Configure Splunk Add-on for AWS Security Hub

Prerequisites

  • Ensure that Amazon EventBridge is configured. For more information, see https://docs.aws.amazon.com/scheduler/latest/UserGuide/setting-up.html
  • Ensure that you have AWS credentials that let you access your AWS account and deploy the CloudFormation template from the AWS Management Console.
  • Ensure that you have AWS Security Hub credentials.
Note: The AWS Security Hub Extended Plan add-on is pre-installed on the Splunk deployment that you purchase through AWS Security Hub.

Access the Splunk Add-on for AWS Security Hub

Follow these steps to access the Splunk Platform deployment and Splunk Enterprise Security using the Splunk Add-on for AWS Security Hub:

  1. Access the Splunk Add-on for AWS Security Hub from Splunkbase.
  2. Check your email to receive confirmation that you have access to an un-configured Splunk Cloud Platform deployment with Splunk Enterprise Security installed on a search head.
  3. Log in to the search head on which Splunk Enterprise Security is installed using your sc_admin credentials.
    Note: The sc_admin role is the default Splunk Platform administrator role, and it also lets you administer a Splunk Enterprise Security installation. For more information, see Configure users and roles in Splunk Enterprise Security.

Define an index

Follow these steps to create an index to ingest AWS event data:

  1. In the Splunk Platform app, select Settings and then select Indexes.
  2. Select New index, enter the settings that define your AWS event index, and select Save. For more information, see Create custom indexes.
    Note: Verify that the new index appears in the list of indexes. You can customize retention and size for your index.

Update macros to access AWS indexes

Follow these steps to update the macro in the Splunk Platform app so that the add-on's searches read from the AWS index:

  1. In the Splunk Platform app, select Settings, then select Advanced Search.
  2. Select Search Macros.
  3. In the App dropdown list, select AWS Security Hub.
  4. Select the macro aws_security_hub_indexes.
  5. In the Definition field for the macro, enter the name of the index that you created. For example, index=aws
    Note: If AWS Security Hub data lands in more than one index, list them all in the definition, for example (index=aws OR index=aws_findings); searches that use the macro only see the indexes named here.
  6. Select Save.

Define a HEC token to ingest AWS data

Follow these steps to define a Splunk HTTP Event Collector (HEC) token to ingest data from AWS into the index that was created:

  1. In Splunk Platform, select Settings and then select Data inputs.
  2. Select HTTP Event Collector.
  3. Select New token.
  4. Enter a token name. For example, security_hub
  5. Select Yes to turn on indexer acknowledgment.
    Note: With acknowledgment turned on, every request that uses this token must carry an X-Splunk-Request-Channel header, and the HEC URL uses the acknowledgment host prefix described in the next section.
  6. Select Next.
  7. Set up a default sourcetype. For example, ocsf:aws:securityhub:finding
  8. In Select Allowed Indexes, add the newly created index. For example, aws
  9. Specify the same index as the default index. For example, aws
  10. Select Save to save the HEC token security_hub.

For more information, see Set up and use HTTP Event Collector.

Derive the URL from the HEC token

Follow these steps to derive the URL based on the HEC token:

  1. Copy the HEC token value. For example, 74474a12-22bc-4276-91bc-df52603cba7a
  2. Derive the Splunk Cloud HEC URL from your Splunk Cloud stack name.
    Note: The Splunk Cloud HTTP Event Collector (HEC) URL is built from a host prefix, your stack name, a port that depends on your account type (Splunk Cloud Platform stacks use 443), and the collector endpoint: https://http-inputs-<stack_name>.splunkcloud.com:<port>/services/collector . Because indexer acknowledgment is turned on for the token, the host prefix is http-inputs-ack. For example, if your stack name is "fuzzyslippers", the HEC URL is https://http-inputs-ack.fuzzyslippers.splunkcloud.com:443/services/collector/ .

    For more information, see Set up and use HTTP Event Collector.

Log in to access AWS Security Hub

  1. Access your AWS credentials.
  2. Using your AWS account credentials, sign in to the AWS Management Console in the Region that is the primary hub for aggregating findings in AWS Security Hub (the aggregation Region).

Deploy an AWS CloudFormation template

Follow these steps to deploy a CloudFormation template that creates the Amazon EventBridge configuration that delivers findings from AWS Security Hub to the HEC endpoint on your Splunk Cloud stack.

  1. Have your Splunk Cloud HEC URL ready to paste. For example, https://http-inputs-ack.<stack_name>.splunkcloud.com
  2. Have the HEC token value ready to paste. For example, 74474a12-22bc-4276-91bc-df52603cba7a
  3. Open the AWS CloudFormation template from the AWS CloudFormation stacks page and enter the Splunk Cloud URL and the HEC token as the template parameters.
  4. Select Submit to submit the AWS CloudFormation template.
    Note: Verify the stack reaches CREATE_COMPLETE, then confirm in Splunk that events arrive in the index you created, for example with a search on `aws_security_hub_indexes` sourcetype=ocsf:aws:securityhub:finding. Treat the HEC token as a secret: it is the only credential the delivery path presents to your stack.
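The following script is an added example and is not code from Splunk, AWS, or the add-on itself. It exercises, offline, the pieces the HEC and CloudFormation sections describe: the shape of the EventBridge event that Security Hub emits, the HEC URL derived from a Splunk Cloud stack name, the HEC request with the X-Splunk-Request-Channel header that indexer acknowledgment requires, and the acknowledgment check. The stack name "fuzzyslippers", the token value, the index "aws" and the finding in SAMPLE_EVENT are constructed placeholders, and the http-inputs-ack. prefix follows the form shown on this page.

```python
"""Added example (not Splunk, AWS or add-on code). All identifiers below
are constructed placeholders; see the lead-in text."""
import json
import time
import urllib.request
import uuid

# Constructed sample: the envelope EventBridge delivers for Security Hub.
# detail.findings holds ASFF findings; real events carry many more fields.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "region": "us-east-1",
    "detail": {
        "findings": [
            {
                "Id": "arn:aws:securityhub:us-east-1:111122223333:example-finding",  # placeholder
                "Title": "S3 buckets should block public access",  # placeholder
                "Severity": {"Label": "HIGH"},
                "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
            }
        ]
    },
}


def hec_url(stack_name, ack=True, port=443, endpoint="/services/collector/event"):
    """Derive the Splunk Cloud HEC URL from the stack name.
    Tokens with indexer acknowledgment use the http-inputs-ack. prefix
    (the form this page shows); otherwise the prefix is http-inputs-.
    443 is the Splunk Cloud Platform port; free trial stacks use 8088."""
    prefix = "http-inputs-ack." if ack else "http-inputs-"
    return f"https://{prefix}{stack_name}.splunkcloud.com:{port}{endpoint}"


def findings_from_event(event):
    """Return the ASFF findings in one EventBridge event, or [] when the
    event is not a Security Hub finding import (the rule's event pattern
    matches on source and detail-type)."""
    if event.get("source") != "aws.securityhub":
        return []
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    return list(event.get("detail", {}).get("findings", []))


def build_hec_request(url, token, findings, index="aws",
                      sourcetype="ocsf:aws:securityhub:finding", channel=None):
    """Build (url, headers, body) for an HEC batch: one JSON object per
    finding, newline separated. The X-Splunk-Request-Channel GUID is
    mandatory when the token has indexer acknowledgment turned on; HEC
    answers 400 'Data channel is missing' without it."""
    channel = channel or str(uuid.uuid4())
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
        "X-Splunk-Request-Channel": channel,
    }
    lines = [json.dumps({"index": index, "sourcetype": sourcetype,
                         "source": "aws:securityhub", "event": f})
             for f in findings]
    return url, headers, "\n".join(lines).encode()


def acked(ack_response, ack_id):
    """Interpret a /services/collector/ack reply: {"acks": {"<id>": bool}}."""
    return bool(ack_response.get("acks", {}).get(str(ack_id), False))


def send_with_ack(url, headers, body, attempts=10, delay=1.0):
    """POST the batch, then poll the ack endpoint until the indexer has
    persisted it. Network I/O only; not exercised by the offline test."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        ack_id = json.load(resp)["ackId"]
    base = url.split("/services/collector", 1)[0]
    ack_req = urllib.request.Request(
        f"{base}/services/collector/ack?channel={headers['X-Splunk-Request-Channel']}",
        data=json.dumps({"acks": [ack_id]}).encode(), headers=headers, method="POST")
    for _ in range(attempts):
        with urllib.request.urlopen(ack_req, timeout=10) as resp:
            if acked(json.load(resp), ack_id):
                return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    url = hec_url("fuzzyslippers")
    findings = findings_from_event(SAMPLE_EVENT)
    url, headers, body = build_hec_request(url, "74474a12-22bc-4276-91bc-df52603cba7a", findings)
    print(url)
    print(body.decode())
    # Against a real stack: print("indexed:", send_with_ack(url, headers, body))
```

Run it as-is to see the URL and the exact HEC payload that a finding becomes; uncomment the last line against a real stack to confirm that the token, index and acknowledgment settings from the earlier sections work together before the CloudFormation stack starts sending.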

Optional steps

Following are some optional actions you can take based on your deployment and configuration:

  1. Turn on Security Assertion Markup Language (SAML) single sign-on for authentication to the Splunk deployment.
  2. Add AWS Trusted Advisor to evaluate your cloud environment against best practices.
  3. Turn on AWS CloudTrail for an audit trail that records API calls and user activity within your AWS account.
  4. Turn on VPC Flow Logs to capture information about IP traffic moving to and from network interfaces in your virtual private cloud.
  5. Turn on other AWS data sources such as Amazon S3, RDS, Aurora and DynamoDB, and data from third-party SaaS applications.