|Author||Aplura, LLC., Cybereason|
|Has index-time operations||true, the included TA add-on must be placed on the indexers|
|Creates an index||false|
|Implements summarization||Currently, the app does not generate summaries|
About Cybereason For Splunk
Version 1.0.3 of Cybereason For Splunk is compatible with:
|Splunk Enterprise versions||8.0|
The Cybereason App for Splunk enables you to gain deep insight & visibility into your endpoints, detect advanced attacks based on AI hunting, and take response actions within Splunk. The Cybereason AI Hunting Engine automatically asks a complex set of questions of data collected from all of your endpoints at a rate of 8 million calculations per second, 24 hours a day, 7 days a week. This means the solution is continuously hunting on your behalf by asking the same sorts of questions advanced security analysts would ask as they hunt for threats inside an environment. The difference, however, is that the Cybereason malicious activity models run constantly, and continually adapt and evolve according to the data the solution receives and analyzes.
When the Cybereason AI Hunting Engine identifies malicious behavior, its classified based on context and severity. Suspicions represent multiple pieces of anomalous behavior which are related and therefore more likely to be malicious. Malops (malicious operations) are a collection of related suspicious activities that are highly likely to indicate a security incident, and are defined in a way that minimizes the likelihood of analysts spending time investigating benign activities or false positives. Both Suspicions and Malops are presented in Splunk along with insights that give context to the alerts so you can quickly understand what is happening in your environment.
This App provides the following scripts:
|cybereason.py||This python file controls the ability to interface with Cybereason.|
|cybereason_rest_client.py||This Python class allows re-use of the cybereason api for various applications.|
|Diag.py||Allows diag-targeted collection of information.|
|ModularInput.py||Inheritable Class to create Modular Inputs|
|Utilities.py||Allows utility interactions with Splunk Endpoints|
[DESK-710] - Add code to disregard comments field on malops events
[DESK-716] - Fix paging issue with malware events
[CYB-41] - IA shipped with no log.cfg
[CYB-43] - Remove URL inspection
[DESK-681] - Convert From All Suspicions To time_bound
[CYB-39] - Update versioned API call
[CYB-42] - Malware Endpoint Change
[CYB-44] - Better Handling of HTML Error Messages
[CYB-45] - Improper Pagination on >17.5 API Calls
[DESK-663] - Last Activity Sorting is Incorrect
[DESK-664] - Classification Type And File Path Fields Are Empty For Powershell
[DESK-665] - Change Default Time Filter To Last 30 Days
[DESK-666] - Suspicious Insights Tab Not Functioning
[DESK-667] - Malop Inbox - Malop Type And Hashes Are Empty For Blacklisted IP
[DESK-668] - Malop Inbox - Sort by Last Activity Desc - Malops From Previous Year Are Presented First
[DESK-669] - Malop Inbox - Multiple Values For Affected Machines
[DESK-670] - Malop Inbox - File Hashes Section Is Empty For Obscured Extension Malop
[DESK-671] - Malop Inbox - Malop Type Is Empty For Custom Rule Malop
[DESK-672] - Malop Inbox - Malop Type Is Empty For Pass The Hash Malop
[DESK-700] - Malware Inbox - Unknown And App Control Malware Are Not Presented At Inbox
[DESK-701] - Malware Inbox - Fileless Malware Data Is Not Presented For Last Month
[DESK-702] - Malware Inbox - Multiple Values For Scan Time
[DESK-703] - Malop Statistics - Machine Data Discrepancy
[DESK-704] - Malop Statistics - Users And Files Data Discrepancy
[DESK-706] - Malop Inbox - Long Process List Breaks The Layout
Test and QA
[CYB-13] - Remove Proxy Configs for Mod Inputs
[CYB-24] - Modular Input throwing 400 errors
[CYB-32] - More UI Changes
[CYB-34] - Counting of Fields
[CYB-35] - Enable Proxy configurations
[CYB-36] - Self Signed Certificate throws error on request
[CYB-37] - API Inconsistent - Throws exception on string boolean
[CYB-6] - Modular Input
[CYB-7] - Field Extractions and CIM Compliance
[CYB-8] - Discovery Dashboard
[CYB-9] - Inbox Dashboard
[CYB-10] - Malop Breakdown Dashboard
[CYB-11] - Malware Dashboard
[CYB-12] - Suspicions Dashboard
[CYB-14] - Malops Breakdown - Additional detail
[CYB-15] - App Icons
[CYB-17] - Health Dashboard
[CYB-26] - Create Eventgen
[CYB-16] - Discovery Dashboard Modifications
[CYB-18] - Inbox Dashboard Cell Drilldown
[CYB-20] - Add Host Dropdown - All Dashboards
[CYB-22] - Remove Menu Slider
[CYB-23] - Discovery Board
[CYB-25] - Suspicions Inbox Update searches
[CYB-28] - Slight Updates
[CYB-29] - CSS Changes
[CYB-30] - Updates to Interface
Version 1.0.3 of Cybereason For Splunk has the following known issues:
Access questions and answers specific to Cybereason For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.
