
Splunk AWS Security

Explorer

Anyone primarily using Splunk to monitor AWS from a security perspective? If so, how are you doing it? Splunk Enterprise Security? Splunk AWS app? Splunk Security Essentials App? Splunk Enterprise - custom dashboards/reports? Other add-ons/apps? Other outside tools? Is Splunk alone enough?

Please let me know what you’re using and if you could go into detail that would be awesome!


Re: Splunk AWS Security

Ultra Champion

A little bit of all of the above!

The Splunk AWS app is great - it gives a very detailed view into your AWS environment, and provides some very detailed security focused dashboards to show you what security relevant actions are being taken on your account.

The AWS add-in is (as you would expect) fully CIM compliant which means all of your event data is immediately available to premium apps such as ES and ITSI should you have them. ES (and the ES updates) include a number of correlation searches which can leverage the AWS data to trigger notables along with any of your other security data sources, but there is huge value just in the AWS app!

Is Splunk alone enough? - Quite probably, it depends on your exact use case, but if you can think of a use case the app does not support out of the box, it's relatively simple to add your own alerts/dashboards to cover it.


Re: Splunk AWS Security

Explorer

Nick, thanks for your detailed reply. What are some of the things you are monitoring? Here is a short list of what I was able to find/monitor in Splunk, but I feel like I couldn't find some items in Splunk I needed to monitor (i.e. seeing if all S3 buckets were encrypted):

  • Ensure ingress traffic isn't open to All
  • Ensure EBS, RDS encryption
  • Monitor changes in Bucket Policy, Sec Groups, NACL
  • AMI versions up to date
  • Monitor root access, MFA is used, etc.
  • OS level monitoring (patches, etc.)
  • Anti Virus monitoring
  • Looking further into CloudTrail logs - figuring out what's important and how to display it

I've also referenced the following, but some of the items are best practices vs. monitoring: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

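The CloudTrail items in the list above (ingress open to all, bucket policy / security group / NACL changes, root access without MFA) written out as detection logic over a few constructed CloudTrail events. This is an added example, not code from the thread or from the Splunk apps it discusses; it keys on the eventName values the linked CIS benchmark says to alert on, uses the standard CloudTrail record fields (userIdentity, requestParameters, additionalEventData), and the sample events are constructed, not from a real account.

```python
import json

# CloudTrail eventNames the CIS AWS Foundations Benchmark (section 3) tells you to alert on
SG_CHANGE = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
BUCKET_POLICY_CHANGE = {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"}
NACL_CHANGE = {"CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
               "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry"}

def open_ingress_cidrs(event):
    """IPv4 CIDRs in an AuthorizeSecurityGroupIngress call that expose a port to everyone."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return [r["cidrIp"] for p in perms for r in p.get("ipRanges", {}).get("items", [])
            if r.get("cidrIp") == "0.0.0.0/0"]

def is_root_without_mfa(event):
    """Root-credential activity without MFA (CIS 3.3 root usage, narrowed to the no-MFA case)."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "Root" or "invokedBy" in ident:  # skip calls made by an AWS service
        return False
    mfa = event.get("additionalEventData", {}).get("MFAUsed")  # present on ConsoleLogin events
    if mfa is not None:
        return mfa != "Yes"
    return ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") != "true"

def classify(event):
    """Finding labels for one parsed CloudTrail event; an empty list means nothing to alert on."""
    name = event.get("eventName")
    checks = [(open_ingress_cidrs(event), "ingress_open_to_all"),
              (name in SG_CHANGE, "security_group_change"),
              (name in BUCKET_POLICY_CHANGE, "bucket_policy_change"),
              (name in NACL_CHANGE, "nacl_change"),
              (is_root_without_mfa(event), "root_without_mfa")]
    return [label for hit, label in checks if hit]

def scan(jsonl):
    """Map eventID -> labels for every alert-worthy event in newline-delimited CloudTrail JSON."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return {e["eventID"]: classify(e) for e in events if classify(e)}

# Constructed sample events (not from a real account), trimmed to the fields used above
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"eventID": "e1", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventName": "PutBucketPolicy", "userIdentity": {"type": "IAMUser"}, "requestParameters": {"bucketName": "example-logs"}},
    {"eventID": "e4", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}}])
```

In Splunk the same conditions become searches over the ingested CloudTrail events; the benign DescribeInstances event (e4) is there to show that read-only API calls produce no finding.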

Re: Splunk AWS Security

Communicator

As @nickhillscpl said, the Splunk Enterprise Security Content Updates App has some great use cases around cross-account activity, cryptomining, user activity, provisioning activity, NACL, etc. Here is the link: https://splunkbase.splunk.com/app/3449/


Re: Splunk AWS Security

SplunkTrust

We have monitoring in place for 1, 3, 5 and the last bullet in your list, and we based our searches around https://www.cisecurity.org/controls/ - Top 20 controls.

As @nickhillscpl says, it would depend on your case and hardening in your network/environment/SOC, etc.
