Does anyone have install and/or configuration steps for getting the GuardDuty Add-on set up in Splunk?
Use my recent blog to see the integration step by step.
https://www.crestdatasys.com/blogs/how-to-onboard-aws-guardduty-data-into-splunk/
FYI - The splunk-logging application uses a deprecated version of Node (6.10). It looks like the splunk-logging blueprint has been updated to Node 8.10, but the serverless application repository hasn't been (per https://github.com/splunk/splunk-aws-serverless-apps/issues/6), so you'll have to manually update the version of Node.
The blueprint in AWS does have the updated lambda code for the Splunk-logging function.
Yep:
It looks like the splunk-logging blueprint has been updated to Node 8.10
The blog post referred to the serverless application repository version, which has not been.
Node 8.10 is also not supported any longer, so the deployment fails.
True, but it's not a big deal. We upgraded to 10.x in November when the AWS announcement went out and it's been working fine with no code changes since then.
That one fails as well, as 10 is no longer supported by Lambda.
What worked was to deploy splunk-logging from "Use blueprint" - that one is NodeJS 12.x and is supported. I spent a few hours getting to this solution. I have to say that there are a lot of confusing options, some of them are out of date.
If you can remove the out-of-date blueprints for Node 8+10 from Lambda's templates, it will help avoid some of this confusion.
10.x is still supported, see https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html and https://docs.aws.amazon.com/lambda/latest/dg/programming-model.html. I don't work for Splunk, so I don't have access to the templates they publish; I'm just a guy that uses some of their Lambda templates and am sharing what I've seen.
The documentation tells you to use HEC via a Lambda function. Since you cannot send data via HEC, you can set up the GuardDuty events to send through Config Rules to a Kinesis Stream, which can be pulled by your HF using the AWS Add-on (@braxtone mentioned that above). Setting up a DirectConnect to allow the HEC to work might be too much effort for this solution.
Here is a link to my documentation I put together to send GuardDuty data via HEC. Instead of having the data land in a lambda function, just point it to a Kinesis Stream (slide 17).
Edit: Fixed link (https://github.com/amiracle/cooking_with_Splunk_and_AWS/blob/master/12-%20Setting%20Up%20AWS%20Guard...)
Links broken.
Fixed the link, sorry about that.
-Kam
But how do we PULL events? I can't open up my Splunk instance to Amazon.
From the diagram on https://www.splunk.com/content/dam/splunk-blogs/images/2018/02/awsserverless_1.png it looks like you could install the Splunk Add-On for AWS and configure the Kinesis inputs to pull events off the stream from a HWF.
You could also set up a Direct Connected VPC to your on-prem network and then run a Lambda function in said VPC to trigger when new events are added and push them into Splunk via an HTTP Event Collector.
For streaming (using AWS Kinesis Stream) from AWS GuardDuty to Splunk, check out this blog post: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...
To send GuardDuty CloudWatch events to Splunk over HTTP Event Collector, using the Splunk Logging AWS Lambda Blueprint, check out this video: https://www.youtube.com/watch?v=wlPfzUZMS6E
Come on, Splunkers, there is no support on this, and AWS and Splunk made the app... This is not acceptable; we all should not have so many issues using a basic app.