The SecurityScorecard addon for Splunk offers customers the ability to monitor three components of the SecurityScorecard platform:
You can choose to monitor your own scorecard or third party scorecards or both. Once the addon is installed, the addon will begin pulling scores and issue level event information on a daily basis and logging them to Splunk. You can leverage the power of Splunk to search, visualize, create alerts and take action, enabling you to efficiently monitor your own cybersecurity risk as well as the risk posed by your 3rd parties.
Once our data begins flowing into your Splunk instance, there are numerous applications you can use it for. Some examples include the ability to:
Additional you can merge:
SecurityScorecard data with other private and 3rd party threat intelligence data you may be tracking.
Internal cyber security event and log data with SecurityScorecard ratings and issue level event information (e.x combine your firewall log data with network security findings from SecurityScorecard).
On top of alerting capabilities, you can also leverage the power of Splunk’s visualization features to create dashboard with SecurityScorecard data included. Attached are some examples of the type of dashboards you can build to monitor for changes in scores and issue level events.
The SecurityScorecard Splunk addon leverages the SecurityScorecard API to retrieve scores and issue level findings information, this is why the addon requires an API key as part of the setup process. The SecurityScorecard Splunk addon gets fresh data every 24 hours.
When the SecurityScorecard Splunk addon runs, it will retrieve the following data points:
SecurityScorecard’s Splunk addon is now available on Splunkbase. Sign into Splunkbase and download the latest version available. Once you have downloaded the package:
To install apps and add-ons from within Splunk Enterprise
To install apps and add-ons directly into Splunk Enterprise
Once the addon is installed, you should see it on the left hand menu under Apps.
Yes, please make sure you have completed the following steps before installing our addon:
Please note: You must have an active SecurityScorecard license & API token in order to setup the addon. If you do not have a SecurityScorecard license you can reach out to us at firstname.lastname@example.org
Yes, our addon has passed Splunk’s App inspect process. Going forward, we will ensure future versions of our addon pass the app inspect process before being made available to customers.
Once you have the addon installed, you can configure by launching the addon using the link on the left hand navigation on the home page.
Once you open the addon you will see 3 tabs:
On the configuration tab you will be prompted to answer several questions regarding the type of data you want to log to your Splunk’s instance. We have given you the maximum flexibility when it comes to logging data, you can choose the level of data you want to log about your own scorecard or that of third party companies.
For either your own scorecard or 3rd party scorecards, you will need to make a decision on the depth of data you want to monitor in Splunk.
|For your own scorecard||For 3rd party scorecards|
|Monitor Overall Score||(y/n)||(y/n)|
|Log overall scores if no changes occured||(y/n)||(y/n)|
|Monitor Factor Level Score||(y/n)||(y/n)|
|Log factor scores if no changes occured||(y/n)||(y/n)|
|Monitor Issue Level Events||(y/n)||(y/n)|
Please note that if you are doing trend analysis, it would be best to log the overall score and factor level scores even if the score does not change, otherwise you will start seeing gaps in your graphs
Additionally you will need to provide the following information:
Here is an example of the choices you will need to make:
Yes, this addon support's HTTP proxies today and we are working to support SOCKS proxy.
Yes, you can run the addon on demand or manually by disabling and then enabling a defined input. If an input is disabled and then enabled, the addon will run immediately with the defined settings.
Yes, this addon can be installed on a forwarder. Please note that the addon pulls data from SecurityScoreard via API and logs them to Splunk. The addon is python based and does not require search capabilities within Splunk.
The addon currently supports Splunk Enterprise, however, we are working with Splunk to get the addon certified for Splunk cloud. If you are using a forwarder, then you can install this addon on the forwarder and data will be pushed to our Splunk cloud instance.
Here is the amount of data indexed into Splunk for 2 weeks worth of data:
|Companies Monitored||Overall Score Only||Factor Level Score Only||Issue Level Events Only||All Data|
|1||0.002 MB||0.02 MB||0.13 MB||0.16 MB|
|2||0.006 MB||0.06 MB||0.29 MB||0.36 MB|
|5||0.016 MB||0.16 MB||0.44 MB||0.62 MB|
|10||0.034 MB||0.34 MB||0.77 MB||1.14 MB|
|20||0.069 MB||0.69 MB||0.99 MB||1.75 MB|
Once the SecurityScorecard addon starts logging data to your Splunk instance, you can leverage SPL to query for the data. Below are a couple of examples to help you get started.
Please note that your queries will return the data that is logged within the timeframe specified in the time range picker on the right side of the search box, if you are not seeing the data you are looking for please double check the time range to make sure it’s set correctly. As a reminder, the SecurityScorecard Splunk addon will retrieve new grades and event data based on your settings once every 24 hours.
To query for all data logged by SecurityScorecard you can simply type in index=<index_specified_in_configuration> sourcetype=SecurityScorecard into the search bar. This query will return all events logged by the SecurityScorecard addon.
To query for all scores logged at the overall level you can enter the following query: index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Overall into the search bar. Additionally, if you want to filter to a specific domain you can do that by adding a domain to the search criteria like this sourcetype=SecurityScorecard cat=Overall domain=securityscorecard.com
You can query all factor level data by specifying Factor as the category index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Factor and similarly you can query for all issue level data by specifying Issue as the category index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Issue
If you want to filter on a specific company you can do that by specifying the domain in the query index=<index_specified_in_configuration> sourcetype=SecurityScorecard cat=Overall domain=ibm.com
If you want to start monitoring a new company after you have already setup the addon, you can simply add the third party company to one of the portfolio’s you included in the addon’s configuration. Go to the SecurityScorecard platform and find the portfolio and add the third party company to this portfolio. Data for this company will start getting logged in the next synchronization cycle.
To remove an existing third party company from monitoring, simply remove it from the portfolio in SecurityScorecard. If you want to keep monitoring the company in the SecurityScorecard platform but not in Splunk, add the company to either a new portfolio or in an existing portfolio you did not include in the addon’s configuration.
Yes you can, once saved, the configuration will be used the next time the addon runs and gets fresh data.
Please see Splunk documentation and recommended steps in Manage app and add-on objects.
If you have problems with the addon, please send an email to email@example.com. Splunk will validate whether the issue is with the addon or with Splunk. If the issue is with the addon please send us an email at firstname.lastname@example.org.
Version 1.0 of the SecurityScorecard Technical Addon for Splunk Enterprise.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.