icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading SecurityScorecard
SHA256 checksum (securityscorecard_100.tgz) 50aac0dbfa4b052c9d90b8f7234bc04a9947e942d0271a9260cebfdfaf31dbb1
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
SecurityScorecard is a security ratings platform that enables enterprises to instantly rate and understand the security risk of companies, non-intrusively and from an outside-in perspective. We use an A-F rating scale. Companies with a C, D or F rating are 5.4 times more likely to be breached or face compliance penalties than companies with an A or B rating. Our platform is used by hundreds of customers for use-cases including vendor risk management, cyber insurance, board reporting, and M&A. Headquartered in New York City, we are funded by top investors like Sequoia Capital, Google Ventures, NGP, Moody’s, Intel, and others. Our vision is to create a new language for companies and their partners to communicate, understand, and improve each other’s security posture.

Check out the details tab for more information!

What does the SecurityScorecard addon for Splunk do?

The SecurityScorecard addon for Splunk offers customers the ability to monitor three components of the SecurityScorecard platform:

  • SecurityScorecard’s overall letter-grade security ratings, which give customers the ability to quickly and easily understand the cybersecurity posture of an organization via an easy-to-understand A-F rating scale
  • SecurityScorecard’s underlying factor data in key risk categories, including Application Security, Malware, Patching Cadence, Network Security, Hacker Chatter, Social Engineering, and Passwords Exposed. Each of these factors is predictive.For example, companies with a C, D, or F rating in Social Engineering are more than 400% more likely to experience a data breach than those with an A or B rating.
  • SecurityScorecard issue-related data, which offers a breadth and depth of critical data points across 87 different issue types not available from any other security ratings provider.

You can choose to monitor your own scorecard or third party scorecards or both. Once the addon is installed, the addon will begin pulling scores and issue level event information on a daily basis and logging them to Splunk. You can leverage the power of Splunk to search, visualize, create alerts and take action, enabling you to efficiently monitor your own cybersecurity risk as well as the risk posed by your 3rd parties.

What can I do with the SecurityScorecard data?

Once our data begins flowing into your Splunk instance, there are numerous applications you can use it for. Some examples include the ability to:

  • Monitor and alert for changes in the overall & factor level scores on your own or 3rd party scorecards
  • Monitor and alert for new issues being added, removed or resolved on your own or 3rd party scorecards
  • Monitor and alert for new threats (malware events) and adverse score events

Additional you can merge:
SecurityScorecard data with other private and 3rd party threat intelligence data you may be tracking.
Internal cyber security event and log data with SecurityScorecard ratings and issue level event information (e.x combine your firewall log data with network security findings from SecurityScorecard).

On top of alerting capabilities, you can also leverage the power of Splunk’s visualization features to create dashboard with SecurityScorecard data included. Attached are some examples of the type of dashboards you can build to monitor for changes in scores and issue level events.

Top 10 Critical Vendor Dashboard

How does the addon fetch data and how often does it get new data?

The SecurityScorecard Splunk addon leverages the SecurityScorecard API to retrieve scores and issue level findings information, this is why the addon requires an API key as part of the setup process. The SecurityScorecard Splunk addon gets fresh data every 24 hours.

When the SecurityScorecard Splunk addon runs, it will retrieve the following data points:

  • List of companies in any monitored portfolio’s (if portfolios have been configured)
  • For your own scorecard or third party scorecards
    -- Overall score
    -- Factor Level score
    -- New changes detected in the scorecard from the previous day (Scorecard Event Log)

How do I install the addon?

SecurityScorecard’s Splunk addon is now available on Splunkbase. Sign into Splunkbase and download the latest version available. Once you have downloaded the package:

To install apps and add-ons from within Splunk Enterprise

  • Log into Splunk Enterprise.
  • On the Apps menu, click Manage Apps.
  • Click Install app from file.
  • In the Upload app window, click Choose File.
  • Locate the .tar.gz file you just downloaded, and then click Open or Choose.
  • Click Upload.
  • Click Restart Splunk, and then confirm that you want to restart.

