
Video: Integrating 3rd Party Monitoring Tools with Industrial Defender

April 21, 2020

Learn how Industrial Defender integrates with 3rd party applications like Splunk in order to share ICS security data with more members of your security team.

Questions Answered in this Video

Why Integrate Industrial Defender with 3rd Party Apps?

By integrating Industrial Defender with monitoring and CMDB tools like Splunk, ServiceNow and IBM QRadar, you can give more members of your security team access to your ICS asset and security data. This is important for organizations that are trying to converge security monitoring for IT and OT assets into one pane of glass or one team.

How does ASM integrate with 3rd party apps?

ASM offers three ways to share data: a RESTful API, Syslog forwarding, and file-level integrations. These support a number of different integration configurations, for example sending Syslog data to Splunk, checking baselines from ServiceNow, or pulling a list of all of your assets into QRadar.

What types of advanced visualizations does the integration allow me to see?

In Splunk, for example, you can show security event data as a Pareto chart to monitor MAC and IP address changes, create a dashboard to show the number of removable media events in the last 24 hours, and also dial into the raw data for each event without leaving Splunk.
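As an added illustration (not Industrial Defender's or Splunk's code), the Python below computes the views described above, a Pareto ranking of event categories, a 24-hour removable-media count and a busiest-host tally, over constructed syslog-style lines; the line format, field names and hostnames are assumptions, not ASM's real Syslog output.

```python
"""Added example (not Industrial Defender code): compute the Splunk views the
page describes, a Pareto ranking of event categories, a 24-hour removable-media
count and the busiest host, over constructed syslog-style lines.
The line format below is an assumption, not ASM's real Syslog format."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines; timestamp, host and key=value fields are assumed.
SAMPLE_LOGS = """\
2020-04-20T08:15:00Z plc-hmi-01 category=removable_media action=usb_insert
2020-04-20T09:40:00Z plc-hmi-01 category=removable_media action=usb_remove
2020-04-20T11:02:00Z eng-ws-02 category=mac_ip_change old=10.0.0.5 new=10.0.0.9
2020-04-20T12:30:00Z eng-ws-02 category=ids_alert sig=non_standard_protocol
2020-04-20T13:05:00Z rtu-07 category=mac_ip_change old=10.0.1.2 new=10.0.1.3
2020-04-20T13:06:00Z rtu-07 category=mac_ip_change old=10.0.1.3 new=10.0.1.4
2020-04-18T07:00:00Z eng-ws-02 category=removable_media action=usb_insert
2020-04-20T14:00:00Z eng-ws-02 category=authentication result=failure
"""

def parse(line):
    """Split one constructed line into (timestamp, host, key/value fields)."""
    ts, host, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, fields

def events(text=SAMPLE_LOGS):
    return [parse(l) for l in text.splitlines() if l.strip()]

def pareto(evts):
    """Categories ranked by frequency with cumulative share (the Pareto chart)."""
    counts = Counter(f["category"] for _, _, f in evts)
    total = sum(counts.values())
    running, rows = 0, []
    for cat, n in counts.most_common():
        running += n
        rows.append((cat, n, round(running / total, 2)))
    return rows

def removable_media_last_24h(evts, now):
    """Count removable-media events in the 24 h before `now` (the dashboard tile)."""
    cutoff = now - timedelta(hours=24)
    return sum(1 for ts, _, f in evts
               if f["category"] == "removable_media" and cutoff <= ts <= now)

def busiest_host(evts):
    """Host with the most events, matching the 'by busiest host' view."""
    return Counter(h for _, h, _ in evts).most_common(1)[0]
```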

Video Transcript & Slides

Hi, this is Peter Lund, Director of Product Management here at Industrial Defender. I’d like to spend a few minutes today talking about how you can leverage the great data collection capabilities of Industrial Defender with your existing tools within your enterprise.
So, why integrate? Basically, the more teams that have access to your ICS security and asset data, the better. You need to know your assets and how they are changing — there is no shortage of cybersecurity standards and best practices out there that talk about it. I just pulled out the NIST CSF as a great standard to follow, and the first thing you see right in there is “understand your physical devices and your inventory”.
You might be trying to bridge the gap between the IT and the OT teams. You’ve got Industrial Defender collecting all your ICS security data, and you want to forward that off to somewhere or you want to share that with a different CMDB system. We’ll talk a bit about the ways you can do that within the Industrial Defender architecture.
If you take a look at how Industrial Defender was designed, we’re really designed to fit in within the ICS environment. The Purdue model essentially looks at all types of data collection. You might have our native agents running on systems that have operating systems, you might be doing agentless data collection. You might have passive monitoring within the Industrial Defender framework. All that feeds up to the Industrial Defender. So once you have this great repository of data with Industrial Defender, you can integrate that data quickly and easily a few different ways.
Out of Industrial Defender, we have a RESTful API to share data. You can forward security data via Syslog. We even have some basic file-level integrations that we’ve had some customers use as well. You might have that Syslog data flowing into Splunk. You might have ServiceNow calling the RESTful API looking at baseline changes or deviations. You might have QRadar reaching in to gather some assets and their properties to get to a central repository within the enterprise.
We’re going to do a quick demo to show what that would look like with sending Industrial Defender data to Splunk.
Ok, so you can see we switched over to an instance of Splunk here. If we take a look at the data summary and what we’re actually gathering from Industrial Defender, we’re actually looking at a few things. We’ve got our Syslog data feed coming out of Industrial Defender. That’s based on all the data we’re collecting, whether it be from an agent on an operating system, it might be a passive monitoring data feed that we have, it might be a Schweitzer relay gathering serial information. We’ve also got our RESTful API. This is where Splunk is gathering baseline deviations or exceptions and vulnerabilities out of Industrial Defender.
We’ll take a quick look at some of the data visualizations in Splunk here. If you take a look at these Pareto charts, we’ve got basically the event trends over time for this specific environment. We’ve been monitoring it since last March. We’ve got a number of spikes in events — some non-standard protocols being used. We see some MAC and IP address changes, and we’ve made some major network changes here at Industrial Defender back in March. You can kind of trend aggregate metric categories. We see some IDS alerts that have spiked over time. We can also visualize it in a pie chart, seeing authentication type events, agent status events, things happening in the audit logs, or we can start to look at that by busiest host. Just a couple of quick visualizations.
As with all of these charts in Splunk, you can drill through and look at that raw data. You can see it’s anything related to USB for this specific host name, and I just want to view those events. Now you can quickly drill in and see all the raw event data, where it’s coming from, and what that removable media looked like.
That wraps up our brief demo of using Industrial Defender with 3rd party tools, and in this case we highlighted a Splunk use case. If you’re looking for more info, feel free to reach out to us at info@industrialdefender.com. Thanks for listening.