diff --git a/docs/assets/data_source_macros.png b/docs/assets/data_source_macros.png index 020c97e8..779d48cb 100644 Binary files a/docs/assets/data_source_macros.png and b/docs/assets/data_source_macros.png differ diff --git a/docs/assets/honeydb_config.png b/docs/assets/honeydb_config.png deleted file mode 100644 index 124649d2..00000000 Binary files a/docs/assets/honeydb_config.png and /dev/null differ diff --git a/docs/assets/malicious_ip.png b/docs/assets/malicious_ip.png deleted file mode 100644 index ceb0a7c3..00000000 Binary files a/docs/assets/malicious_ip.png and /dev/null differ diff --git a/docs/assets/malicious_ip_collector_config.png b/docs/assets/malicious_ip_collector_config.png deleted file mode 100644 index f1ea0b0a..00000000 Binary files a/docs/assets/malicious_ip_collector_config.png and /dev/null differ diff --git a/docs/assets/malicious_ip_lookupgen_search.png b/docs/assets/malicious_ip_lookupgen_search.png deleted file mode 100644 index 7c338bf2..00000000 Binary files a/docs/assets/malicious_ip_lookupgen_search.png and /dev/null differ diff --git a/docs/assets/other_macros.png b/docs/assets/other_macros.png deleted file mode 100644 index 422f8522..00000000 Binary files a/docs/assets/other_macros.png and /dev/null differ diff --git a/docs/data_onboarding/network_devices/f5_bigip.md b/docs/data_onboarding/network_devices/f5_bigip.md new file mode 100644 index 00000000..9f99c952 --- /dev/null +++ b/docs/data_onboarding/network_devices/f5_bigip.md 
@@ -0,0 +1,33 @@ +--- +layout: default +title: F5 BIGIP +permalink: /data_onboarding/network_devices/f5_bigip/ +nav_order: 6 +parent: Network Devices +grand_parent: Data Onboarding +--- + +## **F5 BIGIP Data** + +The **Splunk Add-on for F5 BIG-IP** addon is required to collect the F5 BIGIP ASM logs. + +Splunkbase Download: +[https://splunkbase.splunk.com/app/2680/](https://splunkbase.splunk.com/app/2680/) + +Installation Guide: +[https://splunkbase.splunk.com/app/2680/#/details](https://splunkbase.splunk.com/app/2680/#/details) + + +## How to Install and Configure the Palo Alto Add-on: + +1. Install the Add-on on the Heavy Forwarder. + +2. Configure the Add-on on the Heavy Forwarder. + * Getting data into Splunk [https://splunk.paloaltonetworks.com/getting-data-in.html](https://splunk.paloaltonetworks.com/getting-data-in.html). + * Create an index named **f5** or update the macro definition in Cyences' configuration page. + +3. Install the Add-on on the Search Head. + +## Estimated Data Size + +[comment]: <> (TODO_LATER: add estimated data size) \ No newline at end of file diff --git a/docs/index.md b/docs/index.md index 9a322008..58d9b73b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -56,6 +56,7 @@ By default, the Cyences app provides a multitude of alerts and dashboards in the * Palo Alto Networks * Sophos Firewall * Cisco Meraki + * F5 BIGIP * Ransomware @@ -79,7 +80,6 @@ Apart from alerts and dashboards, the Cyences App also integrates with some othe * Intelligence * Device Inventory Table * User Inventory Table -* Globally Detected Malicious IPs How does the Cyences app differentiate itself from Enterprise Security? diff --git a/docs/install_configure/configuration.md b/docs/install_configure/configuration.md index dbc98416..4945f02e 100644 --- a/docs/install_configure/configuration.md +++ b/docs/install_configure/configuration.md 
@@ -25,12 +25,14 @@ For optimal performance, it is recommended to enable the data model acceleration ## Products Setup (Data Source Macros) -Users can use the Products Setup page to customize the dashboards they want to see/hide and the alerts they want to enable/disable. There is a toggle button on the configuration page on each product page to do that. Users can enable or disable it. Showing status as "Unknown" means it's enabled and dashboards are visible. It's recommended to move toggle it to either "Enabled" or "Disabled" status. +Users can use the Products Setup page to customize the dashboards they want to see/hide, overview page panels to show/hide and the alerts they want to enable/disable. There is a toggle button on the configuration page on each product page to do that. Users can enable or disable it. Showing status as "Unknown" means it's enabled and dashboards are visible. It's recommended to move toggle it to either "Enabled" or "Disabled" status. The Products Setup page allows you to see if the data-source configuration (index macro) is accurate and if your Splunk environment has data for it or not and modify the configuration if required. Navigate to **Cyences Settings > Cyences App Configuration** and **Products Setup** section where you can view and update several macro definitions. Verify that the macro definitions match the data source (index) used in your Splunk environment. +Also, **App Dependencies** table shows you the product specific dependent app installation status, enabled/disabled status if it's installed and app installation link information. + ![alt]({{ site.baseurl }}/assets/data_source_macros.png) ## Macro Setup 
@@ -40,53 +42,7 @@ Navigate to **Cyences Settings > Cyences App Configuration > Macro Setup** where ![alt]({{ site.baseurl }}/assets/other_macros.png) -## Honey DB Configuration - -We are using an IP block list from HoneyDB to detect malicious IP addresses coming in and out of the firewall. HoneyDB is a paid service that is used to obtain the list of blocked hosts/IPs. We are using API calls to get the most recent lists and then we correlate it with firewall logs. - -A scheduled saved search is used to update the blocklist every two hours. Internally, the search query uses custom commands to make API calls to HoneyDB's API to update the blocked list lookup. - -### Configuration of API and Secret Key for HoneyDB - -The Splunk user has to add the API ID and API key to make HoneyDB API calls to retrieve the blocked IP list. Follow these steps to update the API ID and API key for the Cyences App: - -1. Navigate to the Cyences app and from the navigation bar go to **Cyences Settings > Cyences App Configuration**. - -2. On the left panel of the dashboard there is a section for **HoneyDB Configuration** - -3. Update the **API ID** and **API Key** for the HoneyDB API. - -![alt]({{ site.baseurl }}/assets/honeydb_config.png) - - -## Configuration of Malicious IP Collector Server - -The Splunk user has to add the API URL and Auth token to make API calls to Cyences Malicious IP List server to create malicious IP list and retrieve the latest malicious IP list from the server. Follow these steps to update the same for the Cyences App: - -1. Navigate to the Cyences app and from the navigation bar go to **Cyences Settings > Cyences App Configuration**. - -2. On the left panel of the dashboard there is a section for **MaliciousIP Collector Configuration**. - -3. Update the **API URL** and **Auth Token** for the Cyences Server API. 
- -![alt]({{ site.baseurl }}/assets/malicious_ip_collector_config.png) - -**Note:** Contact the CrossRealms Cyences team to get API URL and Authentication Token. - -How to test whether the configuration is functioning correctly? - -Run the search below and it should return events with no errors: - - | maliciousiplookupgen update_lookup=False generate_events=True - -![alt]({{ site.baseurl }}/assets/malicious_ip_lookupgen_search.png) - - -## Sophos Central API Endpoints Configuration - -Refer to the [Data Onboarding > Sophos Central Metadata through API]({{ site.baseurl }}/data_onboarding/antivirus_antimalware/sophos_endpoint_protection/#sophos-central-metadata-through-api) section for more information. - - + ## Cyences Email Settings for Alerts The way Splunk currently handles alerts, users are only able to set up email notifications, which is not always optimal as some alerts may generate a lot of false positives. Not every alert needs to be received by email, especially those labeled with lower severity levels. diff --git a/docs/install_configure/installation.md b/docs/install_configure/installation.md index f4d3e84f..b6d1fffe 100644 --- a/docs/install_configure/installation.md +++ b/docs/install_configure/installation.md 
@@ -34,7 +34,6 @@ There are dependent apps which also need to be installed on the Search Head alon |--------|--------|-------------| | ES Content Update App | [https://splunkbase.splunk.com/app/3449](https://splunkbase.splunk.com/app/3449) | For some lookups | Splunk Common Information Model (CIM) | [https://splunkbase.splunk.com/app/1621/](https://splunkbase.splunk.com/app/1621/) | For data models -| Splunk Add-on for RWI - Executive Dashboard | [https://splunkbase.splunk.com/app/5063/](https://splunkbase.splunk.com/app/5063/) | For field extraction (VPN data) | Flow Map Viz | [https://splunkbase.splunk.com/app/4657](https://splunkbase.splunk.com/app/4657) | For internal network traffic visualization | * Note - Additional add-ons are necessary depending on the data present in your Splunk environment. For example, if there is Windows data present, then you need to install and configure the Splunk Add-on for Windows. Please visit the Data Onboarding section for more information. diff --git a/docs/release_notes/release_notes.md b/docs/release_notes/release_notes.md index 8de75962..b9713852 100644 --- a/docs/release_notes/release_notes.md +++ b/docs/release_notes/release_notes.md 
@@ -25,19 +25,19 @@ has_children: true * Added new dashboard named **F5 BIGIP ASM**. * Added new alert named **F5 BIGIP - Not Blocked Attacks**. -* Added new alerts for the Sophos Firewall: +* Added new alerts for the **Sophos Firewall**: * Sophos Firewall - Lost Connection to Sophos Central * Sophos Firewall - VPN Tunnel Down * Sophos Firewall - Gateway Down * Sophos Firewall - Advanced Threat Detected -* Added new alerts for the MSSQL and Oracle databases: +* Added new alerts for **MSSQL** Database and **Oracle** Database: * MSSQL - Database Changes * MSSQL - Role Changes * Oracle - Database Changes * Oracle - Role Changes -* Added new alerts for the Defender ATP: +* Added new alerts for the **Defender ATP**: * Defender ATP - System is Offboarded * Defender ATP - System is not Connected since a Week @@ -49,10 +49,6 @@ has_children: true * Authentication - Successful VPN Login Outside Home Country * Linux - Change in Sudo Access of Local Linux Account -* Removed the following other app dependent macros and defined related macro in app itself: - * Added **cs_drop_dm_object_name** macro to replace the **drop_dm_object_name** macro. - * Added **cs_cim_authentication_indexes** macro to replace the **cim_Authentication_indexes** macro. - * Removed **Google Workspace - Suspicious File Shared by External User on Google Drive** alert and related panel from **Google Workspace** dashboard as it contains static lookup causing many false positives. * Removed the [Splunk Add-on for RWI - Executive Dashboard](https://splunkbase.splunk.com/app/5063/) app dependency. 
@@ -89,11 +85,17 @@ has_children: true * Fixed the typo in the macro name from **cs_authentication_vpn_login_attemps_outside_working_hour_filter** to **cs_authentication_vpn_login_attempts_outside_working_hour_filter** +* ### For Splunk Admins + + * Removed the following other app dependent macros and defined related macro in app itself: + * Added **cs_drop_dm_object_name** macro to replace the **drop_dm_object_name** macro. + * Added **cs_cim_authentication_indexes** macro to replace the **cim_Authentication_indexes** macro. + ## Upgrade Guide from 4.9.0 to 5.0.0 * After upgrade, only SOC related alerts will be received to existing configured critical emails. To make more changes, configure the SOC and Compliance teams related configs under **Cyences Settings > Cyences App Configuration > Cyences Alerts Configuration** section. -* In order to use the sophos firewall alerts, onboard the **sophos_events** data from [Sophos Central Addon for Splunk](https://splunkbase.splunk.com/app/6186/). +* In order to use the sophos firewall alerts, onboard the **sophos_events** data from [Sophos Central Addon for Splunk](https://splunkbase.splunk.com/app/6186/). For more details, refer [Sophos Firewall Data Onboarding]({{ site.baseurl }}/data_onboarding/network_devices/sophos_firewall) diff --git a/docs/troubleshooting/troubleshooting.md b/docs/troubleshooting/troubleshooting.md index a7f7997c..7e962b01 100644 --- a/docs/troubleshooting/troubleshooting.md +++ b/docs/troubleshooting/troubleshooting.md 
@@ -13,8 +13,6 @@ has_children: false ![alt]({{ site.baseurl }}/assets/vpn_dashboard_not_loading.png) -* Verify that the [Splunk Add-on for RWI - Executive Dashboard](https://splunkbase.splunk.com/app/5063/) is installed. - * Verify that the [Splunk CIM](https://splunkbase.splunk.com/app/1621/) is installed and the Authentication data model is accelerated. * Verify that the CIM Authentication data model does not filter the VPN index (check the macro definition for `cim_Authentication_indexes`). diff --git a/docs/user_guide/alerts_dashboards.md b/docs/user_guide/alerts_dashboards.md index 69de02f5..a93886e0 100644 --- a/docs/user_guide/alerts_dashboards.md +++ b/docs/user_guide/alerts_dashboards.md @@ -50,6 +50,8 @@ There are several security related alerts to choose from and they are all locate * Virus Found and Passed * Office 365 Defender ATP Alerts: * Defender ATP - Defender ATP Alerts + * Defender ATP - System is Offboarded + * Defender ATP - System is not Connected since a Week * Office 365 Defender ATP Dashboard panels: * All Alerts * Sophos Endpoint Protection Alerts: @@ -142,7 +144,6 @@ There are several security related alerts to choose from and they are all locate * Google Workspace - Alerts Center Alert * Google Workspace - Google Drive objects shared Outside or with External User * Google Workspace - Google Drive objects accessed by External User - * Google Workspace - Suspicious File Shared by External User on Google Drive * Google Workspace - Failed Login From Unusual Country * Google Workspace Dashboard panels: * Login Types 
@@ -175,12 +176,10 @@ There are several security related alerts to choose from and they are all locate * O365 - External User Added to Microsoft Teams * O365 - Login Failure Due To Multi Factor Authentication * O365 - Login Failure From Unusual Country Due To Multi Factor Authentication - * O365 - Login Failure Outside Home Country Due To Multi Factor Authentication * O365 - Login From Unknown User * O365 - O365 Service is not Operational * O365 - Security Compliance Alert * O365 - Successful Login From Unusual Country - * O365 - Successful Login Outside Home Country * O365 - Failed Login From Unusual Country * O365 - OneDrive or SharePoint File Sharing with External User * O365 - OneDrive or SharePoint Link Accessed By External User @@ -211,10 +210,14 @@ There are several security related alerts to choose from and they are all locate * MSSQL Alerts: * MSSQL - User Changes + * MSSQL - Database Changes + * MSSQL - Role Changes * MSSQL Dashboard panels: * Audit Logs * Oracle Alerts: * Oracle - User Changes + * Oracle - Database Changes + * Oracle - Role Changes * Oracle Dashboard panels: * Audit Logs @@ -249,13 +252,15 @@ There are several security related alerts to choose from and they are all locate * Palo Alto Firewall - Network Compromise - Palo Alto High Threats Alert * Palo Alto Firewall - Network Compromise - Palo Alto WildFire Alert * Palo Alto Networks Dashboard panels: - * DDoS Attack Prevented by Palo Alto Firewall - * Inbound Traffic from Blocked IPs * License Events * List of Firewall Devices - * Outbound Traffic to Blocked IPs * Palo Alto Firewall Login Failures * System Alerts and Threats +* Sophos Firewall Alerts: + * Sophos Firewall - Lost Connection to Sophos Central + * Sophos Firewall - VPN Tunnel Down + * Sophos Firewall - Gateway Down + * Sophos Firewall - Advanced Threat Detected * Sophos Firewall Dashboard panels: * ATP & IPS Events * List of Firewall Devices 
@@ -266,7 +271,18 @@ There are several security related alerts to choose from and they are all locate * Cisco Meraki Dashboard panels: * Organizational Security Events * Config Changes - +* F5 BIGIP Alerts: + * F5 BIGIP - Not Blocked Attacks +* F5 BIGIP Dashboard panels: + * Top 10 Attack Type + * Top 10 Source IP + * Top Rules Over Time + * Top Action + * Top Blocked Source IPs + * Top Blocked Destionation IPs + * Blocked Source IPs + * All Events + * Attacks by IP ## Network Telemetry Cyences has a dashboard called "Network Telemetry" which shows if there is active traffic on a port on a machine which is vulnerable (or has known vulnerability detected by vulnerability scanner in your environment), showing if vulnerability in your environment is actively being exploited. This is very critical information for security team. @@ -440,7 +456,6 @@ The Lansweeper dashboard also provides information about whether the IT asset is * Authentication - Excessive Failed VPN Logins from a Source * Authentication - Long Running VPN Session Disconnected * Authentication - Successful VPN Login From Unusual Country - * Authentication - Successful VPN Login Outside Home Country * Authentication - VPN Login Attempts Outside Working Hours * Dashboard panels: * Connected Workforce by Location diff --git a/docs/user_guide/intelligence_dashboard.md b/docs/user_guide/intelligence_dashboard.md index 3cea1f1a..f261f792 100644 --- a/docs/user_guide/intelligence_dashboard.md +++ b/docs/user_guide/intelligence_dashboard.md 
@@ -13,26 +13,9 @@ parent: User Guide * Intelligence * Device Inventory * User Inventory - * Globally Detected Malicious IPs * The "Intelligence" dashboard has been added to the Cyences app in version 1.4.0, initially named "Asset Intelligence", later renamed to "Intelligence" in version 4.3.0. -## Globally Detected Malicious IPs - -The Globally Detected Malicious IPs list is generated from a combination of dashboards, scheduled reports, and a paid service through HoneyDB's APIs. It goes into extensive detail by providing the location of the bad IP address to the last seen time. This list covers the following topics: - -* DDoS attacks on Palo Alto firewalls -* Inbound traffic from blocked IPs -* Outbound traffic to blocked IPs - -If an IP address is involved in any of the above scenarios, then it will automatically be added to the list. The goal of Globally Detected Malicious IPs is to assist Splunk users to learn even more about their environment and to help identify suspicious activity in order to take the appropriate security measures to strengthen their network. Do not let your business become the next victim. For more information, please refer to the **Globally Detected Malicious IPs** dashboard. - -![alt]({{ site.baseurl }}/assets/malicious_ip.png) - -Beginning with version 1.1.0, the Globally Detected Malicious IPs list is now being generated on the Malicious IP list server, which is deployed by CrossRealms International. This list is based on bad IP address activity that's detected in Splunk environments across all installations where Cyences is configured. This list provides Splunk users with the latest globally detected malicious IP list and stores it back into the lookup within the Cyences app. This will result in a more robust list for Splunk users to rely on. For Splunk Admins, please refer to the **Configuration of Access Token for Malicious IP List** section to learn more about the API configuration process. 
- -**Note**: The Malicious IP List Gen does not disclose any private information from a Splunk user's environment. - ## Device Inventory The Device Inventory dashboard contains a list of every asset or device present in an environment. diff --git a/docs/user_guide/overview_dashboard.md b/docs/user_guide/overview_dashboard.md index 7e292f1c..c956ee9c 100644 --- a/docs/user_guide/overview_dashboard.md +++ b/docs/user_guide/overview_dashboard.md 
@@ -15,15 +15,10 @@ The Overview dashboard displays the overall security status of the Splunk enviro ### Alerts * Each alert is inspired by common security use cases to detect problems in your environment (i.e., Sophos Endpoint Protection Service is not Running is an alert that identifies when a Sophos antivirus service stops running on an endpoint). -* All of the dashboard panels (except for Globally Detected Malicious IPs) in the Overview dashboard displays the status for each alert in the selected time-range. +* All of the dashboard panels in the Overview dashboard displays the status for each alert in the selected time-range. * All of the alerts are distributed in a categorized fashion, so some alerts may fall into multiple categories (i.e., Fake Windows Processes alert is present in both Ransomware and Windows). This allows for a more thorough breakdown for any Splunk environment and can easily assist with all sorts of security vulnerabilities that may appear. * If the **Notable Events** count is greater than zero and changes from green to another color, then that indicates a security violation for the specified alert. Notable events are the number of security issues that the Cyences App has detected via Splunk events (logs). The severity of a security violation for a notable event is highlighted in either: green, yellow, orange, or red (green = informational and low severity; yellow = medium severity; orange = high severity; red = critical severity). A multi-select filter for severity is present to allow Splunk users a more customizable view based on their security needs. * Clicking on any row within a dashboard panel retrieves more information about the selected alert. By doing so, it will automatically redirect the Splunk user to the Forensics dashboard. Refer to the **Forensics Dashboard** section for more information. 
* The **Monthly Alerts** section focuses on important aspects of your environment that are less active, but are still necessary to keep track of (i.e., Windows Hosts Missing Update). **Note**: After installing the Cyences App, the Overview dashboard will be empty by default. The Overview dashboard only displays enabled alerts and they each have to be manually enabled. Refer to the **Enable Alerts and Reports** section to find out how to enable alerts/reports within the Cyences App. - -### Globally Detected Malicious IPs -* The Globally Detected Malicious IPs is a list of all IP addresses found by Cyences' reports. -* It is important to review this list as you may discover some bad IP addresses coming in and out of your firewall. -* Refer to the **Globally Detected Malicious IPs** section for more information. \ No newline at end of file diff --git a/docs/user_guide/user_guide.md b/docs/user_guide/user_guide.md index ebb0cbac..82ad0c30 100644 --- a/docs/user_guide/user_guide.md +++ b/docs/user_guide/user_guide.md @@ -34,11 +34,6 @@ Please follow the steps below to enable various alerts and reports in Splunk. 4. Click on **Edit > Enable** to enable the desired alert/report. A few of the included alerts and reports are dependent on other reports being enabled. The additional reports that are essential for these three dependent reports to function are outlined below: -* Palo Alto Firewall - Malicious IP List Gen - * Palo Alto Firewall - Network Compromise - DDoS Attack Prevented - * Palo Alto Firewall - Network Compromise - Inbound Traffic from Blocked IPs - * Palo Alto Firewall - Network Compromise - Outbound Traffic to Blocked IPs - * Dynamically Update Blocked IPs with HoneyDB * Ransomware - Spike in File Writes * Ransomware - Calculate UpperBound for Spike in File Writes * Network Compromise - DDoS Behavior Detected
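Review bot: In the new `docs/data_onboarding/network_devices/f5_bigip.md`, the second heading and its first sub-bullet were copied from the Palo Alto page and still say "## How to Install and Configure the Palo Alto Add-on:" and link to `https://splunk.paloaltonetworks.com/getting-data-in.html`; on an F5 BIG-IP page the heading should read "How to Install and Configure the F5 BIG-IP Add-on" and the "Getting data into Splunk" bullet should point at the Splunkbase details link already given above (`https://splunkbase.splunk.com/app/2680/#/details`) or be dropped. Two smaller points in the same hunk: "The **Splunk Add-on for F5 BIG-IP** addon is required" repeats "add-on", and the file ends with "\ No newline at end of file", so add a trailing newline.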
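Review bot: In the `docs/install_configure/configuration.md` hunk at `@@ -25,12 +25,14 @@`, the rewritten Products Setup paragraph keeps the pre-existing typo "It's recommended to move toggle it to either "Enabled" or "Disabled" status"; since the line is being touched anyway, change it to "It's recommended to toggle it to either "Enabled" or "Disabled"". The added App Dependencies sentence also needs an article and a hyphen: "Also, the **App Dependencies** table shows the product-specific dependent app's installation status, its enabled/disabled status if it is installed, and the app installation link."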
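Review bot: In the `docs/install_configure/configuration.md` hunk at `@@ -40,53 +42,7 @@`, the only added line is `+ ` (a line containing a single space) directly above "## Cyences Email Settings for Alerts"; make it an empty line so the file does not gain trailing whitespace. Two documentation gaps in the same hunk: the "## Sophos Central API Endpoints Configuration" cross-reference is removed along with the HoneyDB and Malicious IP Collector sections, but the release notes in this patch only describe the Malicious IP removal, so either restore that cross-reference or add a release-notes line for it; and the removed sections were where admins were told to enter the HoneyDB **API ID**/**API Key** and the Cyences server **API URL**/**Auth Token**, so the "Upgrade Guide from 4.9.0 to 5.0.0" should state whether those stored credentials are cleared on upgrade or must be removed by hand, since stale secrets left in the app configuration are a cleanup item for Splunk admins.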
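Review bot: In the `docs/release_notes/release_notes.md` hunk at `@@ -89,11 +85,17 @@`, the added line "* ### For Splunk Admins" places a heading inside a bullet item, which renders inconsistently; use a plain "### For Splunk Admins" heading with the macro bullets beneath it. The relocated text "Removed the following other app dependent macros and defined related macro in app itself" is followed by two sub-items that start with "Added", which reads as a contradiction; phrase it as "Replaced the following dependent-app macros with app-defined equivalents:" and, for admins who customized `drop_dm_object_name` or `cim_Authentication_indexes`, note that those customizations need to be re-applied to `cs_drop_dm_object_name` and `cs_cim_authentication_indexes`. Also "For more details, refer [Sophos Firewall Data Onboarding]" should be "refer to".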
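Review bot: In the `docs/troubleshooting/troubleshooting.md` hunk at `@@ -13,8 +13,6 @@`, the unchanged context line "Verify that the CIM Authentication data model does not filter the VPN index (check the macro definition for `cim_Authentication_indexes`)" is now stale: the release notes in this same patch state that the app replaces `cim_Authentication_indexes` with its own `cs_cim_authentication_indexes` macro, so the troubleshooting step should name the app's macro (and it is the one the VPN alerts actually read).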
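Review bot: In the `docs/user_guide/alerts_dashboards.md` hunk at `@@ -266,7 +271,18 @@`, the added panel name "Top Blocked Destionation IPs" has a typo and should be "Top Blocked Destination IPs" (panel names in this list are matched by readers against the dashboard, so the spelling matters). The same hunk removes the blank line between the end of the list and "## Network Telemetry"; keep an empty line before the heading so the list terminates cleanly.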
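Review bot: In the `docs/user_guide/overview_dashboard.md` hunk at `@@ -15,15 +15,10 @@`, the rewritten line "All of the dashboard panels in the Overview dashboard displays the status for each alert in the selected time-range" has a subject-verb mismatch; since the parenthetical exception is gone, it should read "All of the dashboard panels in the Overview dashboard display the status of each alert in the selected time range."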
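Review bot: In the `docs/user_guide/user_guide.md` hunk at `@@ -34,11 +34,6 @@`, removing the "Palo Alto Firewall - Malicious IP List Gen" entry and its four sub-reports leaves the unchanged context sentence "The additional reports that are essential for these three dependent reports to function are outlined below:" counting one report too many; change "these three dependent reports" to "these dependent reports" (or the new count) so the list and the sentence agree.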