Splunk SIEM
Understanding Splunk Cloud: Capabilities and Related Solutions
What is Splunk Cloud Platform?
Splunk Cloud Platform provides Splunk Enterprise, a popular big data management solution, as a managed service. It is currently provided in AWS and Google Cloud. You can use it to collect machine data from across the enterprise, search it, derive business insights from it, and leverage it for monitoring and reporting.
The platform provides self-service capabilities that allow you to:
- Seamlessly ingest data
- Set data retention options
- Customize user access, roles, and allowed IPs
- Configure dashboards and searches
- Monitor data consumption
This is part of an extensive series of guides about open source.
Splunk Cloud Platform Features
Following are the main features provided by the Splunk Cloud Platform. Keep in mind that because Splunk Cloud Platform is based on Splunk Enterprise, it provides most of the functional capabilities of on-premises Splunk Enterprise. Learn more in Splunk Cloud Platform vs. Splunk Enterprise below.
Monitoring and Alerting
Splunk Cloud provides functionality for continuous monitoring and alerts. It lets you monitor events, KPIs, and conditions. Here are key features:
Scheduled searches—enables you to create real-time visualizations and dashboards.
Out-of-the-box dashboards—provides monitoring dashboards for common security, application, and IT environments.
Alerts—pushes alerts to notify stakeholders of critical events and impending conditions in real-time.
Custom alert actions—lets you set up automation to kick off subsequent action in response to a triggered alert. You can set custom alerts to varying levels of granularity according to various conditions like data thresholds, behavioral pattern recognition, and trend-based conditions.
Metrics
Splunk Cloud lets you use metrics data to enhance search performance and optimize data storage costs. Here are notable features:
Logs to Metrics—enables you to convert logs into metrics consisting of numerical data points captured over time. Metrics data is more efficiently compressed, processed, stored, and retrieved than logs.
Analytics Workspace—enables technical as well as non-technical users to visually analyze metrics and event data. It helps analyze metrics and non-time-series data with visualizations like bar charts, reference lines, scatter plots, and column charts.
Machine Learning Toolkit (MLTK)
Splunk Cloud provides pre-built machine learning (ML) analytics for identifying use cases to tackle key issues and opportunities. You can also create custom machine learning models. Here are key features of the Splunk Machine Learning Toolkit (MLTK):
Extend Splunk Cloud capabilities—MLTK offers outlier and anomaly detection, clustering, and predictive analytics.
Use open source algorithms—MLTK supports open source algorithms to help you operationalize data with ML in production environments.
Leverage guided assistance—the toolkit provides smart assistants to guide you through this process. It writes SPL in the background and lets you review it later to gain insight into further customization.
Security and Compliance Standards
Splunk Cloud complies with the following regulations and standards:
Industry compliance regulations—including HIPAA, SOC 2 Type 2, PCI, and ISO 27001.
FedRAMP Authorized—Splunk Cloud is FedRAMP Authorized by the General Services Administration FedRAMP Program Management Office at the Moderate Impact Level.
ITAR—Splunk Cloud meets the US Persons requirements under International Traffic in Arms Regulations (ITAR).
DISA—the US Defense Information Systems Agency (DISA) provisionally authorized Splunk at Department of Defense Impact Level 5 (IL5), allowing US Government agencies to use Splunk Cloud for highly sensitive controlled unclassified information (CUI).
Splunk Cloud Pricing
Splunk Cloud offers two pricing models: workload pricing and ingest-based pricing. Workload pricing is the default model—ingest-based pricing is only offered by Splunk for selected accounts.
Both pricing models include customer support and all software updates.
Workload Pricing
This option lets you pay according to the compute capacity you use on Splunk Cloud Platform. It lets you optimize use of compute capacity to achieve faster response times or a larger amount of indexed data.
Compute resources are measured as Splunk Virtual Compute (SVC)—these are standard units of compute, memory, and I/O resources.
Ingest-Based Pricing
This option lets you pay according to the amount of data you ingest into Splunk Cloud Platform every day. You must then select an instance size that can handle the maximum amount of data you expect to process in a day. There is a one-time charge for indexing the data, and afterwards you can perform unlimited searches at no additional cost.
Ingest-based pricing is measured as Index Volume/Day. The price of the plan is the Index Volume/Day multiplied by the cost per GB.
What is Splunk Security Cloud?
