
SHA256 checksums of the app packages:
- forescout-ot-network-security-monitoring-for-splunk_101.tgz: 487f34df3f6a355378514adc9f13df816f877a8be7abfe30be83b663c3d70efb
- forescout-ot-network-security-monitoring-for-splunk_100.tgz: 13276291cc4667bb60e852dfa53755a1d4b92314302a32740f134d04d70f9211


Forescout OT Network Security Monitoring for Splunk

The Forescout OT Network Security Monitoring App for Splunk enables users to act on OT/ICS threats and vulnerabilities using three intuitive Splunk dashboards. By integrating configurable alert data from Forescout eyeInspect (previously named SilentDefense) with device information and other relevant network activity, this App provides Splunk users with unparalleled contextual information required to identify threats, manage remediation workflows and secure their ICS environment.

The Forescout OT Network Security Monitoring App for Splunk is the ideal solution for industrial asset owners who want to integrate rich OT asset intelligence and threat detection capabilities into their Splunk installation. With the App, users can leverage the exceptional OT device visibility and threat detection capabilities of Forescout eyeInspect to defend their OT/ICS networks from both operational failures and cyberattacks, such as Ripple 20, EKANS, WannaCry, NotPetya, TRITON and many more.

The Forescout OT Network Security Monitoring App for Splunk contains three pre-built Splunk Dashboards:
- The Security Dashboard helps the user identify alert trends and correlate them with other network activity, enabling faster detection of anomalies, cyber threats, dangerous commands sent to OT devices and device misbehavior. It helps reduce Mean Time to Response by providing the context needed to determine the best mitigation action.
- The Asset Inventory Dashboard lets analysts access high-value device information and context to better identify unexpected changes in the network, prioritize investigations, and quickly acknowledge new assets, communication patterns, or protocols seen within the network, supporting asset inventory and maintenance processes.
- The Administrative Dashboard provides deep insights into system health status and user activity performed on the Forescout eyeInspect appliances, to prevent system failure and detect undesired user activity.

Questions the Forescout OT Network Security Monitoring App for Splunk Can Help Answer

This App provides valuable insight via three pre-built dashboards that display real-time OT asset and threat intelligence data provided by Forescout's premium OT security solution, eyeInspect (previously named SilentDefense).

Forescout Security Dashboard

Overarching question answered:

Are there any urgent threats that I need to focus on and what should I do to respond? The Security Dashboard helps the user identify alert trends and correlate them with other network activity, enabling faster detection of anomalies, cyber threats, dangerous commands sent to OT devices and device misbehavior. It helps reduce Mean Time to Response by providing the context needed to determine the best mitigation action.

Subquestions:

What are the latest alerts in my network? The “Recent OT Network Security Monitoring Alerts” widget displays the most recent alerts with details like originating Sensor, Severity, Description, Source IP, Destination IP, Destination Port and Layer 7 Protocol. The “ITL Alerts (24h/1h)” widget helps to monitor whether the alert trend has been increasing or decreasing in the selected time interval.

Are there any critical alerts I need to focus on immediately? The “Alerts by Severity” widget categorizes alerts as Informational, Low, Medium, High, and Critical for immediate visibility and response to urgent issues.

From where do my problems/threats originate? The “Alerts by Sensor Name”, “Alerts by L7 Protocol” and “Alerts by Sensor Name by Protocol” widgets help to identify the origin of the alert. In particular, originating sensor information helps to identify the network affected, and protocol information allows the user to drill down further into potential threat vectors and the processes involved.

Is my network affected by cyber, operational or networking issues? The “ITL Alerts by Category” widget displays the alerts generated by the eyeInspect Industrial Threat Library (ITL). The ITL detects threats that may impact one of the following three areas of responsibility: Operations, Security, and Networking. This allows the investigation to be assigned immediately and the response initiated by the most appropriate personnel.

What type of problems/threats am I dealing with? The “Alerts by Event Type” widget displays statistics about the number of events per type. This helps identify which problems or threats occur more frequently.

Which assets are the most impacted? The “Alert Types by IP” widget displays the number of alerts associated with the top 15 assets (source and/or destination). The “Alert Types by Source IP” widget helps identify the source of the anomalous changes of behavior.

Are there any relevant DNS requests that could provide useful context for my analysis? The “DNS Queries - Top 15”, “DNS Queries - Fewest 10”, “Resolved DNS Queries - Top 10” and “Resolved DNS Queries - Fewest 10” widgets allow the user to verify that assets only communicate with legitimate domains. Suspicious or blacklisted domain names may indicate that the asset is infected (e.g. trying to reach out to malware C&C) or attempting unauthorized communications.

Is there any unauthorized network access to my assets? Many OT protocols perform authentication in clear text. It is important to monitor successful and failed authentication attempts to critical assets for both accountability and security reasons. The “Authentication Success”, “Authentication Failures” and “Authentication Details” widgets support the user in this analysis.

Are there any encrypted connections with unauthorized SSL certificates in my network? The “SSL Certificates Requested” widget identifies SSL certificates used in the network, listing their Issuer, Validity, Expiration, Cipher Suite used, Source IP and Destination IP. This allows the user to identify (attempted) encrypted communications with unauthorized or invalid certificates.

Are there any unexpected file transfers that may indicate lateral movement? The “File Activity” widget shows file access and transfers happening on the network, such as file reads, writes, or deletes. The file name indicated in the widget allows users to identify whether the operation is legitimate or represents, for instance, an exfiltration attempt of sensitive information or malware lateral movement.
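The Security Dashboard widgets above are aggregations over eyeInspect alert records. The Python below is an added illustration, not code from the app or from Forescout: it implements the same groupings (by severity, by sensor and L7 protocol, and the top impacted IPs counted over source and/or destination) over a constructed set of alert records. The field names follow the widget columns listed above (Sensor, Severity, Source IP, Destination IP, Destination Port, Layer 7 Protocol), but the record layout and sample values are assumptions, not the real eyeInspect export format.

```python
from collections import Counter, defaultdict

# Severity scale as listed in the "Alerts by Severity" widget, lowest to highest.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High", "Critical"]

# Constructed sample alerts; field names mirror the widget columns, values are made up.
SAMPLE_ALERTS = [
    {"sensor": "sensor-plant-a", "severity": "Critical", "description": "Unauthorized write",
     "src_ip": "10.0.1.10", "dst_ip": "10.0.2.20", "dst_port": 502, "l7_protocol": "Modbus/TCP"},
    {"sensor": "sensor-plant-a", "severity": "High", "description": "Unauthorized write",
     "src_ip": "10.0.1.10", "dst_ip": "10.0.2.21", "dst_port": 502, "l7_protocol": "Modbus/TCP"},
    {"sensor": "sensor-plant-a", "severity": "medium", "description": "New device",
     "src_ip": "10.0.1.11", "dst_ip": "10.0.2.20", "dst_port": 44818, "l7_protocol": "EtherNet/IP"},
    {"sensor": "sensor-plant-b", "severity": "Low", "description": "Clear-text protocol",
     "src_ip": "10.0.3.5", "dst_ip": "10.0.2.20", "dst_port": 23, "l7_protocol": "TELNET"},
    {"sensor": "sensor-plant-b", "severity": "Informational", "description": "DNS query",
     "src_ip": "10.0.3.6", "dst_ip": "10.0.2.22", "dst_port": 53, "l7_protocol": "DNS"},
    {"sensor": "sensor-plant-b", "severity": "High", "description": "Stop CPU command",
     "src_ip": "10.0.3.5", "dst_ip": "10.0.1.10", "dst_port": 102, "l7_protocol": "S7comm"},
]


def severity_rank(label):
    """Index on SEVERITY_ORDER, case-insensitive; -1 for labels not on the scale."""
    label = label.strip().title()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else -1


def alerts_by_severity(alerts):
    """'Alerts by Severity': every level is reported, including zero counts, so an
    empty bucket stays visible; labels off the scale land in 'Unknown'."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for a in alerts:
        rank = severity_rank(a["severity"])
        key = SEVERITY_ORDER[rank] if rank >= 0 else "Unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


def urgent_alerts(alerts, min_severity="High"):
    """Alerts at or above min_severity, highest first: what an analyst triages first."""
    floor = severity_rank(min_severity)
    picked = [a for a in alerts if severity_rank(a["severity"]) >= floor]
    return sorted(picked, key=lambda a: -severity_rank(a["severity"]))


def alerts_by_sensor_and_protocol(alerts):
    """'Alerts by Sensor Name by Protocol': sensor -> {L7 protocol: count}."""
    table = defaultdict(Counter)
    for a in alerts:
        table[a["sensor"]][a["l7_protocol"]] += 1
    return {sensor: dict(c) for sensor, c in table.items()}


def top_impacted_ips(alerts, n=15, role="any"):
    """'Alert Types by IP' (role='any': source and/or destination) or
    'Alert Types by Source IP' (role='source'). Each alert counts once per
    distinct IP it involves, so an alert with src == dst is not double-counted."""
    counts = Counter()
    for a in alerts:
        ips = {a["src_ip"]} if role == "source" else {a["src_ip"], a["dst_ip"]}
        counts.update(ips)
    # Deterministic ordering: most alerts first, ties broken by address.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print(alerts_by_severity(SAMPLE_ALERTS))
    print(alerts_by_sensor_and_protocol(SAMPLE_ALERTS))
    print(top_impacted_ips(SAMPLE_ALERTS, n=3))
```

The severity buckets are pre-seeded so that a dashboard panel never silently omits a level, and severities are normalised before ranking, since a feed that emits "medium" and "Medium" would otherwise split one level into two.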

Forescout Asset Inventory Dashboard

Overarching question answered:

Are there any unexpected changes in my network? The Asset Inventory Dashboard lets analysts access high-value device information and context to better identify unexpected changes in the network, prioritize investigations, and quickly acknowledge new assets, communication patterns, or protocols seen within the network to help the asset inventory and maintenance processes.

Subquestions:

Is there any new device or relevant change in my network? The “Assets – Added to Inventory” widget displays the list of assets seen by eyeInspect, listing IP, MAC Address(es), Vendor/Model, Firmware version and Hardware version. In addition, the “Assets with Modules – Added to Inventory” widget shows if new backplane modules have been added to PLCs.

Is there any new communication I’ve never seen? The “Links - Last Seen 20” widget displays the last 20 communication links seen on the network within the selected time interval.

Are there any network connectivity issues? The “Failed Connections” widget displays failed connections seen within the network that may indicate connectivity problems.

Did some asset go offline? Or are my assets attempting to communicate with unknown assets? The “Ghost Nodes” widget displays ghost assets, i.e. assets receiving network requests but never responding.

Is someone using insecure protocols like TELNET, or uncommon protocols for OT like DHCP? The “TELNET Protocol Used” and “DHCP Protocol Used” widgets help the user to identify the usage of these protocols.
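The inventory widgets above can be expressed as rules over communication link records. The Python below is an added illustration rather than code from the app or from Forescout; it works on constructed link records (source, destination, port, L7 protocol, timestamp, and whether a response was ever observed), which is an assumed layout and not the eyeInspect data model. It implements the “Ghost Nodes” rule as described (a destination that receives requests but never responds), the “Failed Connections” and “Links - Last Seen” views, and the TELNET/DHCP usage check generalised to any watch list of protocols.

```python
from collections import defaultdict

# Constructed sample links; one record per observed request, newest last.
SAMPLE_LINKS = [
    {"ts": 1, "src": "10.0.1.10", "dst": "10.0.2.20", "dst_port": 502,   "protocol": "Modbus/TCP",  "response_seen": True},
    {"ts": 2, "src": "10.0.1.10", "dst": "10.0.2.99", "dst_port": 502,   "protocol": "Modbus/TCP",  "response_seen": False},
    {"ts": 3, "src": "10.0.1.11", "dst": "10.0.2.99", "dst_port": 502,   "protocol": "Modbus/TCP",  "response_seen": False},
    {"ts": 4, "src": "10.0.3.5",  "dst": "10.0.2.20", "dst_port": 23,    "protocol": "TELNET",      "response_seen": True},
    {"ts": 5, "src": "10.0.3.6",  "dst": "10.0.2.20", "dst_port": 502,   "protocol": "Modbus/TCP",  "response_seen": False},
    {"ts": 6, "src": "10.0.3.7",  "dst": "10.0.3.1",  "dst_port": 67,    "protocol": "DHCP",        "response_seen": True},
    {"ts": 7, "src": "10.0.2.20", "dst": "10.0.1.10", "dst_port": 44818, "protocol": "EtherNet/IP", "response_seen": True},
]


def ghost_nodes(links):
    """'Ghost Nodes': addresses that are only ever a destination and for which no
    request ever drew a response. A host that answered even once is not a ghost,
    even if other requests to it failed (those are failed connections instead)."""
    talkers = {l["src"] for l in links}
    responded = {l["dst"] for l in links if l["response_seen"]}
    targets = {l["dst"] for l in links}
    return sorted(targets - talkers - responded)


def failed_connections(links):
    """'Failed Connections': requests that never received a response."""
    return [(l["src"], l["dst"], l["dst_port"]) for l in links if not l["response_seen"]]


def last_seen_links(links, n=20):
    """'Links - Last Seen N': the most recently seen distinct (src, dst, port, protocol) tuples."""
    latest = {}
    for l in links:
        key = (l["src"], l["dst"], l["dst_port"], l["protocol"])
        latest[key] = max(latest.get(key, l["ts"]), l["ts"])
    ordered = sorted(latest.items(), key=lambda kv: kv[1], reverse=True)
    return [key for key, _ in ordered[:n]]


def protocol_usage(links, watched=("TELNET", "DHCP")):
    """'TELNET Protocol Used' / 'DHCP Protocol Used', generalised to any watch list:
    protocol -> sorted (src, dst) pairs observed using it."""
    seen = defaultdict(set)
    for l in links:
        if l["protocol"] in watched:
            seen[l["protocol"]].add((l["src"], l["dst"]))
    return {p: sorted(pairs) for p, pairs in seen.items()}


if __name__ == "__main__":
    print("ghost nodes:", ghost_nodes(SAMPLE_LINKS))
    print("failed:", failed_connections(SAMPLE_LINKS))
    print("last seen:", last_seen_links(SAMPLE_LINKS, n=3))
    print("watched protocols:", protocol_usage(SAMPLE_LINKS))
```

In the constructed data, 10.0.2.20 has unanswered requests but is not reported as a ghost because it answered other requests and originates traffic of its own; only 10.0.2.99 qualifies. Keeping the two views separate avoids turning every dropped connection into a phantom asset.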

Forescout Administrative Dashboard

Overarching question answered:

How is the health of my Forescout eyeInspect installation? The Administrative Dashboard provides deep insights into system health status and user activity performed on the eyeInspect appliances, to prevent system failure and detect undesired user activity.

Subquestions:

What is my eyeInspect system health status? The “Health Changes” and “Connect/Disconnect Changes” widgets display the latest health status changes of the eyeInspect components. For example, they show when sensors are at a critical memory usage level and when sensors frequently connect to and disconnect from a Command Center, enabling a quick response to issues that, if unattended, may lead to system failure.

Can I have complete accountability of the users’ behavior on eyeInspect? The “User Activity” widget shows the activity being performed by eyeInspect users, such as logins or changes to sensor configuration. The “Failed Logins” widget shows recent login attempts and failures to highlight potential breaches.
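Both the “Connect/Disconnect Changes” and the “Failed Logins” widgets become actionable when the same event repeats within a short window: a sensor that flaps repeatedly, or an account with several failed logins in a few minutes. The Python below is an added illustration, not code from the app or from Forescout; it uses one sliding-window counter for both cases and runs it over constructed health and user-activity events, whose field names, action labels and timestamps are assumptions rather than the eyeInspect event format.

```python
from collections import defaultdict

# Constructed eyeInspect-style events. Timestamps are seconds; the layouts are assumed.
HEALTH_EVENTS = [
    {"ts": 10,  "component": "sensor-a", "event": "disconnected"},
    {"ts": 20,  "component": "sensor-a", "event": "connected"},
    {"ts": 30,  "component": "sensor-a", "event": "disconnected"},
    {"ts": 40,  "component": "sensor-a", "event": "connected"},
    {"ts": 50,  "component": "sensor-a", "event": "disconnected"},
    {"ts": 100, "component": "sensor-b", "event": "disconnected"},
    {"ts": 800, "component": "sensor-b", "event": "connected"},
    {"ts": 120, "component": "sensor-a", "event": "memory_critical"},
]

USER_EVENTS = [
    {"ts": 0,    "user": "alice", "action": "login_failed",         "source_ip": "10.0.9.1"},
    {"ts": 30,   "user": "alice", "action": "login_failed",         "source_ip": "10.0.9.1"},
    {"ts": 60,   "user": "alice", "action": "login_failed",         "source_ip": "10.0.9.1"},
    {"ts": 90,   "user": "alice", "action": "login",                "source_ip": "10.0.9.1"},
    {"ts": 100,  "user": "bob",   "action": "login_failed",         "source_ip": "10.0.9.2"},
    {"ts": 150,  "user": "carol", "action": "sensor_config_change", "source_ip": "10.0.9.3"},
    {"ts": 2000, "user": "bob",   "action": "login_failed",         "source_ip": "10.0.9.2"},
    {"ts": 2100, "user": "bob",   "action": "login_failed",         "source_ip": "10.0.9.2"},
]


def max_in_window(timestamps, window):
    """Largest number of timestamps falling in any half-open interval of length `window`."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] >= window:   # slide the left edge until the span fits the window
            left += 1
        best = max(best, right - left + 1)
    return best


def bursts(events, key, matches, threshold, window):
    """Keys whose matching events reach `threshold` within `window` seconds,
    mapped to the peak count observed. Events that do not match are ignored."""
    per_key = defaultdict(list)
    for e in events:
        if matches(e):
            per_key[key(e)].append(e["ts"])
    peaks = {k: max_in_window(v, window) for k, v in per_key.items()}
    return {k: c for k, c in peaks.items() if c >= threshold}


def flapping_sensors(events, threshold=4, window=600):
    """'Connect/Disconnect Changes': components whose link state changed
    `threshold` or more times within `window` seconds."""
    return bursts(events, key=lambda e: e["component"],
                  matches=lambda e: e["event"] in ("connected", "disconnected"),
                  threshold=threshold, window=window)


def failed_login_bursts(events, threshold=3, window=300):
    """'Failed Logins': accounts with `threshold` or more failed logins within
    `window` seconds. A later successful login does not clear the signal,
    because a success after a run of failures is exactly what merits a look."""
    return bursts(events, key=lambda e: e["user"],
                  matches=lambda e: e["action"] == "login_failed",
                  threshold=threshold, window=window)


if __name__ == "__main__":
    print("flapping:", flapping_sensors(HEALTH_EVENTS))
    print("failed login bursts:", failed_login_bursts(USER_EVENTS))
```

With the constructed data, sensor-a is reported because five state changes fall inside one 600-second window, while sensor-b's two changes are 700 seconds apart and stay below the threshold; alice's three failures in 60 seconds are reported, while bob's three failures are spread over more than 300 seconds and are not. The thresholds and windows are parameters, so the same counter serves both widgets with different tuning.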

Release Notes

Version 1.0.1
Sept. 15, 2020

Fixed typo in source naming

Version 1.0.0
Aug. 7, 2020

The Forescout OT Network Security Monitoring App for Splunk enables users to act on OT/ICS threats and vulnerabilities using three intuitive Splunk dashboards. By integrating configurable alert data from Forescout eyeInspect (previously named SilentDefense) with device information and other relevant network activity, this App provides Splunk users with unparalleled contextual information required to identify threats, manage remediation workflows and secure their ICS environment.

24 Installs, 49 Downloads
