Integrating Dome9 and Splunk Using the Dome9 TA

In this topic:

    Dome9 customers who have a SIEM solution or a log aggregation strategy may be interested in consuming Dome9 audit log and alert data outside of the Dome9 web portal. For Splunk customers this process is straightforward thanks to a Splunk Dome9 Technology app.

    For Splunk versions 6.2 and earlier please use this: https://splunkbase.splunk.com/app/2721/

    For Splunk 6.3 through 7.0 please use this: https://splunkbase.splunk.com/app/3203/

    At a high level, this process includes the following concepts:

    • Enabling Dome9 AWS SNS support in Dome9 central

    • Creating an AWS SNS Topic and giving Dome9 the right to publish to it

    • Creating an AWS SQS queue that is subscribed to the SNS Topic created above

    • Installing and configuring the Splunk Dome9 Technology Add On to read from the SQS queue created above

    For more background on the Dome9 ability to publish audit and log data via AWS SNS, please refer to this related blog post.

    Before you begin, consider that the Splunk Dome9 TA has the following prerequisites:

    Specifically, configuration of both the Splunk Add On for AWS and the Splunk App for AWS is not required with the exception of defining AWS user credentials.

    To get started, follow the steps below:

    Dome9:

    Directly under your username in the top right corner of the Dome9 dashboard, click on 'Settings'.

    Navigate to the 'AWS SNS Events Notification' tab. Click 'ENABLE'.

    As per the pop up instructions, our next steps are done in the Amazon Web Services Console.

    Amazon Web Services

    Log in to the AWS web console with credentials associated with the AWS account that you have configured in Dome9, or any other AWS account. It is under this account that you will configure your SNS topic and SQS queue for Splunk to read using the Dome9 Technology Add On.

    Navigate to AWS SNS. Click on 'Topic' and then 'Create new topic".

    Name and (optionally) describe your topic. Click 'Create topic'.

    Once created and displayed, click on the topic ARN.

    Once viewing the Topic Details, click on 'Other topic actions' to drop down the menu, and select 'Edit topic policy'.

    Under the 'Basic View' tab (the default view), select 'Only these AWS users' under 'Allow these users to publish messages to this topic'. Paste the following ID into the resulting input box : 634729597623 . Click on 'Update policy' when finished.

    This step ensures that Dome9 has permission to write the desired content to this AWS SNS topic.

    Copy the AWS ARN of the topic you just created to the clipboard. It will look something like this:

    'arn:aws:sns:us-west-2:12345678912:dome9snstopic'

    We're done at the AWS SNS console, the following steps are done back at the Dome9 dashboard.

    Dome9

    Paste the AWS Topic ARN into the interface where you left off earlier.

    Click 'SAVE'.

    Amazon Web Services

    One of the last things to do before configuring Splunk is to 'publish' our SNS feed via an AWS SQS queue. It is this queue that the Splunk Dome9 Technology Add On interfaces with.

    Navigate to the AWS SQS service. Click on 'Create New Queue'.

    On the resulting screen, give your queue a name and click 'Create Queue'.

    Back at the main AWS SQS interface, right click on the queue you just created and click 'Subscribe Queue to SNS Topic'.

    On the 'Subscribe to a Topic' interface, select the Topic Region and the AWS SNS Topic that you configured in the steps above.

    Click 'Subscribe'.

    Next, we will install the Splunk Dome9 Technology Add On in Splunk and configure it.

    Splunk

    As prerequisites, please ensure that Splunk Enterprise v6+ is installed, and that you have both the Splunk Add On for Amazon Web Services and the Splunk App for AWS installed. The only configuration step required is to configure an AWS account under the ''Configuration' -> 'Account' in the Add On for Amazon Web Services.

    Add a user that has permission to use the AWS assets you created earlier (SNS topic, SQS queue) here. If you are unsure how to configure the correct IAM policy, reference the following Splunk documentation : Configure AWS permissions for the Splunk Add On for AWS.

    Once this account has been added, you are ready to install the Splunk Dome9 Technology Add On.

    Download the Add On by logging into your Splunk account and navigating to:

    https://splunkbase.splunk.com/app/2721/

    Click on 'VISIT SITE' to take you to the Github repository. Click the 'Download ZIP' link.

    Next, log in to your Splunk Enterprise installation.

    Click on the gear icon beside 'Apps' in the left hand navigation column.

    Click on 'Install App from File'. On the resulting screen, select 'Choose File', browse for the Splunk Dome9 Technology Add On .zip file you downloaded earlier. Click 'Upload'.

    Once the installation is complete, Splunk will ask you to restart. Click 'Restart Splunk'. Click 'Ok' to confirm. Splunk will restart - this will take up to a couple of minutes.

    Log back into Splunk Enterprise.

    Click on 'Settings' in the top Splunk navigation bar. Click on 'Data inputs' under 'Data'.

    Under Local Inputs, choose 'Add new' on the AWS Dome9 line item.

    On the resulting 'Add Data' interface, give the Input Name a friendly name, choose which AWS Account to use. If none are listed, you skipped a step earlier. Configure an account under the settings for the Splunk AWS Add On.

    Choose the AWS Region in which you created the AWS SQS queue, and then select the SQS queue name from the dropdown. Click 'Next >' at the top of the screen.

    Congratulations! The installation and configuration of the Splunk Dome9 Technology Add On is complete. Feel free to click on 'Start Searching' to begin to work with the Dome9 audit log and alert data inside of Splunk!