Self Assessment
External Threat Landscape Management

CYFIRMA App for Splunk

Download

Introduction

DeCYFIR is cloud-based threat discovery and cybersecurity platform, designed to defend organizations by uncovering attack surfaces, building digital risk profiles & using personalized cyber-intelligence to predict imminent attacks and decode cyber threats before a cyberattack hits.

The Splunk add-on will help to collect DeCYFIR alert events data using the events API and send it to Splunk events. It will also ingest DeCYFIR IOC data as lookup data in Splunk Enterprise.

The Splunk app will have searches based on Alerts & IOC data. Dashboards are created based on Splunk searches.

Prerequisites/Dependencies

  • Splunk Enterprise version 8.0
  • API key generated from CYFIRMA platform.
  • The app and add-on will use Cyfirma V2 public API endpoints.

Installation of Splunk Enterprise

To install Splunk Enterprise. Follow this manual Splunk Installation Manual.

Installation of Addon and App

  • Login to Splunk Enterprise.
  • Click on Apps > Search for App.
  • Search for Apps & enter the app name to search for.
  • Check the prerequisites and details.
  • Click on Install.

After installation, we can see the Add-on in Apps dropdown.

Installation of Addon and App (From File)

  • Login to Splunk Enterprise.
  • Navigate to manage apps and click.
  • Click on “Install app from File”.
  • “Install App from File” pop-up window will appear.
  • Click on “Choose file”.
  • Choose a file and click on Open
  • Check the Upgrade app checkbox.
  • Click on the Upload button.
  • Successfully installed message will be displayed.
    After installation, we can see the Addon and App in the Apps dropdown list.

Splunk Addon

  • Add-on will poll CYFIRMA’s 1 REST endpoint with 6 different subtypes
    • Domain/IP vulnerability
    • Certificate
    • Configurations
    • Open ports
    • Domain reputation
    • Open bucket

    • at the defined interval to fetch the CYFIRMA’s Attack Surface sub-categories data and ingest into Splunk indexes with sourcetype set as “cip:attack_surface:<sub category>”

  • Add-on will poll CYFIRMA’s 1 REST endpoint with 6 different subtypes.
    • Impersonation & Brand Infringement
      • Domain/IT assets
      • Execute/ people.
      • Social handler
      • Product/solution
    • Data Breach
      • Phishing
      • Ransomware

    • at the defined interval to fetch the CYFIRMA’s Digital Risk sub-categories data and ingest into Splunk indexes with sourcetype set as “cip:digital_risk:<sub category>”

Configuration

Account
After installation of the DeCYFIR Addon to set up the account follow the below steps

  • Navigate to apps and click on DeCYFIR Addon for Splunk.
  • Click on the Configuration tab.
  • In the Accounts sub-tab click on Add.
  • Give a unique name to the configuration and add the URL of the product & API key generated from the Product.
  • Click on Add.

Account should be created successfully.

Inputs

Prerequisites
Users are advised to create a separate index for storing the data before creating the Alerts input. Please create a different index for all clients and select the corresponding index while creating the input for specific clients. For example, create an index named “cyfirma” and select the same index while creating the DeCYFIR Alerts input.

Creating Index
For creating indexes for DeCYFIR Alerts,

  • Login to Splunk Enterprise.
  • Click settings > indexes.
  • Click New index.
  • In the Index name field, specify the index name [eg:cyfirma].
  • Set the Index data types to Events.
  • Fill in all the necessary fields.
  • Click on Save.

DeCYFIR Alerts
For creating input and data collection of API data, follow the below-mentioned steps in DeCYFIR Add-on.

  • Go to Add-on by clicking on DeCYFIR Add-On for Splunk from the left bar.
  • Click on the Inputs tab.
  • Click on Create New Input -> Select DeCYFIR Alerts.
  • Fill in all the necessary details.
  • Click on Save.
  • Created input will be displayed in the Inputs screen.
  • Go to the Search tab. Enter index=”<index name>(Eg:index name=cyfirma).
  • Verify the data in the index.

