Author | BAI |
App Version | 1.0.2 |
App Build | 37 |
Has index-time operations | false |
Creates an index | false |
Implements summarization | Currently, the app does not generate summaries |
Data Models | This App makes use of Data Models, and expects them to be accelerated. |
About this App
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download Campus Compliance Toolkit for NIST 800-171 at https://splunkbase.splunk.com/app/3828/.
This app requires the Splunk Common Information Model (CIM) Add-on to be installed. For information regarding the installation of the CIM Add-on, please see the Splunk Common Information Model Add-on documentation.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
Using Data Model Acceleration with this App is not required, but it is highly recommended (and is the default) for performance reasons. See the Data Models section for more information about which data models should be accelerated.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it. This documentation can be found here: Data Model Summary Size On Disk.
This app is designed to assist organizations with reaching compliance with the NIST 800-171 standards. Where Splunk can be applied to these standards, dashboards have been created using the Common Information Model for normalizing event data. This means that for the app to provide dashboard results, your data must be properly onboarded, and have the appropriate tags to be consumed by the data model. See the Data Model Acceleration section of the documentation for more information, as well as the table for individual controls.
This app uses the following Data Models:
The following macros can be used to configure the app.
Contains the name of the lookup which states which ports are considered allowed for reports.
Contains a search pattern which returns the indexers for the environment.
Contains a search pattern which returns the search heads for the environment.
Contains the time span, in seconds, after which an account is considered inactive. Defaults to 31536000 seconds (one year).
Returns a search pattern which indicates which traffic is considered internal traffic. Takes one argument: the name of the field being compared (src, dest, src_ip, dest_ip).
Contains the time span, in seconds, which is considered the review period for the control dashboards in the application. Defaults to 172800 seconds (two days).
Used to control how the tstats command is called within the application when the prestats option is used.
Contains the definition of a lookup which contains the list of users considered privileged in the environment.
Contains the time span, in seconds, within which systems are expected to synchronize time. Defaults to 86400 seconds (one day).
Used to control how the tstats command is called within the application when the prestats option is not used.
The following lookups can be used to configure the app.
File name: cc_allowed_ports.csv
This lookup is used for controlling which network ports are considered allowed when viewing reports. The dvc field is wild-carded to allow for the creation of allowed ports across multiple devices.
File name: cc_allowed_processes.csv
This lookup is used for controlling which processes are considered allowed when viewing reports. The dest field is wild-carded to allow for whitelisting processes across multiple destinations.
File name: cc_priv_users.csv
A list of users which are considered privileged users in the applicable environment.
File name: cc_splunk_data_controls.csv
A lookup which allows for the control of data sources which are considered missing. The index, host, and sourcetype fields are wild-carded.
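The two wild-carded lookups above work the same way: a row whose wild-carded field is `*` applies to every device (or destination), while a literal value applies to exactly one. The following added example, which is not part of the app, shows that matching behaviour for an allowed-ports lookup in the shape of cc_allowed_ports.csv. Only the dvc column is documented on this page; the dest_port and transport columns, the lookup rows and the sample events are constructed for the example.

```python
"""Wildcard-aware allowed-port matching modelled on the cc_allowed_ports.csv lookup.

Added example, not part of the app. The app documents that the dvc field of
the lookup is wild-carded; the dest_port and transport columns below are an
assumption about the lookup's layout, and the rows and events are constructed.
"""
import csv
import io
import re

# Constructed lookup content. "*" in dvc applies the row to every device,
# mirroring the documented wild-carded dvc field; the other columns are assumed.
ALLOWED_PORTS_CSV = """dvc,dest_port,transport
*,443,tcp
*,53,udp
web-*,80,tcp
mail01,25,tcp
"""


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk-style wildcard ('*' matches any run of characters)
    into an anchored regular expression; every other character is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def load_allowed_ports(csv_text: str) -> list:
    """Parse the lookup and pre-compile the dvc wildcard of each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "dvc": wildcard_to_regex(row["dvc"]),
            "dest_port": int(row["dest_port"]),
            "transport": row["transport"].lower(),
        })
    return rows


def is_allowed(event: dict, allowed: list) -> bool:
    """True if at least one lookup row matches the event's dvc, dest_port and transport."""
    for row in allowed:
        if (row["dvc"].match(event["dvc"])
                and row["dest_port"] == int(event["dest_port"])
                and row["transport"] == event["transport"].lower()):
            return True
    return False


def unexpected_ports(events: list, allowed: list) -> list:
    """Return the events whose destination port is not on the allowed list,
    i.e. what a report panel built on this lookup would surface for review."""
    return [e for e in events if not is_allowed(e, allowed)]


# Constructed Network_Traffic-style events.
SAMPLE_EVENTS = [
    {"dvc": "fw-edge-1", "dest_port": 443, "transport": "tcp"},
    {"dvc": "web-prod-3", "dest_port": 80, "transport": "tcp"},
    {"dvc": "db-1", "dest_port": 80, "transport": "tcp"},       # web-* does not cover db-1
    {"dvc": "mail01", "dest_port": 25, "transport": "tcp"},
    {"dvc": "mail02", "dest_port": 25, "transport": "tcp"},     # literal dvc row, different host
    {"dvc": "fw-edge-1", "dest_port": 53, "transport": "tcp"},  # 53 is only allowed over udp
]

if __name__ == "__main__":
    allowed_rows = load_allowed_ports(ALLOWED_PORTS_CSV)
    for event in unexpected_ports(SAMPLE_EVENTS, allowed_rows):
        print("not allowed:", event)
```

The point to take from the sample rows is that a wildcard narrows only the column it sits in: `web-*` on port 80 still leaves `db-1` on port 80 flagged, and a literal `mail01` row says nothing about `mail02`, so hosts that should share a rule need either a shared naming prefix or a `*` row.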
Data model: Authentication
Data model: Authentication
Data model: Authentication
Data model: Authentication, Change_Analysis
Data model: Network_Sessions
This dashboard can be used to provide links to additional Splunk apps which may contain relevant information. By default this provides a link to the Splunk App for AWS.
The CIM does not currently contain a model for these events. Events to populate this dashboard should be tagged with the following tags:
Eventtypes and tags have been included for Windows and Linux USB storage insertions.
Provides an overview of Splunk index retention settings and results.
Data model: Change_Analysis
Data model: Splunk_Audit
Provides a report on the last time the relevant dashboards in the app were viewed, and if they need to be reviewed again.
Data model: Change_Analysis
Uses Splunk's _internal index.
Data model: Authentication, Network_Traffic, Vulnerabilities, Malware, Intrusion_Detection
Provides a link to the Search and Reporting app.
Data model: Performance, Application_State
Uses REST commands to gather information on Splunk users.
Uses REST commands to gather information on Splunk users.
Data model: Application_State
Data model: Network_Traffic
Data model: Application_State
Data model: Application_State
Software installation is not covered by the current version of the CIM. The panels will display events tagged with the following tags:
tag=installation tag=software
Eventtypes and tags for Windows (MSI) installations have been included in this app.
Data model: Authentication
The CIM does not currently contain a model for these events. Events to populate this dashboard should be tagged with the following tags:
Eventtypes and tags have been included for Windows and Linux USB storage insertions.
Data model: Vulnerabilities
Data model: Vulnerabilities
To effectively drive this dashboard, Vulnerability events should have the following knowledge objects:
Knowledge Object | Value/Name | Type |
---|---|---|
tag | campus_compliance | N/A |
tag | vulnerability | N/A |
field | is_mitigated | true/false |
field | first_seen | epoch time |
field | last_seen | epoch time |
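Events that are missing one of these knowledge objects, or that carry them in the wrong form (an ISO timestamp instead of epoch seconds, a "yes" instead of true/false), silently drop out of the dashboard rather than failing loudly. The following added example, which is not part of the app, checks a batch of vulnerability events against the table above so that onboarding problems can be found before the data model is accelerated. The events and their signature_id values are constructed for the example.

```python
"""Check vulnerability events against the knowledge-object contract the
dashboard expects: tags campus_compliance and vulnerability, is_mitigated as
true/false, and first_seen / last_seen as epoch time.

Added example, not part of the app. The app's dashboards read these objects
through the Vulnerabilities data model; this checker only reports events that
would not populate them correctly. All sample events are constructed.
"""

REQUIRED_TAGS = {"campus_compliance", "vulnerability"}
EPOCH_FIELDS = ("first_seen", "last_seen")
BOOL_VALUES = {"true", "false"}
MAX_EPOCH_SECONDS = 4102444800  # 2100-01-01 UTC; anything larger is almost certainly milliseconds


def _is_epoch(value) -> bool:
    """Accept seconds since the epoch as a number or numeric string; reject
    ISO strings, empty values and millisecond-scale numbers."""
    try:
        ts = float(value)
    except (TypeError, ValueError):
        return False
    return 0 < ts < MAX_EPOCH_SECONDS


def validate_vuln_event(event: dict) -> list:
    """Return a list of problems; an empty list means the event carries every
    knowledge object in the expected form."""
    problems = []

    tags = event.get("tag", [])
    if isinstance(tags, str):          # Splunk's tag field is multivalue; tolerate a single string
        tags = [tags]
    missing = REQUIRED_TAGS - set(tags)
    if missing:
        problems.append("missing tag(s): " + ", ".join(sorted(missing)))

    mitigated = str(event.get("is_mitigated", "")).lower()
    if mitigated not in BOOL_VALUES:
        problems.append("is_mitigated must be true/false, got %r" % event.get("is_mitigated"))

    for field in EPOCH_FIELDS:
        if field not in event:
            problems.append("missing field: " + field)
        elif not _is_epoch(event[field]):
            problems.append("%s is not epoch seconds: %r" % (field, event[field]))

    # Only compare the two timestamps once both are known to be epoch seconds.
    if all(_is_epoch(event.get(f)) for f in EPOCH_FIELDS):
        if float(event["first_seen"]) > float(event["last_seen"]):
            problems.append("first_seen is later than last_seen")
    return problems


def validate_batch(events: list) -> dict:
    """Map each offending event's signature_id (or list index) to its problems."""
    report = {}
    for idx, event in enumerate(events):
        problems = validate_vuln_event(event)
        if problems:
            report[event.get("signature_id", idx)] = problems
    return report


# Constructed vulnerability events; only the first one is fully compliant.
SAMPLE_EVENTS = [
    {"signature_id": "VULN-1", "tag": ["campus_compliance", "vulnerability"],
     "is_mitigated": "false", "first_seen": 1514764800, "last_seen": 1517356800},
    {"signature_id": "VULN-2", "tag": ["vulnerability"],
     "is_mitigated": "false", "first_seen": 1514764800, "last_seen": 1517356800},
    {"signature_id": "VULN-3", "tag": ["campus_compliance", "vulnerability"],
     "is_mitigated": "yes", "first_seen": "2018-01-01T00:00:00Z", "last_seen": 1517356800},
    {"signature_id": "VULN-4", "tag": ["campus_compliance", "vulnerability"],
     "is_mitigated": "true", "first_seen": 1517356800000, "last_seen": 1517356800},
]

if __name__ == "__main__":
    for sig, problems in validate_batch(SAMPLE_EVENTS).items():
        print(sig, "->", "; ".join(problems))
```

Run against an export of a few hundred real events before enabling acceleration: a scanner that emits millisecond timestamps or a "yes"/"no" mitigation flag will show up here as a whole-source pattern, which is cheaper to fix in the field extraction than after the summaries have been built.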
3.11.3 Knowledge Objects
Pending
Data model: Network_Traffic
Data model: Web
Data model: Updates, Application_State
Data model: Intrusion_Detection, Malware
Data model: Malware.Malware_Operations
Data model: Malware
Data model: Network_Traffic
Pending
Version 1.0.2 of Campus Compliance Toolkit for NIST 800-171 is compatible with:
Splunk Enterprise versions | 6.6, 7.0 |
Platforms | Splunk Enterprise |
Compatibility
Version 1.0.2 of Campus Compliance Toolkit for NIST 800-171 has the following known issues:
No event generator is shipped with this app.
Access questions and answers specific to Campus Compliance Toolkit for NIST 800-171 at https://answers.splunk.com. Be sure to tag your question with the App.
This app has been released under the GNU General Public License, Version 2. Please see the included license.txt for more details.
Version 1.0.2 of Campus Compliance Toolkit for NIST 800-171 incorporates the following Third-party software or third-party services.
See internal README for full list.