
Splunk AWS Security

JPaule
Explorer

Anyone primarily using Splunk to monitor AWS from a security perspective? If so, how are you doing it? Splunk Enterprise Security? Splunk AWS app? Splunk Security Essentials App? Splunk Enterprise - Custom dashboards/reports? Other add-ons/apps? Other outside tools? Is Splunk alone enough?

Please let me know what you’re using and if you could go into detail that would be awesome!


nickhills
Ultra Champion

A little bit of all of the above!

The Splunk AWS app is great - it gives a very detailed view into your AWS environment, and provides some very detailed security focused dashboards to show you what security relevant actions are being taken on your account.

The AWS add-in is (as you would expect) fully CIM compliant which means all of your event data is immediately available to premium apps such as ES and ITSI should you have them. ES (and the ES updates) include a number of correlation searches which can leverage the AWS data to trigger notables along with any of your other security data sources, but there is huge value just in the AWS app!

Is Splunk alone enough? - Quite probably, it depends on your exact use case, but if you can think of a use case the app does not support out of the box, it's relatively simple to add your own alerts/dashboards to cover it.

If my comment helps, please give it a thumbs up!


lakshman239
Influencer

We have monitoring in place for 1, 3, 5 and the last bullet in your list, and we based our searches around https://www.cisecurity.org/controls/ - Top 20 controls.

As @nickhillscpl says, it would depend on your case and hardening in your network/environment/SOC etc.


JPaule
Explorer

Nick, thanks for your detailed reply. What are some of the things you are monitoring? Here is a short list of what I was able to find/monitor in Splunk, but I feel like I couldn't find some items in Splunk I needed to monitor (i.e. seeing if all S3 buckets were encrypted):

  • Ensure ingress traffic isn't open to All
  • Ensure EBS, RDS encryption
  • Monitor changes in Bucket Policy, Sec Groups, NACL
  • AMI versions up to date
  • Monitor root access, MFA is used, etc
  • OS level monitoring (patches, etc.)
  • Anti-virus monitoring
  • Looking further into CloudTrail logs - figuring out what's important and how to display it

I've also referenced the following but some of the items are best practices VS monitoring: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

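As an added example (not from this thread, and not code from the Splunk AWS app or ES), the Python below runs a few of the checks from the list above over constructed CloudTrail records: ingress rules open to the whole internet, changes to bucket policies, security groups or NACLs, root activity, and console logins without MFA. The event and field names follow CloudTrail's JSON layout; the sample records and the tag names are constructed for the example.

```python
# Constructed CloudTrail-style records (not real account data); field names
# follow CloudTrail's JSON layout for the event types this thread mentions.
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"groupId": "sg-0456", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventName": "PutBucketPolicy", "userIdentity": {"type": "Root"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "No"}},
]
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# API calls that change bucket policies, security groups or NACLs.
CHANGE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "AuthorizeSecurityGroupIngress",
                 "RevokeSecurityGroupIngress", "CreateNetworkAclEntry",
                 "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry"}

def world_open_ingress(event):
    """Return (groupId, fromPort, toPort, cidr) for each rule open to the whole internet."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params, hits = event.get("requestParameters", {}), []
    for perm in params.get("ipPermissions", {}).get("items", []):
        # IPv4 and IPv6 ranges are separate lists in the CloudTrail record.
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                hits.append((params.get("groupId"), perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits

def triage(events):
    """Tag each event with the monitoring categories from the list above that it matches."""
    findings = []
    for e in events:
        mfa = e.get("additionalEventData", {}).get("MFAUsed")
        checks = [("ingress_open_to_all", bool(world_open_ingress(e))),
                  ("policy_or_acl_change", e.get("eventName") in CHANGE_EVENTS),
                  ("root_activity", e.get("userIdentity", {}).get("type") == "Root"),
                  ("login_without_mfa", e.get("eventName") == "ConsoleLogin" and mfa != "Yes")]
        tags = [name for name, hit in checks if hit]
        if tags:
            findings.append((e["eventName"], tags))
    return findings
```

The same logic maps directly onto a scheduled search over the `aws:cloudtrail` sourcetype, with each tag becoming one alert.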

pkeenan87
Communicator

As @nickhillscpl said, the Splunk Enterprise Security Content Updates App has some great use cases around cross-account activity, cryptomining, user activity, provisioning activity, NACL etc. Here is the link: https://splunkbase.splunk.com/app/3449/
