This app has been created to assist with yearly compliance with the Data Security and Protection Toolkit (DSPT). The DSPT Audit applies.
- Recurrent retrieval of cyber alerts from feeds to enrich data analysis
- Dashboards to ease compliance with the DSPT for audit purposes:

| Dashboard Name | Description |
| --- | --- |
| Overview | General overview of monitored data |
| Administrator | Audit administrator activity required for DSPT |
| User | Audit user activity required for DSPT |
| Host | Audit hosts required for DSPT |
| Malware | Audit malware activity required for DSPT |
| Network | Audit and monitor network activity |
| VPN | Audit and monitor VPN activity |
| Cyber Alerts | Cyber Alerts details |
| Evidence Questionnaire | Enables users to fill in the evidence questionnaire |
Apps and data models required by this app:
- Splunk Common Information Model App
- Lookup File Editor
- Accelerated Data Models:
  - Authentication
  - Change
  - Endpoint
  - Intrusion Detection
  - Malware
  - Network Sessions
  - Network Traffic
  - Web
Data required to fully utilise this app:
- Active Directory
- Edge Firewalls
- Windows Event Logs
- Windows Update Logs
- Windows Host Mon (OS Stanza)
- Anti-Virus Logs
- VPN Logs
Please refer to the Splunk Documentation for guidance on installing the Add-On in your environment. The app needs to be installed on the search head (SH) tier.
By default the app ships with a pre-configured but disabled input named `main`, which fetches cyber alerts daily via the NHS REST API and stores them in the default index.
For customizations or additional feeds, from your Splunk instance Web Interface:
- Browse to Settings / Data Inputs
- Select Splunk App for DSPT Compliance and provide the following info:
  - Name of the input
  - REST API endpoint to fetch cyber alerts
  - Enable Checkpoint, to align with your events duplication policy
  - (Optional) More settings, to specify host, interval, index and sourcetype
Dear admins, please first enable the input. If you decide to store cyber alerts in another index, please make sure you update the macro `default_index` with a definition such as `index=<YOUR_INDEX>`.
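The Enable Checkpoint option above exists so that a daily pull of a rolling alert feed does not index the same alert twice. The following is an added illustration of that checkpoint pattern, not the app's own `nhs_cyberalerts.py`: the alert field names (`id`, `published`), the checkpoint file layout and the sample alerts are all constructed assumptions.

```python
import json
import os
import tempfile
# Constructed sample: two daily pulls of a rolling-window feed, so the second
# pull repeats part of the first. Field names are assumptions, not the API's.
PULL_1 = [{"id": "CA-0001", "published": "2021-03-01T09:00:00Z"},
          {"id": "CA-0002", "published": "2021-03-02T09:00:00Z"},
          {"id": "CA-0003", "published": "2021-03-02T09:00:00Z"}]
PULL_2 = [{"id": "CA-0002", "published": "2021-03-02T09:00:00Z"},
          {"id": "CA-0003", "published": "2021-03-02T09:00:00Z"},
          {"id": "CA-0004", "published": "2021-03-02T09:00:00Z"},  # same instant, new id
          {"id": "CA-0005", "published": "2021-03-03T09:00:00Z"}]

def load_checkpoint(path):
    """Return the saved checkpoint, or an empty one on the first run."""
    if not os.path.exists(path):
        return {"published": "", "ids": []}
    with open(path) as fh:
        return json.load(fh)

def save_checkpoint(path, checkpoint):
    """Write to a temp file, then rename, so a crash cannot leave it corrupt."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(checkpoint, fh)
    os.replace(tmp, path)

def filter_new_alerts(alerts, checkpoint):
    """Return (unseen alerts, advanced checkpoint). Several alerts may share the
    newest 'published' value, so the ids already seen at that instant are kept."""
    last_ts, seen = checkpoint["published"], set(checkpoint["ids"])
    new = [a for a in alerts if a["published"] > last_ts
           or (a["published"] == last_ts and a["id"] not in seen)]
    newest = max([last_ts] + [a["published"] for a in new])  # same-layout ISO-8601 Z strings sort as text
    ids = {a["id"] for a in new if a["published"] == newest}
    if newest == last_ts:
        ids |= seen  # nothing newer arrived; keep the existing boundary set
    return new, {"published": newest, "ids": sorted(ids)}

def process_pull(alerts, path):
    """One scheduled run: load the checkpoint, keep only unseen alerts, persist it."""
    new, checkpoint = filter_new_alerts(alerts, load_checkpoint(path))
    save_checkpoint(path, checkpoint)
    return new

def run_demo():
    """Replay both pulls against a throwaway checkpoint file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "checkpoint.json")
        first = [a["id"] for a in process_pull(PULL_1, path)]
        second = [a["id"] for a in process_pull(PULL_2, path)]
        return first, second, load_checkpoint(path)
```

With the checkpoint disabled, the second pull would re-index CA-0002 and CA-0003, which is the duplication the option is meant to avoid.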
Once installed, from your Splunk instance Web Interface, select the app DSPT Compliance and navigate through the dashboards to verify content.
The app aims to assist with DSPT assertions where IT staff are asked to regularly review certain activity types or provide evidence against assertions. Where a monitoring requirement exists, the dashboards found within the 'Audit' drop down can be used. Where evidence is required, reports can be found to facilitate the capture of the required information.
Useful SPL searches:

- Verify Cyber Alerts indexing: `index=_internal nhs_cyberalerts.py`
- Verify the index has been populated with Cyber Alerts: `index=main`

Please replace `main` with the index specified in the configuration and make sure the time range is set to All time.
If you would like to contribute to this app, see CONTRIBUTING.
App has been developed by Kevin Pyart, Senior Splunk SE (UK Public Sector)
For Support please contact kpyart@splunk.com
https://www.apache.org/licenses/LICENSE-2.0.txt
License

Copyright 2021 Splunk Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.