Splunk AWS App and Addon Notes.md 10 KB
Splunk App and Add-on for AWS Notes
Installation
2020-08-27
Prepare the Accounts/roles:
- Update '005-account-standards-c2' to latest
- Update '006-account-standards' to latest
- Repeat for other accounts
Keys:
To get access keys:
cd xdr-terraform-live/test/aws-us-gov/mdr-test-c2/005-account-standards-c2/
terragrunt output
Returns something like:
access_keys = {
"current" = {
"aws_access_key_id" = "BLAHBLAHBLAH"
"aws_secret_access_key" = "SecretBlahBlahBlah"
}
"previous" = {
"aws_access_key_id" = "BLAHBLAHBLAH"
"aws_secret_access_key" = "SecretBlahBlahBlah"
}
}
Use the 'current' values. Previous values are for key rotation.
n.b. on 2020-09-01, actual keys were accidentally leaked here. They were all destroyed and regenerated.
AWS Addon
The addon should be installed on teh search heads and heavy forwarders
scp ~/Downloads/Splunk/Apps/splunk-add-on-for-amazon-web-services_501.tgz dev-moose-splunk-hf:
- Note, may want to install on SH: * You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection. Before installing this add-on to a cluster, make the following changes to the add-on package:
- Remove the eventgen.conf files and all files in the samples folder
Remove the inputs.conf file.
ssh dev-moose-splunk-hf sudo tar cvzf aws_app.backups.`date "+%Y%m%d"`tar.gz /opt/splunk/etc/apps/{TA-AFS_aws,TA-AFS_aws_addon} tar xvzf splunk-add-on-for-amazon-web-services_501.tgz cd /opt/splunk/etc/apps/ sudo mv ~frederick_t_damstra/Splunk_TA_aws . sudo chown -R splunk:splunk Splunk_TA_aws sudo -u splunk /opt/splunk/bin/splunk restart
Configure the add-on
Proxy
- Browse to the HF via mdr okta.
- Click on the add-on
- Click on configuration
- Configure the proxy to proxy.
- Enable: Yes
- Host: proxy.pvt.xdrtest.accenturefederalcyber.com
- Port: 80
C2 Account in other partition
- Go to configuration->Accounts
- Configure the govcloud account:
- mdr-test-c2-gov
- access key
- secret key
- Region
IAM Roles
- Go to configuration->IAM Role
Skip:
- Click on 'Add'
- name: mdrtestc2gov # Doesn't accept dashes or spaces
- arn: arn:aws-us-gov:iam::738800754746:role/instance/splunk-addon-for-aws
- Click 'Add' again
- name: mdrtestc2
- arn: arn:aws:iam::816914342178:role/instance/splunk-addon-for-aws
- Add another account for testing purposes
- name: mdrtestmalwaregov
- arn: arn:aws-us-gov:iam::876942499057:role/instance/splunk_addon_for_aws
Instead:
Edit splunk_ta_aws_iam_roles.conf:
[mdrtestc2]
#arn = arn:aws:iam::816914342178:role/instance/splunk-addon-for-aws
arn = arn:aws:iam::816914342178:role/instance/splunk-addon-for-aws
disabled = 0
[mdrtestc2gov]
#arn = arn:aws-us-gov:iam::738800754746:role/instance/splunk-addon-for-aws
arn = arn:aws-us-gov:iam::738800754746:role/instance/splunk-addon-for-aws
disabled = 0
[mdrtestmalwaregov]
#arn = arn:aws-us-gov:iam::876942499057:role/instance/splunk-addon-for-aws
arn = arn:aws-us-gov:iam::876942499057:role/instance/splunk-addon-for-aws
disabled = 0
...
repeat for other accounts
Cloudtrail Inputs
- Go to configuration->inputs
- Create new inputs -> cloud trail -> SQS based S3
- Set:
- Name: CloudTrail-GovCloud
- AWS Account: mdr-test-c2-gov
- AssumeRole: mdrtestc2gov
- AWS Region: us-gov-east-1
- SQS Queue Name: new objects for ...
