BitSight Security Performance Management for Splunk -
Bring BitSight Security Ratings observation information into your security program through this integration with Splunk Enterprise and Enterprise Security. BitSight Security Performance Management for Splunk automates the integration of BitSight observations into Splunk for correlation, analysis, and action. This includes observations from BitSight Work From Home Remote Office which helps organizations understand the risk environment in remote offices that lack many of the traditional security controls.
The add-on automatically maps the BitSight observation types to Splunk’s Common Information Model to enable relevant workflows based on the events from the BitSight data. The BitSight observations are summarized in a dashboard within the add-on.
This visibility enables you to integrate BitSight data with security data from other systems processed by Splunk to identify risk and accelerate remediation. BitSight data can help pinpoint the sources of infections and risky configurations in your company infrastructure, seamlessly going from awareness to rapid remediation. The additional visibility and integration allow security and IT teams to respond faster and more effectively to threats.
BitSight Work from Home - Remote Office -
BitSight Work from Home - Remote Office helps security teams identify vulnerabilities and infections on IP addresses known to be associated with remote operating environments. BitSight Security Performance Management for Splunk leverages the Network Sessions data model to quickly identify home office IP addresses using available log sources in Splunk like VPNs logs. Those IPs are then used to gather security risk observations from BitSight. These observations can be used to:
This add-on is compatible with both Splunk Enterprise and Splunk Enterprise Security.
1. The dashboard has been enhanced, including a compromised systems view.
2. Changed BitSight API token user input option from Inputs page to Configuration -> Addon-Settings as per cloud app standards.
3. "BitSight Work From Home Remote Office" enhancement - if the CIM mapping is in place, the add-on can use it to collect VPN IP addresses instead of requiring the user to enter them manually.
Version : 1.0.3
-> Added macros to avoid searching in all indexes and to increase search performance.
-> Modified "My Company Dashboard" queries using base searches.
-> Modified "Work From Home" functionality to get IP addresses from the VPN dataset of the Network Sessions CIM data model rather than from a user-supplied search query.
The BitSight Security Performance Management for Splunk Add-On has been updated to use the following macro, which you can modify to better match your Splunk configuration:
Splunk indexes containing BitSight data: `bitsight_index`, default definition `index=""`
Example: If you are indexing BitSight data to a `bitsight` index, change macro definition to:
Go to Settings -> Advanced Search -> Search macros, click on `bitsight_index`, and change the definition according to your Splunk configuration.
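The same change can be made in a local macros.conf instead of through the Settings UI. The stanza below is an added example, not a file shipped with the add-on; it assumes BitSight data is indexed into an index named `bitsight` (the name used in the example above) and that the file is placed in the app's local/ directory:

```spl
[bitsight_index]
definition = index="bitsight"
```

With this definition in place, every add-on search that begins with the macro, such as `bitsight_index` | stats count by sourcetype, expands to index="bitsight" | stats count by sourcetype, so the search is scoped to that one index rather than to all indexes the user can read.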
Default configuration for BitSight Work From Home - Remote Office now uses CIM compliant VPN data mapped to the VPN dataset of the Network Sessions data model.
1. BitSight risk vector data is now separately identified by a new End_Point attribute, which makes it easier for SOC engineers to differentiate the data.
2. In this version, the add-on imports data from the BitSight API by checking it against existing data in Splunk and indexing only data that is new. This helps reduce duplication of data. The exception is findings_summary, which returns all results.
3. Added Proxy Configuration support.
4. Modified the Dashboard, Scheduled Alerts Queries & CIM model, and field names for consistency with the new indexing style.
5. Added a drill-down option which enables redirection to matched events data upon clicking on individual graph elements in the dashboard.
6. Added validation for API-URL to prevent unencrypted network (HTTP) calls if the user enters an HTTP URL. (Credentials are encrypted.)
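The kind of check item 6 describes, as an added example that is not the add-on's own code: it accepts an API URL only when the scheme is https and a host is present, so a configuration that would send the API token over plaintext HTTP is rejected before any request is made. The function names and the example hostname api.example.com are assumptions.

```python
from urllib.parse import urlsplit


def validate_api_url(url: str) -> str:
    """Return the trimmed URL if it uses https:// and names a host.

    Raises ValueError otherwise, so a caller can surface the reason to the
    user instead of silently falling back to an unencrypted connection.
    """
    candidate = url.strip()
    parts = urlsplit(candidate)
    # urlsplit lowercases the scheme, so "HTTPS://..." is accepted too.
    if parts.scheme != "https":
        raise ValueError(f"API URL must start with https://, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("API URL must include a host name")
    return candidate


def is_acceptable_api_url(url: str) -> bool:
    """Boolean wrapper for settings-form validation (assumed helper name)."""
    try:
        validate_api_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not values from the add-on.
    for sample in ("https://api.example.com", "http://api.example.com", "api.example.com", "https://"):
        print(sample, "->", is_acceptable_api_url(sample))
```

The check is deliberately strict about the scheme rather than rewriting http:// to https://, because silently upgrading hides a misconfiguration the user should correct.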
V1 of BitSight Security Performance Management for Splunk Add-On