Exporting Alerts

Alerts can be exported to other products by configuring rules with export actions, such as SNS or SQS. The following sections describe how to export alerts into commonly used systems.

Exporting Alerts into Splunk via SQS

Prerequisites:

If you want the messages CloudHunter exports to be encrypted at rest in the queue, create a KMS key in your AWS account (or designate an existing one) and enable server-side encryption on the queue with that key. The role that sends messages (CloudHunter's cross-account role, below) then needs permission to encrypt with the key, and the role that receives them (the Splunk role, below) needs permission to decrypt with it. Set those permissions in the key's key policy, which is evaluated separately from the roles' regular IAM policies.

Create a cross-account role that allows our AWS account to assume it, with an external ID of your choosing set as a condition on the role's trust relationship; use a unique, hard-to-guess value, since the external ID is what prevents a third party from directing CloudHunter at your role (the confused-deputy problem). You can either create a new role just for this purpose or reuse the cross-account role CloudHunter already assumes for other tasks, such as data ingestion.

  1. Create your SQS queue and set the necessary permissions.

Once you have created an SQS queue for exporting data from CloudHunter to Splunk, make a note of the queue URL and the queue ARN (both are needed later). The role assigned to CloudHunter must be allowed to send messages to that queue, and it needs nothing more than that. The following policy template grants exactly those permissions to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1530916286624",
            "Action": [
                "sqs:SendMessage",
                "sqs:SendMessageBatch"
            ],
            "Effect": "Allow",
            "Resource": "queue-arn"
        }
    ]
}

Replace the “queue-arn” text above with your SQS queue’s ARN (the value that starts with arn:aws:sqs:, not the queue URL). If you enabled SSE-KMS on the queue with a customer managed key, this role also needs kms:GenerateDataKey and kms:Decrypt on that key, granted in the key policy as described under Prerequisites.

We also recommend creating a separate role that can receive (and delete) messages from the queue and assigning that role to your Splunk instance, rather than reusing the sending role. The following policy template grants the permissions the Splunk SQS input needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1530916286624",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes"
            ],
            "Effect": "Allow",
            "Resource": "queue-arn"
        }
    ]
}

Replace the “queue-arn” text above with your SQS queue’s ARN. Note that this policy grants sqs:DeleteMessage as well as sqs:ReceiveMessage: the Splunk input deletes each message once it has been indexed, and without that permission every alert would reappear after the queue’s visibility timeout and be indexed again. If the queue uses SSE-KMS with a customer managed key, the Splunk role also needs kms:Decrypt on that key.

  2. Configure the SQS Integration Agent on your instance of CloudHunter.

This can be done as follows:

  • Click on the “System Configurations” gear icon next to your login name.
  • Navigate to the Integrations tab and select the pencil next to “Export to AWS SQS”.
  • Click on the Next button until you get to Step 4.
  • Fill in the value fields there: the ARN of the cross-account role (and its external ID, if the role requires one) and the URL of the queue that CloudHunter should send to.
  • Click the Submit button.
  3. Configure the Detection Rule to trigger an export to SQS.
  • Navigate to the Risks tab, and select “Configure Rule based Detection” from the gear icon located under Risks.
  • Find the rule named “Send SQS Messages for Critical Alerts”.
  • Optionally edit the query in this rule to widen or narrow the set of alerts being forwarded.
  • If you only want to export critical alerts, leave the rule unchanged and enable it by clicking the toggle button in the last column, as shown in the screenshot:
  4. Configure Splunk to ingest the data from the SQS queue.
  • Install the Splunk Add-on for AWS.
  • Click on the button for “Create New Input”.
  • In the drop-down from the new input button, select “Custom Data Type” → “SQS”.
  • Enter the queue name, its region and the credentials or role that carries the receive policy above, so that Splunk can receive the messages CloudHunter sends. Once the input is enabled, confirm that a forwarded alert appears in the target index before relying on the export.
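The following is an added example, not code from CloudHunter, Splunk or AWS. It generates the trust, sender and receiver policy documents for steps 1 and 2 above (including the sts:ExternalId condition the page describes but does not show) and then exercises the same AssumeRole-with-external-ID and SendMessage path CloudHunter will use, so the queue and role can be verified before the detection rule is enabled. The vendor account ID, external ID, ARNs, queue URL, statement IDs and function names are placeholders chosen for this example; a real run assumes boto3 is installed, while the offline path injects fake clients.

```python
"""
Added example for the CloudHunter -> SQS -> Splunk export (not code from
CloudHunter, Splunk or AWS). Generates the IAM documents for steps 1 and 2
and runs the assume-role + send path CloudHunter will use. All account IDs,
ARNs and URLs below are placeholders (assumptions), replace them with yours.
"""
import json
import re
import secrets
from typing import List, Optional

SQS_ARN_RE = re.compile(r"^arn:aws:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_.-]{1,80}$")
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def _check_arn(arn: str, pattern, what: str) -> str:
    """Refuse obviously wrong values (e.g. a queue URL pasted where an ARN belongs)."""
    if not pattern.match(arn):
        raise ValueError(f"{what} ARN looks wrong: {arn!r}")
    return arn


def build_trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role CloudHunter assumes.
    The sts:ExternalId condition is the confused-deputy guard: the vendor can
    only assume the role when it presents the ID you chose."""
    if not re.fullmatch(r"\d{12}", vendor_account_id):
        raise ValueError("vendor account ID must be 12 digits")
    if len(external_id) < 16:
        raise ValueError("use a long random external ID, e.g. secrets.token_hex(16)")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def build_producer_policy(queue_arn: str, kms_key_arn: Optional[str] = None) -> dict:
    """Sending role: SendMessage/SendMessageBatch on this one queue only. With
    SSE-KMS on the queue a producer also needs GenerateDataKey and Decrypt on
    the key (the key policy must allow it as well, see Prerequisites)."""
    stmts = [{"Sid": "CloudHunterSend", "Effect": "Allow",
              "Action": ["sqs:SendMessage", "sqs:SendMessageBatch"],
              "Resource": _check_arn(queue_arn, SQS_ARN_RE, "queue")}]
    if kms_key_arn:
        stmts.append({"Sid": "CloudHunterEncrypt", "Effect": "Allow",
                      "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                      "Resource": _check_arn(kms_key_arn, KMS_ARN_RE, "KMS key")})
    return {"Version": "2012-10-17", "Statement": stmts}


def build_consumer_policy(queue_arn: str, kms_key_arn: Optional[str] = None) -> dict:
    """Splunk role: receive, then delete what was indexed (without DeleteMessage
    every alert is redelivered after the visibility timeout). Consumers of an
    SSE-KMS queue only need kms:Decrypt."""
    stmts = [{"Sid": "SplunkReceive", "Effect": "Allow",
              "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
              "Resource": _check_arn(queue_arn, SQS_ARN_RE, "queue")}]
    if kms_key_arn:
        stmts.append({"Sid": "SplunkDecrypt", "Effect": "Allow", "Action": ["kms:Decrypt"],
                      "Resource": _check_arn(kms_key_arn, KMS_ARN_RE, "KMS key")})
    return {"Version": "2012-10-17", "Statement": stmts}


def least_privilege_issues(policy: dict) -> List[str]:
    """Flag wildcard actions or resources before the policy is attached."""
    issues = []
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if any(a.endswith("*") for a in actions):
            issues.append(f"{s.get('Sid', '?')}: wildcard action {actions}")
        if "*" in resources:
            issues.append(f"{s.get('Sid', '?')}: wildcard resource")
    return issues


def send_test_alert(role_arn: str, external_id: str, queue_url: str, region: str,
                    sts=None, sqs_factory=None) -> str:
    """Do what CloudHunter will do: AssumeRole with the external ID, then
    SendMessage using the temporary credentials. Returns the SQS MessageId.
    sts and sqs_factory are injectable so the flow can be exercised offline."""
    if sts is None or sqs_factory is None:
        import boto3  # only required for a real run against AWS
        sts = sts or boto3.client("sts", region_name=region)
        sqs_factory = sqs_factory or (lambda c: boto3.client(
            "sqs", region_name=region, aws_access_key_id=c["AccessKeyId"],
            aws_secret_access_key=c["SecretAccessKey"], aws_session_token=c["SessionToken"]))
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="cloudhunter-export-smoke-test",
                            ExternalId=external_id)["Credentials"]
    body = json.dumps({"source": "cloudhunter-smoke-test", "severity": "critical",
                       "message": "constructed test alert, safe to delete"})
    return sqs_factory(creds).send_message(QueueUrl=queue_url, MessageBody=body)["MessageId"]


if __name__ == "__main__":
    queue = "arn:aws:sqs:us-east-1:123456789012:cloudhunter-alerts"  # placeholder
    print(json.dumps(build_trust_policy("111122223333", secrets.token_hex(16)), indent=2))
    print(json.dumps(build_producer_policy(queue), indent=2))
    print(json.dumps(build_consumer_policy(queue), indent=2))
```

Run the script to print the three documents, attach them to the roles, then call send_test_alert with real values (and boto3 credentials for the account CloudHunter runs from, or your own account for a same-account dry run) and look for the constructed message in Splunk; if it never arrives, the queue, role or Splunk input is misconfigured and the detection rule should stay disabled until it does.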