Use Federated Analytics with Splunk Enterprise Security for threat detection in Amazon Security Lake (ASL) datasets
Use the search capabilities of Federated Analytics with the risk-based alerting capabilities of Splunk Enterprise Security to run correlation searches or detections and identify threats within the data located in Amazon Security Lake (ASL) datasets.
Using federated analytics with Splunk Enterprise Security provides the following benefits:
- Extended visibility into your security operations center (SOC): Access remote and distributed data stored in data lakes for historical data analysis that helps in threat hunting and compliance.
- Unified and consistent user experience: Run detections and ad-hoc searches on data lakes and integrate findings with existing investigations.
- Transform security data: Refine, filter, and compress information from multiple teams to create valuable findings.
Configure Federated Analytics with Splunk Enterprise Security version 7.3.2
You can use Federated Analytics with Splunk Enterprise Security versions 7.3.2, 8.0.0, and higher. However, consider upgrading to Splunk Enterprise Security version 8.0 to use Federated Analytics, because the configuration process is simpler in that version.
Prerequisites
Ensure the following prerequisites are met:
- Configure Federated Analytics on Splunk Cloud Platform.
Federated Analytics is available on Splunk Cloud Platform 9.3.2408 and higher. See About Federated Analytics in the Splunk Cloud Platform Federated Search manual.
- Install the Splunk Enterprise Security app.
- Install the Enterprise Security Content Update (ESCU) app version 4.32.0 or higher.
You can configure federated analytics in Splunk Enterprise Security 7.3.2 by completing the following subtasks:
- Update new content and detections
- Compile the data lake indexes to search
- Update Amazon Security Lake (ASL) Search Macro
- Turn on correlation searches for ASL
Update new content and turn on correlation searches
Follow these steps to update new content and turn on correlation searches using the Enterprise Security Content Update (ESCU) app when you are using Splunk Enterprise Security version 7.3.2:
- Update any new correlation searches using the ESCU app by following the instructions in the dialog box that pops up automatically in the Splunk Enterprise Security home page if new content is available.
- Accept the terms and conditions to update the ESCU app from Splunkbase and select Accept and continue.
- Enter your Splunk.com username and password to download the app.
Compile the data lake indexes to search
Compile the data lake indexes that you want to search for threats using Splunk Enterprise Security.
Follow these steps to compile the data lake indexes that you want to search for threats:
- In the Splunk Platform app, go to Settings and under Distributed Environment, select Federation.
- Select Data lake indexes.
- Identify all the data lake indexes that you want to include in the amazon_security_lake macro. All the data lake indexes are listed under the column heading Data lake index name.
- Format the compiled list of data lake indexes into a string. For example:
index=dl_application_activity_index OR index=dl_discovery_index OR …
Update the Amazon Security Lake (ASL) search macro
Create or update the ASL macro to include all the ASL data lake indexes that you want to search for threats.
Follow these steps to update the ASL search macro:
- In the Splunk Platform app, go to Settings, and under Knowledge, select Advanced Search.
- Under Type, select Search macros.
- Search for the amazon_security_lake macro. If the amazon_security_lake macro exists, edit the macro. Otherwise, select New search macro. If you create a new macro, make sure that the sharing permissions are set to global.
- In the Add new search macro dialog box, enter a name for the macro.
- Go to the Definition field and insert the string of compiled data lake indexes. For example:
index=dl_application_activity_index OR index=dl_discovery_index OR …
- Select Save.
Turn on correlation searches for ASL
Splunk Enterprise Security can run existing security correlation searches that are relevant to ASL data as scheduled searches to return notable events.
Follow these steps to turn on correlation searches that are relevant to run on ASL data:
- In Splunk Enterprise Security, go to Configure and select Content.
- Select Content Management.
- Filter the correlation searches by "ASL".
- Turn on the correlation searches as required.
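As an added example that is not part of the Splunk documentation, the macro from the previous section and a correlation search that consumes it, written as the underlying .conf stanzas rather than through the UI. The index names are the page's sample values; the sourcetype, OCSF field names, thresholds and schedule in the savedsearches.conf stanza are constructed assumptions for illustration.

```ini
# macros.conf: the amazon_security_lake macro that ASL correlation searches
# expand to scope themselves to the data lake indexes. Index names are the
# page's sample values; list every data lake index you want covered.
[amazon_security_lake]
definition = index=dl_application_activity_index OR index=dl_discovery_index
iseval = 0

# default.meta: the page requires global sharing, otherwise a correlation
# search running in the Enterprise Security app context cannot resolve the
# macro and silently searches nothing.
[macros/amazon_security_lake]
export = system
access = read : [ * ], write : [ admin ]

# savedsearches.conf: a hypothetical ASL-scoped correlation search (constructed
# example). sourcetype=aws:asl, the OCSF Authentication fields and the
# threshold of 20 failures are assumptions, not values from the page.
[ASL - Example Repeated Authentication Failures - Rule]
search = `amazon_security_lake` sourcetype=aws:asl class_name="Authentication" status="Failure" | stats count AS failures values(src_endpoint.ip) AS src_ips BY actor.user.name | where failures > 20
# Lagged window (assumption): data lake events can arrive later than live
# index data, so the search looks back 70m and stops 10m before now.
cron_schedule = */15 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ASL - Example Repeated Authentication Failures
action.notable = 1
action.notable.param.rule_title = Repeated ASL authentication failures for $actor.user.name$
action.notable.param.severity = medium
```

Check the macro first with a plain ad-hoc search such as `` `amazon_security_lake` | stats count BY index `` so that every intended data lake index returns events before relying on the correlation search.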
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2