CYFIRMA’s Attack Surface subcategories

  • Attack Surface with Domain/IP Vulnerability
    Eg: index=”cyfirma” sourcetype=”cip:attack-surface:ip-vulnerability”
  • Attack Surface with certificates
    Eg: index=”cyfirma” sourcetype=”cip:attack-surface:certificates”
  • Attack Surface with configurations
    Eg: index=”cyfirma” sourcetype=”cip:attack-surface:configurations”
  • Attack Surface with open-ports
    Eg: index=”cyfirma” sourcetype=”cip:attack-surface:open-ports”
  • Attack Surface with Domain/IP reputation
    Eg: index=”cyfirma” sourcetype=”cip:attack-surface:ip-reputation”
  • Attack Surface with Open bucket/Cloud weakness
    Eg: index=”cyfirma” sourcetype=”cip:attack-surface:cloud-weakness”

CYFIRMA Digital Risk Subcategories

  • Digital Risk with Impersonation:Domain-IT-Asset
    Eg: index=”cyfirma” sourcetype=”cip:digital-risk:impersonation-and-infringement:domain-it-asset”
  • Digital Risk with Impersonation:Execute/People
    Eg: index=”cyfirma” sourcetype=”cip:digital-risk:impersonation-and-infringement:executive-people”
  • Digital Risk with Brand-Infringement:Social/Handlers
    Eg: index=”cyfirma” sourcetype=”cip:digital-risk:impersonation-and-infringement:social-handlers”
  • Digital Risk with Brand-Infringement:Product/Solution
    Eg: index=”cyfirma” sourcetype=”cip:digital-risk:impersonation-and-infringement:product-solution”
  • Digital Risk with Data Breach:Phishing
    Eg: index=”cyfirma” sourcetype=”cip:digital-risk:data-breach-and-web-monitoring:phishing”
  • Digital Risk with Data Breach:Ransomware
    Eg: index=”cyfirma” sourcetype=”cip:digital-risk:data-breach-and-web-monitoring:ransomware”

CYFIRMA Vulnerability category
Vulnerability
Eg: index=”cyfirma” sourcetype=”cip:vulnerability”

Splunk App

Dashboard
App will contain a Dashboard tab that fetches data of Attack Surface, Digital Risk, and Vulnerability from the Splunk index.

Splunk app to display Dashboard. It would include the following 6 tabs:

  • DeCYFIR Attack Surface Alerts
  • DeCYFIR Digital Risks Alerts
  • DeCYFIR Vulnerability Alerts
  • DeCYFIR IOCs
  • Custom Alerts
  • Setup

Note: The Decyfir app must be fully configured by logging to the setup page and providing credentials for the Cyfirma product URL and API key.

DeCYFIR Attack Surface Alerts:
Widgets to display:

  • Count of all the alerts subcategories:
    • IP vulnerability
    • Certificates
    • Configurations
    • Open Ports
    • Domain Reputation
    • Open bucket
  • Trend Line for selected/clicked subcategory. The trend line for each sub-category will be displayed on click on each sub-category.
  • Detailed table of selected/clicked sub-categories. Click on any data table row will display additional information for the sub-category data.

DeCYFIR Digital Risk Alerts:
Widgets to display:

  • Count of all the alerts subcategories:
    • Impersonation & Brand Infringement
      • Domain-IT asset
      • Executive People
      • Product Solution
      • Social Handler
    • Data Breach & Web Monitoring
      • Phishing
      • Ransomware

  • Trend Line for selected/clicked subcategory. The trend line for each sub-category will be displayed on click on each sub-category.
  • Detailed table of selected/clicked subcategory. Click on any data table row will display additional information for the sub-category data.

DeCYFIR Vulnerability Alerts:
Widgets to display:

  • Count of the alert category:
    • Vulnerability

  • Trend Line for the category.
  • Detailed table of the category. Click on any data table row will display additional information for the category data.