
Page 1: Release notes 16.3-FINAL

1

©2010-2021 iDefender, LLC. ALL RIGHTS RESERVED.

RELEASE NOTES

Industrial Defender ASM for Splunk v1.5.0/1.5.1

July 2021

Contents

• What’s New in V1.5.0/1.5.1

• About ASM for Splunk

• Setting Up ASM for Splunk

• Upgrading ASM for Splunk

• Release Information

• Appendix: ASM Mapping to CIM/OT Models

What’s New in V1.5.0/1.5.1

Bugs Fixes

• The syslog host field for source type asm:event:syslog is now extracted correctly so the SOC dashboard charts display properly.

About ASM for Splunk

ASM for Splunk is comprised of two components: a Splunk add-on and a Splunk app that you download from Splunkbase and install on your Splunk system to enable viewing of ASM data. You need both Splunk and ASM, and they must be able to communicate with each other over the network. This release note details the ASM for Splunk setup procedure.

The ASM for Splunk app components are:

• Industrial Defender ASM API Add-on for Splunk V1.5.1

• Industrial Defender ASM App for Splunk V1.5.0

Industrial Defender ASM API Add-on for Splunk V1.5.1

The Add-on includes the connections utility, model support, and source types.

Connections Utility

The connections utility enables communication between ASM and Splunk by allowing a special type of data input that passes the ASM REST API data to your Splunk system. On the Splunk system, you create ASM REST API-type data inputs in the procedure below. On the ASM end, the REST API is installed and enabled when you installed your ASM, so no additional steps are required.

Model Support

• CIM Model Support – The Splunk Common Information Model (CIM) is a shared semantic model that enables normalizing your data to match a common standard. This normalization of data from different source types allows you to develop reports, searches, and dashboards to present a unified view of a data domain. You can display your normalized data in the dashboards provided by other Splunk applications such as Splunk Enterprise Security and the Splunk App for PCI Compliance. The ASM for Splunk app maps ASM data to three CIM models: Alerts, Authentication, and Vulnerability.

• OT Security Model Support – The Splunk for OT Security add-on expands the capabilities of Splunk’s platform to monitor for threats and attacks, compliance, incident investigation, forensics, and incident response across the broad range of cyber assets and network topologies deployed in today's manufacturing and energy enterprises. The ASM for Splunk app supports this model by mapping ASM data to the OT Asset model so Splunk users can input and display Asset Administration Properties in the OT Security app.

See Appendix: ASM Mapping to CIM/OT Models for more detail on properties mapped to the models.

Source Types

The Source Types provided are:

• asm:event:syslog – for ASM syslog data input

• asm:adminprop:json – for ASM Admin Property API data input

• asm:exception:json – for ASM Baseline Exception API data input

• asm:vulnerability:json – for ASM Vulnerability API data input

Industrial Defender ASM App for Splunk V1.5.0

The App provides Splunk UI components including dashboards and a reports tab.

Dashboards

• The SOC Dashboard displays graphical representations of OT security events to provide an overview of your security posture of your OT environment. Events are fed to the dashboard from an ASM syslog destination, and you can drill-down to raw events or to the Asset Insights Dashboard.

• The Asset Insights Dashboard provides more detailed ASM information on specific assets such as Exceptions, Vulnerabilities, and Administrative Properties. Events fed from the ASM syslog destination combine with asset centric data (Exceptions, Vulnerabilities and Administrative Properties). The Asset Deviations bar chart shows no exception type if the number of exceptions for that type equals “0”.

Reports Tab

• A Reports tab displays supported asset administrative properties and works with the Splunk Enterprise Security app. See Appendix: ASM Mapping to CIM/OT Models for detail on supported properties.


Setting Up ASM for Splunk

Note: These procedures were created using Splunk V8.1. UI layout differences may exist between releases.

Setting up ASM for Splunk involves the following tasks:

1. Installing ASM for Splunk

2. Creating an Index (Recommended)

3. Configuring Syslog Input

4. Configuring the ASM REST API Add-on for Splunk

Installing ASM for Splunk

To install ASM for Splunk:

1. Log onto Splunkbase and locate the Industrial Defender ASM API Add-on and app:

• Industrial Defender ASM API Add-on for Splunk: https://splunkbase.splunk.com/app/5457/

• Industrial Defender ASM for Splunk: https://splunkbase.splunk.com/app/5460/

2. Download and install both the API add-on and the ASM app on your Splunk system.

Note: If upgrading an installed prior version of the apps, select Upgrade when installing the new versions.

3. When prompted, restart your Splunk system.

Creating an Index (Recommended)

We recommend creating an Index in your Splunk to store the ASM data that will come into your Splunk environment.

• Consult your Splunk Administrator regarding creating the Index.


Configuring Syslog Input

ASM event data can be streamed to Splunk in syslog format. The steps to set this up are described in this section.

1. Set up a syslog destination on the ASM as follows. Brief instructions are provided here but, if you need more detail, see “Configuring a Destination” in the ASM Administrator Guide.

a. With Windows Explorer on the ASM system, locate: C:\Program Files\Industrial Defender\idefender\destination-utility\bin\destination-utility.bat

b. Right-click the utility and select Run as Administrator.

The Manage Destinations menu appears.

c. Select Create New Destination and create a Syslog destination using the Splunk host name.

d. When completing the fields to configure the new destination, keep in mind the following:

• Syslog Host: IP address of the Splunk server that is responsible for receiving data.

• Syslog Server Port: Port 514 is the default value, but you can change it. This port must be listening and not blocked by your firewall rules on the Splunk server that will receive the data.

• IP Transport protocol: UDP is the default value, but it can also be TCP.

2. In the Splunk UI, create a new TCP/UDP type Data Input as follows. This procedure assumes the Syslog destination is set to use UDP protocol and port 514. (TCP syslog data input is also supported. Refer to the Splunk documentation or consult with your Splunk administrator for more detail.)

a. In the Splunk UI, click Settings > Data inputs.

b. In the left panel, select TCP / UDP.

c. In the right panel, select UDP and enter 514 in the Port field, as shown below.


d. Click Next.

e. On the Input Settings screen, choose asm:event:syslog for Source Type.

Note: If asm:event:syslog does not appear in the selectable list, simply choose “New” and type asm:event:syslog in the Source Type field.

f. You may keep the rest of the settings as default and click Review.

g. When ready, click Submit to complete the data input creation.

You should see the ASM event data flowing in shortly.


Configuring the ASM REST API Add-on for Splunk

To configure the REST API Input component on your Splunk system:

1. In the Splunk UI, click Settings > Data inputs.

2. In the left panel, select ASM REST API.

3. In the right panel, enter the following information:

Note: There is minimal data validation on this screen. Please follow the instructions when entering the information to ensure functionality.

• Name: Identifier of the data input. This can be any valid object name allowed by Splunk.

• API Data Type: The type of API data to retrieve. The ASM app uses all three of the following types of API data, so create a data input for each type, one at a time:

• AdminProp (for asset administrative properties)

• Exception (for asset baseline exception information)

• Vulnerability (for vulnerability information.)

• API URL: The base URL used to access your ASM REST API. This is typically the URL you use to access your ASM (without the "ASMWebApplication") with the path "asmdataservice" appended to the end. For example, https://192.0.2.0/asmdataservice.

Tip: If multiple ASMs will send data into the Splunk, create additional ASM REST API type data inputs using different API URLs for each.

• API Client ID and API Client Secret: The authentication credentials for the API. These can be found on your ASM at System Administration > Settings > API Management. You may use the values for the client with the Client Name "asm".

• Verify SSL Certificate: Whether the API add-on should check the validity of your ASM's SSL certificate when making an API call. When checked, the API calls will fail if your SSL certificate is invalid. When unchecked, the API calls will succeed regardless of the SSL certificate's validity, but there will be more log messages in your Splunkd log indicating that validity checking is disabled.

4. Check More settings and scroll down to enter additional settings.

• Interval: Allows you to set the schedule for this input. We recommend you set the API inputs to run once a day at an off-peak hour. The schedule setting uses the Splunk standard scheduling format. For more information, contact your Splunk Administrator.

• Source type: Use the "Manual" method and type the correct source type into the “Source type” field.

The correct source types for ASM REST API type of data inputs are:

(API Data Type – Source Type)

• AdminProp – asm:adminprop:json

• Exception – asm:exception:json

• Vulnerability – asm:vulnerability:json


The rest of the settings can be left with the default values.

5. Click Next to save the data input.

Shown below is an example of the data inputs created to accept the ASM REST API data from two different ASMs:

Tip: Once you have created one ASM REST API type of data input, you can use the "Clone" feature to quickly create the other similar data inputs by only changing a small amount of data.

Once the scheduled data inputs execute, the ASM REST API data should appear in your searches.

Tip: Setting the Interval field to empty and saving the data input allows one-time immediate execution. This is great for testing the data input.

This concludes the setup process.


Upgrading ASM for Splunk

If you are upgrading a previously installed version of ASM for Splunk, do the following:

1. Install V1.5.0 as described in Installing ASM for Splunk, but select the Upgrade checkbox.

2. Once you have restarted Splunk, click Settings > Data inputs > Input settings.

3. Edit all data inputs previously created to select the appropriate source type per this table:

(Input type – API Data type – Appropriate Source Type)

• UDP/TCP – N/A – asm:event:syslog

• API – AdminProp – asm:adminprop:json

• API – Exception – asm:exception:json

• API – Vulnerability – asm:vulnerability:json

Release Information

Products: ASM Splunk App V1.5.0/1.5.1

Criticality: Recommended

Patch Dependencies: None

Hardware Dependencies: None

Version Dependencies: ASM V7.3.0 or later

These release notes and a list of third-party software used are available at support.industrialdefender.com. If you do not have access to this site, contact your Industrial Defender Service Representative for assistance at [email protected].


Appendix: ASM Mapping to CIM/OT Models

This appendix details ASM data mappings to the following models:

• CIM – Alerts

• CIM – Authentication

• CIM – Vulnerabilities

• OT Security – OT Asset

CIM – Alerts

Data source: ASM syslog events where the metric category is not Authentication, or where the metric category is Authentication but the metric name is neither Login fail events nor Login valid events.

(Alerts Model Field Name – Syslog Event Field Name)

• app – Static value: "asm"

• description – occurrence.description. If your syslog has “MITRE” information, it is appended to the description.

• dest – occurrence.target.targetName

• id – occurrence.sequenceNumber_occurrence.agentName_occurrence.agentAsset.name_occurrence.metric.asset.name

• severity – priority, mapped as follows: 0: unknown; 6: informational; 5: informational; 4: low; 3: medium; 2: high; 1: critical. A custom priority that is greater than 7 is mapped to informational.

• severity_id – priority

• signature – occurrence.description, if signature_id has a value.

• signature_id – occurrence.signatureID (available only for snort rules currently).

• src – occurrence.metric.asset.name

• type – Static value: "event"

• user – occurrence.user


CIM – Authentication

Data source: syslog events, where metric category is Authentication AND metric name is Login fail events or Login valid events

(Authentication Model Field Name – Syslog Event Field Name)

• action –

  • For occurrence_metric_category=Authentication AND occurrence_metric_name="Login valid events", static value "success".

  • For occurrence_metric_category=Authentication AND occurrence_metric_name="Login fail events", static value "failure".

• app – occurrence.description

• dest – occurrence.target.targetName

• src – occurrence.metric.asset.name

• src_user – occurrence.masterUser

• user – occurrence.user
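To make the two syslog mappings above concrete, here is an added example (not code from the ASM add-on) that applies the Alerts/Authentication data-source rule and field tables to a parsed ASM syslog occurrence held as a dict keyed by the syslog field names used in the tables. The key "mitre" for appended MITRE text and the sample events are assumptions constructed for illustration.

```python
# Added example (not the add-on's code): CIM Alerts/Authentication mapping of a
# parsed ASM syslog occurrence keyed by the syslog field names in the tables above.
# The "mitre" key holding MITRE text is an assumption; sample events are constructed.
SEVERITY_BY_PRIORITY = {0: "unknown", 1: "critical", 2: "high", 3: "medium",
                        4: "low", 5: "informational", 6: "informational"}
ACTION_BY_METRIC_NAME = {"Login valid events": "success", "Login fail events": "failure"}


def severity_for(priority):
    """Priorities above 7 are informational; 7 is unlisted, so "unknown" (assumption)."""
    if priority > 7:
        return "informational"
    return SEVERITY_BY_PRIORITY.get(priority, "unknown")


def cim_model_for(ev):
    """Authentication-category login events -> Authentication; all others -> Alerts."""
    if (ev.get("occurrence_metric_category") == "Authentication"
            and ev.get("occurrence_metric_name") in ACTION_BY_METRIC_NAME):
        return "Authentication"
    return "Alerts"


def to_cim(ev):
    if cim_model_for(ev) == "Authentication":
        return {"model": "Authentication",
                "action": ACTION_BY_METRIC_NAME[ev["occurrence_metric_name"]],
                "app": ev["occurrence.description"],
                "dest": ev["occurrence.target.targetName"],
                "src": ev["occurrence.metric.asset.name"],
                "src_user": ev.get("occurrence.masterUser"), "user": ev.get("occurrence.user")}
    description = ev["occurrence.description"]
    if ev.get("mitre"):                                 # MITRE info appended when present
        description = f"{description} {ev['mitre']}"
    signature_id = ev.get("occurrence.signatureID")     # snort rules only
    id_keys = ("occurrence.sequenceNumber", "occurrence.agentName",
               "occurrence.agentAsset.name", "occurrence.metric.asset.name")
    return {"model": "Alerts", "app": "asm", "description": description,
            "dest": ev["occurrence.target.targetName"],
            "id": "_".join(str(ev[k]) for k in id_keys),
            "severity": severity_for(int(ev["priority"])), "severity_id": int(ev["priority"]),
            "signature": ev["occurrence.description"] if signature_id else None,
            "signature_id": signature_id, "src": ev["occurrence.metric.asset.name"],
            "type": "event", "user": ev.get("occurrence.user")}


LOGIN_FAIL = {"occurrence_metric_category": "Authentication",  # constructed sample
              "occurrence_metric_name": "Login fail events", "occurrence.description": "Failed login",
              "occurrence.target.targetName": "PLC-01", "occurrence.metric.asset.name": "HMI-02",
              "occurrence.masterUser": "svc_asm", "occurrence.user": "operator", "priority": 3}
SERVICE_ALERT = {"occurrence_metric_category": "System", "occurrence_metric_name": "Service events",
                 "occurrence.description": "Unexpected service started", "mitre": "MITRE ATT&CK T1543",
                 "occurrence.target.targetName": "PLC-01", "occurrence.metric.asset.name": "HMI-02",
                 "occurrence.sequenceNumber": 42, "occurrence.agentName": "agent1",
                 "occurrence.agentAsset.name": "ASM-A", "occurrence.signatureID": "1000001", "priority": 2}
```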

CIM – Vulnerabilities

Data source: ASM REST API vulnerability information

(Vulnerabilities Model Field Name – Syslog Event Field Name)

• category – Static value: "vulnerability"

• cve – cveId

• cvss – vulnerabilityCvssscore

• dest – assetName

• dvc – asmName

• severity – vulnerabilitySeverity

• signature – vulnerabilitySummary

• url – vulnerabilitySourceUrl

• vendor_product – Static value: “ID ASM”


OT Security – OT Asset

Source: ASM REST API Administrative Properties information

(OT Asset Model Field Name – ASM Administrative Properties Field Name)

• asset_criticality – <name = Criticality>

• asset_id – assetUuid

• asset_model – <name = AssetModel>

• asset_system – assetName

• asset_type – <name = Asset Model Type>

• asset_vendor – <name = Vendor>

• bunit – <name = Division>

• category – ot|<name = OS Type>|<name = Asset Type>

• city – <name = City>, <name = State/Province>

• country – <name = Country>

• description – <name = Asset Description>

• ip – <name = IP Address>

• location – <name = Room>, <name = Rack>, <name = Rack Position>

• owner – <name = Owner Organization>

• serial – <name = Serial Number>

• site_id – <name = Location>

• zone – <name = Esp>

Note: Values for ASM Administrative Properties map to the OT Asset model in two ways: as direct values such as “assetUuid”, and as variable values such as “<name = Location>”. With the direct value, the value maps directly; with variable values, the value of a variable maps to the model. For example, in the sample data below, <name = Location> has the value “Science Bldg”.

…
{
  description: By AOD import
  name: Location
  updateDate: 2021-05-18T15:17:10.44Z
  value: Science Bldg
}
]
assetName: SiemensBMS2
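The following added example (not code from the ASM add-on) fills the OT Asset model fields from one Administrative Properties record the way the table and note above describe, handling both direct values and the <name = ...> variable lookups, including the comma-joined and "ot|...|..." composites. The record layout (a "properties" list of {name, value} objects beside assetName and assetUuid) is an assumption inferred from the sample data, and the record itself is constructed.

```python
# Added example (not the add-on's code): fills OT Asset model fields from one ASM
# Administrative Properties record as the table above specifies. The record shape
# (a "properties" list of {name, value} objects beside assetName/assetUuid) is
# assumed from the sample data in the note; the record below is constructed.
SINGLE = {"asset_criticality": "Criticality", "asset_model": "AssetModel",
          "asset_type": "Asset Model Type", "asset_vendor": "Vendor", "bunit": "Division",
          "country": "Country", "description": "Asset Description", "ip": "IP Address",
          "owner": "Owner Organization", "serial": "Serial Number", "site_id": "Location",
          "zone": "Esp"}
JOINED = {"city": ["City", "State/Province"], "location": ["Room", "Rack", "Rack Position"]}


def property_values(record):
    """{name: value} for the variable-valued properties (<name = ...> in the table)."""
    return {p["name"]: p["value"] for p in record.get("properties", [])}


def to_ot_asset(record):
    """Direct values copy straight across; variable values are looked up by name."""
    props = property_values(record)
    asset = {"asset_id": record["assetUuid"], "asset_system": record["assetName"]}
    for field, name in SINGLE.items():
        asset[field] = props.get(name)              # None when the property is absent
    for field, names in JOINED.items():             # comma-separated composites
        parts = [props[n] for n in names if props.get(n)]
        asset[field] = ", ".join(parts) if parts else None
    asset["category"] = "ot|%s|%s" % (props.get("OS Type", ""), props.get("Asset Type", ""))
    return asset


RECORD = {  # constructed sample; the Location entry mirrors the note's sample data
    "assetName": "SiemensBMS2", "assetUuid": "PLACEHOLDER-UUID",
    "properties": [
        {"description": "By AOD import", "name": "Location",
         "updateDate": "2021-05-18T15:17:10.44Z", "value": "Science Bldg"},
        {"name": "Room", "value": "B-12"}, {"name": "Rack", "value": "R3"},
        {"name": "Rack Position", "value": "U7"}, {"name": "OS Type", "value": "Windows"},
        {"name": "Asset Type", "value": "BMS"}, {"name": "Criticality", "value": "High"},
        {"name": "City", "value": "Springfield"}]}
```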