Display AWS findings in Splunk Enterprise Security using the Splunk Add-on for AWS Security Hub
Use the Splunk Add-on for AWS Security Hub to ingest events from AWS Security Hub in real time and convert them into findings and intermediate findings in Splunk Enterprise Security. Consolidating findings in Splunk Enterprise Security centralizes security data from AWS Cloud platforms and services and lets you apply the threat detection capabilities of Splunk Enterprise Security to that data.
How the Splunk Add-on for AWS Security Hub works
The Splunk Add-on for AWS Security Hub ingests Open Cybersecurity Schema Framework (OCSF) compliant events from AWS Security Hub in real time through Amazon EventBridge and sends them to Splunk platform deployments using HTTP Event Collector (HEC) tokens. Where required, these events are normalized using the data models in the Splunk Common Information Model (CIM) and converted to findings or intermediate findings in the analyst queue of Splunk Enterprise Security, giving the SOC a single queue to work from and a way to track threats in AWS proactively.
For example, Amazon Macie monitors sensitive data such as IP addresses and account credentials, whereas AWS Security Hub continuously scans for misconfigurations that might expose resources to threats. When AWS Security Hub detects a misconfigured, publicly exposed Amazon S3 bucket, it generates a finding, which passes through Amazon EventBridge and is converted to a finding in the analyst queue in Splunk Enterprise Security. AWS-specific detections in Splunk Enterprise Security can help surface these findings and open investigations to track the threat.
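The following added example, which is not part of the add-on's code or of this page, illustrates the three data shapes involved in the pipeline described above: a constructed OCSF-style finding for the publicly exposed S3 bucket scenario, a flattening of that finding into CIM-style field names, and the HEC event envelope and request that carry it into Splunk. The OCSF field names (`class_uid`, `severity_id`, `finding_info`, `resources`, `cloud`) and the HEC endpoint and `Authorization: Splunk <token>` header are real; the account, bucket, finding id, index name and sourcetype are invented placeholders, and the CIM field choice is an illustration rather than the add-on's actual mapping.

```python
import json
import urllib.request

# Constructed sample: a simplified OCSF-style finding for a publicly exposed S3 bucket,
# shaped like what AWS Security Hub emits through Amazon EventBridge. Field names follow
# the OCSF schema; every value (account, bucket, finding id) is invented for this example.
SAMPLE_OCSF_FINDING = {
    "class_uid": 2003,      # OCSF class: Compliance Finding
    "category_uid": 2,      # OCSF category: Findings
    "activity_id": 1,       # Create
    "severity_id": 4,       # High
    "time": 1700000000000,  # OCSF event time, epoch milliseconds
    "metadata": {"product": {"vendor_name": "AWS", "name": "Security Hub"}},
    "cloud": {"provider": "AWS", "account": {"uid": "123456789012"}, "region": "us-east-1"},
    "finding_info": {
        "uid": "arn:aws:securityhub:us-east-1:123456789012:finding/EXAMPLE-FINDING-ID",
        "title": "S3 general purpose buckets should block public read access",
    },
    "resources": [{"type": "AwsS3Bucket", "uid": "arn:aws:s3:::example-public-bucket"}],
    "status": "New",
}

# OCSF severity_id values mapped to the CIM severity vocabulary.
# OCSF 0 (Unknown) and 99 (Other) have no CIM equivalent and fall back to "unknown".
OCSF_TO_CIM_SEVERITY = {
    1: "informational",
    2: "low",
    3: "medium",
    4: "high",
    5: "critical",
    6: "critical",  # OCSF "Fatal" has no separate CIM level
}


def normalize_to_cim(finding):
    """Flatten the nested OCSF finding into CIM-style field names.

    The field names used here (signature, severity, dest, vendor_product, ...) are the
    conventional CIM ones; the exact mapping the add-on applies is not shown on this
    page, so treat this as an illustration of the normalization step.
    """
    product = finding.get("metadata", {}).get("product", {})
    cloud = finding.get("cloud", {})
    info = finding.get("finding_info", {})
    resource = (finding.get("resources") or [{}])[0]
    return {
        "vendor_product": f"{product.get('vendor_name', '')} {product.get('name', '')}".strip(),
        "signature": info.get("title"),
        "signature_id": info.get("uid"),
        "severity": OCSF_TO_CIM_SEVERITY.get(finding.get("severity_id"), "unknown"),
        "dest": resource.get("uid"),
        "object_category": resource.get("type"),
        "account_id": cloud.get("account", {}).get("uid"),
        "region": cloud.get("region"),
        "status": finding.get("status"),
    }


def build_hec_payload(finding, index="aws_securityhub", sourcetype="aws:securityhub:finding"):
    """Wrap one finding in the HEC JSON event envelope.

    index and sourcetype are assumed names for this example. OCSF carries time in
    epoch milliseconds; HEC expects epoch seconds, so the value is converted.
    """
    return {
        "time": finding["time"] / 1000.0,
        "source": "aws_securityhub",
        "sourcetype": sourcetype,
        "index": index,
        "event": finding,
    }


def build_hec_request(payload, hec_base_url, hec_token):
    """Return (url, headers, body) for the HEC event endpoint without sending anything.

    HEC authenticates with the header 'Authorization: Splunk <token>'.
    """
    url = hec_base_url.rstrip("/") + "/services/collector/event"
    headers = {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}
    return url, headers, json.dumps(payload).encode("utf-8")


def send_to_hec(payload, hec_base_url, hec_token, timeout=10):
    """POST the payload to HEC and return the parsed JSON acknowledgement (needs network)."""
    url, headers, body = build_hec_request(payload, hec_base_url, hec_token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    cim_fields = normalize_to_cim(SAMPLE_OCSF_FINDING)
    payload = build_hec_payload(SAMPLE_OCSF_FINDING)
    url, headers, body = build_hec_request(
        payload, "https://splunk.example.internal:8088", "HEC-TOKEN-PLACEHOLDER"
    )
    print(json.dumps(cim_fields, indent=2))
    print(url, headers["Authorization"].split()[0], len(body), "bytes")
```

Running the block offline prints the flattened CIM-style fields and the HEC URL it would post to; `send_to_hec` is only called when a real HEC endpoint and token are available. The raw OCSF event is kept intact inside the `event` field so that search-time extraction in Splunk still has every original attribute, and the severity lookup deliberately falls back to `unknown` rather than guessing, so an unexpected `severity_id` surfaces in review instead of being silently promoted or demoted.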