The Splunk for OT Security app requires Splunk Enterprise Security.
This app uses the Common Information Model app and ES's Asset and Identity Framework to identify threats specific to the OT environment. It also ships two data models for extended asset information, covering hardware and software, and for integration with partner technologies.
Components of this solution include:
Full documentation on the OT Security Add-on for Splunk can be found below (including how to install and configure the Add-on):
Documentation
Fixed a missing metadata folder that prevented the navigation menu from showing
Added baseline templating
Added a Data Source Integration dashboard to help identify gaps in data or misconfigurations
Added UDF versions of the XML dashboards
The latest edition adds several key features to help you move beyond the perimeter and beyond monitoring your OT infrastructure, along with improved integration with security frameworks. Specifically, this update includes:
4 Additional Dashboards focused around Perimeter Security (Monitoring, Auditing, Remote Access, and Traffic Analysis)
5 Additional Reports focused around Perimeter Security
10+ Additional KSI searches
5 Additional Correlation Searches
Added integration with Vulnerabilities Data Model
Added various macros to allow easier customization of dashboards and content
Added a lookup to standardize asset types and their names, customizable to the products and user environment
Added asset and user filters to NERC CIP content dashboards
Added dashboard content around logical ports and services
Added additional documentation on integrating partner technologies into the OT Security Add-on
Updates to the MITRE ATT&CK for ICS correlation searches for improved integration
Updates for Enterprise Security 6.6 to support new ES features such as Risk-Based Alerting
Fixed the missing Operational Security navigation menu
Added site and system filtering for OT Security dashboards
Added 4 new MITRE ICS rule detections
Added rules for integration with third-party OT security solutions
Reviewed and updated existing correlation rules
CIP 006 Dashboards and Reporting Added
CIP 007 Dashboards and Reporting Added
CIP 008 Dashboards and Reporting Added
CIP 009 Dashboards and Reporting Added
Added Splunk Cloud compatibility
Added Dashboard - OT Controls: Network North South Traffic Analysis
Added Dashboard - OT Controls: Network & System Access
Added NERC CIP 004 Dashboards
Incremental updates on existing dashboards and correlation searches