Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I send AWS GuardDuty Logs to Splunk?

cody_richardson
Path Finder
‎04-10-2019 11:35 AM

Hello all,

I'm currently trying to send AWS GuardDuty logs to Splunk and am hoping someone here can help.

I'm using a method I've seen documented several places online:

  1. Create an AWS CloudWatch Rule specifying AWS GuardDuty traffic.
  2. Create a Lambda Function using the "splunk-logging" blueprint. Specify the desired sourcetype within the Node.js code for this to function properly.
  3. Add the Lambda Function trigger to the CloudWatch Rule from Step 1.
  4. Create a Splunk HTTP Event Collector and copy the HEC Token.
  5. Enter the HEC Token and HEC URL to the Lambda Function so the logs are pointed to the correct resource (Splunk server).

I have completed the above and tried several variations, but no luck.

Any troubleshooting steps, alternative ways to accomplish this goal, or guides I have not found would be greatly appreciated. I would post the links to the resources I have found so far, but given a low "karma" count on this site, I am told my link would not publish in the final post.

Thank you.

0 Karma
Reply

jawaharas
Motivator
‎02-12-2020 06:21 PM

Another interesting blog that guide to ingest 'AWS GuardDuty' data into Splunk
https://www.splunk.com/en_us/blog/cloud/serving-it-up-with-aws-and-splunk-aws-serverless-application...

This solution uses:

  1. AWS Serverless Application
  2. AWS Kinesis stream
  3. Splunk GuardDuty Add-on
  4. Splunk Http Event Collector
0 Karma
Reply

risgupta
Path Finder
‎06-14-2019 12:41 AM

Follow the steps mentioned in this blog for getting Guardduty logs to Splunk :

https://www.crestdatasys.com/blogs/how-to-onboard-aws-guardduty-data-into-splunk/

0 Karma
Reply

cody_richardson
Path Finder
‎04-18-2019 09:26 AM

Resolution:

The initial setup described in my opening post is correct, but the Lambda script needs to contain the following:

1) Correct VPC
2) Correct Subnet
3) Correct Security Group
4) Correct Role

Without these, the Lambda script will not be able to access a non-default VPC, and the Lambda script will continuously timeout (the error I was originally receiving).

Also, this can be done with an AWS Kinesis stream, though I have not set this up myself: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...

This Kinesis Stream resolution may be required moving forward if Splunk does not update their blue-print for the AWS Lambda script. As of April 30, 2019, node.js v6.10 will be EOL in AWS and therefore the blueprint will be unavailable after this point.

Finally, the GuardDuty Add-on for Splunk should be installed to correctly parse the data that is ingested into Splunk.

Feel free to reach out if any questions on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...