Version 1.1.0
Developed by Anthony Perez (anthony at splunk.com)
The CIS Controls app for Splunk was designed to provide a consolidated, easily-extensible framework for baseline security “best-practices” based on the Top 20 Critical Security Controls v6.1 published by the Center for Internet Security.
This app provides a data-agnostic framework that leverages Splunk tags, event types, and fields from Splunk's common information model (CIM) to easily visualize and report on these controls regardless of the size or sophistication of an organization’s security team.
This app was designed for any security team or Splunk administrator seeking pre-configured, easily extended visibility into an organization’s CIS Top 20 Critical Controls compliance - regardless of what type of data, equipment, or architecture that organization may use.
For this app to visualize your data in the context of the controls framework, the following basic prerequisites must be met:
a. Ingest data relevant to the various Critical Control families into a Splunk Enterprise (or Splunk Cloud) instance (see https://www.cisecurity.org/critical-controls/)
b. Leverage CIM-compliant Splunk Technology Add-ons (TAs), freely available on splunkbase.splunk.com, to apply the CIM tags and event types to your raw data
Examples of suitable TAs are listed below. Note that this is not a comprehensive list; any CIM-compliant TA will drive the reports and visualizations in this app.
a. https://splunkbase.splunk.com/app/2790/ (bit9 TA)
b. https://splunkbase.splunk.com/app/1640/ (bro TA)
c. https://splunkbase.splunk.com/app/1620/ (Cisco ASA TA)
d. https://splunkbase.splunk.com/app/1761/ (Cisco ESA TA)
e. https://splunkbase.splunk.com/app/1903/ (Cisco IPS TA)
f. https://splunkbase.splunk.com/app/1915/ (Cisco ISE TA)
g. https://splunkbase.splunk.com/app/1747/ (Cisco WSA TA)
h. https://splunkbase.splunk.com/app/2847/ (Juniper TA)
i. https://splunkbase.splunk.com/app/1819/ (McAfee TA)
j. https://splunkbase.splunk.com/app/1710/ (Nessus TA)
k. https://splunkbase.splunk.com/app/833/ (*nix TA)
l. https://splunkbase.splunk.com/app/742/ (Windows TA)
m. https://splunkbase.splunk.com/app/1621/ (Splunk Common Information Model (CIM) - required, since it provides the CIM data models the app searches against)
This app should be deployed on a search head that meets or exceeds the hardware specification for a dedicated search head, because of its heavy use of tags and event types (and, to a lesser degree, its high number of accelerated searches). In short, the app trades search efficiency for data- and vendor-agnostic queries via the Common Information Model.
Please reference the detailed PDF documentation available via the app navigation menu (or located at $SPLUNK_HOME/etc/apps/cis-controls-app-for-splunk/appserver/static/documentation.pdf) for detailed hardware, app configuration, and customization notes.
Changes in version 1.1.0:
Control 2:
Created workstation_list.csv
Updated Control 2 reports and dashboards to utilize the new workstation lookup
Control 4:
Updated "Control #4 - Vulnerability Severity Trend" report from 7 days to 30 days to provide better visibility into week-over-week changes
Updated Control #4 dashboard to afford wider view of the above report's data
Control 5:
Updated table header in "Control #5 - Privileged Actions/Activities (excluding auth and account creation/deletion events)" report FROM "signature" TO "system_message_(where_applicable)" to more clearly indicate a service account is conducting the activity and highlight the corresponding message
Control 7:
Updated field name used in SPL in reports FROM 'user_agent' to 'http_user_agent' to adhere to current CIM (CIM v. 4.4.0)
Control 8:
Added Ransomware Tracker threat info: Python scripts automatically download the Ransomware Tracker IP, domain, and URL blocklists and create Splunk lookup files from them
Created reports under Control #8 so users can see whether any host has had contact with ransomware indicators
Created Control #8 dashboard to provide consolidated visibility into contact with ransomware indicators
Control 12:
Updated 'Contact to known-bad destination IPs - Spamhaus DROP nets list' to only show matches against the 'known_bad' list
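The Control #8 scripts above turn downloaded blocklists into Splunk lookup files, and the Control #8 and Control #12 reports then match CIM-normalised events against those lookups. The following is an added example of that pipeline, written for this page and not taken from the app's own scripts: it parses constructed IP, domain, and CIDR-net feeds (the comment and line format is an assumption modelled on the public Ransomware Tracker and Spamhaus DROP lists), renders them as a lookup CSV, and checks CIM fields (dest_ip, dest) against exact IPs, DROP nets, and parent domains. Feed contents, event samples, and the lookup column names are constructed for illustration.

```python
"""Added example (not the app's own code): build a Splunk lookup from threat
feeds and match CIM-normalised events against it."""
import csv
import io
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample feeds. Format is an assumption modelled on the public
# blocklists: one indicator per line, '#' or ';' introduces a comment.
RANSOMWARE_IP_FEED = """\
# Ransomware Tracker IP blocklist (constructed sample)
192.0.2.10
198.51.100.7   # feeds often repeat entries
198.51.100.7
not-an-ip      # junk lines happen; they must not reach the lookup
"""
RANSOMWARE_DOMAIN_FEED = """\
# Ransomware Tracker domain blocklist (constructed sample)
Evil.Example.NET.
payload.example.org
"""
SPAMHAUS_DROP_FEED = """\
; Spamhaus DROP (constructed sample): network ; SBL reference
203.0.113.0/24 ; SBL000001
2001:db8::/32 ; SBL000002
"""
LOOKUP_FIELDS = ["indicator", "indicator_type", "source", "description"]


def _is_valid(indicator: str, indicator_type: str) -> bool:
    """Reject anything that is not a well-formed IP, network or hostname."""
    try:
        if indicator_type == "ip":
            ipaddress.ip_address(indicator)
        elif indicator_type == "net":
            ipaddress.ip_network(indicator, strict=False)
        else:  # domain: dotted labels of letters, digits and hyphens
            return "." in indicator and all(
                lbl and lbl.replace("-", "").isalnum() for lbl in indicator.split("."))
        return True
    except ValueError:
        return False


def parse_feed(text: str, indicator_type: str, source: str) -> List[Dict[str, str]]:
    """One feed -> lookup rows; skips comments, blanks, junk and duplicates."""
    rows: List[Dict[str, str]] = []
    seen = set()
    for raw in text.splitlines():
        line, note = raw, ""
        for sep in ("#", ";"):  # keep the trailing comment as a description
            if sep in line:
                line, note = line.split(sep, 1)
                break
        # domains are case-insensitive; drop a trailing FQDN dot so lookups match
        indicator = line.strip().lower().rstrip(".")
        if not indicator or indicator in seen or not _is_valid(indicator, indicator_type):
            continue
        seen.add(indicator)
        rows.append({"indicator": indicator, "indicator_type": indicator_type,
                     "source": source, "description": note.strip()})
    return rows


def build_lookup_rows() -> List[Dict[str, str]]:
    return (parse_feed(RANSOMWARE_IP_FEED, "ip", "ransomware_tracker")
            + parse_feed(RANSOMWARE_DOMAIN_FEED, "domain", "ransomware_tracker")
            + parse_feed(SPAMHAUS_DROP_FEED, "net", "spamhaus_drop"))


def lookup_csv(rows: Iterable[Dict[str, str]]) -> str:
    """Render rows as the header-first CSV Splunk expects under lookups/."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed events already normalised to CIM field names (src_ip, dest_ip,
# dest, action), i.e. what a CIM-compliant TA produces from raw logs.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest": "198.51.100.7", "action": "allowed"},
    {"src_ip": "10.0.0.9", "dest_ip": "203.0.113.77", "dest": "203.0.113.77", "action": "allowed"},
    {"src_ip": "10.0.0.12", "dest_ip": "93.184.216.34", "dest": "www.example.com", "action": "allowed"},
    {"src_ip": "10.0.0.3", "dest_ip": "192.0.2.99", "dest": "cdn.evil.example.net", "action": "blocked"},
]


def _match_one(ev: dict, ips: dict, domains: dict, nets: list) -> Optional[Dict[str, str]]:
    dest_ip = ev.get("dest_ip", "")
    if dest_ip in ips:                      # exact IP indicator
        return ips[dest_ip]
    try:
        addr = ipaddress.ip_address(dest_ip)
        for net, row in nets:               # CIDR containment (DROP nets)
            if addr.version == net.version and addr in net:
                return row
    except ValueError:
        pass  # dest_ip missing or unparsable: fall through to the hostname check
    labels = ev.get("dest", "").lower().rstrip(".").split(".")
    for i in range(len(labels)):            # subdomain of a blocked domain counts
        row = domains.get(".".join(labels[i:]))
        if row is not None:
            return row
    return None


def find_contacts(events: Iterable[dict], rows: Iterable[Dict[str, str]]) -> List[Tuple[dict, Dict[str, str]]]:
    """Return (event, matching lookup row) for every event that touched an indicator."""
    rows = list(rows)
    ips = {r["indicator"]: r for r in rows if r["indicator_type"] == "ip"}
    domains = {r["indicator"]: r for r in rows if r["indicator_type"] == "domain"}
    nets = [(ipaddress.ip_network(r["indicator"], strict=False), r)
            for r in rows if r["indicator_type"] == "net"]
    hits = []
    for ev in events:
        hit = _match_one(ev, ips, domains, nets)
        if hit is not None:
            hits.append((ev, hit))
    return hits


if __name__ == "__main__":
    lookup = build_lookup_rows()
    print(lookup_csv(lookup))
    for ev, row in find_contacts(SAMPLE_EVENTS, lookup):
        print(f"{ev['src_ip']} -> {ev['dest']} matched {row['indicator']} ({row['source']})")
```

Two details matter in practice: invalid or duplicated feed lines are dropped before they reach the lookup (a junk row in a lookup that drives alerts produces noise or silently matches nothing), and matching is done on the CIM fields rather than on vendor-specific ones, which is why the field-name changes noted under Control 7 and Control 15 affect the reports.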
Control 15:
Updated SPL to reference a field for 'action' versus a tag
App Dependencies:
Updated in-app documentation to clearly call out that the current version of Splunk's Common Information Model add-on is a prerequisite installation since it contains the current CIM data models, etc.: https://splunkbase.splunk.com/app/1621/
Hardware Resources:
Lower system resource requirements for systems running Splunk Enterprise version 6.4 and higher
The app should perform acceptably on a 12-CPU-core, 12 GB RAM search head with low search concurrency
Threat Info Scripts:
Updated all scripts to specify HTTPS vs. HTTP for threat info downloads
Removed legacy bash scripts - all python for this iteration