Splunk enterprise security documentation
Use this Quick Start to automatically set up the following Splunk Enterprise environment on AWS:

  • A virtual private cloud (VPC) configured across two Availability Zones, with a public subnet provisioned in each Availability Zone.
  • An internet gateway to allow access from the internet to the public subnets.
  • Two Elastic Load Balancing (ELB) load balancers: one to load-balance HTTP web traffic to the search head instances, and the other to load-balance HTTP event traffic destined for the Splunk HTTP Event Collector (HEC) across all indexer instances.
  • An AWS Identity and Access Management (IAM) user with fine-grained permissions for access to AWS services necessary for the deployment process.
  • Appropriate security groups for each instance or function to restrict access to only necessary protocols and ports.
  • In the public subnets, EC2 instances for Splunk Enterprise, including the following:
      • Splunk indexer cluster with the number of indexers you specify (3-10), distributed across the number of Availability Zones you specify.
      • Splunk search heads, either stand-alone or in a cluster, based on your input during deployment. In the latter case, the search heads are distributed across the number of Availability Zones you specify.
      • Splunk license server and indexer cluster master, co-located.
      • Splunk search head deployer, where applicable.

About the AWS Security Hub to Splunk integration

The integration in this repository will send all findings in AWS Security Hub to Splunk for further analysis and correlation with relevant data sources (AWS CloudTrail, AWS CloudWatch, AWS Config, custom/on-prem data, etc.). Using automation provided by Project Trumpet, AWS Security Hub events are sent from AWS CloudWatch Events through an AWS Kinesis Data Firehose to a Splunk HTTP Event Collector. This is a much simpler path for "Getting Data In" than the older method of polling the AWS Security Hub API.

Setting up the AWS Security Hub to Splunk integration

There are two parts to setting up the AWS Security Hub to Splunk integration.

Part 1: Follow the Trumpet instructions to build a CloudFormation template that will create a data pipeline for sending AWS Security Hub findings to Splunk.

Part 2: Load the AWS_SecurityHub.spl file in this repository containing the example dashboards for Security Hub.

If AWS Security Hub is subscribed to AWS GuardDuty findings, check in the settings tab of the GuardDuty console that updated findings are sent a minimum of every 15 minutes through CloudWatch Events.

Instructions: Sending Security Hub Findings to Splunk

Follow the Trumpet Setup and Configuration guide. Be sure to select Security Hub Findings - Imported in the AWS CloudWatch Events dropdown. Install the AWS_SecurityHub.spl file in this repository containing the Splunk example app for AWS Security Hub. After Security Hub findings are received and indexed by Splunk, the dashboards will begin to populate.

Troubleshooting

1.) Check if events are being sent to Splunk by searching sourcetype="aws:securityhub*". Make sure the time period is set to a range of time where you would expect events.
2.) Ensure the CloudFormation template was launched in an AWS region where AWS Security Hub is available.
3.) If there are no findings in the AWS Security Hub console, either wait for new findings, or generate sample findings from the GuardDuty -> Settings -> Generate Sample findings option.
4.) Refer to Project Trumpet's Troubleshooting Guide for more.
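To make the pipeline's data contract concrete, here is an added example (not code from Project Trumpet or from this repository) of the unwrapping a Firehose-to-HEC stage performs: one CloudWatch Events record of detail type Security Hub Findings - Imported becomes one HEC event per ASFF finding, and a record with any other detail type yields nothing, which is why the dropdown selection above matters and why the troubleshooting search comes back empty when it is wrong. The sourcetype value and the sample record are assumptions constructed for the example.

```python
from datetime import datetime

# Detail type the Trumpet CloudWatch Events rule must be created for (setup step above).
EXPECTED_DETAIL_TYPE = "Security Hub Findings - Imported"
# Assumed sourcetype, chosen so the troubleshooting search sourcetype="aws:securityhub*" matches.
HEC_SOURCETYPE = "aws:securityhub:finding"


def _epoch(iso_ts):
    """ASFF timestamps are ISO 8601 with a trailing Z; HEC wants epoch seconds."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).timestamp()


def to_hec_events(cw_event):
    """Unwrap one CloudWatch Events record into one HEC event per finding.

    Returns [] for anything that is not a 'Security Hub Findings - Imported'
    event from aws.securityhub, which is what selecting the wrong detail type
    in the Trumpet dropdown produces: nothing indexed, empty dashboards.
    """
    if cw_event.get("source") != "aws.securityhub":
        return []
    if cw_event.get("detail-type") != EXPECTED_DETAIL_TYPE:
        return []
    return [{
        "time": _epoch(f["UpdatedAt"]),            # index by last change of the finding
        "host": cw_event.get("account", "unknown"),
        "source": "aws.securityhub",
        "sourcetype": HEC_SOURCETYPE,
        "event": f,                                 # the ASFF finding is the event body
    } for f in cw_event.get("detail", {}).get("findings", [])]


# Constructed sample in the envelope CloudWatch Events uses for Security Hub;
# the account id and finding id are placeholders, not real values.
SAMPLE_RECORD = {
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "time": "2019-06-01T12:00:00Z",
    "detail": {"findings": [{
        "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/EXAMPLE/finding/EXAMPLE",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "AwsAccountId": "123456789012",
        "UpdatedAt": "2019-06-01T12:00:00.000Z",
        "Severity": {"Product": 5, "Normalized": 50},
        "Title": "Sample GuardDuty finding imported into Security Hub",
    }]},
}
```

Each dict returned by to_hec_events is one JSON object to post to the HEC collector endpoint; the finding's UpdatedAt becomes the event time, so the troubleshooting time-range check above applies to when the finding last changed, not when it was delivered.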