The SecurityScorecard app for Splunk will offer customers the ability to monitor three components of the SecurityScorecard platform:
You can choose to monitor your own scorecard, third-party scorecards, or both. Once the app is installed, it will begin pulling scores and issue-level event information on a daily basis and logging them to Splunk. You can leverage the power of Splunk to search, visualize and take action on the information that is logged, enabling you to efficiently monitor your own cybersecurity risk as well as the risk posed by your third parties.
Once our data begins flowing into your Splunk instance, there are numerous applications you can use it for. Some examples include the ability to merge:
Additionally, you can:
You can also leverage the power of Splunk’s visualization features to create dashboards that include SecurityScorecard data. Attached are some examples of the type of dashboards you can build to monitor for changes in scores and issue-level events.
The SecurityScorecard Splunk app leverages the SecurityScorecard API to retrieve scores and issue-level findings information; this is why the app requires an API key as part of the setup process. The SecurityScorecard Splunk app gets fresh data every 24 hours.
When the SecurityScorecard Splunk app runs, it will retrieve the following data points:
Changes in the Scorecard Event Log for the day
Please note: The SecurityScorecard app for Splunk will not currently retrieve all active historical issues on a scorecard and backfill them to Splunk; it will log all score changes and new events on a daily basis going forward.
SecurityScorecard’s Splunk app is now available on Splunkbase. Sign in to Splunkbase and download the latest version available. Once you have downloaded the package:
To install apps and add-ons from within Splunk Enterprise
To install apps and add-ons directly into Splunk Enterprise
Once the app is installed, you should see it in the left-hand menu under Apps.
Yes, please make sure you have completed the following steps before installing our app:
Please note: You must have an active SecurityScorecard license and API token in order to set up the app. If you do not have a SecurityScorecard license, you can reach out to us at email@example.com
Yes, our app has passed Splunk’s AppInspect process. Going forward, we will ensure future versions of our app pass the AppInspect process before being made available to customers.
Once you have the app installed, go to Settings -> Data Inputs. Under Data Inputs you should see an entry for SecurityScorecard; click the link and create a new data input.
You will be prompted to answer several questions regarding the type of data you want to log to your Splunk instance. We have given you maximum flexibility when it comes to logging data: you can choose the level of data you want to log about your own scorecard or that of third-party companies.
Here is a breakdown of the choices you will need to make:
Unfortunately no. Splunk universal and heavy forwarders do not support apps and only support add-ons; they are designed for data collection.
Version 1.3 currently supports Splunk Enterprise; we are planning to add support for Splunk Cloud in an upcoming release.
Here is the amount of data indexed into Splunk for two weeks’ worth of data:
| Companies Monitored | Overall Score Only | Factor Level Score Only | Issue Level Events Only | All Data |
|---|---|---|---|---|
| 1 | 0.002 MB | 0.02 MB | 0.13 MB | 0.16 MB |
| 2 | 0.006 MB | 0.06 MB | 0.29 MB | 0.36 MB |
| 5 | 0.016 MB | 0.16 MB | 0.44 MB | 0.62 MB |
| 10 | 0.034 MB | 0.34 MB | 0.77 MB | 1.14 MB |
| 20 | 0.069 MB | 0.69 MB | 0.99 MB | 1.75 MB |
Once the SecurityScorecard app starts logging data to your Splunk instance, you can leverage SPL to query for the data. Below are a couple of examples to help you get started.
Please note that your queries will return the data logged within the timeframe specified in the time range picker on the right side of the search box. If you are not seeing the data you are looking for, please double-check the time range to make sure it’s set correctly. As a reminder, the SecurityScorecard Splunk app retrieves new grades and event data, based on your settings, once every 24 hours.
Example #1: Query for all data logged by SecurityScorecard
To query for all data logged by SecurityScorecard, you can simply type sourcetype=SecurityScorecard into the search bar. This query will return all events logged by the SecurityScorecard app.
Example #2: Query for all data logged by SecurityScorecard at the overall score level
To query for all scores logged at the overall level, enter the following query into the search bar: sourcetype=SecurityScorecard cat=Overall. Additionally, if you want to filter to a specific domain, add the domain to the search criteria like this: sourcetype=SecurityScorecard cat=Overall domain=securityscorecard.com
Example #3: Query for all data logged by SecurityScorecard at the factor score and issue level
You can query all factor-level data by specifying Factor as the category: sourcetype=SecurityScorecard cat=Factor. Similarly, you can query for all issue-level data by specifying Issue as the category: sourcetype=SecurityScorecard cat=Issue
Example #4: Query for all data logged by SecurityScorecard for a specific domain
If you want to filter on a specific company, specify the domain in the query: sourcetype=SecurityScorecard cat=Overall domain=ibm.com
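Building on the four searches above, here are two alerting-style queries added as an example; they are not from the original page or the app’s documentation. They assume the overall score is logged in a field named score and that issue-level events carry severity and issue_type fields with a value of high for the most severe issues (all four are assumptions; check the actual field names in your indexed events first). The first search compares the two most recent daily overall scores per domain and lists any monitored company whose score fell by 5 points or more; the second counts new high-severity issue events per domain from the last daily sync.

```spl
sourcetype=SecurityScorecard cat=Overall earliest=-2d@d
| stats earliest(score) as previous_score latest(score) as current_score by domain
| eval delta = current_score - previous_score
| where delta <= -5
| sort delta
| table domain previous_score current_score delta

sourcetype=SecurityScorecard cat=Issue earliest=-24h severity=high
| stats count as new_issues values(issue_type) as issue_types by domain
| sort - new_issues
| table domain new_issues issue_types
```

Either search can be saved as an alert on a daily schedule, which matches the app’s 24-hour sync cadence so each run sees exactly one new snapshot per monitored domain.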
If you want to start monitoring a new company after you have already set up the app, you can simply add the third-party company to one of the portfolios you included in the app’s configuration. Go to the SecurityScorecard platform, find the portfolio, and add the third-party company to it. Data for this company will start getting logged in the next synchronization cycle.
To remove an existing third-party company from monitoring, simply remove it from the portfolio in SecurityScorecard. If you want to keep monitoring the company in the SecurityScorecard platform but not in Splunk, move the company to either a new portfolio or an existing portfolio you did not include in the app’s configuration.
Yes, you can. Once saved, the configuration will be used the next time the app runs and gets fresh data.
Please see Splunk documentation and recommended steps in Manage app and add-on objects.
If you have problems with the app, please send an email to firstname.lastname@example.org. Splunk will validate whether the issue is with the app or with Splunk. If the issue is with the app please send us an email at email@example.com.
Changes made in version 1.4:
1. Switched to Python for the implementation
2. Gave users the ability to select the index they want to log the data to
3. Added support for HTTP proxies for customer sites that require all API requests to go through a proxy.
4. Added Portfolio Name along with Portfolio ID
5. Added SecurityScorecard issue type severity field
6. Improved logging capabilities and gave users the ability to set the level of debugging information entered into logs.
Resolves an installation issue for Linux-based systems, including Mac OS X, Red Hat Linux, etc.
Resolved issues with the 1.2 package that prevented AppInspect from passing successfully.
Version 1.2 resolves an installation issue for Linux-based systems, including Mac OS X, Red Hat Linux, etc.
Version 1.1 includes fixes for syncing grades and issue-level data, as well as cleaning up how we log data to Splunk. Additional fixes for ensuring AppInspect passes. Added a README file as well.
Version 1.0 is the initial version of the app.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.