Connecting Splunk Phantom to AWS Security Hub

This document explains how to configure a bi-direction integration between Splunk Phantom and AWS Security Hub. The integration is built on leveraging AWS Cloud Watch Events to forward Findings into a SQS Queue, from which they are picked up and consumed by Phantom. Phantom in turn uses a standard IAM access credentials to communicate with Security Hub.

Instructions

1 - Forward Security Hub Alerts to a SQS Queue

Start by navigating to the CloudFormation page on your AWS console and running CloudFormation template linked below. The template will generate a new CloudWatch Event Rule which will forward all new Security Hub findings to an SQS Queue.

CloudFormation Template: https://splunkphantom.s3.amazonaws.com/cloud-formation/phantom-sechub-to-sqs.yaml

Cloud Formation - Selecting the Phantom Template

After the Cloud Formation stack has been created be sure to take note of the securityHubToPhantomSQSURL field in the output - you will need it later.

Cloud Formation Output

2 - Configure your Phantom App Asset

Next, login to your Splunk Phantom instance. If you are new to Phantom you can easily launch the Phantom Communinity Edition availabile in the AWS Marketplace.

Navigate to the "Apps" page in Phantom. Search for the Security Hub app - if you don't find it in your search results, you may need to select the New Apps and install the app before proceeding. Select "Configure New Asset" for the v1.1+ Security Hub App.

Impoprtant These instructions require the Phantom Security Hub app v1.1 or higher - if you are running an older version, be sure to upgraded it by selecting "Upgrade Apps" in your phantom instance or downloading the latest version of the app from my.phantom.us/apps and manually installing it.

Security Hub Phantom App Configure

App Configuration Parameters

Setting up the Security Hub Phantom app requires input on 3 configuration tabs.

Asset Info

Provide a unique name asset name. It is a good idea to use a name which reminds you which AWS environment the app connects to.

Ingest Settings

Select a Label to apply to all Findings consumed from security hub, or create a new one by typing in the drop down box
Select "Interval" to enable periodic polling of the SQS Queue
Modify the polling interval as desired to suit your organization's needs.

Asset Settings

Supply values for the following fields:

AWS Access Key - The access key associated with an IAM account
AWS Secret Key - The secret key associated with an IAM account
SQS URL - The URL provided by the Cloud Formation template from part 1 of this guide

Security Hub Phantom App - Asset Settings Tab

Finalize the Configuration

Once you have configured the Asset Info, Ingest Settings, and Asset Settings select Save to finalize your app configuration. You are now ready to start consuming Security Hub Findings in Phantom!

Any new Security Hub Findings will now appear on your Phantom "Events" page according to your polling interval. Note that the integration relies on forwarding events from the Security Hub to the SQS queue, so the app will only know about any findings that were created after the Cloud Formation template was run in Step 1.