Splunk Enterprise Security

How do I send AWS GuardDuty Logs to Splunk?

cody_richardson
Path Finder

Hello all,

I'm currently trying to send AWS GuardDuty logs to Splunk and am hoping someone here can help.

I'm using a method I've seen documented several places online:

  1. Create an AWS CloudWatch Rule specifying AWS GuardDuty traffic.
  2. Create a Lambda Function using the "splunk-logging" blueprint. Specify the desired sourcetype within the Node.js code for this to function properly.
  3. Add the Lambda Function trigger to the CloudWatch Rule from Step 1.
  4. Create a Splunk HTTP Event Collector and copy the HEC Token.
  5. Enter the HEC Token and HEC URL to the Lambda Function so the logs are pointed to the correct resource (Splunk server).

I have completed the above and tried several variations, but no luck.

Any troubleshooting steps, alternative ways to accomplish this goal, or guides I have not found would be greatly appreciated. I would post the links to the resources I have found so far, but given a low "karma" count on this site, I am told my link would not publish in the final post.

Thank you.

0 Karma

jawaharas
Motivator

Another interesting blog that guides you through ingesting 'AWS GuardDuty' data into Splunk:
https://www.splunk.com/en_us/blog/cloud/serving-it-up-with-aws-and-splunk-aws-serverless-application...

This solution uses:

  1. AWS Serverless Application
  2. AWS Kinesis stream
  3. Splunk GuardDuty Add-on
  4. Splunk HTTP Event Collector
0 Karma

risgupta
Path Finder

Follow the steps mentioned in this blog for getting GuardDuty logs to Splunk:

https://www.crestdatasys.com/blogs/how-to-onboard-aws-guardduty-data-into-splunk/

0 Karma

cody_richardson
Path Finder

Resolution:

The initial setup described in my opening post is correct, but the Lambda script needs to contain the following:

1) Correct VPC
2) Correct Subnet
3) Correct Security Group
4) Correct Role

Without these, the Lambda script will not be able to access a non-default VPC, and the Lambda script will continuously timeout (the error I was originally receiving).

Also, this can be done with an AWS Kinesis stream, though I have not set this up myself: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...

This Kinesis Stream resolution may be required moving forward if Splunk does not update their blueprint for the AWS Lambda script. As of April 30, 2019, Node.js v6.10 will be EOL in AWS and therefore the blueprint will be unavailable after this point.

Finally, the GuardDuty Add-on for Splunk should be installed to correctly parse the data that is ingested into Splunk.

Feel free to reach out if any questions on this.

0 Karma