Visualize Cisco Cyber Vision data with Splunk

Cisco Cyber Vision extends security operations centers to the OT domain. This extension helps you unify security across IT and OT, which protects your enterprise network more effectively. Splunk consolidates event logs across both IT and OT and can function as a Security Information and Event Management (SIEM) platform.

Cisco solutions such as Cyber Vision, Secure Equipment Access, Secure Firewalls, and Identity Services Engine can share data with Splunk. Non-Cisco products can also integrate and share data. Splunk provides a unified view across all domains. It can also correlate events to better detect advanced threats.

Splunk's Security Orchestration, Automation and Response (SOAR) engine lets you build sophisticated automation to remediate threats. Integrate Cyber Vision with Splunk for real-time views of large data sets to better detect and respond to threats and vulnerabilities.

Benefits

Real-time monitoring of data at scale

Splunk processes and analyzes large volumes of data in real time. When integrated with Cyber Vision, Splunk can display OT and IT security, event, and syslog data in near real time.

Custom dashboards

You can create custom dashboards for Cyber Vision in Splunk to focus on specific Cyber Vision data, such as Cyber Vision Center Overview, Operational & Security Insights, and syslog overviews.

Integration with Cisco solutions

Splunk supports integrations with many Cisco solutions. This capability reduces setup complexity and allows you to work with data in a manner that suits your requirements.

Cyber Vision apps in Splunk

To enable data transfer between Cyber Vision and Splunk, install and configure the Cisco Cyber Vision Splunk Add-On and the Cisco Cyber Vision Splunk App in your Splunk Enterprise portal.

For general information about finding and installing Splunk apps and add-ons, see the official Splunk documentation for where to get more apps and add-ons.

Cisco Cyber Vision Splunk Add-On

The Cyber Vision Splunk Add-On app allows Splunk to receive data from Cisco Cyber Vision using Cisco Cyber Vision RESTful APIs. The add-on:

  • Receives data related to devices, vulnerabilities, activities, and events from Cyber Vision.
  • Transforms the received Cyber Vision data into a format that the Cyber Vision Splunk App can use. The data can also be used with other Splunk products such as Asset and Risk Intelligence and Enterprise Security.

Cisco Cyber Vision Splunk App

The Cisco Cyber Vision Splunk App delivers six custom dashboards that allow you to focus on data that matters most to your organizational role and typical requirements.

Dashboard name                   Use the dashboard to view
Global Overview                  Provides an overview across all Cyber Vision centers.
Cyber Vision Center Overview     Center device, vulnerability, and event overview.
Operational & Security Insights  All operational and security data being collected.
Assets Summary                   Asset data being collected and correlated across the environment.
Vulnerabilities Overview         Overview of all detected vulnerabilities.
Syslog Overview                  Syslog security and operational events.

Prerequisites

Licensing requirements

System              Minimum license required
Cisco Cyber Vision  Advantage
Splunk              Ingest license

Data volumes for your network determine the Splunk Ingest license you need.

System requirements

System                          Minimum supported version
Cisco Cyber Vision              5.3.0
Splunk                          9.4.x
Splunk Cisco Cyber Vision Apps  2.2.0

Port requirements

If your deployment includes firewalls, you must allow the following ports. Define the ports in the relevant configurations on both the Splunk and Cyber Vision Center systems.

Port                                           Communication requirement
TCP 443                                        API communications between Splunk and Cyber Vision Center, initiated by Splunk.
TCP, TCP+TLS, or UDP (no recommended port)     Syslog communications from Cyber Vision Center to Splunk.

Getting started

For instructions on installing Splunk Enterprise on Linux, macOS or Windows systems, see the official Splunk documentation.

Set up HTTPS access

Enable HTTPS encryption for Splunk Web before you configure the Cyber Vision integration. For the Splunk Web procedure and certificate guidance, see the official Splunk documentation for turning on HTTPS encryption for Splunk Web.


Step 1

Follow the Splunk Web HTTPS procedure in the official Splunk documentation.

Step 2

After Splunk Web restarts, access Splunk Web using an HTTPS URL.


Install Cyber Vision apps

Use the Splunk app installation workflow to install the Cisco Cyber Vision Splunk App and Cisco Cyber Vision Splunk Add-On from Splunkbase. For general app installation guidance, see the official Splunk documentation for where to get more apps and add-ons.


Step 1

From the Splunk Enterprise main menu, choose Apps.

Step 2

Click Find more apps.

Step 3

In the search field, enter Cisco Cyber Vision.

Step 4

To download the Cisco Cyber Vision Splunk App and Cisco Cyber Vision Splunk Add-On apps, click Install on the relevant selections.

Step 5

For each app, follow the instructions displayed on the screen. You must validate your Splunk credentials and complete the installations.


The Apps left pane displays the apps when the installations are successful.

Create a new index

After you install the Cisco Cyber Vision apps, create the vulnerability summary index in Splunk Enterprise. For general index creation and storage options, see the official Splunk documentation for creating custom indexes.


Step 1

From the Splunk Enterprise main menu, choose Settings > Indexes.

Step 2

Click New Index.

Step 3

On the New Index page, provide the following details:

  • Index Name: Enter summary_cv_vulnerabilities.
  • Index type: Select Events.
  • Max size of entire index: Enter 50 GB.
  • App: Select Cisco Cyber Vision Add-on for Splunk.

Step 4

Click Save.


The summary_cv_vulnerabilities index is created.

Configure data share between Cyber Vision and Splunk

Connecting Cyber Vision Center and Splunk involves these steps:

  • Generate an API token in Cyber Vision Center.
  • Configure a certificate verification method for the Cyber Vision and Splunk connection.
  • Add an account to the Cisco Cyber Vision Splunk Add-On.
  • Add input methods for the account.

Generate an API token in Cyber Vision Center


Step 1

In Cyber Vision Center, choose Admin > API > Token.

Step 2

To create an API token:

  1. Enter a name for the token.

  2. Click the Status toggle to set the token to the enabled state.

  3. (Optional) Set an expiry date for the token.

  4. Click Create.

Step 3

In the Token list, click the copy-to-clipboard icon next to the newly added API token to view or copy the token.


Disable certificate verification for app

You can choose to connect Cyber Vision Center with Splunk without a certificate validation step. This method is intended for non-production environments such as test or proof-of-concept networks, because Splunk then accepts any certificate the Center presents.

Before you begin, note the following requirements:

  • Use the Splunk command line tool to disable certificate verification.
  • Splunk stores installed apps in the /opt/splunk/etc/apps directory.
  • To edit the necessary files, you need sudo or root access to the directory.

Step 1

Using the Splunk CLI tool, access Cisco Cyber Vision app files.

Example:

root@splunk:~# cd /opt/splunk/etc/apps/TA-cisco_cybervision/bin/

Step 2

Edit the TA_cisco_cybervision_utils.py file.

Example:

root@splunk:/opt/splunk/etc/apps/TA-cisco_cybervision/bin# vi TA_cisco_cybervision_utils.py

Step 3

Change VERIFY_SSL = True to VERIFY_SSL = False.

Step 4

Save the changes to the Python file, then exit the directory.


Use self-signed certificates from Cyber Vision Center


Step 1

In a web browser, enter https://<Center IP address>/ca.pem

Step 2

Copy the contents of the certificate for use in the Splunk account creation task.


Add Account to Cisco Cyber Vision Splunk Add-On

Before you begin

In this task, you must choose a certificate verification method: either disable verification in the add-on, or use the certificate you copied from the Cyber Vision Center.


Step 1

From the Apps menu, choose Cisco Cyber Vision Splunk Add-On.

Step 2

Select Configuration.

Step 3

Click Add.

Step 4

To add an account:

  1. Enter a unique name for the account.

  2. Enter the Cyber Vision Center FQDN.

  3. Enter the API token you generated in the Generate an API token in Cyber Vision Center task.

  4. To use certificate verification, check the Use Custom CA Certificate check box.

  5. In the Custom CA certificate text field, enter the contents of the Center’s self-signed or CA-signed certificate.

  6. Click Add.

The Cyber Vision Center is listed in the Account section of the Configuration page.

If you encounter certificate verification errors, check that DNS resolution is configured correctly in Splunk, so that the Center FQDN you entered resolves and matches the certificate.

Add an input to Splunk

Add an input type to Splunk to specify the data to import from Cisco Cyber Vision. You can configure these input types:
  • Cyber Vision Events
  • Cyber Vision Devices
  • Cyber Vision Flows
  • Cyber Vision Activities
  • Cyber Vision Sensors

Repeat this task for each input type you want to configure.


Step 1

From the Apps menu, choose Cisco Cyber Vision Splunk Add-On.

Step 2

Click the Inputs tab.

Step 3

From the Create New Input drop-down list, choose the input type you want to configure and enter the following details:

  1. Enter a name for the input type.

  2. Enter an interval in seconds for input retrieval.

    Start with a long interval that spans several hours. Update the interval value when deployment activity changes or when your requirements change.

    Use these recommended intervals for input retrieval:

    • Events: 900 seconds
    • Devices: 14400 seconds
    • Flows: 14400 seconds
    • Activities: 14400 seconds
    • Sensors: 900 seconds
  3. Enter an index value to specify a repository location. The Splunk Search feature uses the index value for efficient search and retrieval.

  4. In the Global Account field, choose the Center from which to gather inputs.

  5. Enter a start date. The start date only applies to the first time information is retrieved from the connected Cyber Vision Center.

    For subsequent data pulls, the start date is not used. Only new data from the configured interval is retrieved.


The input type is configured in Splunk.

Run saved searches and set up schedules

Saved searches are part of the Cisco Cyber Vision Splunk Add-On. They run periodically and summarize complex raw data so the app can search the simplified summary data faster.

For general saved search scheduling options, see the official Splunk documentation for scheduling reports.


Step 1

From the Splunk Enterprise main menu, choose Settings, then click Searches, Reports, and Alerts.

Step 2

In the App field, select Cisco Cyber Vision Add-on for Splunk (TA-cisco_cybervision).

Step 3

In the Owner field, select All.

Step 4

For the Generate CV Asset Lookup for OT Security Add-on search, open the schedule settings.

Step 5

Use a cron schedule with the Cron Expression value set to 0 */4 * * *.

This interval runs the search every 4 hours, or every 14400 seconds.

Step 6

Save the schedule, then run the Generate CV Asset Lookup for OT Security Add-on search.

Step 7

If Splunk prompts you to confirm the query, click Run Query Anyway.


What's next

Repeat the schedule and run actions for the Populate CV Vulnerabilities Summary Index search.

Add syslog data source in Splunk

Use the Splunk network input workflow to add the syslog data source. For general TCP and UDP input guidance, see the official Splunk documentation for getting data from TCP and UDP ports.


Step 1

From the Splunk main menu, choose Settings > Data > Data inputs.

Step 2

From the Local inputs section, select the protocol you want to use, and click Add new.

Step 3

Enter a port number. You must use the same port number in the syslog configurations in Splunk and in Cisco Cyber Vision Center.

Step 4

Click Next at the top of the page.

Step 5

Configure the input settings:

  1. From the Source type drop-down list, choose cisco:cybervision:syslog.

  2. From the App context drop-down list, choose Cisco Cyber Vision Splunk Add-On.

  3. In the Host field, choose IP.

  4. In the Index field, choose Default.

  5. Click Review.

Step 6

To add the data input method, click Submit.


Do not enable both the Events input and the syslog data source for a single Cyber Vision Center. The same information is collected from both sources, so enabling both produces duplicate events.

Define Syslog port using Splunk CLI

If you prefer to configure the syslog port for Splunk using CLI, carry out the steps of this task. Alternatively, use the Port field in the Add syslog data source in Splunk task to define the syslog port.

For general network input configuration guidance, see the official Splunk documentation for getting data from TCP and UDP ports.


Step 1

Log into the Splunk command line tool.

Step 2

Access the inputs configuration file. An example of a typical inputs file path is <splunk-home>/etc/system/local/inputs.conf.

Step 3

Add the port configuration details to the configuration file. Here is an example of a TCP+TLS port configuration.


Example

[tcp-ssl:6514]
# Listen for syslog over TLS on TCP 6514; use the same port in Cyber Vision Center.
disabled = false
# Server certificate presented by the listener and the CA chain used for the TLS session.
serverCert = /opt/splunk/etc/certs/<cert-file-name>.pem
sslRootCAPath = /opt/splunk/etc/certs/ca.pem
sslPassword = <passphrase of the private key in the server certificate file>
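As an added check that is not part of the Cisco or Splunk documentation, the following Python audits the network input stanzas of an inputs.conf like the one above: it flags plaintext tcp/udp syslog listeners and tcp-ssl stanzas whose TLS keys are missing or still contain <...> placeholders. The sample configuration is constructed for the example.

```python
# Added example (not Cisco or Splunk code): audit the network input stanzas of a
# Splunk inputs.conf for the syslog listener described above, flagging plaintext
# syslog listeners and tcp-ssl stanzas with missing TLS keys or placeholders.
import configparser
import re

# Constructed sample: the TCP+TLS stanza on this page plus a plain UDP listener.
SAMPLE_INPUTS_CONF = """
[tcp-ssl:6514]
disabled = false
serverCert = /opt/splunk/etc/certs/<cert-file-name>.pem
sslRootCAPath = /opt/splunk/etc/certs/ca.pem
sslPassword = <passphrase of the server key>

[udp:514]
disabled = false
sourcetype = cisco:cybervision:syslog
"""

REQUIRED_TLS_KEYS = ("serverCert", "sslRootCAPath")
PLACEHOLDER = re.compile(r"<[^>]*>")  # unfilled <...> value from a template

def audit_inputs(conf_text):
    """Return {stanza: [findings]} for every tcp, udp and tcp-ssl stanza."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep Splunk's camelCase keys as written
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        transport, _, port = stanza.partition(":")
        if transport not in ("tcp", "udp", "tcp-ssl"):
            continue
        issues = []
        if parser.get(stanza, "disabled", fallback="false").lower() == "true":
            issues.append("listener is disabled")
        if transport != "tcp-ssl":
            issues.append("syslog on %s/%s is unencrypted" % (transport, port))
        else:
            for key in REQUIRED_TLS_KEYS + ("sslPassword",):
                value = parser.get(stanza, key, fallback=None)
                if value is None and key in REQUIRED_TLS_KEYS:
                    issues.append("missing %s" % key)
                elif value is not None and PLACEHOLDER.search(value):
                    issues.append("%s still holds a placeholder" % key)
        findings[stanza] = issues
    return findings

if __name__ == "__main__":
    for stanza, issues in audit_inputs(SAMPLE_INPUTS_CONF).items():
        print(stanza, "->", issues or ["ok"])
```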

Add syslog configuration in Cyber Vision Center


Step 1

From the Cyber Vision Center main menu, choose Admin > System.

Step 2

In the Syslog Configuration area, click Configure.

Step 3

In the Protocol and Port fields, enter the same values that you used in the Splunk syslog configuration.

Step 4

In the Host field, enter the address of the Splunk instance to connect to.

Step 5

Select a CEF syslog format to apply.

Step 6

Click Save Configuration.
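Added example, not Cisco or Splunk code: a parser for the CEF-formatted syslog lines the Center sends once a CEF format is selected, as the cisco:cybervision:syslog input receives them. The sample lines, including the vendor and product strings, signature IDs and extension keys, are constructed assumptions rather than real Center output; the parser follows the standard CEF header and extension escaping rules.

```python
# Added example (not Cisco or Splunk code): parse the CEF syslog lines the Center
# emits once a CEF format is selected, as Splunk's cisco:cybervision:syslog sees them.
import re

# Constructed sample lines: vendor/product strings, signature IDs and
# extension keys are assumptions for illustration, not real Center output.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:00 center CEF:0|Cisco|Cyber Vision|5.3.0|1001|"
    "New device detected|3|src=10.0.0.5 msg=PLC detected by sensor\\=S1",
    "<132>Jan 10 12:05:00 center CEF:0|Cisco|Cyber Vision|5.3.0|2002|"
    "Activity Modbus \\| S7 write|8|dhost=plc-01 cs1=C:\\\\data msg=Write",
]
_EXT_ESCAPES = {"n": "\n", "r": "\r"}

def _split_header(text, nfields=7):
    """Split on unescaped '|' (\\| and \\\\ are escapes); keep the extension raw."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < nfields:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < nfields:
        raise ValueError("truncated CEF header: %r" % text)
    return fields, text[i:]

def _unescape_ext(value):
    # Extension values escape '=' and '\' with a backslash; \n and \r are line breaks.
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Return syslog prefix, the seven CEF header fields and every extension key."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    header, ext = _split_header(line[start + 4:])
    names = ("cef_version", "vendor", "product", "device_version",
             "signature_id", "name", "severity")
    event = dict(zip(names, header))
    event["syslog_prefix"] = line[:start].strip()
    # A key is a word directly followed by '='; an escaped '\=' cannot match
    # because the character before that '=' is a backslash, not a word char.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for k, m in enumerate(keys):
        end = keys[k + 1].start() if k + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return event
```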


Cyber Vision dashboards and source APIs

If the Cisco Cyber Vision Splunk Add-On app is configured correctly, it retrieves inputs from connected Cyber Vision centers. The gathered data is displayed in Cisco Cyber Vision App for Splunk dashboards.

To view the dashboards, from the Apps menu, choose Cisco Cyber Vision App for Splunk.

Dashboards and the APIs that fetch the required data
Dashboard                        Input used (API)
Global Overview                  Devices, Sensors
Cyber Vision Center Overview     Devices, Events, Sensors
Operational & Security Insights  Events
Assets Summary                   Activities, Devices, Flows
Vulnerabilities Overview         Devices
Syslog Overview                  Syslog