
How to install and configure Amazon GuardDuty Add-on for Splunk

locose
Path Finder

Does anyone have install and/or configuration steps for getting the GuardDuty Add-on set up in Splunk?

risgupta
Path Finder

Use my recent blog to see the integration step by step.

https://www.crestdatasys.com/blogs/how-to-onboard-aws-guardduty-data-into-splunk/

braxtone
Explorer

FYI - The splunk-logging Application uses a deprecated version of Node (6.10). It looks like the splunk-logging blueprint has been updated to Node 8.10, but the serverless application repository hasn't been (per https://github.com/splunk/splunk-aws-serverless-apps/issues/6 ) so you'll have to manually update the version of Node.

0 Karma

amiracle
Splunk Employee

The blueprint in AWS does have the updated lambda code for the Splunk-logging function.

0 Karma

braxtone
Explorer

Yep:

It looks like the splunk-logging blueprint has been updated to Node 8.10

The blog post referred to the serverless application repository version which has not been.

0 Karma

ofekrochel
New Member

Node 8.10 is also not supported any longer, so the deployment fails

0 Karma

braxtone
Explorer

True, but it's not a big deal. We upgraded to 10.x in November when the AWS announcement went out and it's been working fine with no code changes since then.

0 Karma

ofekrochel
New Member

That one fails as well as 10 is no longer supported by Lambda.
What worked was to deploy splunk-logging from "Use blueprint" - that one is NodeJS 12.x and is supported. I spent a few hours getting to this solution. I have to say that there are a lot of confusing options, some of them are out of date.
If you can remove the out-of-date blueprints for Node 8+10 from Lambda's templates, it will help avoid some of this confusion.

0 Karma

braxtone
Explorer

10.x is still supported, see https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html and https://docs.aws.amazon.com/lambda/latest/dg/programming-model.html. I don't work for Splunk so I don't have access to the templates they publish; I'm just a guy that uses some of their Lambda templates and is sharing what I've seen.

0 Karma

amiracle
Splunk Employee

The documentation tells you to use HEC via a Lambda function. Since you cannot send data via HEC, you can set up the GuardDuty events to send through Config Rules to a Kinesis Stream which can be pulled by your HF using the AWS Add-on (@braxtone mentioned that above). Setting up a DirectConnect to allow the HEC to work might be too much effort for this solution.

Here is a link to my documentation I put together to send GuardDuty data via HEC. Instead of having the data land in a lambda function, just point it to a Kinesis Stream (slide 17).

Edit: Fixed link (https://github.com/amiracle/cooking_with_Splunk_and_AWS/blob/master/12-%20Setting%20Up%20AWS%20Guard...)

0 Karma

vinceaws
New Member

Links broken.

0 Karma

amiracle
Splunk Employee

Fixed the link, sorry about that.

-Kam

0 Karma

tommoore
Path Finder

But how do we PULL events? I can't open up my Splunk instance to Amazon.

0 Karma

braxtone
Explorer

From the diagram on https://www.splunk.com/content/dam/splunk-blogs/images/2018/02/awsserverless_1.png it looks like you could install the Splunk Add-On for AWS and configure the Kinesis inputs to pull events off the stream from a HWF.

You could also set up a Direct Connected VPC to your on-prem network and then run a Lambda function in said VPC to trigger when new events are added and push them into Splunk via an HTTP Event collector.

0 Karma

llee_splunk
Splunk Employee

For streaming (using AWS Kinesis Stream) from AWS GuardDuty to Splunk, check out this blog post: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...

To send GuardDuty CloudWatch events to Splunk over HTTP Event Collector, using the Splunk Logging AWS Lambda Blueprint, check out this video: https://www.youtube.com/watch?v=wlPfzUZMS6E

0 Karma

jtlittle
Path Finder

Come on, Splunkers, there is no support on this, and AWS and Splunk made the app... This is not acceptable; we all should not have so many issues using a basic app.

0 Karma