
Download package: cybereason-for-splunk_101.tgz
SHA256 checksum (cybereason-for-splunk_101.tgz) caf382d3dbaa1f14dc88c5772240b20870dbd42563ff5b501206fd1c7d760c93
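Before installing, check the downloaded package against the SHA256 published above; a tampered or truncated .tgz should never reach $SPLUNK_HOME/etc/apps. The following is an added example and is not part of the Splunkbase page or of the Cybereason app. It parses the checksum line in the format shown above, streams the file through SHA-256 and compares digests in constant time; the write_constructed_sample helper and the NIST "abc" test vector are constructed inputs so the script runs offline and shows one match and one mismatch.

```python
# Added example (not the Splunkbase page's or the app's code): verify a downloaded
# Splunk app package against its published SHA256 before installing it.
import hashlib
import hmac
import os
import re
import tempfile

# Copied from the Splunkbase download dialog above.
CHECKSUM_LINE = ("SHA256 checksum (cybereason-for-splunk_101.tgz) "
                 "caf382d3dbaa1f14dc88c5772240b20870dbd42563ff5b501206fd1c7d760c93")

_LINE_RE = re.compile(r"SHA256 checksum \((?P<name>[^)]+)\)\s+(?P<digest>[0-9a-fA-F]{64})")


def parse_checksum_line(line):
    """Return (package_name, lowercase_hex_digest) from a Splunkbase checksum line."""
    match = _LINE_RE.search(line)
    if not match:
        raise ValueError("not a Splunkbase SHA256 checksum line: %r" % line)
    return match.group("name"), match.group("digest").lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large .tgz is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path, expected_hex):
    """True only if the file's digest equals expected_hex (case-insensitive, constant-time)."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def write_constructed_sample(data=b"abc"):
    """Write a constructed sample file (NOT the real package) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".tgz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Well-known NIST test vector: SHA-256("abc"). Used only to demonstrate a match.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    name, published = parse_checksum_line(CHECKSUM_LINE)
    # Real use: verify_sha256(name, published) with the downloaded file in the cwd.
    sample = write_constructed_sample()
    print("constructed sample matches its own vector:", verify_sha256(sample, SHA256_ABC))
    print("constructed sample matches the published digest:", verify_sha256(sample, published))
    os.unlink(sample)
```

Run it in the directory holding the download and replace the sample with the real file name; a False result means the package must not be installed, whatever the AppInspect badge says, because the badge covers the package Splunk vetted, not the bytes that arrived on your disk.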

Cybereason For Splunk

Splunk AppInspect Passed
The Cybereason App for Splunk enables you to gain deep insight & visibility into your endpoints, detect advanced attacks based on AI hunting, and take response actions within Splunk. The Cybereason AI Hunting Engine automatically asks a complex set of questions of data collected from all of your endpoints at a rate of 8 million calculations per second, 24 hours a day, 7 days a week. This means the solution is continuously hunting on your behalf by asking the same sorts of questions advanced security analysts would ask as they hunt for threats inside an environment. The difference, however, is that the Cybereason malicious activity models run constantly, and continually adapt and evolve according to the data the solution receives and analyzes.

Learn More: https://cybereason-1.wistia.com/medias/hz40bq01nc

Welcome to the Cybereason for Splunk App documentation!

Overview

About Cybereason For Splunk

Author: Aplura, LLC., Cybereason
App Version: 1.0.1
App Build: 103
Vendor Products: Cybereason
Has index-time operations: true (the included TA add-on must be placed on the indexers)
Creates an index: false
Implements summarization: no (the app does not currently generate summaries)

Compatibility

Version 1.0.1 of Cybereason For Splunk is compatible with:

Splunk Enterprise versions: 6.6, 7.0, 7.1
Platforms: Splunk Enterprise

About Cybereason For Splunk

When the Cybereason AI Hunting Engine identifies malicious behavior, it is classified based on context and severity. Suspicions represent multiple pieces of related anomalous behavior that are therefore more likely to be malicious. Malops (malicious operations) are collections of related suspicious activities that are highly likely to indicate a security incident; they are defined so as to minimize the time analysts spend investigating benign activity or false positives. Both Suspicions and Malops are presented in Splunk together with insights that give context to the alerts, so you can quickly understand what is happening in your environment.

Scripts and binaries

This App provides the following scripts:

cybereason.py: controls the interface with Cybereason (the modular input).
cybereason_rest_client.py: a Python class that wraps the Cybereason API for re-use by other applications.
Diag.py: allows diag-targeted collection of information.
ModularInput.py: inheritable class for creating modular inputs.
Utilities.py: utility interactions with Splunk endpoints.

Release notes

Version 1.0.1

  • Bug

    • [CYB-38] - Cloud Vetting

Version 1.0.0

  • Test and QA

    • [CYB-27] - Failed Test - Eventgen Docs
  • Bug

    • [CYB-13] - Remove Proxy Configs for Mod Inputs
    • [CYB-24] - Modular Input throwing 400 errors
    • [CYB-32] - More UI Changes
    • [CYB-34] - Counting of Fields
    • [CYB-35] - Enable Proxy configurations
    • [CYB-36] - Self Signed Certificate throws error on request
    • [CYB-37] - API Inconsistent - Throws exception on string boolean
  • New Feature

    • [CYB-6] - Modular Input
    • [CYB-7] - Field Extractions and CIM Compliance
    • [CYB-8] - Discovery Dashboard
    • [CYB-9] - Inbox Dashboard
    • [CYB-10] - Malop Breakdown Dashboard
    • [CYB-11] - Malware Dashboard
    • [CYB-12] - Suspicions Dashboard
    • [CYB-14] - Malops Breakdown - Additional detail
    • [CYB-15] - App Icons
    • [CYB-17] - Health Dashboard
    • [CYB-26] - Create Eventgen
  • Improvement

    • [CYB-16] - Discovery Dashboard Modifications
    • [CYB-18] - Inbox Dashboard Cell Drilldown
    • [CYB-20] - Add Host Dropdown - All Dashboards
    • [CYB-22] - Remove Menu Slider
    • [CYB-23] - Discovery Board
    • [CYB-25] - Suspicions Inbox Update searches
    • [CYB-28] - Slight Updates
    • [CYB-29] - CSS Changes
    • [CYB-30] - Updates to Interface

Known Issues

Version 1.0.1 of Cybereason For Splunk has the following known issues:

  • None

Support and resources

Questions and answers

Access questions and answers specific to Cybereason For Splunk at https://answers.splunk.com. Be sure to tag your question with the App.

Support

Support is available via email at support@cybereason.com.

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download Cybereason For Splunk at https://splunkbase.splunk.com.

Installation steps

NOTE: Where referenced, the IA-CybereasonForSplunk and TA-CybereasonForSplunk versions of this App are located on Splunkbase.

Deploy to single server instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. Deploy as you would any App, and restart Splunk.
  2. Install IA-CybereasonForSplunk.
  3. Configure.

Deploy to Splunk Cloud

  1. Have your Splunk Cloud Support handle this installation. Do NOT install the IA on the same system as the App.
  2. Consider installing IA-CybereasonForSplunk on an on-premises Heavy Forwarder and sending the logs to Splunk Cloud.

Deploy to a Distributed Environment

  1. For each Search Head in the environment, deploy a non-configured copy of the App. DO NOT SEND TA or IA to a Search Head Cluster (SHC).
  2. For each indexer in the environment, deploy a copy of the TA-CybereasonForSplunk Add-On that is located as mentioned above.
  3. For a single Data Collection Node OR Heavy Forwarder (a full instance of Splunk is required), install IA-CybereasonForSplunk and configure through the GUI.

User Guide

Configure Cybereason For Splunk

  • Install the App according to your environment (see steps above)
  • Navigate to App > IA-CybereasonForSplunk > Administration > Application Configuration

Application Configuration Dashboard

To configure the Cybereason application, start on the Application Configuration page (Administration > Application Configuration):

Application Configuration

On this screen you set the base index (via the event type) and mark the app as configured. Click the SAVE button; the additional dashboards are not available until you do.

Encrypted Credentials

On this tab you can view or delete existing credentials. These are the credentials used by the existing modular inputs in the Cybereason application to connect to Cybereason appliances.

Cybereason

On this screen you can view and change existing modular inputs. Changes are written to the modular input as you tab between fields.

Creating New Credentials

By default creating a new modular input with a username and password specified will create the necessary encrypted credentials. However if you want to create encrypted credentials manually follow this process:

  • Navigate to the Credentials tab.
  • To create a new encrypted credential, click the Create New Credential button and fill in with the appropriate username and password.
  • The realm is formed from the name of the application in which the encrypted credential is created and the username.

NOTE: By default creating a new modular input will automatically create a new encrypted credential so this process is not necessary unless you need a new credential for another purpose.

Creating New Cybereason Inputs

NOTE: You will need to configure a new modular input for each Cybereason host.

  • To create a new data input, click the Create New Cybereason Input button and fill in the following fields. Those marked with a red asterisk on the screen are required.
    • Modular Input Name: Name for the data input configuration.
    • Base URL: The hostname or IP address and port of the Cybereason service, in the form hostname:port. The default port is 443, so hostname:443 is the usual value.
    • Username: The username used to connect to the service.
    • Password: The password for the username above.
    • Toggle all data keys: Check to select all data keys.
    • Data keys: List of endpoints available on the Cybereason service. Check a data key to pull its event data.
    • Interval: How often, in seconds, the input polls for new data. This setting must be at least 60.
    • Index: The index the data is written to. Change it from the default, which normally writes to the main index, to a dedicated index for best performance. The index must exist on the Search Head and the Indexers.
  • After creating the modular input you may need to disable and re-enable the input in Settings > Data Inputs > Cybereason For Splunk to activate it.
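The field constraints above (an appliance reached over port 443 by default, a polling interval of at least 60 seconds, a dedicated index that must already exist on the search head and indexers) are easy to get wrong when inputs are created by script rather than through the dashboard. The following is an added example and is not the app's own code: the field names, the https-only rule and the known_indexes argument are this example's assumptions drawn from the documentation text, and the app's actual inputs.conf keys may differ. It normalizes the Base URL, refuses plain http because the input sends appliance credentials on every poll, and never returns the password, which the app stores as an encrypted credential.

```python
# Added example (not the app's own code): check the documented constraints for a
# Cybereason input before creating it. Field names are assumptions taken from the
# documentation text, not the app's inputs.conf schema.
from urllib.parse import urlsplit

DEFAULT_PORT = 443          # documented default "hostname:443"
MIN_INTERVAL_SECONDS = 60   # documented minimum polling interval


def normalize_base_url(value):
    """Accept 'host', 'host:443' or 'https://host:8443/' and return 'https://host:port'.

    Plain http is refused (this example's rule): the input carries appliance credentials.
    """
    value = value.strip()
    if "://" not in value:
        value = "https://" + value          # bare host[:port] form from the docs
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("Base URL must use https, got scheme %r" % parts.scheme)
    host = parts.hostname                   # lower-cased, brackets stripped from IPv6
    if not host:
        raise ValueError("Base URL has no hostname")
    port = parts.port or DEFAULT_PORT       # .port raises ValueError on 'host:abc'
    if ":" in host:                         # IPv6 literal must be re-bracketed
        host = "[%s]" % host
    return "https://%s:%d" % (host, port)


def validate_input(name, base_url, username, password, interval, index, known_indexes):
    """Return the normalized input settings, or raise ValueError listing every problem.

    known_indexes: the indexes that exist on the search head and indexers (assumed to
    be looked up by the caller). The password is checked for presence only and is
    never part of the returned settings.
    """
    problems, warnings = [], []
    if not name:
        problems.append("Modular Input Name is required")
    url = None
    try:
        url = normalize_base_url(base_url)
    except ValueError as err:
        problems.append(str(err))
    if not username or not password:
        problems.append("Username and Password are required (stored as an encrypted credential)")
    try:
        interval = int(interval)
    except (TypeError, ValueError):
        problems.append("Interval must be a whole number of seconds, got %r" % (interval,))
        interval = None
    if interval is not None and interval < MIN_INTERVAL_SECONDS:
        problems.append("Interval must be at least %d seconds, got %d" % (MIN_INTERVAL_SECONDS, interval))
    if index not in known_indexes:
        problems.append("Index %r does not exist on the search head and indexers" % index)
    elif index == "main":
        warnings.append("Index 'main' is the default; a dedicated index performs better")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": name,
        "base_url": url,
        "username": username,
        "interval": interval,
        "index": index,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed values, not a real appliance.
    settings = validate_input("cr-prod", "cr.example.internal", "splunk-svc", "s3cret",
                              "300", "cybereason", known_indexes={"main", "cybereason"})
    print(settings)
```

Collecting every problem before raising, rather than stopping at the first, matters when inputs are provisioned in bulk: one run of the check reports the bad interval, the missing index and the http URL together instead of failing three times.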

NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the host/user pair in the modular input configuration. An encrypted credential is required for this Splunk App.

Indexes

By default all events are written to the main index. Change the index, in the input configuration or in the configuration files, to the dedicated index you created for this data.

Troubleshoot Cybereason For Splunk

  1. Check the Monitoring Console (>=v6.5) for errors
  2. Visit the Application Health dashboard

Lookups

Cybereason For Splunk contains the following lookup files.

  • labels.csv - contains the labels for use with the Cybereason data
  • malop_types.csv - a lookup that helps drive panels

Event Generator

Cybereason For Splunk includes an event generator, which lets the dashboards display sample data when no inputs are configured. Each sample input listed below is disabled by default and must be enabled locally.

You can access the eventgen configuration tab in the Application Configuration dashboard.

  • cybereason_users.sample
  • cybereason_malops_rootCauseElements.sample
  • cybereason_malware.sample
  • cybereason_malops_affectedUsers.sample
  • cybereason_malops_filesToRemediate.sample
  • cybereason_malop.sample
  • cybereason_malops_suspects.sample
  • cybereason_malops_affectedMachines.sample
  • cybereason_suspicious.sample

Acceleration

  1. Summary Indexing: No
  2. Data Model Acceleration: No
  3. Report Acceleration: No

Release Notes

Version 1.0.1
Sept. 11, 2018


55 installs, 163 downloads

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.


© 2005-2018 Splunk Inc. All rights reserved.