- Index: app_aws
- ... and defaults * Probably want a separate index for production *
Repeat for CloudTrail-Commercial Repeat for Config-{GovCloud,Commercial}
CM
ssh dev-moose-splunk-cm
sudo su - splunk
cd /opt/splunk/etc/master-apps/
mkdir -p splunk_app_aws/local
vim splunk_app_aws/local/indexes.conf
Paste:
[aws_topology_history]
coldPath = volume:normal_primary/$_index_name/colddb
homePath = volume:normal_primary/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600
repFactor = auto
[aws_topology_daily_snapshot]
coldPath = volume:normal_primary/$_index_name/colddb
homePath = volume:normal_primary/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
#frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600
repFactor = auto
[aws_topology_monthly_snapshot]
coldPath = volume:normal_primary/$_index_name/colddb
homePath = volume:normal_primary/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
# frozen time is 365 days
frozenTimePeriodInSecs = 31536000
maxHotIdleSecs = 86400
repFactor = auto
[aws_topology_playback]
coldPath = volume:normal_primary/$_index_name/colddb
homePath = volume:normal_primary/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
#frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600
repFactor = auto
[aws_vpc_flow_logs]
coldPath = volume:normal_primary/$_index_name/colddb
homePath = volume:normal_primary/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600
repFactor = auto
[aws_anomaly_detection]
coldPath = volume:normal_primary/$_index_name/colddb
homePath = volume:normal_primary/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
repFactor = auto
validate and push cluster bundle
SH
scp ~/Downloads/Splunk/Apps/{python-for-scientific-computing-for-linux-64-bit_202.tgz,splunk-app-for-aws_601.tgz,splunk-add-on-for-amazon-web-services_501.tgz} dev-moose-splunk-sh:
ssh dev-moose-splunk-sh
sudo tar cvzf aws_app.backups.`date "+%Y%m%d"`tar.gz /opt/splunk/etc/apps/{TA-AFS_aws,TA-AFS_aws_addon}
for i in *.tgz; do tar xvzf $i; done
# The add-on
sudo cp -r /opt/splunk/etc/apps/TA-AFS_aws_addon/local Splunk_TA_aws/local
# check this again, find which two of these three are actually
sudo cp /opt/splunk/etc/apps/TA-AFS_aws_addon/lookups/{aws_console_login_signature.csv,aws_config_action_lookup.csv,cloudtrail_change_type.csv} Splunk_TA_aws/lookups/
sudo rm -rf /opt/splunk/etc/apps/TA-AFS_aws_addon
sudo mv Splunk_TA_aws /opt/splunk/etc/apps/
# The app:
sudo cp -r /opt/splunk/etc/apps/TA-AFS_aws/local splunk_app_aws/local
sudo cp /opt/splunk/etc/apps/TA-AFS_aws/lookups/{account_name.csv,billing_report_s3key.csv,tags_config.csv,tags_description.csv,topology_billing_metrics.csv,topology_playback_checkpoint.csv} splunk_app_aws/lookups/
sudo rm -rf /opt/splunk/etc/apps/TA-AFS_aws
sudo mv splunk_app_aws /opt/splunk/etc/apps/
# The scientific computing
sudo mv Splunk_SA_Scientific_Python_linux_x86_64 /opt/splunk/etc/apps/
# Fix perms
sudo chown -R splunk:splunk /opt/splunk/etc/apps
# validate
sudo -u splunk /opt/splunk/bin/splunk btool check
sudo -u splunk /opt/splunk/bin/splunk restart
Browse to app. It'll warn you about acclerations. Then:
1) In settings->Data Models, for each acceleration in splunk_app_aws, click edit->edit acclerations, check the box, and click 'save'
2) In settings->advanced search, click 'Search Macros', select aws-data-model-acceleration, set summariesonly=t
3) In Settings > Searches, reports, and alerts, select the app Splunk App for AWS:
- Run the Addon Synchronization and App Upgrader
- For each of those, click edit->edit schedule, enable, and click 'okay' 4) Hide the add-on on the search head. Go to apps->manage apps, find the app, click properties, change visible to 'no'
On the HF:
5) In settings->Searches, Reports, and Alerts, find the search Addon Metadata - Summarize AWS Inputs, run it, and then enable it.
