Splunk App for Secure State

This content has moved and will no longer be updated. Please go to https://docs.vmware.com/en/CloudHealth-Secure-State/ for the latest version. See the latest What's New for more details about the move.

Last updated on November 11, 2021

General Overview

Splunk App for Secure State combines the power of CloudHealth Secure State's revolutionary interconnected cloud security model with Splunk's comprehensive analytics and reporting engine, giving information security teams deep insight into their cloud security and compliance posture. Through this app, security and compliance analysts and managers can visualize the timeline and distribution of vulnerabilities across accounts, cloud providers, services, and so on; create customized dashboards and PDF reports for security posture management and follow-ups; and integrate important insights from VMware tools across the stack.

Setup

Overview

You can install the Splunk App for Secure State by downloading it from the application page on Splunkbase or by installing it from within Splunk. There are a few prerequisites for setting up the Splunk App for Secure State:

  • CloudHealth Secure State API access token

  • Python 3.x

  • Pip (Python package manager)

  • Python Requests library

Setup Instructions

  1. After installation, ensure that the Secure State app appears in the list of apps and add-ons.

  2. Create a new index called "vss" with the default settings.

  3. In the _json source type, set the timestamp field to "creationTime": open the advanced section of the _json source type and enter creationTime as the value of the "Timestamp fields" setting.

  4. (Optional) Find the csp-token.txt file in the vss-splunk-app/bin folder and paste your CSP token into it.

  5. Run vss4.py to generate the findings, rules, and compliance data:

    1. If you placed your token in the csp-token.txt file, use the command: python vss4.py

    2. Or run the script providing your CSP token inline: python vss4.py -t TOKEN_VALUE

    3. If you see any errors, make sure you have all the prerequisites listed above.

  6. Verify that new JSON files have been created in the vss-splunk-app/bin/data folder.

  7. Open the VSS Splunk app; its dashboards should now display your security data.
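As an added example (not code from the Splunk App for Secure State or VMware's documentation), a POSIX shell wrapper for steps 4 to 6: it refuses a world-readable csp-token.txt, runs vss4.py with either the file token or an inline one, and checks that new JSON files landed in bin/data. The function names, the bin/ and bin/data/ layout, and a python3 interpreter with the Requests library installed are assumptions.

```shell
#!/bin/sh
# Added wrapper for setup steps 4-6 (not part of the Splunk App for Secure State).
# Assumed layout, as on the page: vss-splunk-app/bin/vss4.py, bin/csp-token.txt
# and bin/data/ for the generated JSON. "python3" is assumed to be the Python 3.x
# interpreter with the requests library installed.

# Step 4 helper: print the token to use. An inline value ($1) wins; otherwise
# read csp-token.txt from the bin directory ($2), refusing a file that other
# users can read, since it holds an API access token for your cloud accounts.
vss_resolve_token() {
    inline="$1"; bindir="$2"; tokfile="$bindir/csp-token.txt"
    if [ -n "$inline" ]; then
        printf '%s\n' "$inline"; return 0
    fi
    [ -f "$tokfile" ] || { echo "no token given and $tokfile is missing" >&2; return 1; }
    if find "$tokfile" -perm -o=r | grep -q .; then
        echo "$tokfile is world-readable; fix with: chmod 600 $tokfile" >&2; return 1
    fi
    tr -d '[:space:]' < "$tokfile"; echo
}

# Step 6 check: at least one .json file in the data directory ($1) that is
# newer than a marker file ($2) created before vss4.py ran.
vss_check_output() {
    find "$1" -maxdepth 1 -name '*.json' -newer "$2" 2>/dev/null | grep -q .
}

# Steps 4-6 end to end: prerequisites, token, run vss4.py, verify its output.
# The token is only passed on the command line (-t) when given inline; in the
# file case vss4.py reads csp-token.txt itself, keeping the token out of `ps`.
vss_run() {
    bindir="$1"; inline="${2:-}"
    command -v python3 >/dev/null 2>&1 || { echo "python3 not found" >&2; return 1; }
    python3 -c 'import requests' 2>/dev/null \
        || { echo "requests library missing (pip install requests)" >&2; return 1; }
    vss_resolve_token "$inline" "$bindir" >/dev/null || return 1
    marker=$(mktemp) || return 1
    if [ -n "$inline" ]; then
        (cd "$bindir" && python3 vss4.py -t "$inline")
    else
        (cd "$bindir" && python3 vss4.py)
    fi || { rm -f "$marker"; return 1; }
    if vss_check_output "$bindir/data" "$marker"; then rc=0; else rc=1; fi
    rm -f "$marker"
    return $rc
}
```

Run it as `vss_run /path/to/vss-splunk-app/bin` (file token) or `vss_run /path/to/vss-splunk-app/bin TOKEN_VALUE` (inline token); a non-zero exit means a prerequisite, the token file, or the output check failed.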

For any assistance or questions, please send an email to: vss-splunk@vmware.com

Dashboards

A set of customizable dashboards is provided in the Splunk App for Secure State so that users can gain insight into their cloud environment's security and compliance posture.

The Violations Overview dashboard presents violations broken down by service, region, severity, status, cloud account, and so on, combined with filters for time range, service, severity, and similar attributes. Information security teams use it to understand and prioritize their vulnerabilities.

The Rules Overview dashboard provides details of the rules configured in Secure State, whether custom or native. Rule name, details, and Knowledge Base links are available along with other metadata to better understand the impact of a rule violation.

The Compliance Overview dashboard describes the compliance frameworks and controls covered through Secure State. Governance, Risk and Compliance teams use this view for reporting on their cloud environment's compliance.

All dashboards support export as PDF and drill-downs to explore the raw Secure State data.

Conclusion

Splunk App for Secure State provides comprehensive analytics and reporting capabilities on cloud configuration vulnerabilities to information security, SOC, and compliance management teams.