Support Email: firstname.lastname@example.org
Support Offered: Email, Community Engagement
Support is available via email at email@example.com.
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download Cybereason For Splunk at https://splunkbase.splunk.com.
NOTE: Where referenced, the IA-CybereasonForSplunk and TA-CybereasonForSplunk versions of this App are located on Splunkbase.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
Deploy as you would any App, and restart Splunk.
Have your Splunk Cloud Support handle this installation. Do NOT install the IA on the same system as the App.
You may consider using an on-premise Heavy Forwarder to install IA-CybereasonForSplunk, and send the logs to Splunk Cloud.
For each Search Head in the environment, deploy a non-configured copy of the App. DO NOT SEND TA or IA to a Search Head Cluster (SHC).
For each indexer in the environment, deploy a copy of the TA-CybereasonForSplunk Add-On that is located as mentioned above.
For a single Data Collection Node OR Heavy Forwarder (a full instance of Splunk is required), install IA-CybereasonForSplunk and configure through the GUI.
Install the App according to your environment (see steps above)
Navigate to App > IA-CybereasonForSplunk > Administration > Application Configuration
To configure the Cybereason application you should start on the Application Configuration page (Administration > Application Configuration)*:
On this screen you can set the base index via event type as well as indicating that you have configured the app. Make sure you click the SAVE button to access the additional dashboards.
You can view/delete existing credentials on this tab. These are credentials that are being used by existing modular inputs in the Cybereason application. These credentials are the credentials used to connect to Cybereason appliances.
On this screen you can view and make any changes to existing modular inputs. As you make changes and tab between fields the modular input is modified.
By default creating a new modular input with a username and password specified will create the necessary encrypted credentials. However if you want to create encrypted credentials manually follow this process:
Navigate to the Credentials tab.
To create a new encrypted credential, click the Create New Credential button and fill in with the appropriate username and password.
The realm is the application name where the encrypted credential is created + the username.
NOTE: By default creating a new modular input will automatically create a new encrypted credential so this process is not necessary unless you need a new credential for another purpose.
NOTE: You will need to configure a new modular input for each Cybereason host.
NOTE: The Suspicious data type should be only pulled 1 once per day. This particular input pulls all available suspicious items, not just the time-based delta, at the time of ingest. Please configure a separate input with interval 84600 for the suspicious data type.
To create a new data input, click the Create New Cybereason Input button and fill in the following fields. Those with a red asterisk on the screen are required.
Modular Input Name: Name for the data input configuration.
Base URL: The hostname or IP address and port of the Cybereason service. By default you can specify hostname:443.
Username: The username used to connect to the service.
Password: The password for the previously specified service.
Toggle all data keys: Check to select all data keys.
Data keys: List of endpoints available on the Cybereason service. Check the data key if you wish to pull event data.
Interval: The number of seconds indicate how often the input will poll for new data. This setting must be at least 60.
Index: This sets the index for data to be written to. This setting should be changed from default, which normally writes to the main index, to a specified index for best performance. The index must exist on the Search Head and Indexer.
After creating the modular input you may need to disable/re-enable the input in Settings > Data Inputs > Cybereason For Splunk to activate the input.
NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the host/user pair in the modular input configuration. An encrypted credential is required for this Splunk App.
By default all events will be written to the main index. You should change the index in the configuration files to match your specific index.
Check the Monitoring Console (>=v6.5) for errors
Visit the Application Health dashboard
Check for errors in
index=_internal sourcetype=modularinput OR sourcetype=restclient log_level=ERROR OR
$SPLUNK_HOME/bin/splunk diag --collect app:CybereasonForSplunk and send the diag to Cybereason Support.
Cybereason For Splunk contains the following lookup files.
labels.csv - contains the labels for use with the Cybereason data
malop_types.csv - a lookup that helps drive panels
Cybereason For Splunk does make use of an event generator. This allows the product to display data, when there are no inputs configured. Each input listed below must be enabled locally. They are disabled by default.
You can access the eventgen configuration tab in the Application Configuration dashboard.
Summary Indexing: No
Data Model Acceleration: No
Report Acceleration: No
Disregard comments field on malops
Fix paging issue with malware events
Malware ingestion works with Cybereason Version > 17.5. Better error messages on API failure. Updated dashboards.
## Version 1.0.1
- [CYB-38] - Cloud Vetting
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.