tstats

Used to control how the tstats command, when not using the prestats option, is called within the application.
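The following macros.conf fragment is an added example of how macros like these are defined and consumed; it is not the app's shipped configuration. The stanza bodies use the documented defaults, while the RFC 1918 ranges, the argument name and the two sample searches are assumptions.

```ini
# macros.conf (added example; stanza bodies are assumptions written to show
# the mechanism, not the definitions shipped with the app)

# Inactivity threshold used by 3.5.6: one year, as the documented default.
[cc_inactive_time]
definition = 31536000

# Review window used by 3.3.3: two days, as the documented default.
[cc_max_review_age]
definition = 172800

# Time-sync tolerance used by 3.3.7: one day, as the documented default.
[cc_timeSync_allowance]
definition = 86400

# One-argument macro: the caller passes the field to compare (src, dest,
# src_ip or dest_ip) and the macro expands to a filter on that field.
# The RFC 1918 ranges below are an assumption; replace them with your own.
[cc_internal_ranges(1)]
args = field
definition = ($field$="10.0.0.0/8" OR $field$="172.16.0.0/12" OR $field$="192.168.0.0/16")

# How a dashboard search consumes them (3.5.6 Identifier inactivity):
# accounts whose most recent successful authentication is older than the
# configured threshold. Macros expand before the search runs, so
# `cc_inactive_time` becomes the literal 31536000.
#
#   | tstats latest(_time) as last_login from datamodel=Authentication
#       where Authentication.action="success" by Authentication.user
#   | where now() - last_login > `cc_inactive_time`
#
# Internal-vs-external traffic (3.13.1 Boundary protection), using the
# Network_Traffic CIM tags and the one-argument macro:
#
#   tag=network tag=communicate NOT `cc_internal_ranges(src_ip)`
```

Changing a default means editing the macro definition (or overriding it in a local macros.conf), not editing each dashboard search.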

Lookups

The following lookups can be used to configure the app.

cc_allowed_ports

File name: cc_allowed_ports.csv

This lookup is used for controlling which network ports are considered allowed when viewing reports. The dvc field is wild-carded to allow for the creation of allowed ports across multiple devices.

cc_allowed_processes

File name: cc_allowed_processes.csv

This lookup is used for controlling which processes are considered allowed when viewing reports. The dest field is wild-carded to allow for whitelisting processes across multiple destinations.

cc_priv_users

File name: cc_priv_users.csv

A list of users which are considered privileged users in the applicable environment.

cc_splunk_data_controls

File name: cc_splunk_data_controls.csv

A lookup that controls which data sources are considered missing. The index, host, and sourcetype fields are wild-carded.
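The transforms.conf fragment below is an added example showing how the wild-carded lookup columns described above are declared and used; it is not the app's shipped stanzas. The page names only the wild-carded field of each lookup, so the remaining column names and the CSV rows are constructed for illustration.

```ini
# transforms.conf (added example, not the app's shipped stanzas). Column
# names other than the wild-carded ones, and the CSV rows, are constructed.

[cc_allowed_ports]
filename = cc_allowed_ports.csv
# WILDCARD(dvc) lets a row whose dvc is "*" or "dmz-fw-*" match many
# devices, while dest_port and transport must still match exactly.
match_type = WILDCARD(dvc)
case_sensitive_match = false
#   constructed cc_allowed_ports.csv:
#   dvc,dest_port,transport,allowed
#   *,443,tcp,true
#   dmz-fw-*,22,tcp,true

[cc_allowed_processes]
filename = cc_allowed_processes.csv
match_type = WILDCARD(dest)
#   constructed cc_allowed_processes.csv:
#   dest,process_name,allowed
#   *,svchost.exe,true
#   web-*,nginx,true

[cc_splunk_data_controls]
filename = cc_splunk_data_controls.csv
# Several wild-carded columns are given as a comma and space delimited list.
match_type = WILDCARD(index), WILDCARD(host), WILDCARD(sourcetype)

# Report-side use (3.4.7): join traffic against the lookup and keep only the
# rows that matched no allowed entry, i.e. traffic to non-allowed ports.
#   | lookup cc_allowed_ports dvc dest_port transport OUTPUT allowed
#   | where isnull(allowed)
```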

Control Dashboards

3.1.1 Limit system access to authorized users

Data model: Authentication

3.1.6 Use of non-privileged accounts

Data model: Authentication

3.1.7 Prevention of privileged functions

Data model: Authentication

3.1.8 Unsuccessful logon attempts

Data model: Authentication, Change_Analysis

3.1.12 Monitor remote access

Data model: Network_Sessions

3.1.20 Use of external systems

This dashboard can be used to provide links to additional Splunk apps which may contain relevant information. By default it provides a link to the Splunk App for AWS.

3.1.21 Portable storage

The CIM does not currently contain a model for these events. Events to populate this dashboard should be tagged with the following tags:

  • usb
  • storage

Eventtypes and tags have been included for Windows and Linux USB storage insertions.

3.3.1 Create, protect and retain audit records

Provides an overview of Splunk index retention settings and results.

3.3.2 User action audit

Data model: Change_Analysis

3.3.3 Audit event reviews

Data model: Splunk_Audit

Provides a report on the last time the relevant dashboards in the app were viewed, and whether they need to be reviewed again.

3.3.4 Audit failure alerts

Data model: Change_Analysis

Uses Splunk's _internal index.

3.3.5 Audit event monitoring

Data model: Authentication, Network_Traffic, Vulnerabilities, Malware, Intrusion_Detection

3.3.6 On-demand audit analysis and reporting

Provides a link to the Search and Reporting app.

3.3.7 Time synchronization

Data model: Performance, Application_State

3.3.8 Protect audit information and tools

Uses REST commands to gather information on Splunk users.

3.3.9 Limit audit management users

Uses REST commands to gather information on Splunk users.

3.4.6 Least functionality

Data model: Application_State

3.4.7 Nonessential functions, ports, protocols and services

Data model: Network_Traffic

3.4.8 Default deny

Data model: Application_State

3.4.9 Control and monitor user installed software

Data model: Application_State

Software installation is not covered by the current version of the CIM. The panels will display events tagged with the following tags:

  • software
  • installation

Eventtypes and tags for Windows (MSI) installations have been included in this app. The panels select these events with the search filter:

tag=installation tag=software

3.5.6 Identifier inactivity

Data model: Authentication

3.8.7 Removable media

The CIM does not currently contain a model for these events. Events to populate this dashboard should be tagged with the following tags:

  • usb
  • storage

Eventtypes and tags have been included for Windows and Linux USB storage insertions.

3.11.2 Vulnerability scanning

Data model: Vulnerabilities

3.11.3 Vulnerability remediation

Data model: Vulnerabilities

To effectively drive this dashboard, Vulnerability events should have the following knowledge objects:

3.11.3 Knowledge Objects

Knowledge Object    Value/Name          Type
tag                 campus_compliance   N/A
tag                 vulnerability       N/A
field               is_mitigated        true/false
field               first_seen          epoch time
field               last_seen           epoch time
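The fragment below is an added example of onboarding a vulnerability source so that it carries the tags and fields listed for 3.11.3; it is not part of the app. The sourcetype, the scanner's raw field names (status, first_found, last_found), their timestamp format and the eventtype name are assumptions.

```ini
# props.conf / eventtypes.conf / tags.conf (added example, not part of the
# app). Sourcetype, raw field names and status values are assumptions; the
# two tags and the three fields are the ones the 3.11.3 dashboard expects.

# props.conf: derive the expected fields from the scanner's own fields.
# is_mitigated must be the string "true" or "false"; first_seen and
# last_seen must be epoch times, so timestamps go through strptime().
[example:vulnscan]
EVAL-is_mitigated = if(status="fixed" OR status="mitigated", "true", "false")
EVAL-first_seen = strptime(first_found, "%Y-%m-%dT%H:%M:%S")
EVAL-last_seen = strptime(last_found, "%Y-%m-%dT%H:%M:%S")

# eventtypes.conf: tags attach to an eventtype, not to a sourcetype directly.
[cc_vulnscan_results]
search = sourcetype=example:vulnscan

# tags.conf: both tags the 3.11.3 panels filter on.
[eventtype=cc_vulnscan_results]
campus_compliance = enabled
vulnerability = enabled

# What the dashboard can now rely on, e.g. unremediated findings and their
# age in days since first detection:
#   tag=campus_compliance tag=vulnerability is_mitigated=false
#   | eval age_days=round((now() - first_seen) / 86400)
```

After a restart (or a reload of the knowledge objects), `tag=campus_compliance tag=vulnerability` should return events with all three fields populated; an empty is_mitigated or a non-numeric first_seen is the usual cause of empty panels.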

3.12.3 Control effectiveness

Pending

3.13.1 Boundary protection

Data model: Network_Traffic

3.13.13 Mobile code

Data model: Web

3.14.1 Flaw handling

Data model: Updates, Application_State

3.14.3 Alert monitoring

Data model: Intrusion_Detection, Malware

3.14.4 Protection updates

Data model: Malware.Malware_Operations

3.14.5 File and malware scanning

Data model: Malware

3.14.6 Traffic monitoring

Data model: Network_Traffic

3.14.7 Unauthorized use

Pending

Release notes

  • Initial Version

  • Added correct URL to Documentation

  • CC-34 - Fix failed App Inspect Errors

About this release

Compatibility

Version 1.0.2 of Campus Compliance Toolkit for NIST 800-171 is compatible with:

Splunk Enterprise versions: 6.6, 7.0
Platforms: Splunk Enterprise

Known Issues

Version 1.0.2 of Campus Compliance Toolkit for NIST 800-171 has the following known issues:

  • None

Event Generator

No event generator is shipped with this app.

Support and resources

Questions and answers

Access questions and answers specific to Campus Compliance Toolkit for NIST 800-171 at https://answers.splunk.com. Be sure to tag your question with the App.

Support

  • Support Offered: Community Engagement

License

This app has been released under the GNU General Public License, Version 2. Please see the included license.txt for more details.

Third Party Notices

Version 1.0.2 of Campus Compliance Toolkit for NIST 800-171 incorporates the following Third-party software or third-party services.

See internal README for full list.

Release Notes

Version 1.0.2
Feb. 1, 2018

1. Moved Location of managed_configurations.conf

Installs: 68
Downloads: 299
© 2005-2018 Splunk Inc. All rights reserved.