This document explains how to configure a bi-directional integration between Splunk Phantom and AWS Security Hub. The integration leverages AWS CloudWatch Events to forward findings into an SQS queue, from which they are picked up and consumed by Phantom. Phantom in turn uses standard IAM access credentials to communicate with Security Hub.
Start by navigating to the CloudFormation page in your AWS console and running the CloudFormation template linked below. The template generates a new CloudWatch Event Rule that forwards all new Security Hub findings to an SQS queue.
CloudFormation Template: https://splunkphantom.s3.amazonaws.com/cloud-formation/phantom-sechub-to-sqs.yaml
After the CloudFormation stack has been created, be sure to take note of the securityHubToPhantomSQSURL field in the output; you will need it later.
Next, log in to your Splunk Phantom instance. If you are new to Phantom, you can easily launch the Phantom Community Edition available in the AWS Marketplace.
Navigate to the "Apps" page in Phantom. Search for the Security Hub app; if it does not appear in your search results, you may need to select "New Apps" and install the app before proceeding. Select "Configure New Asset" for the v1.1+ Security Hub app.
Important: These instructions require the Phantom Security Hub app v1.1 or higher. If you are running an older version, be sure to upgrade it by selecting "Upgrade Apps" in your Phantom instance, or by downloading the latest version of the app from my.phantom.us/apps and installing it manually.
Setting up the Security Hub Phantom app requires input on 3 configuration tabs.
Provide a unique asset name. It is a good idea to use a name that reminds you which AWS environment the app connects to.
Supply values for the following fields:
Once you have configured the Asset Info, Ingest Settings, and Asset Settings tabs, select Save to finalize your app configuration. You are now ready to start consuming Security Hub findings in Phantom!
Any new Security Hub findings will now appear on your Phantom "Events" page according to your polling interval. Note that the integration relies on forwarding events from Security Hub to the SQS queue, so the app will only know about findings that were created after the CloudFormation template was run in Step 1.
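To make the forwarding path concrete, here is an added consumer-side example (not Phantom's code and not the linked CloudFormation template) covering both the event rule described at the top of this document and the "only findings after the stack was created" caveat just above. It assumes the rule matches on the source `aws.securityhub` and the detail-type `Security Hub Findings - Imported`, that each SQS message body is one such CloudWatch Event in JSON, and that findings use the standard ASFF fields (`Id`, `ProductArn`, `AwsAccountId`, `Title`, `CreatedAt`, `Severity.Label`). The sample messages and the stack creation time are constructed for the example.

```python
"""Parse SQS messages carrying Security Hub findings forwarded by a
CloudWatch Events rule. Added example; the event pattern, sample messages
and stack timestamp below are assumptions, not taken from Phantom or AWS.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Pattern an event rule would use to select newly imported findings
# (assumed to mirror the rule created by the CloudFormation template).
SECURITY_HUB_EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}


def matches_pattern(event: Dict, pattern: Dict) -> bool:
    """Minimal EventBridge-style matcher: every key in the pattern must be
    present in the event and its value must be one of the listed options."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def parse_sqs_message(body: str, not_before: Optional[datetime] = None) -> List[Dict]:
    """Return the findings carried by one SQS message body, reduced to the
    fields an analyst triages on. Messages that do not match the expected
    pattern are dropped rather than trusted. Findings created before
    `not_before` (e.g. the stack creation time) are skipped: the rule only
    ever forwarded findings imported after it existed, so anything older
    arriving here is unexpected and not part of the normal stream."""
    event = json.loads(body)
    if not matches_pattern(event, SECURITY_HUB_EVENT_PATTERN):
        return []
    out = []
    for finding in event.get("detail", {}).get("findings", []):
        created = datetime.fromisoformat(finding["CreatedAt"].replace("Z", "+00:00"))
        if not_before is not None and created < not_before:
            continue
        out.append({
            "id": finding["Id"],
            "title": finding["Title"],
            "severity": finding.get("Severity", {}).get("Label", "INFORMATIONAL"),
            "product_arn": finding["ProductArn"],
            "account": finding["AwsAccountId"],
            "created_at": created,
        })
    return out


def triage(bodies: List[str], not_before: Optional[datetime]) -> List[Dict]:
    """Run parse_sqs_message over a batch of received message bodies."""
    findings = []
    for body in bodies:
        findings.extend(parse_sqs_message(body, not_before))
    return findings


# Constructed sample data: the moment the stack was created, one message
# with a finding created after it and one created before, and one unrelated
# message that the pattern must reject.
STACK_CREATED_AT = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_FINDINGS_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "time": "2020-06-02T08:30:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {"findings": [
        {"Id": "arn:aws:securityhub:us-east-1:123456789012:example/finding/new-1",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "AwsAccountId": "123456789012",
         "Title": "Constructed finding created after the stack",
         "CreatedAt": "2020-06-02T08:29:55.000Z",
         "Severity": {"Label": "HIGH"}},
        {"Id": "arn:aws:securityhub:us-east-1:123456789012:example/finding/old-1",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "AwsAccountId": "123456789012",
         "Title": "Constructed finding created before the stack",
         "CreatedAt": "2020-05-20T00:00:00.000Z",
         "Severity": {"Label": "LOW"}},
    ]},
}
SAMPLE_FINDINGS_MESSAGE = json.dumps(SAMPLE_FINDINGS_EVENT)

SAMPLE_OTHER_MESSAGE = json.dumps({
    "version": "0",
    "detail-type": "Some Other Event",
    "source": "aws.example",
    "detail": {"findings": [{"Id": "should-not-be-read"}]},
})

if __name__ == "__main__":
    for f in triage([SAMPLE_FINDINGS_MESSAGE, SAMPLE_OTHER_MESSAGE], STACK_CREATED_AT):
        print(f"{f['severity']:<8} {f['title']} ({f['id']})")
```

Run as a script it prints only the HIGH finding: the unrelated message fails the pattern check and the finding dated before the stack creation time is skipped. In a real poller the bodies would come from the queue at `securityHubToPhantomSQSURL`, and the pattern check is worth keeping even there, because anything else that gains SendMessage on the queue would otherwise be treated as a Security Hub finding.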