Accelerating security forensics with Federated Search for Amazon S3
Your SecOps team is alerted to suspicious activity: an executive’s account is seeing a spike in failed login attempts, and the firewall is flagging unusual outbound connections. These signals point to the possibility of lateral movement or even data exfiltration. With the security of sensitive data at stake, every minute counts.
Traditionally, responding to such incidents would require your team to ingest years’ worth of archived authentication, VPN, and firewall logs from Amazon S3 into the Splunk platform before any meaningful investigation could even begin—a process that can take hours, days, or even weeks.
To see this use case in action, open the click-through Demo: Federated Search for Amazon S3 use cases and select the Security Forensics use case.
Data required
How to use Splunk software for this use case
Using Splunk Federated Search for Amazon S3, you can quickly search historical logs directly in S3, eliminating the need for data movement or ingestion. Searches you can run include:
List failed login attempts across geolocations
This search counts all failed AWS console login attempts from S3 CloudTrail logs, grouping them by the source IP address and AWS region to quickly identify unusual login patterns.
| sdselect * FROM federated:flaws_cloudtrail_parquet_logs WHERE eventname="ConsoleLogin" AND errormessage!="" | stats count AS failures BY sourceipaddress, awsregion | sort -failures
The search returns results that look like this:

List failed AWS console login events, convert their timestamps, and add geolocation info for each source IP
This search retrieves failed AWS console login events, standardizes their timestamps, and then enriches the data with geographical information (City, Country, Region) based on the source IP address.
| sdselect eventtime sourceipaddress awsregion errormessage FROM federated:flaws_cloudtrail_parquet_logs WHERE eventname="ConsoleLogin" AND errormessage!="" | eval _time=strptime(eventtime,"%Y-%m-%dT%H:%M:%S%z") | iplocation sourceipaddress | fields eventtime sourceipaddress awsregion errormessage City Country Region
The search returns results that look like this:

List failed AWS console login attempts from unfamiliar IP addresses
This search identifies unique failed AWS console login events, extracts relevant details, and adds geolocation data. Then it counts these unique events by login type, source IP, and location to pinpoint potential unauthorized access.
| sdselect eventID useridentity eventtime eventsource sourceipaddress responseelements FROM federated:flaws_cloudtrail_parquet_logs WHERE eventname="ConsoleLogin" AND responseelements!="" AND _time >= 1 | spath input=responseelements path=ConsoleLogin | iplocation sourceipaddress | eval _time=strptime(eventtime,"%Y-%m-%dT%H:%M:%S%z") | stats dc(eventID) AS "unique events" BY ConsoleLogin eventsource sourceipaddress City Country | sort - "unique events"
The search returns results that look like this:

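The three searches above share one pipeline: select CloudTrail ConsoleLogin records, filter on the failure indicators (a non-empty errorMessage, or the ConsoleLogin value inside responseElements), normalize eventTime to epoch seconds, enrich the source IP with geolocation, and aggregate. The following Python script is an added example (not part of this article or of Splunk's own code) that runs that same logic offline over a handful of constructed CloudTrail records, so you can see exactly what each stats clause computes before running it against S3. The records, the GEO_LOOKUP table standing in for the iplocation command, and all IP addresses are constructed sample values.

```python
"""Offline re-implementation of the three failed-ConsoleLogin searches.

Everything here is constructed sample data (not real CloudTrail output) so the
aggregation logic runs without S3 or Splunk. Field names follow the CloudTrail
record format: eventID, eventName, eventSource, eventTime, sourceIPAddress,
awsRegion, errorMessage, responseElements.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events: two failed logins from 198.51.100.7 (us-east-1),
# one failed login from 203.0.113.9 (eu-west-1), one successful login, and one
# non-login API call that every search must ignore.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventTime": "2024-03-01T10:15:00Z", "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1", "errorMessage": "Failed authentication",
     "responseElements": json.dumps({"ConsoleLogin": "Failure"})},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventTime": "2024-03-01T10:16:30Z", "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1", "errorMessage": "Failed authentication",
     "responseElements": json.dumps({"ConsoleLogin": "Failure"})},
    {"eventID": "e3", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventTime": "2024-03-01T11:02:05Z", "sourceIPAddress": "203.0.113.9",
     "awsRegion": "eu-west-1", "errorMessage": "Failed authentication",
     "responseElements": json.dumps({"ConsoleLogin": "Failure"})},
    {"eventID": "e4", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventTime": "2024-03-01T11:10:00Z", "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1", "errorMessage": "",
     "responseElements": json.dumps({"ConsoleLogin": "Success"})},
    {"eventID": "e5", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2024-03-01T11:11:00Z", "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1", "errorMessage": "", "responseElements": ""},
]

# Hypothetical stand-in for the iplocation lookup (constructed values).
GEO_LOOKUP = {
    "198.51.100.7": {"City": "Springfield", "Country": "United States", "Region": "IL"},
    "203.0.113.9": {"City": "Dublin", "Country": "Ireland", "Region": "L"},
}


def to_epoch(event_time):
    """eval _time=strptime(eventtime,"%Y-%m-%dT%H:%M:%S%z").
    CloudTrail writes a trailing 'Z'; rewrite it as +0000 so %z always parses."""
    return datetime.strptime(event_time.replace("Z", "+0000"), "%Y-%m-%dT%H:%M:%S%z").timestamp()


def geolocate(ip):
    """iplocation sourceipaddress: unknown IPs get empty fields, as the command does."""
    return GEO_LOOKUP.get(ip, {"City": "", "Country": "", "Region": ""})


def failed_console_logins(events):
    """WHERE eventname="ConsoleLogin" AND errormessage!="" """
    return [e for e in events if e.get("eventName") == "ConsoleLogin" and e.get("errorMessage")]


def failures_by_source(events):
    """Search 1: stats count AS failures BY sourceipaddress, awsregion | sort -failures"""
    counts = Counter((e["sourceIPAddress"], e["awsRegion"]) for e in failed_console_logins(events))
    return sorted(counts.items(), key=lambda kv: -kv[1])


def enrich_failed_logins(events):
    """Search 2: one row per failed login with epoch _time and geolocation fields."""
    rows = []
    for e in failed_console_logins(events):
        geo = geolocate(e["sourceIPAddress"])
        rows.append({"eventtime": e["eventTime"], "_time": to_epoch(e["eventTime"]),
                     "sourceipaddress": e["sourceIPAddress"], "awsregion": e["awsRegion"],
                     "errormessage": e["errorMessage"], **geo})
    return rows


def unique_events_by_login_outcome(events):
    """Search 3: spath responseelements.ConsoleLogin, then
    stats dc(eventID) BY ConsoleLogin eventsource sourceipaddress City Country."""
    ids_by_key = defaultdict(set)
    for e in events:
        if e.get("eventName") != "ConsoleLogin" or not e.get("responseElements"):
            continue
        outcome = json.loads(e["responseElements"]).get("ConsoleLogin", "")
        geo = geolocate(e["sourceIPAddress"])
        key = (outcome, e["eventSource"], e["sourceIPAddress"], geo["City"], geo["Country"])
        ids_by_key[key].add(e["eventID"])  # dc() counts distinct eventIDs per group
    return sorted(((k, len(v)) for k, v in ids_by_key.items()), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for row in failures_by_source(SAMPLE_EVENTS):
        print("search 1:", row)
    for row in enrich_failed_logins(SAMPLE_EVENTS):
        print("search 2:", row)
    for row in unique_events_by_login_outcome(SAMPLE_EVENTS):
        print("search 3:", row)
```

Note that search 3 deliberately does not filter on errorMessage: it keys on the ConsoleLogin value inside responseElements, so successful logins from the same unfamiliar IP appear in the output alongside the failures, which is exactly the pattern to look for when checking whether a credential-guessing burst eventually succeeded.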
Next steps
By using Splunk Federated Search for Amazon S3, your team can significantly accelerate investigations, maintain full visibility across years of historical data, and protect your organization’s assets while avoiding the costs and complexity of traditional data ingestion.
To get started, sign up for the Federated Search for Amazon S3 free trial.
In addition, these resources might help you understand and implement this guidance:
- Splunk Help: About Splunk Federated Search for Amazon S3
- Splunk Lantern Article: Leveraging Federated Search for Amazon S3 for key security use cases
- Splunk Lantern Article: Using Federated Search for Amazon S3 for monitoring and detection
- Splunk Lantern Article: Partitioning data in S3 for the best FS-S3 experience
- Splunk Lantern Article: Using Federated Search for Amazon S3 with Edge Processor
- Splunk Lantern Article: Using Federated Search for Amazon S3 with ingest actions