This App provides valuable insight via three pre-built dashboards that display real-time OT asset and threat intelligence data provided by Forescout's premium OT security solution, eyeInspect (previously named SilentDefense).
Overarching question answered:
Are there any urgent threats that I need to focus on, and what should I do to respond? The Security Dashboard helps the user identify alert trends and correlate them with other network activity, enabling faster detection of anomalies, cyber threats, dangerous commands sent to OT devices and device misbehavior. It helps reduce Mean Time to Respond by providing the context needed to determine the best mitigation action.
What are the latest alerts in my network? The “Recent OT Network Security Monitoring Alerts” widget displays the most recent alerts with details such as originating Sensor, Severity, Description, Source IP, Destination IP, Destination Port and Layer 7 Protocol. The “ITL Alerts (24h/1h)” widget helps monitor whether the alert trend has been increasing or decreasing over the selected time interval.
Are there any critical alerts I need to focus on immediately? The “Alerts by Severity” widget categorizes alerts as Informational, Low, Medium, High, and Critical for immediate visibility and response to urgent issues.
From where do my problems/threats originate? The “Alerts by Sensor Name”, “Alerts by L7 Protocol” and “Alerts by Sensor Name by Protocol” widgets help identify where an alert originates. In particular, the originating sensor identifies the network segment affected, and the protocol information allows a better drill-down into the potential threat vectors and the processes involved.
Is my network affected by cyber, operational or networking issues? The “ITL Alerts by Category” widget displays the alerts generated by the eyeInspect Industrial Threat Library (ITL). The ITL detects threats that may impact one of three areas of responsibility: Operations, Security and Networking. This allows the investigation to be assigned, and the response initiated, immediately through the most appropriate personnel.
What type of problems/threats am I dealing with? The “Alerts by Event Type” widget displays statistics on the number of events per type, which shows which problems or threats occur most frequently.
Which assets are the most impacted? The “Alert Types by IP” widget displays the number of alerts associated with the top 15 assets (as source and/or destination). The “Alert Types by Source IP” widget helps identify the source of anomalous changes in behavior.
Are there any relevant DNS requests that could provide useful context for my analysis? The “DNS Queries – Top 15”, “DNS Queries – Fewest 10”, “Resolved DNS Queries – Top 10” and “Resolved DNS Queries – Fewest 10” widgets let the user verify that assets only communicate with legitimate domains. Suspicious or blacklisted domain names may indicate that the asset is infected (e.g. trying to reach a malware C&C server) or attempting unauthorized communications. The “Fewest” views are often the more useful ones: a rare lookup from an OT asset stands out far more than the hosts it resolves every day.
Is there any unauthorized network access to my assets? Many OT protocols carry authentication in clear text. It is important to monitor successful and failed authentication attempts against critical assets, for both accountability and security reasons. The “Authentication Success”, “Authentication Failures” and “Authentication Details” widgets support the user in this analysis; a burst of failures against one asset followed by a success is the classic pattern of a password-guessing attack.
Are there any encrypted connections with unauthorized SSL certificates in my network? The “SSL Certificates Requested” widget identifies the SSL certificates used in the network, listing their Issuer, Validity, Expiration, Cipher Suite, Source IP and Destination IP. This allows the user to identify (attempted) encrypted communications using unauthorized or invalid certificates, for example an expired certificate or one from an issuer the site does not trust. The widget lists what is observed; which issuers count as authorized is a site policy the analyst applies.
Are there any unexpected file transfers that may indicate lateral movement? The “File Activity” widget shows file access and transfers happening on the network, such as file reads, writes or deletes. The file name shown in the widget lets users judge whether the operation is legitimate or represents, for instance, an exfiltration attempt on sensitive information or malware lateral movement.
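The certificate questions above (unauthorized issuer, expired or not-yet-valid certificate, weak cipher suite) can be turned into a repeatable check. The following is an added example written for this page, not code from the Forescout app or from Splunk: it evaluates constructed certificate observations of the kind the “SSL Certificates Requested” widget lists. The record shape (issuer, not_before, not_after, cipher, src, dst), the allowed-issuer set and the weak-cipher markers are illustrative assumptions; a real deployment substitutes its own PKI policy.

```python
"""Added example: policy checks over certificate observations.

Record shape, ALLOWED_ISSUERS and WEAK_CIPHER_MARKERS are assumptions made
for illustration; they are not defined by the Forescout app or this page.
"""
from datetime import datetime, timezone

# Constructed "now" so the example is deterministic offline.
OBSERVED_AT = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Assumed site policy: issuers the plant PKI actually trusts.
ALLOWED_ISSUERS = {"CN=Plant PKI Issuing CA 01", "CN=Corp Root CA"}

# Substrings that mark a cipher suite as unacceptable (assumed policy).
WEAK_CIPHER_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "MD5")

# Constructed observations, one per (src, dst) certificate seen on the wire.
CERTS = [
    {"issuer": "CN=Plant PKI Issuing CA 01", "not_before": "2023-01-01T00:00:00Z",
     "not_after": "2025-01-01T00:00:00Z", "cipher": "TLS_AES_128_GCM_SHA256",
     "src": "10.0.1.10", "dst": "10.0.1.5"},                      # clean
    {"issuer": "CN=Plant PKI Issuing CA 01", "not_before": "2021-01-01T00:00:00Z",
     "not_after": "2024-01-01T00:00:00Z", "cipher": "TLS_AES_128_GCM_SHA256",
     "src": "10.0.1.11", "dst": "10.0.1.5"},                      # expired
    {"issuer": "CN=Plant PKI Issuing CA 01", "not_before": "2024-06-01T00:00:00Z",
     "not_after": "2026-06-01T00:00:00Z", "cipher": "TLS_AES_256_GCM_SHA384",
     "src": "10.0.1.11", "dst": "10.0.1.6"},                      # not yet valid
    {"issuer": "CN=HMI-07", "not_before": "2020-01-01T00:00:00Z",
     "not_after": "2030-01-01T00:00:00Z", "cipher": "TLS_RSA_WITH_RC4_128_SHA",
     "src": "10.0.1.12", "dst": "10.0.1.7"},                      # self-signed, weak cipher
    {"issuer": "CN=Corp Root CA", "not_before": "2023-05-20T00:00:00Z",
     "not_after": "2024-05-20T00:00:00Z", "cipher": "TLS_RSA_WITH_AES_256_CBC_SHA",
     "src": "10.0.1.13", "dst": "10.0.1.8"},                      # expires soon
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_certificate(rec, now=OBSERVED_AT, allowed=ALLOWED_ISSUERS):
    """Return the list of findings for one observation (empty means clean)."""
    findings = []
    not_before, not_after = parse_ts(rec["not_before"]), parse_ts(rec["not_after"])
    if rec["issuer"] not in allowed:
        findings.append("unauthorized_issuer")
    if now < not_before:                     # clock skew or pre-staged cert
        findings.append("not_yet_valid")
    if now > not_after:
        findings.append("expired")
    elif (not_after - now).days <= 30:       # renewal window, not yet an outage
        findings.append("expires_within_30d")
    if any(m in rec["cipher"].upper() for m in WEAK_CIPHER_MARKERS):
        findings.append("weak_cipher")
    return findings


def triage(certs, now=OBSERVED_AT):
    """Only the observations that need an analyst: (src, dst, findings)."""
    out = []
    for rec in certs:
        findings = check_certificate(rec, now)
        if findings:
            out.append((rec["src"], rec["dst"], findings))
    return out


if __name__ == "__main__":
    for src, dst, findings in triage(CERTS):
        print(f"{src} -> {dst}: {', '.join(findings)}")
```

The "expires within 30 days" finding is deliberately separate from "expired": on an OT network a certificate that lapses on an HMI or historian is an availability incident, so the renewal window is worth surfacing before the widget starts showing invalid certificates.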
Overarching question answered:
Are there any unexpected changes in my network? The Asset Inventory Dashboard lets analysts access high-value device information and context to identify unexpected changes in the network, prioritize investigations, and quickly acknowledge new assets, communication patterns or protocols seen within the network, supporting the asset inventory and maintenance processes.
Is there any new device or relevant change in my network? The “Assets – Added to Inventory” widget displays the list of assets seen by eyeInspect, listing IP, MAC Address(es), Vendor/Model, Firmware version and Hardware version. In addition, the “Assets with Modules – Added to Inventory” widget shows whether new backplane modules have been added to PLCs.
Is there any new communication I’ve never seen? The “Links - Last Seen 20” widget displays the last 20 communication links seen on the network within the selected time interval.
Are there any network connectivity issues? The “Failed Connections” widget displays failed connections seen within the network that may indicate connectivity problems.
Did some asset go offline? Or are my assets attempting to communicate with unknown assets? The “Ghost Nodes” widget displays ghost assets, i.e. assets receiving network requests but never responding.
Is someone using insecure protocols like TELNET, or protocols that are uncommon in OT, like DHCP? The “TELNET Protocol Used” and “DHCP Protocol Used” widgets help the user identify the usage of these protocols.
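The last four questions (new links, failed connections, ghost nodes, TELNET/DHCP usage) all derive from the same link records, so here is one added example that computes them together. It is written for this page, not code from the Forescout app or Splunk, and it runs over constructed link records whose shape (timestamp, source, destination, destination port, L7 protocol, responded flag) and baseline of known links are assumptions for illustration, not eyeInspect's export format. It also handles one edge case the widget definitions leave implicit: broadcast and multicast destinations never "respond", so they must be excluded before anything is called a ghost node or a failed connection.

```python
"""Added example: Asset Inventory signals over constructed link records.

The record layout, KNOWN_LINKS baseline and flagged-protocol list are
assumptions for illustration, not the Forescout app's own data model.
"""
import ipaddress
from collections import Counter

# Constructed sample: one record per observed request, plus whether the
# destination ever answered it.
LINKS = [
    ("2024-05-01T08:00:00", "10.0.1.10", "10.0.1.20", 502, "Modbus/TCP", True),
    ("2024-05-01T08:00:05", "10.0.1.10", "10.0.1.21", 502, "Modbus/TCP", True),
    ("2024-05-01T08:01:00", "10.0.1.10", "10.0.1.99", 502, "Modbus/TCP", False),
    ("2024-05-01T08:02:00", "10.0.1.10", "10.0.1.99", 502, "Modbus/TCP", False),
    ("2024-05-01T08:03:00", "10.0.1.30", "10.0.1.20", 23, "TELNET", True),
    ("2024-05-01T08:04:00", "10.0.1.20", "10.0.1.1", 53, "DNS", True),
    ("2024-05-01T08:05:00", "10.0.1.40", "10.0.1.21", 102, "S7comm", False),
    ("2024-05-01T08:06:00", "10.0.1.50", "255.255.255.255", 67, "DHCP", False),
    ("2024-05-01T08:07:00", "10.0.1.60", "224.0.0.251", 5353, "mDNS", False),
]

# Constructed baseline: links an operator has already reviewed and accepted.
KNOWN_LINKS = {
    ("10.0.1.10", "10.0.1.20", 502, "Modbus/TCP"),
    ("10.0.1.10", "10.0.1.21", 502, "Modbus/TCP"),
    ("10.0.1.20", "10.0.1.1", 53, "DNS"),
}


def is_unicast(addr):
    """Broadcast/multicast targets never answer as a single host; counting
    them as ghosts or failed peers only produces noise."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_multicast or addr == "255.255.255.255")


def link_key(rec):
    _ts, src, dst, port, proto, _responded = rec
    return (src, dst, port, proto)


def ghost_nodes(links):
    """Unicast destinations that never answered any request and never sent
    anything themselves: an offline peer still configured somewhere, or a
    probe toward an address nobody owns."""
    answered = {dst for _, _, dst, _, _, ok in links if ok}
    talkers = {src for _, src, _, _, _, _ in links}
    targets = {dst for _, _, dst, _, _, _ in links if is_unicast(dst)}
    return sorted(targets - answered - talkers)


def failed_connections(links):
    """Unanswered requests per link, unicast peers only."""
    return Counter(link_key(r) for r in links if not r[5] and is_unicast(r[2]))


def last_seen_links(links, n=20):
    """The n most recently observed distinct links, newest first."""
    latest = {}
    for rec in sorted(links, key=lambda r: r[0]):
        latest[link_key(rec)] = rec[0]          # later timestamp overwrites
    return sorted(latest, key=latest.get, reverse=True)[:n]


def new_links(links, known):
    """Links never seen in the reviewed baseline."""
    return sorted({link_key(r) for r in links} - set(known))


def protocol_usage(links, flagged=("TELNET", "DHCP")):
    """Who is talking insecure (TELNET) or OT-atypical (DHCP) protocols."""
    usage = {proto: [] for proto in flagged}
    for _, src, dst, _, proto, _ in links:
        if proto in usage:
            usage[proto].append((src, dst))
    return usage


if __name__ == "__main__":
    print("ghost nodes:", ghost_nodes(LINKS))
    print("failed connections:", dict(failed_connections(LINKS)))
    print("last seen:", last_seen_links(LINKS, 3))
    print("new links:", new_links(LINKS, KNOWN_LINKS))
    print("flagged protocols:", protocol_usage(LINKS))
```

Note how 10.0.1.21 is not reported as a ghost even though the S7comm request from 10.0.1.40 went unanswered: it answers Modbus from 10.0.1.10, so that single failure is a connectivity or configuration issue on one link, not an offline asset.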
Overarching question answered:
How healthy is my Forescout eyeInspect installation? The Administrative Dashboard provides deep insight into the system health status of, and the user activity performed on, the eyeInspect appliances, to prevent system failure and detect undesired user activity.
What is my eyeInspect system health status? The “Health Changes” and “Connect/Disconnect Changes” widgets display the latest health status changes of the eyeInspect components. For example, they show when sensors reach a critical memory usage level and when sensors frequently connect to and disconnect from a Command Center, enabling a quick response to issues that, if unattended, may lead to system failure.
Can I have complete accountability for users’ behavior on eyeInspect? The “User Activity” widget shows the activity performed by eyeInspect users, such as logins or changes to sensor configuration. The “Failed Logins” widget shows recent login attempts and failures to highlight potential breaches.
Forescout OT Network Security Monitoring App for Splunk v1.1.0 introduces the following new features:
Multi-eyeInspect Command Center (CC) support: The Forescout OT App can now receive events from multiple CCs, identifying which CC generated each event. This enables streamlined, integrated intelligence across all OT environment sites worldwide. A new field in the widgets shows which CC generated the event, so you know exactly where it originated, and a new filter in the dashboards displays events from one or all CCs.
Automatic data mapping to the Splunk Common Information Model (CIM) and the Splunk OT Asset Model makes it easy for other Splunk Apps, such as Splunk Enterprise Security and the OT Security Add-on for Splunk, to use eyeInspect data:
o Automated mapping of alerts onto the Alerts data model of the Splunk CIM
o Automated mapping of the asset inventory onto the Splunk OT Asset Model
o Initial mapping of vulnerability information onto the Splunk OT Asset Model
Fixed typo in source naming
The Forescout OT Network Security Monitoring App for Splunk enables users to act on OT/ICS threats and vulnerabilities using three intuitive Splunk dashboards. By integrating configurable alert data from Forescout eyeInspect (previously named SilentDefense) with device information and other relevant network activity, this App provides Splunk users with unparalleled contextual information required to identify threats, manage remediation workflows and secure their ICS environment.