Accedian Skylight powered Security
Overview
Details
Gain full security visibility, including north-south and east-west visibility (server to server communication) across all networks, with Accedian Skylight—behaviour-based intrusion detection for today's hybrid environments. This ready-to-use solution, developed specifically for security analytics team, is simple to use, quick to get started, and aimed at helping you focus on what's important so that your time is spent as effectively as possible.
List of Required Apps:
TA Accedian Skylight powered Security https://splunkbase.splunk.com/app/4702/
Lookup File Editor https://splunkbase.splunk.com/app/1724/
Sankey Diagram - Custom Visualization https://splunkbase.splunk.com/app/3112/
Punchcard - Custom Visualization https://splunkbase.splunk.com/app/3129/
Parallel Coordinates - Custom Visualization https://splunkbase.splunk.com/app/3137/
Force Directed App For Splunk https://splunkbase.splunk.com/app/3767/
Splunk Common Information Model (CIM) https://splunkbase.splunk.com/app/1621/
URL Toolbox https://splunkbase.splunk.com/app/2734/
Installation Manual:
Accedian Skylight powered Security Installation Manual for Splunk: https://accedian.com/wp-content/uploads/2020/02/Accedian-Skylight-powered-Security-app-for-Splunk-Installation-manual-v-1.0.6_.pdf
The following features are included in the Skylight powered Security app:
- Visibility of your entire operational environment on the incident posture dashboard available in seconds
- Alerts sent to your preferred messenger(s) with minimal false-positive rates
- Built-in threat intelligence monitoring, plus custom TI feeds
- Enriched user and host context associated with each alert
- Suggested next investigation steps to help you decide if an issue is a true threat and to get to the bottom of it quickly
- Ability to review and adjust incident urgency to improve operations scheduling
- Complete visibility for issue status – new, in progress and resolved
- On-premises and cloud deployment available
- 10+ Gb/s monitoring throughput
- Well-suited and scalable for telecom, large enterprise and distributed physical and virtual networks (SDNs)
- Long-term retention of forensic quality source data including 100% of application security protocol transactions at 1 minute reporting interval (detailed granularity with easy to select time frame options)
Release Notes
Version 1.3.3
Version 1.3.2
- Minor changes in License Validation functionality
Version 1.3.1
- Added compatibility with Windows
Version 1.3.0
- Created a new data model for Alert Manager
- Improved performance of Alert Manager
- Implemented Splunk Licensing Safeguard
- Implemented PoC and Full Modes
- Fixed bugs
Added new security detections:
- SMB share scanning detection
- SMB file enumeration
Improved security detections:
- DNS tunneling
- Web traffic to Dynamic DNS providers
- Protocols or Port mismatch
- VPN traffic
- SQL injection
- Weak encryption
Adjusted throttle of security detections:
- Connection to the host from the high risky country
- Detect Web traffic to dynamic domain providers
- Internal hosts Query to non-corporate DNS
- Outbound SMB Traffic
- Possible Empire Powershell HTTP beacon communication
- Prohibited Network traffic Allowed
- Protocol or port mismatch
- Scanner's User-Agents
- VPN Traffic
Version 1.2.2
- Fixed SMB delete and SMB share scanning detections
- Fixed DGA ML detection
- Changed default schedule for alerts
Added new detection:
- Suspicious DCE/RPC
- Suspicious Named pipes
- Executable Read/Write to admin share
- Cobalt strike SMB beacon
- SMB beaconing by time
- SMB beaconing by size
- HTTP beaconing by size
- DNS beaconing by time
- Threat Activity detected(Connection to malicious IP address)
- Threat Activity detected(Connection to malicious Domain)
Beaconing detection by time changes:
- Begin time used instead of default time
- Time in event changed from 'lastTime' to 'First time'
Version 1.2.1
- Improved Skylight Sensors indicator.
- Improved Network Graph Connection dashboard.
- Fixed some bugs.
- Updated Data Exfiltration alert.
- Added new alert: Empire detection.
Version 1.2.0
Version 1.1.1
- Improved whitelist functionality.
- Added asset inventory
- Added multi-site support
- Fixed bugs
Version 1.1.0
- Improved Dashobards efficiency using Data Model acceleration.
- Improved Alerts efficiency using Data Model acceleration.
- Improved whitelist functionality.
- Fixed bugs.
Version 1.0.6
Version 1.0.5
Version 1.0.4
-New and improved detection scenarios;
-Added detailed cipher info into SSl Activity dashboard;
-Possibility to change the status for several tickets;
-Added white list functionality for alerts;
-Added Skylight sensor connection indicator;
-Fixed bugs.