Integrating with Splunk is easy: all you need to do is follow the setup guide on our Integrations page.
How to get setup?
Our setup is essentially in two parts:
1. Install an add-on.
2. Then configure the behaviour events to be sent to CybSafe.
Install the add-on
First follow the steps to install the add-on so you can see the CybSafe App in Splunk.
All instructions can be found in the Splunk section on our Integrations page.
Configure your integration to send events to CybSafe
Use our pre-built connector, or map a specific piece of data to one of our security behaviours.
Using the pre-built connector
1. Create a search which isolates data from a supported data source (currently Management Activity data as obtained from the Splunk Add-On for Microsoft 365).
2. Create a new alert based on this search.
3. Add the custom trigger action "Forward MS 365 Management Event" to the alert.
4. Click "Save".
Reporting identified behaviour events
1. Identify the data of interest in a normal Splunk search.
2. Transform the data to extract:
   - A field user_email which contains the email address of the CybSafe user associated with the event.
   - A field timestamp which contains the time, in ISO 8601 format, at which the event occurred.
   Hint: the table and rename search commands are very useful.
3. Set up an alert based on this transformed search.
4. Add the custom trigger action "Report security behaviour event".
5. Click "Save".
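As an added example (this is not a search from the CybSafe page or the CybSafe app), the following Splunk search has the shape both procedures above ask for. Its first line on its own is the kind of search that isolates Microsoft 365 Management Activity data for the pre-built connector; the rest of the pipeline then produces exactly the two fields, user_email and timestamp, that the "Report security behaviour event" action needs. The sourcetype o365:management:activity and the UserId, Operation and ClientIP fields are assumed from the Microsoft 365 Management Activity schema as ingested by the Splunk Add-On for Microsoft 365, so check them against your own indexed data; PLACEHOLDER_OPERATION stands in for whichever operation you want to map to a behaviour.

```spl
sourcetype="o365:management:activity" Operation="PLACEHOLDER_OPERATION"
| rename UserId AS user_email
| eval user_email=lower(user_email)
| where like(user_email, "%@%")
| eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M:%S%z")
| table user_email timestamp Operation ClientIP
```

The rename takes care of the user_email field, and lower() keeps the address comparable to the one held in CybSafe. The where clause drops events whose UserId is not an email address (system and service-principal activity), which would otherwise be reported with no matching CybSafe user. strftime formats the event's indexed time as ISO 8601 with a numeric UTC offset, so the timestamp field is unambiguous whatever time zone your search head uses. Finally, table restricts the alert's result rows to the fields the trigger action needs plus two extra columns that make the alert easier to review in Splunk.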
Supported security behaviours
The following security behaviours can be mapped using the reporting identified behaviour events setup.
Security Behaviours
SB009 Reporting old accounts
SB010 Doesn't share passwords
SB013 Reporting security incidents
SB014 Asking for help
SB015 Completing security awareness training
SB022 Installs antivirus on all compatible devices
SB023 Enabling firewalls
SB032 Doesn't plug unknown devices into work devices
SB091 Does not forward work information to personal email addresses
SB150 Does not use a password that has been compromised in a data breach
SB151 Does not use weak passwords
SB152 Does not log in with shared credentials
SB153 Does not run a file from an unknown source
SB154 Does not visit unauthorised websites
SB155 Does not download content or material from unauthorised websites
SB156 Discloses credentials to a phishing site
SB158 Downloads a file from an unknown source
SB159 Does not click a phishing link
SB161 Reports a suspected phishing email
SB163 Does not open a phishing email
SB164 Does not open an attachment in a phishing email
SB167 Reports a suspected phishing message
SB169 Does not open an attachment in a message from an unknown source
SB173 Does not use work email addresses for non-work purposes
SB174 Does not log in from a device running out of date operating software
SB175 Does not log in from a rooted mobile device
SB178 Does not share a desktop device
SB182 Does not send sensitive information out of the business (email or otherwise)
SB184 Does not share a file containing confidential information
SB185 Does not post confidential information in a public messaging channel
SB186 Does not post PII in a public channel
SB187 Does not share a file containing PII
SB188 Does not share sensitive information with unauthorised recipients
SB192 Does not disable MFA
SB195 Completes policy attestation
SB196 Doesn't share documents or files containing malicious links
SB198 Does not use unapproved device for work purposes
SB203 Uses biometrics to access online account
SB204 Uses biometrics to access mobile device
SB209 Uses a stand-alone password manager application
SB210 Saves passwords or passphrases into a browser
Still have questions?
If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!