Our Carbon Black Cloud Splunk App offers native inputs for the Alerts, Audit Logs, Live Query Results, and Vulnerabilities data sets. You configure the app with a Carbon Black Cloud API key, and it does the rest. The native input works well for lower-volume data sets, but if you're an enterprise SOC where scale and reliability are critical, the Data Forwarder is our recommended solution. If your organization has high-volume alerts, or you're looking to bring the visibility that Watchlist Hits and Endpoint Events provide into Splunk, the Data Forwarder is your solution. The Data Forwarder was built for reliable, low-latency data streaming at scale.

Carbon Black Cloud currently offers three data types in the Data Forwarder. Each type should get its own forwarder, its own prefix (directory) in the S3 bucket, its own SQS queue, its own Splunk input, and its own Splunk Source Type.

KMS Encryption: The Carbon Black Cloud Data Forwarder now supports KMS Encryption (symmetric keys only). This requires granting additional permissions to allow Carbon Black Cloud's principal to access the key. See the Appendix: Sample Policy for KMS Encryption for additional details and examples.

Most SQS consumers require a deadletter queue: a place the consumer can dump bad or malformed messages from the primary queues if something goes wrong, so that data is neither lost nor reprocessed when it is bad. In the demo video, this queue was named cbc-demo-queue-deadletter.

Primary Queues: Create one queue per data type. Attach a queue policy that grants the S3 bucket the sqs:SendMessage permission. A sample policy can be found in the Appendix: Sample Queue Policy. Specify the deadletter queue created in the step above.

Handoff: Copy the Access Key ID and Secret Key; these will be handed off to the SIEM team.

This policy defines what access Splunk requires for the SQS-based S3 input. These permissions are documented by Splunk in the AWS Add-on documentation, Configure AWS permissions for the SQS-based S3 input.

Required permissions for S3 buckets and objects:

Required permissions for KMS (if you are using KMS Encryption on your S3 bucket):

In the demo video, the policy name is cbc-demo-policy.
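The queue policy step above grants the S3 bucket sqs:SendMessage on each primary queue. The point worth checking is that the grant is scoped to your bucket and account (aws:SourceArn / aws:SourceAccount) rather than open to the S3 service as a whole or to any principal. The following is an added example, not the post's sample policy or Carbon Black's code; the account ID, bucket and queue names are hypothetical placeholders. It builds a scoped policy and audits any queue policy document for the unscoped variants.

```python
import json

# Hypothetical placeholders for illustration; substitute your own values.
ACCOUNT_ID = "123456789012"
BUCKET_ARN = "arn:aws:s3:::cbc-demo-bucket"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:cbc-demo-queue"


def build_queue_policy(queue_arn: str, bucket_arn: str, account_id: str) -> dict:
    """Queue policy that lets only the S3 service, acting for this bucket in
    this account, call sqs:SendMessage on the queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3EventNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def audit_queue_policy(policy: dict) -> list:
    """Return findings for Allow statements that let any principal, or the S3
    service on behalf of any bucket, push messages into the queue."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sqs:SendMessage", "sqs:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        cond = st.get("Condition", {})
        # Scoped if some condition block names the source bucket or account.
        scoped = any(k in v for v in cond.values()
                     for k in ("aws:SourceArn", "aws:SourceAccount"))
        sid = st.get("Sid", "?")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: SendMessage open to any principal")
        elif isinstance(principal, dict) and "Service" in principal and not scoped:
            findings.append(f"{sid}: service principal not scoped by aws:SourceArn/aws:SourceAccount")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_queue_policy(QUEUE_ARN, BUCKET_ARN, ACCOUNT_ID), indent=2))
```

Run `audit_queue_policy` over the JSON returned by `aws sqs get-queue-attributes --attribute-names Policy` for each primary queue to confirm nothing is open wider than the bucket that feeds it.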