Splunk Enterprise Security

How do I send AWS GuardDuty Logs to Splunk?

cody_richardson
Path Finder

Hello all,

I'm currently trying to send AWS GuardDuty logs to Splunk and am hoping someone here can help.

I'm using a method I've seen documented several places online:

  1. Create an AWS CloudWatch Rule specifying AWS GuardDuty traffic.
  2. Create a Lambda Function using the "splunk-logging" blueprint. Specify the desired sourcetype within the Node.js code for this to function properly.
  3. Add the Lambda Function trigger to the CloudWatch Rule from Step 1.
  4. Create a Splunk HTTP Event Collector and copy the HEC Token.
  5. Enter the HEC Token and HEC URL to the Lambda Function so the logs are pointed to the correct resource (Splunk server).

I have completed the above and tried several variations, but no luck.

Any troubleshooting steps, alternative ways to accomplish this goal, or guides I have not found would be greatly appreciated. I would post the links to the resources I have found so far, but given a low "karma" count on this site, I am told my link would not publish in the final post.

Thank you.

0 Karma

jawaharas
Motivator

Another interesting blog that guides you through ingesting 'AWS GuardDuty' data into Splunk:
https://www.splunk.com/en_us/blog/cloud/serving-it-up-with-aws-and-splunk-aws-serverless-application...

This solution uses:

  1. AWS Serverless Application
  2. AWS Kinesis stream
  3. Splunk GuardDuty Add-on
  4. Splunk HTTP Event Collector

0 Karma

risgupta
Path Finder

Follow the steps mentioned in this blog for getting GuardDuty logs to Splunk:

https://www.crestdatasys.com/blogs/how-to-onboard-aws-guardduty-data-into-splunk/

0 Karma

cody_richardson
Path Finder

Resolution:

The initial setup described in my opening post is correct, but the Lambda script needs to contain the following:

1) Correct VPC
2) Correct Subnet
3) Correct Security Group
4) Correct Role

Without these, the Lambda script will not be able to access a non-default VPC, and the Lambda script will continuously time out (the error I was originally receiving).

Also, this can be done with an AWS Kinesis stream, though I have not set this up myself: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...

This Kinesis Stream resolution may be required moving forward if Splunk does not update their blueprint for the AWS Lambda script. As of April 30, 2019, Node.js v6.10 will be EOL in AWS and therefore the blueprint will be unavailable after this point.

Finally, the GuardDuty Add-on for Splunk should be installed to correctly parse the data that is ingested into Splunk.

Feel free to reach out if you have any questions on this.

0 Karma