To install apps and add-ons directly into Splunk Enterprise

  • Put the downloaded file in the $SPLUNK_HOME/etc/apps directory.
  • Untar and ungzip your app or add-on, using a tool like tar -xvf (on *nix) or WinZip (on Windows).
  • Restart Splunk.
  • After you install a Splunk app, you will find it on Splunk Home. If you have questions or need more information, see Manage app and add-on objects.

Once the addon is installed, you should see it on the left hand menu under Apps.

SecurityScorecard Splunk app is installed

Are there any prerequisites for installing the addon?

Yes, please make sure you have completed the following steps before installing our addon:

  • Please make sure you are running at a minimum Splunk version 7.1
  • The application is built using python which should be included by default in Splunk

Please note: You must have an active SecurityScorecard license & API token in order to setup the addon. If you do not have a SecurityScorecard license you can reach out to us at info@securityscorecard.io

Is your addon Splunk certified?

SecurityScorecard Splunk app Certified

Yes, our addon has passed Splunk’s App inspect process. Going forward, we will ensure future versions of our addon pass the app inspect process before being made available to customers.

How do I configure the addon?

Once you have the addon installed, you can configure by launching the addon using the link on the left hand navigation on the home page.

SecurityScorecard Splunk app

Once you open the addon you will see 3 tabs:

Application configuration tabs

  • The inputs tab: Here you will setup what type of data you want to pull from SecurityScorecard
  • The configuration tab: Here you will setup proxy servers and the level of the logging capabilities of the addon.
    -- By default the addon will store informational messages to logs, but you can increase or decrease the depth of information stored by the addon. You only need to change this if you are experiencing issues with the addon.

Addon Configuration

On the configuration tab you will be prompted to answer several questions regarding the type of data you want to log to your Splunk’s instance. We have given you the maximum flexibility when it comes to logging data, you can choose the level of data you want to log about your own scorecard or that of third party companies.

For either your own scorecard or 3rd party scorecards, you will need to make a decision on the depth of data you want to monitor in Splunk.

For your own scorecard For 3rd party scorecards
Monitor Overall Score (y/n) (y/n)
Log overall scores if no changes occured (y/n) (y/n)
Monitor Factor Level Score (y/n) (y/n)
Log factor scores if no changes occured (y/n) (y/n)
Monitor Issue Level Events (y/n) (y/n)

Please note that if you are doing trend analysis, it would be best to log the overall score and factor level scores even if the score does not change, otherwise you will start seeing gaps in your graphs

Additionally you will need to provide the following information:

  • Name - The name of this configuration set.
  • Interval - How often data should be pulled. By default this is 86400 and you should leave this setting as is.
  • Index - The index where you want to log SecurityScorecard data to.
  • Domain Name: If you want to monitor your own scorecard, you will need to provide the domain of your own scorecard.
  • API Token: Please enter your SecurityScorecard API token (example value 33EqgUGLTv69AV3S528hLiNYxCTK). If you do not already have a token, you can create one by going to the API Access area in your Settings page and then clicking Generate New Token. Please note tokens do not expire and you can re-use them over and over again. If you have a token and generate another one, the first token will no longer be valid and cannot be used for API calls.
  • The SecurityScorecardURL: Please set this to https://api.securityscorecard.io/)
  • PortfolioIds: If you want to monitor third party companies, enter in either 1 or more ID’s of portfolio from SecurityScorecard that contain the third party companies you wish to monitor (Example value: 7ba3fb72e4b07c6277a26d31,8bfc267ce4b024107dcc19db) If you want to monitor all the companies in all your portfolios, you can just enter ‘all’. You can get the portfolio ID’s either via an API call or by looking at the browser’s URL bar when you have a specific portfolio loaded.
  • The dateOffSet should be set to 3, this ensures you are pulling full days worth of data.

Here is an example of the choices you will need to make:

Example configuration

Does the addon support proxy servers?

Proxy Configuration

Yes, this addon support's HTTP proxies today and we are working to support SOCKS proxy.

