icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Forescout OT Network Security Monitoring for Splunk
SHA256 checksum (forescout-ot-network-security-monitoring-for-splunk_110.tgz) a18ca986b6cb102f9ff294b64c32945476ceb80832115c25281f4141deba07da SHA256 checksum (forescout-ot-network-security-monitoring-for-splunk_101.tgz) 487f34df3f6a355378514adc9f13df816f877a8be7abfe30be83b663c3d70efb SHA256 checksum (forescout-ot-network-security-monitoring-for-splunk_100.tgz) 13276291cc4667bb60e852dfa53755a1d4b92314302a32740f134d04d70f9211
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

splunk

Forescout OT Network Security Monitoring for Splunk

Splunk Cloud
Overview
Details
The Forescout OT Network Security Monitoring App for Splunk (Forescout OT NSM App) enables users to act on OT/ICS threats and vulnerabilities using three intuitive Splunk dashboards. By integrating configurable alert data from Forescout eyeInspect (previously named SilentDefense) with device information and other relevant network activity, this App provides Splunk users with unparalleled contextual information required to identify threats, manage remediation workflows and secure their ICS environment.

The Forescout OT NSM App for Splunk is the ideal solution for industrial asset owners who want to integrate rich OT asset intelligence and threat detection data from across all OT sites within Splunk. Users can leverage the exceptional OT asset and threat data from Forescout eyeInspect to increase compliance and defend their OT/ICS networks from both operational failures and cyberattacks, such as Ripple 20, EKANS, WannaCry, NotPetya, TRITON and many more.

The Forescout OT NSM App for Splunk contains three pre-built Splunk Dashboards:
- The Security Dashboard helps the user to identify alert trends and correlate them with other network activity, enabling a faster detection of anomalies, cyber threats, dangerous commands sent to OT devices and device misbehavior. It allows to reduce Mean Time to Response by providing the context needed to determine the best mitigation action
- The Asset Inventory Dashboard lets analysts access high-value device information and context to better identify unexpected changes in the network, prioritize investigations, and quickly acknowledge new assets, communication patterns, or protocols seen within the network to help asset inventory and maintenance processes.
- The Administrative Dashboard provides deep insights on system health status and user activity performed on the Forescout eyeInspect appliances, to prevent system failure and detect undesired user activity.

The Forescout OT NSM App for Splunk automatically maps data to the Splunk Common Information Model (CIM) and the Splunk OT Asset Model. Valuable Forescout eyeInspect alerts and asset data can also be easily leveraged by other Splunk Apps and Add-ons such as Splunk Enterprise Security and OT Security Add-on for Splunk.

Questions the Forescout OT Network Security Monitoring App for Splunk Can Help Answer

This App provides valuable insight via three pre-built dashboards that display real-time OT asset and threat intelligence data provided by Forescout's premium OT security solution, eyeInspect (previously named SilentDefense).

Forescout Security Dashboard

Overarching question answered:

Are there any urgent threats that I need to focus on and what should I do to respond? The Security Dashboard helps the user to identify alert trends and correlate them with other network activity, enabling a faster detection of anomalies, cyber threats, dangerous commands sent to OT devices and device misbehavior. It allows to reduce Mean Time to Response by providing the context needed to determine the best mitigation action.

Subquestions:

What are the latest alerts in my network? The “Recent OT Network Security Monitoring Alerts” widget displays the most recent alerts with details like originating Sensor, Severity, Description, Source IP, Destination IP, Destination Port and Layer 7 Protocol. The ”ITL Alerts (24h/1h)” widget helps to monitor whether the alert trend has been increasing or decreasing in the selected time interval.

Are there any critical alerts I need to focus on immediately? The “Alerts by Severity” widget categorizes alerts as Informational, Low, Medium, High, and Critical for immediate visibility and response to urgent issues.

From where do my problems/threats originate? The “Alerts by Sensor Name”, “Alerts by L7 Protocol” and “Alerts by Sensor Name by Protocol” widgets help to identify the origin of the alert. In particular, originating sensor information helps to identify the network affected and protocol information allows to better drill down into potential threat vectors and the processes involved.

Is my network affected by cyber, operational or networking issues? The “ITL Alerts by Category” widget displays the alerts generated by the eyeInspect Industrial Threat Library (ITL). The ITL detects threats that may impact one of the following three areas of responsibility: Operations, Security, and Networking. This allows to immediately assign the investigation and initiate response through the most appropriate personnel.

What type of problems/threats am I dealing with? The “Alerts by Event Type” widget displays statistics about the number of events per type. This allows to identify which problems or threats occur more frequently.

Which assets are the most impacted? The “Alert Types by IP” widget displays the number of alerts associated with the top 15 assets (source and/or destination). The “Alert Types by Source IP” widget helps identify the source of the anomalous changes of behavior.

