Desktop splunk forwarder
Overview

The Data Forwarder was built for low-latency data streaming, reliably, at scale. If your organization has high-volume alerts, or you’re looking to bring the visibility that Watchlist Hits and Endpoint Events provide into Splunk, the Data Forwarder is your solution.

Our Carbon Black Cloud Splunk App offers native inputs for the data sets Alerts, Audit Logs, Live Query Results, and Vulnerabilities. You configure the app with a Carbon Black Cloud API key, and it does the rest. The native input works well for lower-volume data sets, but if you’re an enterprise SOC where scale and reliability are critical, the Data Forwarder is our recommended solution.

Carbon Black Cloud currently offers three data types in the Data Forwarder. Each type should get its own forwarder, its own prefix (directory) in the S3 bucket, its own SQS queue, its own Splunk input, and its own Splunk Source Type.

KMS Encryption: The Carbon Black Cloud Data Forwarder now supports KMS Encryption (symmetric keys only). This requires granting additional permissions to allow Carbon Black Cloud’s principal to access the key. See the Appendix: Sample Policy for KMS Encryption for additional details and examples.

Deadletter Queue

Most SQS consumers require a deadletter queue: essentially a place the consumer can dump bad or malformed messages from the primary queues if something goes wrong, to avoid data loss or reprocessing bad data. In the demo video, this queue was named cbc-demo-queue-deadletter.

Primary Queues

Create one queue per data type.
  • Attach a queue policy that enables the S3 bucket sqs:sendmessage permissions.
  • A sample policy can be found in the Appendix: Sample Queue Policy.
  • Specify the deadletter queue created in the step above.

AWS Policy

This policy defines what access Splunk requires for the SQS-based S3 input. These permissions are documented by Splunk in the AWS Add-on documentation, Configure AWS permissions for the SQS-based S3 input:
  • Required permissions for S3 buckets and objects.
  • Required permissions for KMS (if you are using KMS Encryption on your S3 bucket).

In the demo video, the policy name is cbc-demo-policy. That sample policy is available in the Appendix: Sample Role Policy (or Appendix: Sample Policy for KMS Encryption).

Handoff: Copy the Access Key ID and Secret Key; these will be handed off to the SIEM team.

AWS Role

The AWS role’s “trusted entity” should be “another AWS Account”; however, the account ID should be your own, which can be found in the upper-right of the AWS Console. Attach the role’s policy that was created in the previous step. In the demo video, the role name is cbc-demo-role.

Once the role is created, open the role in the AWS console, go to the Trust relationships tab and click "edit trust relationship". Then replace the Principal -> AWS field with the ARN of the user created above. A sample policy can be found in the Appendix: Sample Role Trusted Entity.

Handoff: Copy the role ARN; this will be handed off to the SIEM team.

Handoff to Carbon Black Cloud Team

If another team in your organization is handling the Carbon Black Cloud or Splunk configuration, here’s what they’ll need. The team with Carbon Black Cloud access who will create the Data Forwarder will need:
  • The S3 prefixes you defined for each data type in the event notifications.
  • The AWS Access Key ID and Secret Key associated with the AWS user.
  • The ARNs of the queues you created and which data types they correspond to.

Here’s the sample hand-off from the demo video:
  Role ARN: arn:aws:iam::535601802221:role/cbc-demo-role
  Alerts: arn:aws:sqs:us-east-1:535601802221:cbc-demo-queue-alerts
  Events: arn:aws:sqs:us-east-1:535601802221:cbc-demo-queue-events
  Watchlist Hits: arn:aws:sqs:us-east-1:535601802221:cbc-demo-queue-watchlist-hits

Before the Carbon Black Cloud team creates the forwarders:
  • The AWS team has created an S3 bucket in the specified region with the correct access policy.
  • If you’re creating data forwarders from the Carbon Black Cloud console: a Carbon Black Cloud user in a role with the “View/Manage Data Forwarders” permissions.
  • If you’re creating data forwarders from the Carbon Black Cloud Data Forwarder API: a Carbon Black Cloud API key with Settings CREATE, UPDATE permissions.

Data Forwarders

From Settings -> Data Forwarders, create one data forwarder per data type. Which data types to forward should be determined in collaboration with your SIEM team based on their data budget and use cases. It’s helpful to include the destination (e.g.

See Also: Getting Started: Custom Filters for the Data Forwarder
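The per-data-type queue, deadletter, role and trust policies the steps above describe, as an added example that is not the page's appendix material and not VMware's or Splunk's code. All account, bucket, queue and user names are constructed demo values; the Splunk action list and the aws:SourceArn/aws:SourceAccount conditions on the queue policy are my assumptions to verify against Splunk's AWS add-on documentation, and wildcard_resources is a least-privilege check added here to catch a Resource of "*" before the policies are handed off.

```python
# Constructed demo values for this example only (not real accounts, buckets or keys).
ACCOUNT, REGION, BUCKET = "111111111111", "us-east-1", "cbc-demo-bucket"
DATA_TYPES = ("alerts", "events", "watchlist-hits")  # one forwarder, prefix, queue and input each
DLQ = "cbc-demo-queue-deadletter"

def queue_arn(name):
    return f"arn:aws:sqs:{REGION}:{ACCOUNT}:{name}"

def queue_policy(queue_name):
    """Let S3 send event notifications to this queue, but only from our bucket and account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sqs:SendMessage", "Resource": queue_arn(queue_name),
        "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{BUCKET}"},
                      "StringEquals": {"aws:SourceAccount": ACCOUNT}}}]}

def redrive_policy(max_receive=5):
    """Move a message to the deadletter queue after max_receive failed receives."""
    return {"deadLetterTargetArn": queue_arn(DLQ), "maxReceiveCount": max_receive}

def splunk_policy(queue_names, kms_key_arn=None):
    """Role policy for the Splunk SQS-based S3 input, scoped to our bucket and queues.
    The action list is an assumption; confirm it against Splunk's AWS add-on docs."""
    statements = [
        {"Effect": "Allow", "Resource": [queue_arn(q) for q in queue_names],
         "Action": ["sqs:GetQueueUrl", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
                    "sqs:DeleteMessage", "sqs:SendMessage"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]
    if kms_key_arn:  # only when the bucket uses SSE-KMS; scope to the one key, never "*"
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}

def trust_policy(user_arn):
    """Trust relationship after the Principal -> AWS field is replaced with the user's ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": user_arn}}]}

def wildcard_resources(policy):
    """Least-privilege check: statements that grant access on a Resource of '*'."""
    return [s for s in policy["Statement"]
            if "*" in ([s["Resource"]] if isinstance(s["Resource"], str) else s["Resource"])]

def build_handoff(user_name="cbc-demo-user"):
    """Everything the SIEM team needs: one entry per data type plus the role policies."""
    queues = {t: f"cbc-demo-queue-{t}" for t in DATA_TYPES}
    return {"queues": {t: {"arn": queue_arn(q), "prefix": f"{t}/", "policy": queue_policy(q),
                           "redrive": redrive_policy()} for t, q in queues.items()},
            "role_policy": splunk_policy(list(queues.values()) + [DLQ]),
            "trust_policy": trust_policy(f"arn:aws:iam::{ACCOUNT}:user/{user_name}")}
```

Dump build_handoff() with json.dumps to get the three queue policies, the redrive policy, the role policy and the trust relationship as JSON ready to paste into the console.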