Can I run the addon on demand or manually?

Inputs Configuration

Yes, you can run the addon on demand or manually by disabling and then enabling a defined input. If an input is disabled and then enabled, the addon will run immediately with the defined settings.

Does the addon work on Splunk universal and or heavy forwarder

Yes, this addon can be installed on a forwarder. Please note that the addon pulls data from SecurityScoreard via API and logs them to Splunk. The addon is python based and does not require search capabilities within Splunk.

Does the addon work on Splunk cloud

The addon currently supports Splunk Enterprise, however, we are working with Splunk to get the addon certified for Splunk cloud. If you are using a forwarder, then you can install this addon on the forwarder and data will be pushed to our Splunk cloud instance.

How much data does your addon consume?

Here is the amount of data indexed into Splunk for 2 weeks worth of data:

Companies Monitored Overall Score Only Factor Level Score Only Issue Level Events Only All Data
1 0.002 MB 0.02 MB 0.13 MB 0.16 MB
2 0.006 MB 0.06 MB 0.29 MB 0.36 MB
5 0.016 MB 0.16 MB 0.44 MB 0.62 MB
10 0.034 MB 0.34 MB 0.77 MB 1.14 MB
20 0.069 MB 0.69 MB 0.99 MB 1.75 MB

How do I search for data?

Splunk allows users to search for data by leveraging Search Processing language (or SPL), if you are not familiar with SPL please check out the reference guide and other documentation first.

Once the SecurityScorecard addon starts logging data to your Splunk instance, you can leverage SPL to query for the data. Below are a couple of examples to help you get started.

Please note that your queries will return the data that is logged within the timeframe specified in the time range picker on the right side of the search box, if you are not seeing the data you are looking for please double check the time range to make sure it’s set correctly. As a reminder, the SecurityScorecard Splunk addon will retrieve new grades and event data based on your settings once every 24 hours.

Example #1: Query for all data logged by SecurityScorecard

To query for all data logged by SecurityScorecard you can simply type in index=<index_specified_in_configuration> sourcetype=SecurityScorecard into the search bar. This query will return all events logged by the SecurityScorecard addon.

Example #2: Query for all data logged by SecurityScorecard at the overrall score level

To query for all scores logged at the overall level you can enter the following query: index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Overall into the search bar. Additionally, if you want to filter to a specific domain you can do that by adding a domain to the search criteria like this sourcetype=SecurityScorecard cat=Overall domain=securityscorecard.com

Example #3: Query for all data logged by SecurityScorecard at the factor score and issue level

You can query all factor level data by specifying Factor as the category index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Factor and similarly you can query for all issue level data by specifying Issue as the category index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Issue

Example #4: Query for all data logged by SecurityScorecard for a specific domain

If you want to filter on a specific company you can do that by specifying the domain in the query index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Overall domain=ibm.com

How do I add a new third party company for monitoring?

If you want to start monitoring a new company after you have already setup the addon, you can simply add the third party company to one of the portfolio’s you included in the addon’s configuration. Go to the SecurityScorecard platform and find the portfolio and add the third party company to this portfolio. Data for this company will start getting logged in the next synchronization cycle.

How do I remove a existing third party company for monitoring?

To remove an existing third party company from monitoring, simply remove it from the portfolio in SecurityScorecard. If you want to keep monitoring the company in the SecurityScorecard platform but not in Splunk, add the company to either a new portfolio or in an existing portfolio you did not include in the addon’s configuration.

Can I make configuration changes to the addon?

Yes you can, once saved, the configuration will be used the next time the addon runs and gets fresh data.

How do I uninstall the addon?

Please see Splunk documentation and recommended steps in Manage app and add-on objects.

How do I get support?

If you have problems with the addon, please send an email to support@splunk.com. Splunk will validate whether the issue is with the addon or with Splunk. If the issue is with the addon please send us an email at support@securityscorecard.io.

Release Notes

Version 1.0.0
April 30, 2019

Version 1.0 of the SecurityScorecard Technical Addon for Splunk Enterprise.


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.