Data Manager

Troubleshooting Manual

Troubleshoot AWS SecurityHub data ingestion

Troubleshoot the AWS Security Hub data ingestion process.

If the AWS accounts are configured in an administrator/member relationship for monitoring Security Hub findings, the EventBridge event rules and the Kinesis Data Firehose delivery stream are not created in the member accounts. Findings from each member account's region are available in the same region of the administrator account and are ingested into Splunk from the administrator account.

SecurityHub events cannot be found

AWS SecurityHub events cannot be found.

Cause

AWS SecurityHub is not enabled or is not configured correctly, or Splunk HEC is not configured correctly.

Solution

  1. In AWS, check whether Security Hub is enabled on the AWS account you are trying to get data from. If the account is set up as a member account, log in to the Security Hub administrator account to continue debugging in that region. See the Setting up AWS Security Hub topic in the AWS documentation for more information.
  2. If Security Hub is already enabled and you still don't see the events you are looking for, check the Splunk-side HEC configuration. See the HTTP Event Collector (HEC) configuration reference topic in this manual to troubleshoot the HEC configuration on the Splunk software side.
  3. If the HEC token is present and enabled, navigate to Security Hub in your AWS account and check whether you have any findings.
  4. If there are findings but data is not flowing to your Splunk Cloud deployment, in AWS navigate to EventBridge > Rules in the same region and check whether SplunkDMGaurdDutyEventBridgePatternRule exists.
  5. In AWS, navigate to Kinesis > Delivery streams and check for SplunkDMSecurityHubDeliveryStream.
  6. If the SplunkDMSecurityHubDeliveryStream stream exists, open its Monitoring tab and check whether events are being delivered to it in AWS.
  7. For issues with the AWS Kinesis Data Firehose delivery stream itself, see Troubleshoot AWS Kinesis Firehose data ingestion.
  8. If you are still facing issues, delete the data input in Data Manager and recreate it.
  9. If the configuration is correct and your data still cannot be found, contact Splunk Support.
Last modified on 05 September, 2024

This documentation applies to the following versions of Data Manager: 1.11.0

