Skip to content

This app provide assistance in yearly compliance to the Data Security and Protection Toolkit (DSPT)

License

Notifications You must be signed in to change notification settings

splunk/splunk-app-for-dspt-compliance

Repository files navigation

Splunk App for DSPT Compliance

This app has been created to assist in yearly compliance to the Data Security and Protection Toolkit (DSPT). The DSPT Audit applies.

Features

  • Recurrent retrieval of cyber alerts from feeds to enrich data analysis

  • Dashboards to ease compliance with the DSPT for audit purposes:

    Dashboard Name Description
    Overview General overview of monitored data
    Administrator Audit admisitrator activity required for DSPT
    User Audit user activity required for DSPT
    Host Audit hosts required for DSPT
    Malware Audit malware activity required for DSPT
    Network Audit & Monitor network activity
    VPN Audit & monitor vpn activity
    Cyber Alerts Cyber Alerts details
    Evidence Questionnaire Enables users to fill in the evidence questionnaire

Getting Started

Requirements

  1. Authentication
  2. Change
  3. Endpoint
  4. Intrusion Detection
  5. Malware
  6. Network Sessions
  7. Network Traffic
  8. Web

Data required to fully utilise this app:

  • Active Directory
  • Edge Firewalls
  • Windows Event Logs
  • Windows Update Logs
  • Windows Host Mon (OS Stanza)
  • Anti Virus Logs
  • VPN Logs

Installation

Please refer to the Splunk Documentation for guidance on installing the Add-On in your environment. The app needs to be installed on the SH tier.

Configure Cyber Alerts Indexing

By default the app comes with a pre-configured and disabled input named main, that will daily fetch cyber alerts via NHS REST API and store them in the default index.

For customizations or additional feeds, from your Splunk instance Web Interface:

  • Browse to Settings / Data Inputs
  • Select Splunk App for DSPT Compliance and provide the following info:
    • Name of the input
    • REST API endpoint to fetch cyber alerts
    • Enable Checkpoint - to align with your events duplication policy
    • (Optional) More settings - to specify host, interval, index and sourcetype

Dear admins, please first enable the input, if you decide to store cyber alerts in another index, please make sure you update the macro default_index with Definition such as index=<YOUR_INDEX>

Usage

Once installed, from your Splunk instance Web Interface, select the app DSPT Compliance and navigate through the dashboards to verify content.

The app aims to assist in DSPT asertions where IT staff are asked to regularly review certain activity types or provide evidence against ascertions. Where a monitoring requirement is required the dashboards found within the 'Audit" drop down can be used. Where Evidence is required, reports can be found to faciilitate the capture of required information.

Troubleshooting

Useful SPL searches to:

  • Verify Cyber Alerts indexing index=_internal nhs_cyberalerts.py
  • Verify the index has been populated with Cyber Alerts index=main

    Please replace main with the index specified in the configuration and make sure the time range is set on All time

Contributing

If you would like to contribute to this app, see CONTRIBUTING.

References

Credits

App has been developed by Kevin Pyart, Senior Splunk SE (UK Public Sector)

For Support please contact kpyart@splunk.com

License

https://www.apache.org/licenses/LICENSE-2.0.txt

License Copyright 2021 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.