This policy defines what access Splunk requires for the SQS-based S3 input. These permissions are documented by Splunk in the AWS Add-on documentation, Configure AWS permissions for the SQS-based S3 input.

Required permissions for S3 buckets and objects:

Required permissions for KMS (if you are using KMS Encryption on your S3 bucket):

In the demo video, the policy name is cbc-demo-policy. That sample policy is available in the Appendix: Sample Role Policy (or Appendix: Sample Policy for KMS Encryption).

Handoff: Copy the Access Key ID and Secret Key; these will be handed off to the SIEM team.

AWS Role

The AWS role’s “trusted entity” should be “another AWS Account”; however, the account ID should be your own, which can be found in the upper-right of the AWS Console. Attach the role’s policy that was created in the previous step. In the demo video, the role name is cbc-demo-role.

Once the role is created, open the role in the AWS console, go to the Trust relationships tab and click "edit trust relationship". Then replace the Principal -> AWS field with the ARN of the user created above. A sample policy can be found in the Appendix: Sample Role Trusted Entity.

Handoff: Copy the role ARN; this will be handed off to the SIEM team.

Handoff to Carbon Black Cloud Team

If another team in your organization is handling the Carbon Black Cloud or Splunk configuration, here’s what they’ll need. The team with Carbon Black Cloud access who will create the Data Forwarder will need:

- The S3 prefixes you defined for each data type in the event notifications.
- The AWS Access Key ID and Secret Key associated with the AWS user.
- The ARNs of the queues you created and which data types they correspond to.

Here’s the sample hand-off from the demo video:

arn:aws:iam::535601802221:role/cbc-demo-role
Alerts: arn:aws:sqs:us-east-1:535601802221:cbc-demo-queue-alerts
Events: arn:aws:sqs:us-east-1:535601802221:cbc-demo-queue-events
Watchlist Hits: arn:aws:sqs:us-east-1:535601802221:cbc-demo-queue-watchlist-hits

- AWS team has created an S3 bucket in the specified region with the correct access policy.
- If you’re creating data forwarders from the Carbon Black Cloud console: Carbon Black Cloud user in a role with the “View/Manage Data Forwarders” permissions.
- If you’re creating data forwarders from the Carbon Black Cloud Data Forwarder API: Carbon Black Cloud API key with ttings CREATE, UPDATE.

From Settings -> Data Forwarders, create one data forwarder per data type. This should be determined in collaboration with your SIEM team based on their data budget and use cases. Be sure to specify the S3 prefix for each data type as specified by your AWS team. It’s helpful to include the destination (e.g. “Splunk”) in the forwarder name to help future-you identify what that forwarder is used for.

See Also: Getting Started: Custom Filters for the Data Forwarder
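As an added example (not from the original post or the demo), here is a small Python check for the "edit trust relationship" step above: it verifies that the role's trust policy names the single IAM user ARN as Principal, rather than the account root (which is what "another AWS Account" with your own account ID produces before the edit) or a wildcard. The account ID and role name are the demo's; the user name cbc-demo-user is an assumption.

```python
import json

# Constructed samples. Account ID 535601802221 is from the demo hand-off;
# the user name "cbc-demo-user" is an assumed placeholder.
ACCOUNT_ID = "535601802221"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/cbc-demo-user"

def _policy(principal: str) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole"}]})

# Trust policy after narrowing Principal -> AWS to the user ARN.
TRUST_POLICY = _policy(USER_ARN)
# Trust policy as created via "another AWS Account" (whole account trusted).
BROAD_TRUST_POLICY = _policy(f"arn:aws:iam::{ACCOUNT_ID}:root")

def trust_policy_findings(policy_json: str, expected_user_arn: str) -> list:
    """Return findings for Allow statements; an empty list means the trust
    policy is narrowed to the expected user and only permits sts:AssumeRole."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("Principal is '*': any AWS principal could assume the role")
            continue
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*" or p.endswith(":root"):
                findings.append(f"Principal {p!r} trusts the whole account, not the single user")
            elif p != expected_user_arn:
                findings.append(f"Unexpected principal {p!r}")
        actions = stmt.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a.lower() != "sts:assumerole":
                findings.append(f"Unexpected action {a!r} in trust policy")
    return findings

if __name__ == "__main__":
    for name, doc in (("narrowed", TRUST_POLICY), ("broad", BROAD_TRUST_POLICY)):
        print(name, trust_policy_findings(doc, USER_ARN) or "OK")
```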