Data Manager

User Manual

This documentation does not apply to the most recent version of Data Manager. For documentation on the most recent version, go to the latest release.

Onboarding for AWS in Data Manager

Data Manager helps you set up hundreds of AWS accounts for data ingestion into Splunk Cloud in about 25 to 30 minutes.

Logging in and getting started with Data Manager

Complete the following steps to get started:

  1. Log in to Splunk Cloud using the Splunk-provided credentials.
  2. Save the email that contains the credentials. It contains a Forgot Password link, in case you need to reset your password.
  3. Change your password at the prompt.
  4. Sign the terms and conditions.
  5. Start onboarding or take the product tour.

Data Manager walks you through adding existing data sources so that you can monitor and investigate any alerts that impact the security state of your environment. It also helps you to see which services you are ingesting, but not yet using, so that you can expand your security coverage.

If you are using Splunk Security Analytics for AWS, after the data has been ingested, see the Work With Your Data and Use Case topics for details about the available dashboards covering data breaches, misconfiguration, insufficient identity, insider threats, user and authentication activity, and risk-based alerting.


Stages of onboarding

Data Manager walks you through different stages depending on whether you are onboarding a single AWS account or multiple AWS accounts.

The onboarding steps are described in detail within Data Manager. The details are not duplicated here.

Onboard a single account

Onboarding a single AWS account consists of the following stages:

  1. AWS Admin completes the setup prerequisites in the data account
  2. Configure the data account, regions, and data sources
  3. Create a data ingestion CloudFormation stack in each region
  4. Summary

This image shows an example of a single account onboarding flow.

Onboard multiple accounts

Onboarding multiple AWS accounts consists of the following stages:

  1. AWS Admin completes the setup prerequisites in the control account and data accounts
  2. Configure the control account, data accounts, regions, and data sources
  3. Create a control account CloudFormation StackSet to manage the data accounts
  4. Create data account CloudFormation stack instances per region
  5. Summary

This image shows an example of a multiple account onboarding flow.

Summary of CloudFormation stack templates

A high-level summary of CloudFormation stack templates follows.

The onboarding steps are described in detail within Data Manager. The details are not duplicated here.

  1. Splunk provides CloudFormation templates to establish the stack set execution role and the Data Manager read role.
    1. The read role allows Splunk to read metadata from cloudtrail, securityhub, guardduty, cloudformation, firehose, s3, lambda, events, and logs.
    2. The template also creates five other IAM roles that allow firehose, cloudwatch, lambda, s3, logs, and events to interact with one another.
  2. You apply the templates.
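Before applying the templates it is worth confirming that the read role really is read-only and which services each of the other roles can touch. The following is an added example, not Splunk's own code: it parses a downloaded CloudFormation template (JSON form), inspects the inline policies of every AWS::IAM::Role, and flags any allowed action whose verb is not Get, List or Describe. The embedded template and its role names are constructed for illustration; the real templates will differ.

```python
"""Audit the IAM roles declared in a CloudFormation template (added example)."""
import json
import re

# Verbs that only read; anything else (or a wildcard) grants more than read.
READ_ONLY = re.compile(r"^(Get|List|Describe)", re.IGNORECASE)


def _as_list(value):
    """CloudFormation allows a single item or a list in several fields."""
    return value if isinstance(value, list) else [value]


def audit_roles(template: dict) -> dict:
    """Return {logical_id: {"services": set, "write_actions": list}} for each role.

    Only inline policies (Properties.Policies) are inspected; managed policy ARNs
    attached via ManagedPolicyArns would have to be fetched separately.
    """
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        services, write_actions = set(), []
        for policy in resource.get("Properties", {}).get("Policies", []):
            for stmt in _as_list(policy["PolicyDocument"]["Statement"]):
                if stmt.get("Effect") != "Allow":
                    continue
                for action in _as_list(stmt.get("Action", [])):
                    service, _, verb = action.partition(":")
                    services.add(service)
                    if verb == "*" or not READ_ONLY.match(verb):
                        write_actions.append(action)
        report[logical_id] = {"services": services, "write_actions": write_actions}
    return report


# Constructed sample template: one read-only role and one delivery role.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "DataManagerReadRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "read", "PolicyDocument": {"Statement": {"Effect": "Allow",
     "Action": ["cloudtrail:DescribeTrails", "securityhub:GetFindings",
                "guardduty:ListDetectors", "s3:GetBucketLocation"], "Resource": "*"}}}]}},
  "FirehoseDeliveryRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "deliver", "PolicyDocument": {"Statement": [{"Effect": "Allow",
     "Action": ["s3:PutObject", "logs:PutLogEvents"], "Resource": "*"}]}}]}}}}""")

if __name__ == "__main__":
    for role, info in audit_roles(SAMPLE_TEMPLATE).items():
        print(role, sorted(info["services"]), info["write_actions"])
```

To audit a real download, replace SAMPLE_TEMPLATE with json.load() of the template file and review every role that reports a non-empty write_actions list.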

Deploy CloudFormation templates

Data Manager uses us-east-1 to set up resources, such as IAM roles, that do not need to be configured in every region you select for data onboarding. When resources are created and deleted, the resources in us-east-1 are created first and deleted last. Even if you did not select the us-east-1 region for data ingestion, the CloudFormation templates still create a stack or StackSet in that region. This is expected and not a cause for alarm.

Deploying templates takes approximately ten minutes.

  1. Splunk provides a nested stack set template, which takes a couple of minutes to prepare.
  2. You download the template once the download button is enabled.
  3. You apply the template in the control account to start setting up resources across all of the listed data accounts, for data ingestion into Splunk through firehose.
  4. Data starts flowing within five minutes.

The template preparation period varies with the number of data sources you selected during onboarding. After you specify the data sources to be onboarded, the backend synchronously creates one HTTP Event Collector (HEC) token for every dataset as part of the final "download ingest templates" operation.

In the UI this appears as a disabled download button until all the tokens have been created. If you hover over the download button, you see a message about template preparation, and an information banner shows status and tips. The template download button is enabled once all tokens have been created for data ingestion through firehose.

Click Finish to navigate to the Data Management home page and see your data input.

Last modified on 16 November, 2021
This documentation applies to the following versions of Data Manager: 1.4.0
