5/18/2023 0 Comments Splunk phantom![]() You can get the userids/username mapping from your Phantom instance under Administration -> User Management -> Users and click on each individual user to get the userid. Each entry should map the phantom userid to the phantom username. This can be done by following the steps highlighted in the Splunk Phantom Remote Search manual which can be found here:ģ- Deploy the Splunk App for Phantom Reporting on search head(s) in your environmentĤ- Edit phantomusers.csv file under /etc/apps/splunk_app_phantom/lookups and add new entries. This add-on creates the indices and roles used by Phantom when configured to use an external Splunk instance for search data.Ģ- To enable the integration, go through the steps to configure "External Splunk" in Phantom. Note that the integration relies on forwarding events from the Security Hub to the SQS queue, so the app will only know about any findings that were created after the Cloud Formation template was run in Step 1.This app relies on using Phantom with Splunk as external instance.ġ- Start by deploying the Phantom Remote Search add-on: You are now ready to start consuming Security Hub Findings in Phantom!Īny new Security Hub Findings will now appear on your Phantom "Events" page according to your polling interval. Once you have configured the Asset Info, Ingest Settings, and Asset Settings select Save to finalize your app configuration. SQS URL - The URL provided by the Cloud Formation template from part 1 of this guide.AWS Secret Key - The secret key associated with an IAM account.AWS Access Key - The access key associated with an IAM account.Modify the polling interval as desired to suit your organization's needs.Select "Interval" to enable periodic polling of the SQS Queue.Select a Label to apply to all Findings consumed from security hub, or create a new one by typing in the drop down box.It is a good idea to use a name which reminds you which AWS environment the app connects to. Setting up the Security Hub Phantom app requires input on 3 configuration tabs. Impoprtant These instructions require the Phantom Security Hub app v1.1 or higher - if you are running an older version, be sure to upgraded it by selecting "Upgrade Apps" in your phantom instance or downloading the latest version of the app from my./apps and manually installing it. Select "Configure New Asset" for the v1.1+ Security Hub App. Search for the Security Hub app - if you don't find it in your search results, you may need to select the New Apps and install the app before proceeding. If you are new to Phantom you can easily launch the Phantom Communinity Edition availabile in the AWS Marketplace. Next, login to your Splunk Phantom instance. The template will generate a new CloudWatch Event Rule which will forward all new Security Hub findings to an SQS Queue.Īfter the Cloud Formation stack has been created be sure to take note of the securityHubToPhantomSQSURL field in the output - you will need it later. Start by navigating to the CloudFormation page on your AWS console and running CloudFormation template linked below. Instructions 1 - Forward Security Hub Alerts to a SQS Queue Phantom in turn uses a standard IAM access credentials to communicate with Security Hub. ![]() The integration is built on leveraging AWS Cloud Watch Events to forward Findings into a SQS Queue, from which they are picked up and consumed by Phantom. ![]() This document explains how to configure a bi-direction integration between Splunk Phantom and AWS Security Hub. Connecting Splunk Phantom to AWS Security Hub
0 Comments
Leave a Reply. |