Access AWS Security Hub findings in Splunk Enterprise Security
The Splunk Add-on for AWS Security Hub ingests AWS Security Hub findings into Splunk Enterprise Security so that you can investigate AWS Cloud security incidents using the ES app. Findings ingested from AWS Security Hub using the add-on appear as new content in Splunk Enterprise Security. These findings, or intermediate findings derived from them, can be surfaced using the detections available in Splunk Enterprise Security.
View AWS Security Hub findings in Splunk Enterprise Security
Follow these steps to view AWS Security Hub findings in Splunk Enterprise Security:
- Go to Security content and select Content management.
- In the Search filter drop-down, select AWS Security Hub to manage the detections that can surface AWS Security Hub findings.
- Use these out-of-the-box (OOTB) AWS-specific detections in Splunk Enterprise Security to drill down on findings. For example:
  - AWS-Security Hub V2-OCSF Vulnerability Finding
  - AWS-Security Hub V2-OCSF Updated Exposure Finding
  Note: You must turn on the detections in Splunk Enterprise Security before they surface any findings. For more information on turning on detections, see Turn on detections in Splunk Enterprise Security.
- Create investigations as required. For more information, see Start investigations in Splunk Enterprise Security.
- Use Splunk dashboards to view and drill down on the security posture of your AWS data based on your specific requirements.