|Author||Aplura, LLC., Cybereason|
|Has index-time operations||true, the included TA add-on must be placed on the indexers|
|Creates an index||false|
|Implements summarization||Currently, the app does not generate summaries|
About Cybereason For Splunk
Version 1.0.1 of Cybereason For Splunk is compatible with:
|Splunk Enterprise versions||6.6, 7.0, 7.1|
The Cybereason App for Splunk enables you to gain deep insight & visibility into your endpoints, detect advanced attacks based on AI hunting, and take response actions within Splunk. The Cybereason AI Hunting Engine automatically asks a complex set of questions of data collected from all of your endpoints at a rate of 8 million calculations per second, 24 hours a day, 7 days a week. This means the solution is continuously hunting on your behalf by asking the same sorts of questions advanced security analysts would ask as they hunt for threats inside an environment. The difference, however, is that the Cybereason malicious activity models run constantly, and continually adapt and evolve according to the data the solution receives and analyzes.
When the Cybereason AI Hunting Engine identifies malicious behavior, it is classified based on context and severity. Suspicions represent multiple pieces of anomalous behavior that are related and therefore more likely to be malicious. Malops (malicious operations) are a collection of related suspicious activities that are highly likely to indicate a security incident, and are defined in a way that minimizes the likelihood of analysts spending time investigating benign activities or false positives. Both Suspicions and Malops are presented in Splunk along with insights that give context to the alerts so you can quickly understand what is happening in your environment.
This App provides the following scripts:
|cybereason.py||This Python file controls the ability to interface with Cybereason.|
|cybereason_rest_client.py||This Python class allows reuse of the Cybereason API for various applications.|
|Diag.py||Allows diag-targeted collection of information.|
|ModularInput.py||Inheritable class for creating modular inputs.|
|Utilities.py||Allows utility interactions with Splunk endpoints.|
Test and QA
Version 1.0.1 of Cybereason For Splunk has the following known issues:
Access questions and answers specific to Cybereason For Splunk at https://answers.splunk.com. Be sure to tag your question with the App.
Support is available via email at firstname.lastname@example.org.
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download Cybereason For Splunk at https://splunkbase.splunk.com.
NOTE: Where referenced, the IA-CybereasonForSplunk and TA-CybereasonForSplunk versions of this App are located on Splunkbase.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
To configure the Cybereason application you should start on the Application Configuration page (Administration > Application Configuration):
On this screen you can set the base index via event type as well as indicating that you have configured the app. Make sure you click the SAVE button to access the additional dashboards.
You can view/delete existing credentials on this tab. These are credentials that are being used by existing modular inputs in the Cybereason application. These credentials are the credentials used to connect to Cybereason appliances.
On this screen you can view and make any changes to existing modular inputs. As you make changes and tab between fields the modular input is modified.
By default, creating a new modular input with a username and password specified will create the necessary encrypted credentials. However, if you want to create encrypted credentials manually, follow this process:
NOTE: By default creating a new modular input will automatically create a new encrypted credential so this process is not necessary unless you need a new credential for another purpose.
NOTE: You will need to configure a new modular input for each Cybereason host.
NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the host/user pair in the modular input configuration. An encrypted credential is required for this Splunk App.
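As an added example (not code from the app, from Aplura or from Cybereason), the following shows how a Splunk modular input can create an encrypted credential through Splunk's storage/passwords REST endpoint and later resolve it by the host/user pair it references; the app name, the realm convention, the session-key handling and the sample listing are all assumptions or constructed here.

```python
import json
import urllib.parse
import urllib.request

# Assumed values: the page names the IA-CybereasonForSplunk add-on but does not
# document the realm the modular input keys credentials under, so this is a guess.
APP = "IA-CybereasonForSplunk"


def credential_realm(host):
    """Realm for a Cybereason host; one credential per host/user pair (assumed convention)."""
    return "cybereason:" + host


def build_create_request(splunk_base, app, host, username, password, session_key):
    """Build the POST to Splunk's storage/passwords endpoint that creates an
    encrypted credential. Splunk keeps the secret encrypted on disk and names
    the entry '<realm>:<username>:'."""
    url = f"{splunk_base}/servicesNS/nobody/{app}/storage/passwords?output_mode=json"
    body = urllib.parse.urlencode(
        {"name": username, "realm": credential_realm(host), "password": password}
    ).encode()
    headers = {"Authorization": "Splunk " + session_key}
    return url, headers, body


def find_credential(entries_json, host, username):
    """Resolve the clear-text password for a host/user pair from a storage/passwords
    listing (output_mode=json). Returns None when no entry matches, which the
    modular input must treat as 'credential missing' rather than fall back to a
    plain-text password."""
    realm = credential_realm(host)
    for entry in json.loads(entries_json).get("entry", []):
        content = entry.get("content", {})
        if content.get("realm") == realm and content.get("username") == username:
            return content.get("clear_password")
    return None


def fetch_credential(splunk_base, app, host, username, session_key):
    """Live lookup against a running Splunk instance (not exercised offline)."""
    url = f"{splunk_base}/servicesNS/nobody/{app}/storage/passwords?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": "Splunk " + session_key})
    with urllib.request.urlopen(req) as resp:
        return find_credential(resp.read().decode(), host, username)


# Constructed sample of a storage/passwords listing, trimmed to the relevant fields.
SAMPLE_LISTING = json.dumps({"entry": [
    {"name": "cybereason:cr-server.example.internal:analyst:",
     "content": {"realm": "cybereason:cr-server.example.internal", "username": "analyst",
                 "password": "********", "clear_password": "s3cr3t-example"}}
]})
```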
By default, all events will be written to the main index. You should change the index in the configuration files to match your specific index.
Cybereason For Splunk contains the following lookup files.
Cybereason For Splunk uses an event generator. This allows the product to display data when there are no inputs configured. Each input listed below must be enabled locally; they are disabled by default.
You can access the eventgen configuration tab in the Application Configuration dashboard.
## Version 1.0.1
- [CYB-38] - Cloud Vetting