Splunk Integration


Splunk Integration

Splunk lets you search, monitor, and analyze big data for easy visualization. You can use Splunk’s integration with AWS CloudWatch to analyze your Kion data. You can also leverage a Cloud Custodian utility to send compliance notifications from Kion to Splunk.

We integrate with Splunk using a Cloud Custodian utility that lets you send Kion compliance notifications through Splunk. This helps us support your continuous compliance goals without disrupting your established work flows. Pairing Splunk with Kion makes it easy to visualize, manage, and remediate compliance concerns.

The Cloud Custodian utility we use to integrate with Splunk is the c7n-mailer, a robust implementation for sending notifications to various tools within your organization. For more information and additional configurations, see Amazon's article c7n-mailer: Custodian Mailer.

Setting Up a Splunk Integration


  1. Create a Simple Queue Service (SQS) queue in AWS. We recommend creating it in the account in which Kion is installed. The SQS queue needs to have a queue policy that allows any account in the organization to write to it. For more information, see Amazon's article Creating an Amazon SQS queue.
  2. Create an IAM role with read access to the SQS queue you created.

In Splunk:

  • Create an HTTP event collector (HEC). The process for creating an HEC varies based on Splunk version. You can find instructions for your particular version in the Splunk documentation.

On your local desktop:

  1. Install c7n-mailer by running:
    pip install c7n-mailer
  2. Create a file named mailer.yml. The mailer.yml file must have the following entries:
    • A queue_url entry with the HTTPS URL of the queue you created.
    • A role entry with the Amazon Resource Name (ARN) of the role you created.
    • A splunk_hec_url entry with the HTTP event collector URL.
    • A splunk_hec_token entry with the HTTP event collector token.
  3. Run the following command locally against the account where Kion is installed:
    c7n-mailer --config mailer.yml --update-lambda && custodian run -c test-policy.yml -s .

In Kion:

For each compliance check that you want to send notifications to Splunk:

  1. Navigate to Compliance > All Compliance Checks.
  2. Click the name of the compliance check.
  3. Under Compliance Check Details, click View Policy.
  4. Add the following action to the policy. For the queue, enter the URL of your SQS queue. For the region, enter the region the account is in.
          - type: notify
            body: |
                “url”: “{{CT::CallbackURL}}“,
                “method”: “POST”,
                “compliance_check_id”: {{CT::CheckId}},
                “findings”: “resources[].{resource_name: GroupId, resource_type: `security_group`}”
              - splunkhec://myIndexName
              type: sqs
              queue: sqs_queue_URL
              region: your_region