Use Federated Analytics with Splunk Enterprise Security for threat detection in Amazon Security Lake (ASL) datasets
Combine the search capabilities of Federated Analytics with the risk-based alerting capabilities of Splunk Enterprise Security to run correlation searches (detections) and identify threats in the data stored in Amazon Security Lake (ASL) datasets.
Using Federated Analytics with Splunk Enterprise Security provides the following benefits:
- Extended visibility into your security operations center (SOC): Access remote and distributed data stored in data lakes for historical data analysis that helps in threat hunting and compliance.
- Unified and consistent user experience: Run detections and ad-hoc searches on data lakes and integrate findings with existing investigations.
- Transform security data: Refine, filter, and compress information from multiple teams to create valuable findings.
Configure Federated Analytics with Splunk Enterprise Security 8.0 and higher
You can use Federated Analytics with Splunk Enterprise Security version 8.0.0 and higher.
Prerequisites
Ensure the following prerequisites are met:
- Configure Federated Analytics on Splunk Cloud Platform and ensure that data lake indexes are configured. Federated Analytics is available on Splunk Cloud Platform 9.3.2408 and higher. See About Federated Analytics in the Splunk Cloud Platform Federated Search manual.
- Install the Splunk Enterprise Security app version 8.0.
- Install the Enterprise Security Content Update (ESCU) app version 4.32.0 or higher.
Follow these steps to configure Federated Analytics in Splunk Enterprise Security version 8.0 and higher:
- In Splunk Enterprise Security, go to the Analyst queue on the Mission Control page, which displays the Update ASL search macro dialog box.
- Follow the instructions in the Update ASL search macro dialog box to automatically update the federated provider for ASL. Splunk Enterprise Security version 8.0 and higher automatically detects whether data lake indexes are configured on the Splunk platform and, using the ESCU app, updates the relevant AWS security detections that are mapped to the Open Cybersecurity Schema Framework (OCSF) schema.
- Accept the terms and conditions and select Accept and continue to update the ESCU app automatically.
- Select Next. The ESCU app automatically updates the detections.
- Select Confirm and continue to update the macro and turn on the detections.
- Review the detections that are turned on.
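To show the shape of the OCSF-mapped AWS detections that the steps above turn on, here is an added example (not code from this page, Splunk, or the ESCU app) of a correlation search over ASL events that flags CloudTrail logging being deleted, stopped, or altered, a common defense-evasion precursor. The `amazon_security_lake` and `security_content_ctime` macro names and the OCSF field paths (`api.operation`, `actor.user.*`, `src_endpoint.ip`, `cloud.region`) are assumptions about the ESCU content and schema; check them against the macro that the Update ASL search macro dialog box updates before scheduling the search.

```spl
`amazon_security_lake` api.operation IN ("DeleteTrail", "StopLogging", "UpdateTrail")
| fillnull
| stats count min(_time) AS firstTime max(_time) AS lastTime
        BY api.operation actor.user.name actor.user.uid src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval risk_message="CloudTrail logging changed by ".'actor.user.name'." via ".'api.operation'
```

When saved as a correlation search in Splunk Enterprise Security, the `risk_message` field feeds the risk-based alerting notables that the Analyst queue surfaces.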
See also
For information on troubleshooting Federated Analytics in Splunk Enterprise Security, see the product documentation:
Troubleshoot common issues when using Federated Analytics with Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1