Cisco Security Suite Manual
From Splunk Wiki
The notes below are for the pre-3.0 version of the Splunk Cisco Security Suite, which is now deprecated. There is a new Splunk Cisco Security Suite, which you'll find here: Splunk Cisco Security Suite 3.0
This manual covers the Splunk Cisco Security Suite. The Cisco Security Suite is made up of the Cisco Security Suite app and a set of related add-ons.
The Cisco Security Suite provides reports and dashboards that give you insight into data from a variety of Cisco devices, including the IronPort Email Security Appliance (ESA), the IronPort Web Security Appliance (WSA), the Intrusion Prevention System (IPS) and the Cisco Security Agent (CSA).
In addition, Splunk for Cisco Security reports on data that is generated by the following add-ons. Follow the links to download the apps or get information on setting them up and using them. Each of these add-ons can be used standalone or in conjunction with the Cisco Security Suite app and other related add-ons. However, if you are using the Cisco Security Suite app, you must download one of these related add-ons to see data.
- Splunk for Cisco Firewalls (download) (set up) (use) - Enables you to search and report on data collected from Cisco firewall devices such as FWSM, PIX, and ASA.
- Splunk for Cisco IPS (download) (set up) (use) - Enables you to search and report on data collected from Cisco IPS (Intrusion Prevention System) devices. Includes a scripted input that collects data from Cisco IPS sensors using the Security Device Event Exchange (SDEE) format.
- Splunk for Cisco IronPort Web Security Appliance (download) (set up) (use) - Enables you to search and report on data collected from Cisco IronPort WSA devices. Includes out-of-the box reports that provide visibility into blocked sites by category or client IP, number of events per host, actions by host over time, and other security-relevant events.
- Splunk for Cisco IronPort Email Security Appliance (download) (set up) (use) - Enables you to search and report on data collected from Cisco ESA devices.
- Splunk for Cisco Client Security Agent (download) (set up) (use) - Enables you to search and report on Cisco CSA devices.
- Splunk for Cisco MARS Archives (download) (set up) (use) - Enables search and reporting on data collected from Cisco Monitoring, Analysis, and Response System (MARS) archives.
Additionally, you must install the MAXMIND app for the map dashboards to work: (download)
Set up Cisco Security Suite
When you first download the Cisco Security Suite, decompress the file and place the resulting folder into either %PROGRAMFILES%\Splunk\etc\apps (on Windows) or $SPLUNK_HOME/etc/apps (on Unix/Linux). Then restart Splunk via the CLI (using the splunk restart command) or the GUI.
After you restart your Splunk instance you can select the Cisco Security Suite app from the Home page.
When you first enter the Cisco Security Suite, it will give you an opportunity to enable or disable the Cisco add-ons that you have downloaded. Keep in mind that the add-ons provide data and capabilities to the Cisco Security Suite app; if you disable them, you will not receive data from them.
This setup screen also includes download links for each of the add-ons.
Troubleshooting your Cisco Security Suite install
- No Cisco data is present in the reports and dashboards: You must install at least one of the other Cisco add-ons in order to populate the Cisco Security Suite with data. Follow the download links above to obtain the necessary add-ons.
- If you have Cisco add-ons downloaded and running, but data still isn't showing up, first check to make sure the add-ons are enabled by navigating to Manager > Apps and selecting Set up for the Cisco Security Suite app. On the Setup screen, check to make sure your add-ons are enabled.
- Finally, check your inputs and ensure they're configured correctly for each add-on. Check the set up documentation for the add-ons that you have installed (you can find links in the bulleted list at the top of this page) for information about their input configuration.
- The geo maps do not populate, but other charts are displaying results as expected: You must install the MAXMIND app to have the maps populate with data. To get this working, go here and install the MAXMIND app.
Using Cisco Security Suite
The Cisco Security Suite landing page provides an overall view of your Cisco security events, both over the recent past and in real time. With each add-on that you download and enable, you get a set of dashboards, reports, and searches that you can use to review your firewalls, detect intrusions, review data from Cisco MARS archives, and oversee aspects of your web, email, and client security (as reported by your Cisco WSA, ESA, and CSA devices, respectively).
For more information about these dashboards, reports, and searches, click the Use links in the Cisco add-on list at the top of this page.
In addition, the Cisco Security Suite app comes with its own dashboards: a landing page Summary dashboard, a Global Threat Correlation dashboard, and a BotNet Dashboard.
The Cisco Security Suite Summary dashboard looks across all of the Cisco add-ons, plotting events in real time as they happen, as well as providing an overview of the source and destination IP addresses involved.
- A geo-locational map view of recent security events. The map can display the events as they are discovered in real time, or it can show the events that were detected over the past 24 hours.
- You can modify this map to include only the events or environments that are of interest to you by adjusting the search that it is based upon. To do this, navigate to Manager > Searches and Reports, open the detail page for the Cisco Event Map search, and edit the search to fit your requirements.
- A stacked column chart displaying the major categories of security events that have been discovered over the past hour.
- Two charts displaying Cisco security events as they are discovered in real time, broken out by source IP in one and destination IP in the other. (not displayed in the screencap above)
Global Threat Correlation dashboard
The Global Threat Correlation overview dashboard provides analysis of Cisco IPS alerts that surpass a defined threshold for the Global Threat Score (GTS). By default this threshold is set to 0. All of the panels that make up the dashboard are driven off of a scheduled saved search that runs every three hours with a Splunk Enterprise license.
To change the schedule for the search, the time frame it reports on, or the GTS threshold, navigate to Manager > Searches and Reports, open the detail page for the Cisco IPS Global Threat Correlation - DataCube search, and edit the search to fit your requirements.
BotNet dashboard
The BotNet overview dashboard uses the BotNet filter from Cisco Firewall. It provides a view into the latest BotNet activity in your environment. All of the panels that make up the dashboard are driven off of a scheduled saved search that runs every three hours with a Splunk Enterprise license. This includes the geo-locational BotNet map, which is driven off of the destination IP of the BotNet request.
To change the search, or the schedule and timeframe that it reports on, navigate to Manager > Searches and Reports, open the detail page for the Cisco BotNet Filter - Data Cube search, and edit the search to fit your requirements.