Are there any relevant DNS requests that could provide useful context for my analysis? The “DNS Queries - Top 15, DNS Queries – Fewest 10, Resolved DNS Queries – Top 10, Resolved DNS Queries - Fewest 10” widget allows the user to ensure that assets only communicate with legitimate domains. Suspicious or blacklisted domain names my indicate that the asset is infected (e.g. trying to reach out to malware C&C) or attempting unauthorized communications.

Is there any unauthorized network access to my assets? Many OT protocols allow authentication on clear text protocols. It is important to monitor successful and failed authentication attempts to critical assets for both accountability and security reasons. The “Authentication Success”, ”Authentication Failures”,” Authentication Details” supports the user in this analysis.

Are there any encrypted connections with unauthorized SSL certificates in my network? The “SSL Certificates Requested” widget Identifies SSL certificates used in the network in listing their Issuer, Validity, Expiration, Cipher Suite used, Source IP and Destination IP. This allows the user to identify (attempted) encrypted communications with unauthorized or invalid certificates.

Are there any unexpected file transfers that may indicate lateral movement? The “File Activity” widget shows file access and transfers happening on the network, such as file reads, writes, or deletes. The file name indicated in the widget allows users to identify whether the operation is legitimate or represents, for instance, an exfiltration attempt of sensitive information or malware lateral movement.

Forescout Asset Inventory Dashboard

Overarching question answered:

Are there any unexpected changes in my network? The Asset Inventory Dashboard lets analysts access high-value device information and context to better identify unexpected changes in the network, prioritize investigations, and quickly acknowledge new assets, communication patterns, or protocols seen within the network to help the asset inventory and maintenance processes.

Subquestions:

Is there any new device or relevant change in my network? The “Assets – Added to Inventory” widget displays the list of assets seen by eyeInspect listing IP, MAC Address(es), Vendor/Model, Firmware version, Hardware version. In addition, the ”Assets with Modules – Added to Inventory” widget shows if new backplane modules have been added to PLCs.

Is there any new communication I’ve never seen? The “Links - Last Seen 20” widget displays the last 20 communication links seen on the network within the selected time interval.

Are there any network connectivity issues? The “Failed Connections” widget displays failed connections seen within the network that may indicate connectivity problems.

Did some asset go offline? Or are my assets attempting to communicate with unknown assets? The “Ghost Nodes” widget displays ghost assets, i.e. assets receiving network requests but never responding.

Is someone using insecure protocols like TELNET, or uncommon protocols for OT like DHCP? The “TELNET Protocol Used” and “DHCP Protocol Used” widgets help the user to identify the usage of these protocols.

Forescout Administrative Dashboard

Overarching question answered:

How is the health of my Forescout eyeInspect installation? The Administrative Dashboard provides deep insights on system health status and user activity performed on the eyeInspect appliances, to prevent system failure and detect undesired user activity.

Subquestions:

What is my eyeInspect system health status? The “Health Changes” and “Connect/Disconnect Changes” widgets displays the latest health status changes of the eyeInspect components. For example, it displays when sensors are at a critical memory usage level and when sensors frequently connect and disconnect from a Command Center to enable quick response on issues that – if unattended – may leave to system failure.

Can I have complete accountability of the users’ behavior on eyeInspect? The “User Activity” widget shows the activity being performed by eyeInspect users, such as logins or changes to sensor configuration. The “Failed Logins” widget shows recent login attempts and failures to highlight potential breaches.

Release Notes

Version 1.1.0
Feb. 25, 2021

Forescout OT Network Security Monitoring App for for Splunk v1.1.0 introduces the following new features:

Multi-eyeInspect Command Center (CC) support: The Forescout OT App can now receive events from multiple CCs,
identifying which CC generated the event. This enables streamlined, integrated intelligence for all OT environment sites across the globe. Added field in the widgets displays which CC generated the event so you know exactly where the event originated from. Includes new filter in the dashboards to display the events from one or all CCs.

Automatic data mapping to the Splunk Common Information Model (CIM) and Splunk OT Asset Model makes it easy to leverage valuable eyeInspect data by other Splunk Apps such as Splunk Enterprise Security and the OT Security Add-on for Splunk:
o Automated mappings of the Alerts on the Alert component of the Splunk CIM
o Automated mappings of the Asset Inventory to the Splunk OT Asset Model
o Initial mappings of Vulnerability information for the Splunk OT Asset Model

Version 1.0.1
Sept. 15, 2020

Fixed typo in source naming

Version 1.0.0
Aug. 7, 2020

The Forescout OT Network Security Monitoring App for Splunk enables users to act on OT/ICS threats and vulnerabilities using three intuitive Splunk dashboards. By integrating configurable alert data from Forescout eyeInspect (previously named SilentDefense) with device information and other relevant network activity, this App provides Splunk users with unparalleled contextual information required to identify threats, manage remediation workflows and secure their ICS environment.

Version 1.0

43
Installs
297
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.