Additional Configuration Steps for CMMC Levels 3 and Above
Import types of training
Dashboards AT.3.058 and AT.4.59 include a panel for users to submit their training entries, including the type of training completed. Training types can be added to the KV Store collection training_types_collection.
Required fields:
- dashboard: enter dashboard ID (e.g. AT_3_058)
- activity_type: name of training type
- default_follow_up_date: enter number of days before training expires (e.g. 365 for annual training)
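The following added example (not part of the Splunk for CMMC app or its documentation) checks training-type records against the required fields above before they are written to training_types_collection, and builds the path and JSON body for Splunk's KV Store batch_save REST endpoint without sending anything. The app name placeholder, the dashboard ID pattern, storing the day count as an integer, and the sample rows are assumptions.

```python
import csv
import json
import re

REQUIRED = ("dashboard", "activity_type", "default_follow_up_date")  # field names from the page
DASHBOARD_ID = re.compile(r"^[A-Z]{2}_\d_\d{2,3}$")  # assumed shape, e.g. AT_3_058
APP = "<cmmc_app_name>"  # placeholder: the page does not name the app

# Constructed sample input, not real data.
SAMPLE_CSV = """dashboard,activity_type,default_follow_up_date
AT_3_058,Insider Threat Awareness,365
AT_3_058,,365
AT_4_59,Phishing Exercise,90
at.3.058,Role-Based Training,180
AT_3_058,Annual Security Refresher,yearly
"""

def validate(row):
    """Return a list of problems for one record (empty list means valid)."""
    problems = [f"missing {f}" for f in REQUIRED if not (row.get(f) or "").strip()]
    if problems:
        return problems
    if not DASHBOARD_ID.match(row["dashboard"].strip()):
        problems.append(f"dashboard ID {row['dashboard']!r} is not in AT_3_058 form")
    days = row["default_follow_up_date"].strip()
    if not re.fullmatch(r"[1-9][0-9]*", days):
        problems.append(f"default_follow_up_date {days!r} is not a positive day count")
    return problems

def build_batch(csv_text):
    """Split CSV rows into KV Store documents (day count as int, an assumption) and rejects."""
    docs, rejected = [], []
    for line_no, row in enumerate(csv.DictReader(csv_text.splitlines()), start=2):
        problems = validate(row)
        if problems:
            rejected.append((line_no, problems))
            continue
        doc = {f: row[f].strip() for f in REQUIRED}
        docs.append({**doc, "default_follow_up_date": int(doc["default_follow_up_date"])})
    return docs, rejected

def batch_save_request(docs):
    """URL path and JSON body for the KV Store batch_save endpoint."""
    path = f"/servicesNS/nobody/{APP}/storage/collections/data/training_types_collection/batch_save"
    return path, json.dumps(docs)

if __name__ == "__main__":
    docs, rejected = build_batch(SAMPLE_CSV)
    print(batch_save_request(docs), rejected)
```

Rejected rows are reported by CSV line number so they can be corrected before the batch is posted with an authenticated request to the search head's management port.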
Premium Security Product Data
Data from Splunk Security Suite products is assumed to be collected and available to the solution for reporting and analysis in a variety of controls. Depending on the desired use case, the individuals using the solution, the architecture, and the desired level of effort, different combinations of data and links to the relevant products may be appropriate. The following datasets of security products are used in the solution:
Enterprise Security (ES)
Datasets used:
- Notable Events
- Investigation Data
- Correlation Searches
Splunk for CMMC should be installed on the same search head as Enterprise Security to surface ES investigation metadata more easily. An alternative is to use the ES Mothership App to pull data from ES into a summary index.
SOAR (Phantom)
Datasets used:
- Containers
- Actions Playbooks
The datasets can be pulled via the Phantom App.
External Product link
External links to Splunk Premium apps (Enterprise Security, SOAR, and User Behavior Analytics (UBA)) can be added in the 'Practice Family Collection Setup' by clicking the 'Update' button on the dashboard you want to update, and adding a link under 'External Link'. Absolute links are supported (e.g. https://<splunk instance>/en-US/app/SplunkEnterpriseSecuritySuite/ess_investigation_list).