Correlating data for threat insights using Federated Search for Amazon S3
Your threat intelligence center receives a new list of malicious IP addresses and file hashes linked to a global attack campaign. At the same time, your internal Splunk logs begin to show suspicious events such as unusual login times, unexpected outbound connections, and minor anomalies that do not make sense on their own.
Suspecting an advanced persistent threat in your environment, you know that waiting for more evidence is not an option. Normally, matching these new threat indicators with years of historical data stored in S3 would require a long process of data ingestion and normalization, slowing your response at a critical time.
To see this use case in action, open the click-through Demo: Federated Search for Amazon S3 use cases and select the Data Enrichment Through Correlation use case.
Data required
How to use Splunk software for this use case
With Splunk Federated Search for Amazon S3, security analysts can directly search and combine live Splunk Cloud Platform logs with historical threat intelligence in S3. This instantly adds context to each alert. Searches you can run include:
- Correlate firewall destinations with known bad IPs from S3
This search joins CloudTrail logs (from Amazon S3) with an internal lookup file (for example, cisco-asa.csv) that contains known malicious IPs to correlate S3 events with identified threats.
| sdselect eventtime eventname eventsource errorcode sourceipaddress awsregion useragent recipientaccountid requestid eventid FROM federated:flaws_cloudtrail_parquet_logs | where isnotnull(sourceipaddress) AND sourceipaddress!="" | join type=inner max=0 sourceipaddress [ | inputlookup cisco-asa.csv | where isnotnull(dest_ip) AND dest_ip!="" | rename dest_ip AS sourceipaddress | where isnotnull(threat_name) AND threat_name!="" | fields sourceipaddress threat_name severity src_ip action app user device rule_id rule_name ] | fields eventtime sourceipaddress eventname eventsource errorcode awsregion useragent threat_name severity src_ip action app user device rule_id rule_name | sort - eventtime
The search returns results that look like this:

- Identify hosts communicating with high-risk IPs (prioritize remediation)
Building on the previous correlation, this search further categorizes and prioritizes correlated events based on threat severity, helping analysts focus on the most critical remediation tasks.
| sdselect eventtime eventname eventsource errorcode sourceipaddress awsregion useragent recipientaccountid requestid eventid FROM federated:flaws_cloudtrail_parquet_logs | where isnotnull(sourceipaddress) AND sourceipaddress!="" | join type=inner max=0 sourceipaddress [ | inputlookup cisco-asa.csv | where isnotnull(dest_ip) AND dest_ip!="" | rename dest_ip AS sourceipaddress | where isnotnull(threat_name) AND threat_name!="" | fields sourceipaddress threat_name severity src_ip action app user device rule_id rule_name ] | eval severity_norm=lower(severity) | eval severity_order=case( severity_norm="critical",1, severity_norm="high",2, severity_norm="medium",3, severity_norm="low",4, true(),5) | dedup sourceipaddress threat_name severity action | sort severity_order - eventtime | fields eventtime sourceipaddress eventname eventsource errorcode awsregion useragent threat_name severity src_ip action app user device rule_id rule_name
The search returns results that look like this:

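As an added example that is not part of this article or of Splunk's own code, the join and severity-ranking logic of the two searches above is reproduced in Python over constructed CloudTrail-style records and a constructed stand-in for the cisco-asa.csv lookup, so you can check offline how a max=0 join multiplies rows, how severity is normalized and ranked, and what the dedup collapses:

```python
import csv
import io

# Constructed CloudTrail-style records standing in for the S3 dataset the page queries with sdselect.
CLOUDTRAIL = [
    {"eventtime": "2024-05-01T10:00:00Z", "eventname": "ConsoleLogin", "sourceipaddress": "203.0.113.10"},
    {"eventtime": "2024-05-01T10:05:00Z", "eventname": "ListBuckets", "sourceipaddress": "198.51.100.7"},
    {"eventtime": "2024-05-01T10:07:00Z", "eventname": "GetObject", "sourceipaddress": "203.0.113.10"},
    {"eventtime": "2024-05-01T10:09:00Z", "eventname": "DescribeInstances", "sourceipaddress": ""},
    {"eventtime": "2024-05-01T10:12:00Z", "eventname": "PutObject", "sourceipaddress": "192.0.2.55"},
]

# Constructed stand-in for cisco-asa.csv (dest_ip = flagged IP); the repeated last row shows why the page's search needs dedup.
CISCO_ASA_CSV = """dest_ip,threat_name,severity,action
203.0.113.10,C2-Beacon,High,blocked
198.51.100.7,Scanner,low,allowed
192.0.2.99,Malware-Download,Critical,blocked
203.0.113.10,C2-Beacon,High,blocked
"""

# Same ranking as the page's eval severity_order=case(...); anything else maps to 5.
SEVERITY_ORDER = {"critical": 1, "high": 2, "medium": 3, "low": 4}


def load_lookup(csv_text):
    """Subsearch: keep rows with a non-empty dest_ip and threat_name, grouped by IP."""
    by_ip = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dest_ip"] and row["threat_name"]:
            by_ip.setdefault(row["dest_ip"], []).append(row)
    return by_ip


def correlate(events, lookup):
    """join type=inner max=0: every event pairs with every lookup row for its IP; empty IPs are dropped."""
    joined = []
    for ev in events:
        for hit in lookup.get(ev.get("sourceipaddress") or "", []):
            row = dict(ev, **hit)
            row["severity_order"] = SEVERITY_ORDER.get(hit["severity"].lower(), 5)
            joined.append(row)
    return joined


def prioritize(joined):
    """dedup on (ip, threat, severity, action) keeping the newest event, then order by severity, newest first."""
    newest_first = sorted(joined, key=lambda r: r["eventtime"], reverse=True)
    unique = {}
    for r in newest_first:
        unique.setdefault((r["sourceipaddress"], r["threat_name"], r["severity"], r["action"]), r)
    return sorted(unique.values(), key=lambda r: r["severity_order"])  # stable sort keeps newest-first ties
```

With this input the join yields five rows (two events for the C2 IP, each matched twice), and prioritization reduces them to one C2-Beacon row ranked above the low-severity scanner hit.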
Next steps
The searches above show several internal hosts are communicating with flagged malicious IPs, and endpoint file hashes match the threat feed. What seemed like isolated anomalies now form a clear picture of compromise.
With this enhanced visibility, you can quickly identify affected systems, understand how the attack happened, and escalate alerts to the response team. Remediation efforts are prioritized, helping your organization stay ahead of the threat.
To get started, sign up for the Federated Search for Amazon S3 free trial.
In addition, these resources might help you understand and implement this guidance:
- Splunk Help: About Splunk Federated Search for Amazon S3
- Splunk Lantern Article: Leveraging Federated Search for Amazon S3 for key security use cases
- Splunk Lantern Article: Using Federated Search for Amazon S3 for monitoring and detection
- Splunk Lantern Article: Partitioning data in S3 for the best FS-S3 experience
- Splunk Lantern Article: Using Federated Search for Amazon S3 with Edge Processor
- Splunk Lantern Article: Using Federated Search for Amazon S3 with ingest actions