Does anyone have an install and/or configuration step for getting the GuardDuty Add-on set up in Splunk?
FYI - The splunk-logging Application uses a deprecated version of Node (6.10). It looks like the splunk-logging blueprint has been updated to Node 8.10, but the serverless application repository hasn't been (per https://github.com/splunk/splunk-aws-serverless-apps/issues/6 ), so you'll have to manually update the version of Node.
That one fails as well, as 10 is no longer supported by Lambda.
What worked was to deploy splunk-logging from "Use blueprint" - that one is NodeJS 12.x and is supported. I spent a few hours getting to this solution. I have to say that there are a lot of confusing options; some of them are out of date.
If you can remove the out-of-date blueprints for Node 8+10 from Lambda's templates, it will help avoid some of this confusion.
10.x is still supported, see https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html and https://docs.aws.amazon.com/lambda/latest/dg/programming-model.html . I don't work for Splunk, so I don't have access to the templates they publish; just a guy that uses some of their Lambda templates and is sharing what I've seen.
The documentation tells you to use HEC via a Lambda function. Since you cannot send data via HEC, you can set up the GuardDuty events to send through Config Rules to a Kinesis Stream, which can be pulled by your HF using the AWS Add-on (@braxtone mentioned that above). Setting up a DirectConnect to allow the HEC to work might be too much effort for this solution.
Here is a link to my documentation I put together to send GuardDuty data via HEC. Instead of having the data land in a lambda function, just point it to a Kinesis Stream (slide 17).
From the diagram on https://www.splunk.com/content/dam/splunk-blogs/images/2018/02/awsserverless_1.png it looks like you could install the Splunk Add-On for AWS and configure the Kinesis inputs to pull events off the stream from a HWF.
You could also set up a Direct Connect-ed VPC to your on-prem network and then run a Lambda function in said VPC to trigger when new events are added and push them into Splunk via an HTTP Event Collector.
For streaming (using AWS Kinesis Stream) from AWS GuardDuty to Splunk, check out this blog post: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...
To send GuardDuty CloudWatch events to Splunk over HTTP Event Collector, using the Splunk Logging AWS Lambda Blueprint, check out this video: https://www.youtube.com/watch?v=wlPfzUZMS6E