Splunk Integration & Administration Guide
Edition notice
Note: This edition applies to version 1.0 of Saviynt Security Analyzer and to all subsequent releases and modifications until otherwise indicated in new editions.
Copyright Saviynt Inc. 2016
Contents
1. Introduction to Saviynt Security Analyzer
2. Description of the Application
3. Pre-Requisites
   3.1 Supported OS Platforms
   3.2 Connectivity and Firewalls consideration
   3.3 Supported Splunk versions
   3.4 Splunk Application
4. Installation and Configuration
   4.1 Installing the Saviynt application
      4.1.1 Not Connected to the Internet
      4.1.2 Connected to the Internet
   4.2 Creating Cross Account Role ARN
   4.3 Importing Data
      4.3.1 Importing Data for the first time
5. AWS Dashboard
   5.1 AWS Controls
   5.2 Understanding the graphs
      5.2.1 Bubble Graph
      5.2.2 High Risk Summation
      5.2.3 Pie Charts
6. Analytics
   6.1 Creating New Analytics
7. AWS IAM Users
   7.1 List of AWS IAM Users
   7.2 Account Detail
   7.3 Associated AWS Object
   7.4 Search
8. AWS Objects
9. Upgrade to Saviynt Premium
10. Contact Us
3. Pre-Requisites
The following components must be installed and configured on your Splunk infrastructure for the
Saviynt App to function correctly.
Once the app package is unzipped, copy it to your Splunk Enterprise server.
Untar and ungzip your app, using a tool like tar -xvf (on *nix) or WinZip (on Windows).
Once you see the splunk_app_saviynt_aws directory at the location $SPLUNK_HOME\etc\apps, log in to Splunk Enterprise and enter your credentials.
(Note: it is necessary to restart Splunk before using the application for the first time after downloading it.)
After Splunk has been restarted, go to the Saviynt App for AWS.
Click the + sign below your last installed app to go directly to the app browser. Search for Saviynt Security Analyzer.
You can also click the gear next to Apps to go to the apps manager page. Click on browse more apps to go to the app browser. Search for Saviynt Security Analyzer.
Download and install the app. Restart Splunk.
Once Splunk Enterprise has been restarted, the Saviynt Security Analyzer app is now installed and will be available from Splunk Home.
Important: If Splunk Web is located behind a proxy server, you might have issues accessing Splunkbase. To solve this problem, you need to set the HTTP_PROXY environment variable.
http://saviynt.com/wp-content/uploads/2016/11/Saviynt_Splunk_Integration_Guide.pdf
You will need this Role ARN to import the data from the AWS account.
Enter the Contact Information and AWS connection details. Please note that the Company name cannot be changed later. Enter the cross-account role ARN you created and the AWS account ID.
Once the details have been entered, click on the Save & Test Connection button. The following dialog box appears.
For future data re-imports, you can either follow the previous steps, click on the Re-Evaluate Risks button on the Home page, or schedule the import to run as a job at a particular time by enabling and scheduling the pre-existing search "Scheduling for importdata", as shown below.
Enable the search and then schedule it after checking the Schedule this search checkbox.
5. AWS Dashboard
An AWS Control is a procedure or a policy that ensures that the data in the AWS environment of an organization is reliable and in compliance with applicable laws & regulations. These controls help you implement common scenarios for potential conflicts on an AWS Object (such as a VPC, an EC2 instance, etc.).
Saviynt provides a comprehensive range of AWS controls to detect and/or prevent various access and
security violations occurring in your environment.
The AWS controls provided by Saviynt are divided into three different categories:
Risk Signatures
Compliance Control-
| Category | Analytics Name | Violation Type | Occurrence | Description | Risk | Recommendations |
|---|---|---|---|---|---|---|
| AWS Best Practices | CloudFormation templates with No Output Sections | Basic | Often | Detects CloudFormation templates with No Output Sections | Medium | It is recommended to add Output sections to CF templates |
| AWS Best Practices | CloudFormation templates with Password Violations | Basic | | Detects CloudFormation templates with Password Violations | High | It is recommended not to echo passwords and to keep encrypted passwords in CF templates |
| AWS Best Practices | CloudFormation templates with Open RDP Port Security Groups | Basic | | Detects CloudFormation templates with Open RDP Port Security Groups | High | It is recommended not to use Open RDP Port Security Groups in CF templates |

Preventative Controls

| Category | Analytics Name | Violation Type | Occurrence | Description | Risk | Recommendations |
|---|---|---|---|---|---|---|
| Preventative control - EC2 | Workloads with open Internet access via Security Groups | Premium | | Detects Workloads with open Internet access via Security Groups | Medium | Notify via Email, SNS Notification, Stop EC2 instances |
| Preventative control - EC2 | Security Groups with open SSH Ports | Premium | | Detects Security Groups with open SSH Ports | High | Notify via Email, SNS Notification, Stop EC2 instances |
| Preventative control - EC2 | Workloads with open SSH access via Security Groups | Premium | | Detects Workloads with open SSH access via Security Groups | High | Notify via Email, SNS Notification, Stop EC2 instances |
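As an added example (not Saviynt's code, which evaluates these analytics inside Splunk), the following Python checker reproduces the CloudFormation and security-group findings listed in the table above on a constructed template. The JSON keys are the standard CloudFormation ones; the password heuristic (a parameter whose name contains "password" without NoEcho set) and the 0.0.0.0/0 or ::/0 test for "open" are assumptions about what the analytics look for.

```python
# Added example, not Saviynt's code: a minimal checker for the CloudFormation
# analytics in the table above, run on a constructed JSON template.
import json

WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "open to the Internet"

def open_ingress_ports(template, ports=(22, 3389)):
    """(port, cidr) pairs where a security group opens one of `ports` to the
    world: 3389 is the Open RDP Port analytics, 22 the open-SSH control."""
    hits = []
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            proto = str(rule.get("IpProtocol", "-1"))  # "-1" means all protocols
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD or proto not in ("tcp", "-1"):
                continue
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            hits.extend((p, cidr) for p in ports if lo <= p <= hi)
    return hits

def password_violations(template):
    """Password-like parameters echoed back because NoEcho is not true (assumed heuristic)."""
    return [name for name, p in template.get("Parameters", {}).items()
            if "password" in name.lower()
            and str(p.get("NoEcho", "false")).lower() != "true"]

def check_template(template):
    """Map each triggered analytics name to the risk level from the table."""
    findings = {}
    if not template.get("Outputs"):
        findings["CloudFormation templates with No Output Sections"] = "Medium"
    if password_violations(template):
        findings["CloudFormation templates with Password Violations"] = "High"
    open_ports = {p for p, _ in open_ingress_ports(template)}
    if 3389 in open_ports:
        findings["CloudFormation templates with Open RDP Port Security Groups"] = "High"
    if 22 in open_ports:
        findings["Security Groups with open SSH Ports"] = "High"
    return findings

# Constructed sample: no Outputs, an echoed DBPassword, RDP open to the world,
# SSH limited to a private range (so SSH must not be reported).
SAMPLE_TEMPLATE = json.loads("""{
  "Parameters": {"DBPassword": {"Type": "String"}},
  "Resources": {"WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "web", "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}}}}""")
```

Calling check_template(SAMPLE_TEMPLATE) reports the No Output Sections, Password Violations and Open RDP Port findings with the risk levels from the table, and nothing for SSH.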
Saviynt's analytics also provide an administrator with the risk level (high, medium, or low) for a violation.
As the AWS Dashboard gets populated, you will see various AWS analytics, such as EC2, VPC, S3
Buckets related to the AWS account.
On this chart, hovering over any of the bubbles gives the number of instances and violations on the
object.
Click on the bubble for any of the AWS analytics listed on the right. For example, if you click on the
brown colored EC2 bubble on the chart, the following screen should appear:
Click on any Analytics and it will show you the details of the violations associated with that particular Analytics.
Click on the Home button and scroll down to the section High Risk Summation.
This bar graph gives the conflict count for various analytics. Hover over the bar corresponding to any
of the analytics and click on it.
Scroll down further to get various pie charts, which give an insight into the current AWS ecosystem
and actual or potential occurring violations.
The example below explains the pie chart titled Open Access on EC2 Security Groups. Hovering over any section of the pie chart gives the number of violations and the percentage it represents of the total number of violations for open access on EC2 security groups.
Click on the section of the pie chart. The following screen should appear.
The following screen should appear. It provides a list of analytics under different AWS categories, their descriptions and the number of conflicts occurring. Click on any one of them to see the list of violations in that particular analytics along with the details.
Once the details are entered and the request is created, an email is sent to Saviynt's support team. The process to include the new analytics is initiated within 24 hours.
This shows a list of all active IAM users associated with the AWS account.
7.4 Search
To search for a specific user's account, use the application's search functionality by entering the user name in the search field.
This screen provides a list of the AWS objects and their criticalities (very low, low, medium, high, very
high, none).
http://saviynt.com/saviynt-security-analyzer/
Click on the Get Premium Application button on the top right corner of the Home page.
The following payment screen appears:
Enter the number of accounts in your AWS environment and your Splunk ID.
There are two modes of payment:
Pay Now: Pay the subscription amount via PayPal or any major credit card
Invoice Me: Upon clicking on the Invoice Me button, the following box appears:
Once a request is submitted, you will be contacted by a Saviynt team member to confirm and
process the request.
Click on contact us to open the following window: