Last updated on November 11, 2021
Splunk App for Secure State combines CloudHealth Secure State's interconnected cloud security model with Splunk's analytics and reporting engine, giving information security teams insight into their cloud security and compliance posture. Through this app, security and compliance analysts and managers can visualize the timeline and distribution of violations (misconfiguration findings) across accounts, cloud providers, services and other dimensions, create customized dashboards and PDF reports for security posture management and follow-ups, and combine these findings with data from other VMware tools across the stack.
You can install the Splunk App for Secure State by downloading it from the application page on Splunkbase or by installing it from within Splunk. There are a few prerequisites for setting up the Splunk App for Secure State:
A CloudHealth Secure State API access token (a VMware Cloud Services Platform token; the steps below refer to it as the CSP token)
Python 3.x
Pip (Python package manager)
The Python Requests library
After installation, ensure that the Secure State app appears in the list of apps and add-ons.
Create a new index called "vss" with the default settings.
In the _json source type, set the timestamp field to creationTime: open the advanced section of the _json source type and enter creationTime as the value of "Timestamp fields" (the TIMESTAMP_FIELDS setting in props.conf). Without this, Splunk falls back to another timestamp, typically the time of ingestion, and the time-based views on the dashboards no longer reflect when each violation was created.
(Optional) Find the csp-token.txt file in the vss-splunk-app/bin folder and paste your CSP token into it. The token is stored in plain text, so restrict the file to the user that runs the script (for example, permissions 600 on Linux) and keep it out of version control.
Run the vss4.py script to generate the findings, rules, and compliance data.
If you placed your token in the csp-token.txt file, use the command:
python vss4.py
Otherwise, run the script with your CSP token inline:
python vss4.py -t TOKEN_VALUE
If you see any errors, check that all the prerequisites listed above are installed and that the CSP token you supplied is correct.
Verify that new json files are created in the vss-splunk-app/bin/data folder.
Go to the VSS Splunk app dashboard, and you should see all the dashboards displaying your security data now.
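Two things are worth verifying after the steps above: that the token file is not readable by other local users, and that the generated data files actually carry a creationTime value Splunk can parse, since that is the field the _json source type was pointed at. The following Python script is an added example, not part of the app or of vss4.py. It loads the CSP token the way vss4.py accepts it (inline or from csp-token.txt), refuses a token file that other users can read, and then scans a data folder for JSON records without a usable creationTime. The record layout (JSON arrays or newline-delimited objects, creationTime as ISO-8601 text or epoch milliseconds) and the sample findings it writes are assumptions constructed for the example, not real Secure State output.

```python
"""Post-install checks for the Splunk App for Secure State data folder.

Added example, not the app's own code. Assumptions (not taken from the page):
- data files in bin/data are JSON arrays or newline-delimited JSON objects
- creationTime is ISO-8601 text or epoch milliseconds
"""
import json
import stat
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterator, Optional


def load_csp_token(token_file: Path, inline_token: Optional[str] = None) -> str:
    """Return the CSP token, preferring an inline value (like `-t TOKEN_VALUE`).

    The token is a long-lived bearer credential stored in plain text, so refuse
    a token file whose group/other permission bits are set (POSIX semantics).
    """
    if inline_token:
        return inline_token.strip()
    mode = token_file.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{token_file} is readable by other users; chmod 600 it")
    token = token_file.read_text(encoding="utf-8").strip()
    if not token:
        raise ValueError(f"{token_file} is empty")
    return token


def iter_records(path: Path) -> Iterator[dict]:
    """Yield objects from a JSON-array file or an NDJSON file (assumed layouts)."""
    text = path.read_text(encoding="utf-8").strip()
    if not text:
        return
    if text.startswith("["):
        for obj in json.loads(text):
            yield obj
        return
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def parse_creation_time(value) -> Optional[datetime]:
    """Accept epoch milliseconds or ISO-8601 text; return None when unparseable."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if isinstance(value, str):
        try:
            return datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            return None
    return None


def check_data_folder(data_dir: Path, field: str = "creationTime") -> dict:
    """Count records whose timestamp field Splunk could extract, per data folder.

    Returns files/records seen, records missing the field, records whose value
    does not parse, and the (earliest, latest) ISO-8601 span of the good ones.
    """
    summary = {"files": 0, "records": 0, "missing_timestamp": 0,
               "bad_timestamp": 0, "span": None}
    earliest = latest = None
    for path in sorted(data_dir.glob("*.json")):
        summary["files"] += 1
        for rec in iter_records(path):
            summary["records"] += 1
            if field not in rec:
                summary["missing_timestamp"] += 1  # Splunk would fall back to another time
                continue
            ts = parse_creation_time(rec[field])
            if ts is None:
                summary["bad_timestamp"] += 1
                continue
            earliest = ts if earliest is None or ts < earliest else earliest
            latest = ts if latest is None or ts > latest else latest
    if earliest is not None:
        summary["span"] = (earliest.isoformat(), latest.isoformat())
    return summary


def build_sample(data_dir: Path) -> None:
    """Write constructed sample files shaped like findings/rules exports (not real data)."""
    findings = [
        {"id": "f-1", "ruleName": "S3 bucket allows public read", "severity": "High",
         "creationTime": "2021-11-01T10:15:00Z"},
        {"id": "f-2", "ruleName": "Security group open on port 22", "severity": "High",
         "creationTime": 1636000000000},                      # epoch milliseconds
        {"id": "f-3", "ruleName": "EBS volume unencrypted", "severity": "Medium"},  # no creationTime
        {"id": "f-4", "ruleName": "Broken record", "creationTime": "yesterday"},    # unparseable
    ]
    (data_dir / "findings.json").write_text(json.dumps(findings), encoding="utf-8")
    rules = [{"id": "r-1", "name": "S3 bucket allows public read",
              "creationTime": "2021-10-20T08:00:00+00:00"}]
    (data_dir / "rules.json").write_text(
        "\n".join(json.dumps(r) for r in rules) + "\n", encoding="utf-8")


if __name__ == "__main__":
    import tempfile
    workdir = Path(tempfile.mkdtemp(prefix="vss-check-"))
    build_sample(workdir)
    print(json.dumps(check_data_folder(workdir), indent=2))
```

Point check_data_folder at vss-splunk-app/bin/data after running vss4.py; any non-zero missing_timestamp or bad_timestamp count means those records will not land on the timeline at the time the violation was created.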
For any assistance or questions, please send an email to: vss-splunk@vmware.com
The Splunk App for Secure State provides a set of customizable dashboards that give users insight into their cloud environment's security and compliance posture. All dashboards support export as PDF and drill-downs to explore the raw Secure State data.
The Violations Overview dashboard presents violations broken down by service, region, severity, status, cloud account and similar dimensions, combined with filters for time range, service, severity and so on. Information security teams use it to understand and prioritize their violations.
The Rules Overview dashboard provides details of the rules configured in Secure State, whether custom or native. The rule name, details and Knowledge Base links are available along with other metadata to help understand the impact of a rule violation.
The Compliance Overview dashboard describes the compliance frameworks and controls covered through Secure State. Governance, Risk and Compliance teams use this view for reporting on their cloud environment's compliance.
Splunk App for Secure State provides comprehensive analytics and reporting capabilities on cloud configuration vulnerabilities to information security, SOC, and compliance management teams.