Splunk® Enterprise Security

Use Splunk Enterprise Security

Use Federated Analytics with Splunk Enterprise Security for threat detection in Amazon Security Lake (ASL) datasets

Use the search capabilities of Federated Analytics with the risk-based alerting capabilities of Splunk Enterprise Security to run correlation searches or detections and identify threats within the data located in Amazon Security Lake (ASL) datasets.

Using Federated Analytics with Splunk Enterprise Security provides the following benefits:

  • Extended visibility into your security operations center (SOC): Access remote and distributed data stored in data lakes for historical data analysis that helps in threat hunting and compliance.
  • Unified and consistent user experience: Run detections and ad-hoc searches on data lakes and integrate findings with existing investigations.
  • Transform security data: Refine, filter, and compress information from multiple teams to create valuable findings.

For more information, see About Federated Analytics in the Splunk Cloud Platform Federated Search manual.

Configure Federated Analytics with Splunk Enterprise Security 8.0 and higher

You can use Federated Analytics with Splunk Enterprise Security version 8.0.0 and higher.

Prerequisites

Ensure the following prerequisites are met:

  • Configure Federated Analytics on Splunk Platform and ensure that data lake indexes are configured.
  • Install the Splunk Enterprise Security app version 8.0.
  • Install the Enterprise Security Content update (ESCU) app version 4.32.0 or higher

Follow these steps to configure Federated Analytics in Splunk Enterprise Security version 8.0 and higher:

  1. In Splunk Enterprise Security, go to the Analyst queue on the Mission Control page, which displays the Update ASL search macro dialog box.
  2. Follow the instructions in the Update ASL search macro dialog box to automatically update the federated provider for ASL. Splunk Enterprise Security version 8.0 and higher automatically detects if data lake indexes are configured on the Splunk Platform and updates relevant AWS security detections that are mapped to the Open Cybersecurity Framework (OCSF) schema using the ESCU app.
  3. Accept the terms and conditions and select Accept and continue to update the ESCU app automatically.
  4. Select Next. The ESCU app automatically updates the detections.
  5. Select Confirm and continue to update the macro and turn on the detections.
  6. Review the detections that are turned on.

See also

For information on troubleshooting Federated Analytics in Splunk Enterprise Security, see the product documentation:

Troubleshoot common issues when using Federated Analytics with Splunk Enterprise Security

Last modified on 14 November, 2024
Use federated searches in transparent mode with Splunk Enterprise Security   Overview of Mission Control in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters