Splunk Inc. continues to build on its integration with Amazon Web Services with new offerings to support connections to just-released AWS technologies, including AWS Security Hub and Amazon CloudWatch Events.
Splunk Inc. continues to build on its integration with Amazon Web Services with new connections with just-released AWS technologies for security and management, including AWS Security Hub and Amazon CloudWatch Events.
Splunk latest offerings, which debuted at AWS re:Invent, aim to expand its capabilities to turn machine data into complete end-to-end views of AWS environments, including security. Further, the latest technologies add to Splunk’s focus on converting data into actionable results.
“As organizations continue to migrate to the cloud, data is dispersed across various teams that need to ensure that they are monitoring and analyzing it in order to detect potential threats and respond to them quickly,” said Haiyan Song, Senior Vice President and General Manager of Security Markets at Splunk in a statement.
Splunk’s partnership is also valuable to AWS, as users look to secure for sophisticated and cross-cloud projects. “We are working with Splunk to allow our customers to continue AWS Security Hub investigations in the Splunk platform and to initiate their Splunk Phantom automation playbooks,” said Dan Plastina, vice president of AWS security and services in a statement.
Splunk-AWS Security Hub: Splunk Enterprise and Splunk Phantom platform integrations with the AWS Security Hub allow security operations to be visible across operations by analyzing data quickly to resolve potential threats with reduced response times. It can also be customized to meet company needs, Song noted.
Technically, AWS Security Hub provides a single pane solution based on best practices and organizational requirements. Data is aggregated, organized, and prioritized from multiple AWS services. Results are summarized on integrated dashboards that visualize data with graphs and tables.
“Splunk’s support for AWS Security Hub allows our customers to take an analytics-driven approach to security, and to scale their security operations through automation and orchestration capabilities,” Song added.
Splunk-Amazon CloudWatch Events: In addition, Splunk rolled out integrations to work with Amazon CloudWatch Events to provide customers with data directly from AWS Security Hub. With this capability, Splunk will let users query Amazon’s newly-released Amazon CloudWatch Logs Insights.
AWS’s CloudWatch Logs Insights is a fully managed service designed to work at cloud scale, with no setup or maintenance required. It is designed to plow through massive logs in seconds, and give users fast, interactive queries and visualizations. It handles any log format and can auto-discover fields from JSON logs.
Splunk’s integration lets users combine all their Amazon CloudWatch Logs with multiple types of data from other sources across hybrid or multi-cloud environments. It will also provide customers with faster access to logs by removing the associated data transfer latencies and eliminates the operational complexities of configuring and maintaining certain data transfers.
According to the Splunk Blog, Splunk’s integration with Amazon CloudWatch Logs is especially beneficial for Splunk customers who already export CloudWatch Logs into Splunk Enterprise (enterprise software) or Splunk Cloud (cloud-based service) but are looking for a better user experience during investigation and troubleshooting. Splunk also works for AWS customers using CloudWatch Logs to collect and store operational data but are looking for a compliant third-party tool to add querying and correlation capabilities, the blog added.
On that note, for user flexibility the AWS blog notes that CloudWatch Logs Insights also includes a sophisticated ad-hoc query language, with commands to fetch desired event fields, filter based on conditions, calculate aggregate statistics (including percentiles and time series aggregations). It can also sort on any desired file and limit the number of events returned by a query.
[Users can also use regular expressions to extract data from an event field, creating one or more ephemeral fields that can be further processed by the query. They can visualize query results using line and stacked area charts, and even add queries to a CloudWatch Dashboard. There’s even a rich set of sample queries to get started.]
Splunk Phantom and AWS: In another notable advance, updates to Splunk Phantom let users monitor and identify potential threats across AWS Security products like Amazon GuardDuty, Amazon Inspector, and Amazon Macie directly in the Splunk platform, officials said.
Splunk Phantom combines security infrastructure orchestration, playbook automation and case management – which all work together to integrate team, processes and tools. Phantom supports 225+ apps and 1,200+ APIs, which enable users to connect and coordinate complex workflows across team and tools.
Phantom also offers powerful abstractions which can translate data into security-related actions in seconds, such as detonating files or even quarantining devices. It lets users work in a code-free environment or using Python’s IDE.
Further, the Splunk Phantom platform also provides integration for multiple non-AWS security assets, such as firewalls, sandbox, and directory services. To bring all these security assets together, the Splunk Phantom 64-bit Amazon Machine Image (AMI) is available and ready to be deployed in production.
Splunk and ‘serverless’: Many Splunk integrations announced at year end will also make any planned “serverless” automations more intelligent, according to Splunk officials. They will enable serverless automations to gather findings from AWS Security Hub sending them to a HTTP Event Collector in the Splunk platform.
As an example. with the Splunk Phantom App for AWS Security Hub, findings can be sent to Splunk Phantom for automated context enrichment with additional threat intelligence information or to perform automated response actions. By adding broader context to findings, security teams can make well-informed decisions and take action quickly.
Splunk Enterprise gathers data from existing sources, including sensors, logs, web servers, hypervisors, and custom applications. It allows you to search, monitor, and analyze the data to discover informative insights across monitoring, security, and multiple use cases.
Continuous monitoring of events and designated KPIs are projected visually to keep team members informed. Further, dashboards come out-of-the-box, which means they can be launched quickly – and can even be easily customizations to meet organizational requirements. As to other outputs, reports can be generated immediately or scheduled to run at designated intervals that are configured in the dashboard.
Splunk Enterprise also sports built-in AI analytics and a Machine Learning Toolkit (MLTK) that allows users to create their own custom models. The MLTK works with many open source algorithms now available (through various open source developer venues).
“Splunk Machine Learning Toolkit, and the new Splunk Community for MLTK Algorithms on GitHub enables our Professional Services Consultants to deliver broader and more valuable data science and machine learning solutions. We can now use the most appropriate algorithm to solve complex business problems in a clean, consistent and supportable manner, which means our customers get more powerful, focused solutions and a much more satisfying experience,” said Michael Cormier of Concanon, a Splunk professional services partner.
Splunk’s integration with AWS Security Hub is the latest Splunk offering aimed to provide real-time visibility across your entire AWS and IT environment.
Prior to the most recent releases, Splunk and AWS have had a long-standing partnership to develop a host of solutions optimized for end-to-end visibility across AWS cloud and hybrid environment. Among them:
- Splunk App for AWS: Collects and analyzes data from over 15 AWS data sources (including AWS CloudTrail, AWS Config, Amazon Virtual Private Cloud Flow Logs, Amazon Inspector, Amazon Kinesis Data Firehose, AWS Billing and Cost Management and more) to deliver security, operational and cost management insights via pre-built dashboards, reports and alerts
- Splunk Insights for AWS Cloud Monitoring in AWS Marketplace: Provides teams with end-to-end security, operational and cost-management insights, with a pay-as-you-go option
- Splunk Phantom AMI in AWS Marketplace: Integrate your team, processes, and existing tools together to support a broad range of SOC functions including playbook automation, infrastructure orchestration, event and case management, collaboration, and reporting
- Splunk Insights for Infrastructure PAYG (SII) in AWS Marketplace: An analytics solution that provides a seamless experience for infrastructure monitoring and troubleshooting
- AWS Quick Start for Splunk: Accelerates deployment of Splunk software on AWS
- Innovative Technology: Delivers collection, visualization and analysis for AWS Lambda, Amazon Kinesis Data Firehose, AWS IoT, Amazon Elastic Container Service (ECS) and Amazon EMR
More information on Splunk-AWS integrations is available here.
Site Search 360 Reports