To let Q-Audit run in a multi-tenant environment or as a shared service across the enterprise, we've added the ability to define system boundaries and to filter dashboards and capabilities by those boundaries. This is implemented with Splunk's dynamic tagging mechanism, so a system boundary can be defined by any query you can write in Splunk: host names, IP addresses, asset identifiers, meta fields, or any combination of them. Because a boundary is only as accurate as the search that defines it, boundary definitions need to be revisited when hosts are renamed, re-addressed or added. Once system boundaries are defined, you can view and filter the ICS 500-27 event family dashboards by boundary. The feature is also integrated with role-based access control (RBAC): users can see only the systems for which they have been provisioned, while admins and super users can still view the entire enterprise.
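As an added illustration, not Q-Audit's own configuration (the post does not show it), here is what a query-defined system boundary and a matching role restriction look like in plain Splunk configuration, using an eventtype, a tag and a role search filter. Every name below (the eventtype, tag, roles, index, host patterns and address range) is a hypothetical placeholder.

```ini
# eventtypes.conf -- a boundary is just a search expression (hypothetical names)
# Anything you can express as a Splunk search can define the boundary:
# host names, IP ranges, asset IDs, meta fields, or a mix of them.
[qaudit_boundary_payroll]
search = index=winevents (host="pay-app-*" OR host="pay-db-*" OR src_ip="10.20.30.*")

# tags.conf -- attach a tag to every event the eventtype matches, so that
# dashboards can filter with a single term: tag=system_boundary_payroll
[eventtype=qaudit_boundary_payroll]
system_boundary_payroll = enabled

# authorize.conf -- a reviewer role that can only see that one boundary.
# srchFilter is applied server-side to every search the role runs, so the
# user cannot remove it by editing the search string in a dashboard.
[role_payroll_auditor]
importRoles = user
srchIndexesAllowed = winevents
srchIndexesDefault = winevents
srchFilter = tag=system_boundary_payroll

# authorize.conf -- an enterprise-wide reviewer role with no restriction
# (srchFilter = * is Splunk's "unrestricted" value)
[role_enterprise_auditor]
importRoles = user
srchIndexesAllowed = winevents
srchIndexesDefault = winevents
srchFilter = *
```

Two checks worth making before trusting a boundary like this: run the eventtype search on its own and confirm it returns exactly the hosts you expect (a wildcard such as `pay-*` will happily match a host that was never part of the system), and confirm that the restricted user holds no other role with `srchFilter = *`, since Splunk combines the search filters of a user's roles, which would widen what that user can see.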
To support audit review processes and workflows, we've added the ability to capture audit records for each event family. This lets reviewers document any unusual activity they observe and capture evidence that the audit review procedure was actually followed. Alongside this we added a new Audit Record Summary dashboard that gives an overview of audit review activity across the entire enterprise and/or specific systems: whether audit data for each event family is being reviewed within the time limits set by your organizational policy, which systems are being reviewed, who the most active auditors are, which event families are reviewed most often, and so on. Automation is critical, but most audit policies and requirements still call for human review, and this dashboard gives you the evidence that your operational procedures meet that requirement.
And finally, we've made some significant performance enhancements to the event family dashboards and risk scoring jobs. Being built on Splunk, Q-Audit inherits the performance and scalability of the Splunk platform, but these changes use a specific Splunk capability: running queries only against accelerated (pre-summarized) data rather than raw events. If you're ingesting terabytes of data a day, that can cut query times by orders of magnitude. The trade-off is that accelerated-only queries do not see events that have not yet been summarized, so for maximum flexibility we've added granular configuration options that let each organization choose, per event family, the balance between high-speed queries and real-time data.
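As an added example, not the product's own saved-search definitions (the post does not show them), here is the accelerated-only trade-off expressed in plain Splunk configuration: an accelerated data model, a scheduled search that reads only its summaries, and the same search allowed to fall back to raw events. The data model, dataset, field and search names are hypothetical placeholders.

```ini
# datamodels.conf -- accelerate the data model (hypothetical model name).
# Summaries are only built back to acceleration.earliest_time, so an
# accelerated-only search cannot see anything older than that.
[QAudit_Auth]
acceleration = 1
acceleration.earliest_time = -30d

# savedsearches.conf -- fast path: summariesonly=true reads the
# acceleration summaries and nothing else. Events that have not been
# summarized yet (typically the most recent minutes) are silently excluded.
[qaudit_logon_failures_accelerated]
search = | tstats summariesonly=true count from datamodel=QAudit_Auth.Authentication where Authentication.action="failure" by Authentication.src, Authentication.user, _time span=1h
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
cron_schedule = 5 * * * *
enableSched = 1

# savedsearches.conf -- complete path: summariesonly=false uses summaries
# where they exist and falls back to raw-event search for the rest.
# Slower on large indexes, but no gap at the leading edge.
[qaudit_logon_failures_complete]
search = | tstats summariesonly=false count from datamodel=QAudit_Auth.Authentication where Authentication.action="failure" by Authentication.src, Authentication.user, _time span=1h
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
cron_schedule = 5 * * * *
enableSched = 1
```

A quick way to measure what the fast path is costing you in coverage is to run both searches over the same time range and compare the counts in the most recent hour: the difference is exactly the data the accelerated-only dashboard would not show. If that gap matters for a given event family, that is the one to leave on the complete path, and the rest can stay on the fast path.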
For more details on any of these other features or to see a demo, please contact firstname.lastname@example.org.