Use Federated Analytics with Splunk Enterprise Security for threat detection in Amazon Security Lake (ASL) datasets

Note: This topic applies to Splunk Enterprise Security version 7.3.2 and higher.

Use the search capabilities of Federated Analytics with the risk-based alerting capabilities of Splunk Enterprise Security to run correlation searches or detections and identify threats within the data located in Amazon Security Lake (ASL) datasets.

Using federated analytics with Splunk Enterprise Security provides the following benefits:

  • Extended visibility into your security operations center (SOC): Access remote and distributed data stored in data lakes for historical data analysis that helps in threat hunting and compliance.
  • Unified and consistent user experience: Run detections and ad-hoc searches on data lakes and integrate findings with existing investigations.
  • Transform security data: Refine, filter, and compress information from multiple teams to create valuable findings.

Configure Federated Analytics with Splunk Enterprise Security version 7.3.2

You can use Federated Analytics with Splunk Enterprise Security version 7.3.2, 8.0.0, and higher. However, you might want to upgrade to Splunk Enterprise Security version 8.0 to use Federated Analytics because the configuration process is easier.

Prerequisites

Ensure the following prerequisites are met:

  • Configure Federated Analytics on Splunk Cloud Platform.
    Federated Analytics is available on Splunk Cloud Platform 9.3.2408 and higher. See About Federated Analytics in the Splunk Cloud Platform Federated Search manual.
  • Install the Splunk Enterprise Security app.
  • Install the Enterprise Security Content Update (ESCU) app version 4.32.0 or higher.

You can configure federated analytics in Splunk Enterprise Security 7.3.2 by completing the following subtasks:

Update new content and turn on correlation searches

Follow these steps to update new content and turn on correlation searches using the Enterprise Security Content Update (ESCU) app when you are using Splunk Enterprise Security version 7.3.2:

  1. Update any new correlation searches using the ESCU app by following the instructions in the dialog box that pops up automatically in the Splunk Enterprise Security home page if new content is available.
  2. Accept the terms and conditions to update the ESCU app from Splunkbase and select Accept and continue.
  3. Enter your Splunk.com username and password to download the app.

Compile the data lake indexes to search

Update the Amazon Security Lake (ASL) search macro

Create or update the ASL macro to include all the ASL data lake indexes that you want to search for threats.

Follow these steps to update the ASL search macro:

  1. In the Splunk Platform app, go to Settings, and under Knowledge, select Advanced Search.
  2. Under Type, select Search macros.
  3. Search for the amazon_security_lake macro. If the amazon_security_lake macro exists, edit the macro. Otherwise, select New search macro.

    Note: If you create a new macro, make sure that the sharing permissions are set to global.
  4. In the Add new search macro dialog box, enter a name for the macro.
  5. Go to the Definition field and enter the compiled string of data lake indexes, for example: index=dl_application_activity_index OR index=dl_discovery_index OR …
  6. Select Save.
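The same macro can also be defined in configuration files rather than through the Advanced Search page. The following is an added example, not taken from Splunk documentation; the index names beyond the two shown in the step above are placeholders, and the app directory name is an assumption.

```ini
# Added example: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# The macro name must match the one that ESCU correlation searches reference.
# The definition is wrapped in parentheses so that an expanded search such as
#   `amazon_security_lake` sourcetype=X
# keeps the meaning (index=A OR index=B) AND sourcetype=X. Without the
# parentheses, SPL's implicit AND binds tighter than OR, and the expanded
# search would become index=A OR (index=B AND sourcetype=X), which silently
# widens the first index and narrows the detection to the last one.
[amazon_security_lake]
definition = (index=dl_application_activity_index OR index=dl_discovery_index OR index=dl_placeholder_index)

# Added example: $SPLUNK_HOME/etc/apps/<your_app>/metadata/local.meta
# Equivalent of setting the macro's sharing to Global in the UI, so that
# correlation searches in the Enterprise Security app can expand it.
[macros/amazon_security_lake]
export = system
access = read : [ * ], write : [ admin ]
```

After editing these files, reload the configuration (for example through the debug/refresh endpoint or a restart) and confirm the expansion by running a search that uses the macro, such as `amazon_security_lake` | stats count by index, and checking that every data lake index you intended to cover appears in the results.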

Turn on correlation searches for ASL

Splunk Enterprise Security can run the existing correlation searches that are relevant to ASL data as scheduled searches that return notable events.

Follow these steps to turn on the correlation searches that are relevant to ASL data:

  1. In Splunk Enterprise Security, go to Configure and select Content.
  2. Select Content Management.
  3. Filter the correlation searches by "ASL".
  4. Turn on the correlation searches as required.