6) Also run an schedule Addon Metadata - Migrate AWS Accounts
DIY:
In the end, you need the following set up:
- Accounts:
- The local instance profile ('splunk-aws-instance-role')
- The opposing partition ('mdr-test-c2-gov')
IAM Roles (splunk_ta_aws_iam_roles.conf):
- mdrtestc2
- mdrtestc2gov
One for each other account e.g.:
[mdrtestc2] arn = arn:aws:iam::816914342178:role/instance/splunk_addon_for_aws
Inputs:
- For the two c2 accounts:
- Cloudtrail - sqs-based-s3
- Config - sqs-based-s3
- ELB Logs - sqs-based-s3
- For the c2 and the remaining accounts:
- cloudwatch
- Description
- Config Rules
Log - Test
cloudwatch: x cloudwatch-mdr-test-c2 x cloudwatch-mdr-test-c2-gov x cloudwatch-mdr-test-malware-gov x cloudwatch-mdr-test-modelclient-gov x cloudwatch-legacy-mdr-test
Description: x description-mdr-test-malware-gov x description-mdr-test-modelclient-gov x description-legacy-mdr-test
Config Rules x configrules-mdr-test-c2 x configrules-mdr-test-c2-gov x configrules-mdr-test-malware-gov x configrules-mdr-test-modelclient-gov x configrules-legacy-mdr-test
Log - prod
cloudwatch: x cloudwatch-mdr-prod-c2 x cloudwatch-mdr-prod-c2-gov x cloudwatch-legacy-mdr-prod x cloudwatch-mdr-commonservices x cloudwatch-mdr-commonservices-gov x cloudwatch-mdr-service-root x cloudwatch-mdr-cyber-range x cloudwatch-mdr-prod-bas x cloudwatch-mdr-prod-ca-c19 x cloudwatch-mdr-prod-dc-c19 x cloudwatch-mdr-prod-doed x cloudwatch-mdr-prod-frtib x cloudwatch-mdr-prod-la-c19 x cloudwatch-mdr-prod-ma-c19 x cloudwatch-mdr-prod-nga x cloudwatch-mdr-tiaas x cloudwatch-mdr-prod-root-ca x cloudwatch-mdr-prod-afs-gov x cloudwatch-mdr-prod-dgi-gov
Description: x description-mdr-prod-c2 x description-mdr-prod-c2-gov x description-legacy-mdr-prod x description-mdr-commonservices x description-mdr-commonservices-gov x description-mdr-service-root x description-mdr-cyber-range x description-mdr-prod-bas x description-mdr-prod-ca-c19 x description-mdr-prod-dc-c19 x description-mdr-prod-doed x description-mdr-prod-frtib x description-mdr-prod-la-c19 x description-mdr-prod-ma-c19 x description-mdr-prod-nga x description-mdr-tiaas x description-mdr-prod-root-ca x description-mdr-prod-afs-gov x description-mdr-prod-dgi-gov
Config Rules: x configrules-mdr-prod-c2 x configrules-mdr-prod-c2-gov x configrules-legacy-mdr-prod x configrules-mdr-commonservices x configrules-mdr-commonservices-gov x configrules-mdr-service-root x configrules-mdr-cyber-range x configrules-mdr-prod-bas x configrules-mdr-prod-ca-c19 x configrules-mdr-prod-dc-c19 x configrules-mdr-prod-doed x configrules-mdr-prod-frtib x configrules-mdr-prod-la-c19 x configrules-mdr-prod-ma-c19 x configrules-mdr-prod-nga x configrules-mdr-tiaas x configrules-mdr-prod-root-ca x configrules-mdr-prod-afs-gov x configrules-mdr-prod-dgi-gov