Splunk Security Cloud is a Security as a Service (SECaaS) offering, provided as an optional add-on to Splunk Cloud Platform. It includes several capabilities, including:
Advanced security analytics—uses machine learning to generate analytics for threat detection. It also provides insights into multi-cloud environments.
Automated security operations—facilitates rapid detection, investigation, and response, generating alerts in as little as thirty seconds.
Threat intelligence—automatically collects, prioritizes, and integrates various sources of intelligence to drive faster detections.
Open ecosystem—correlates data across all security tools and vendors to increase visibility.
Splunk Security Cloud is available in the following two editions:
Security Cloud Plus—provides security analytics and SIEM capabilities, priced according to the number of protected devices. It provides deep visibility into various environments, including pre-built detections for clouds.
Security Cloud Standard—facilitates real-time data ingestion of various sources and offers prescriptive guidance on achieving specific security outcomes. It lets you quickly and easily integrate data sources and deploy pre-built searches.
Splunk Cloud Platform vs Splunk Enterprise
Splunk Cloud Platform is based on Splunk Enterprise, but has several important differences compared to self-managed Splunk Enterprise. It is important to understand these differences to plan your deployment, especially if you are moving from Splunk Enterprise to Splunk Cloud Platform. The following table summarizes the differences.
Apps and Functionality
| | Splunk Enterprise | Splunk Cloud Platform |
|---|---|---|
| Splunk Apps | Runs all Splunk apps. You self-install all apps. | Only supports vetted apps approved for Splunk Cloud Platform. You can install some apps via an app browser, or in some cases Splunk Support will install the app for you. |
| Private Apps | Runs all private apps without validation. | You can self-install private apps using the app browser, but apps must be validated by Splunk Cloud Platform. You must remediate any issues identified before using the app, or take responsibility for impaired functionality. |
| Dynamic Data Active Archive (DDAA) | Does not support DDAA. | Offered as an optional subscription at additional cost. |
| Export to Amazon S3 or Google Cloud Storage | Not supported. | Supported for users of DDAA. |
| Real-time search | Supports real-time search. | Only enables real-time search if you submit a support ticket. Note that real-time search can degrade the health and performance of other searches. |
| Search performance | Depends on the search type used—Dense, Sparse, Super-Sparse, or Rare. | Uses a multi-tier storage architecture, with performance optimization based on search patterns. Recently processed data usually has better performance than data that was not recently processed. |
Administration and Workload Management
| | Splunk Enterprise | Splunk Cloud Platform |
|---|---|---|
| Monitoring console | Provides the legacy Monitoring Console. | Provides the new Cloud Monitoring Console (CMC). |
| License pooling | Supports license pooling. | Does not support license pooling. For ingest-based pricing, lets you exceed your daily index volume up to five times per month. |
| Workload management | You allocate CPU and memory resources into workload pools, and define workload rules to place searches in pools. | Provides pre-configured workload pools. |
Administration, Authentication, and Access
| | Splunk Enterprise | Splunk Cloud Platform |
|---|---|---|
| Command Line Interface (CLI) | Provides CLI access. | Does not provide CLI access. Tasks that you previously performed using the CLI should be done via self-service Splunk interfaces, or by issuing a support ticket. |
| REST API | Provides REST APIs and enables them by default. | Supports only some of the REST APIs in Splunk Enterprise. In addition, REST APIs are only enabled if you issue a request to support. |
| Multi-factor authentication (MFA) | Supports MFA. | Does not support MFA directly, but you can configure a SAML v2 identity provider that supports MFA. |
| System user roles | Administrators can modify system user roles. | Comes with predefined system roles; you should not delete or modify these roles. |
Inputs, Outputs and Alerts
| | Splunk Enterprise | Splunk Cloud Platform |
|---|---|---|
| Direct data input via TCP, UDP, files, and syslog | Accepts these as direct inputs. | Does not accept these as direct inputs—you must use a Splunk forwarder as an agent. |
| Encrypted data output via TCP, UDP, files, and syslog | Supports unencrypted outputs at the search head level, and enables search commands like cefout for indexers. | Supports only encrypted outputs at the search head level, and no outputs at the indexer level. |
| Native alerts | Supports alerts that run operating-system scripts or system services. | In general, does not support system-level access for native alerts. Alerts can be sent via email or HTTPS POST requests, by setting up Splunk webhooks. |
Best Practices for Splunk Cloud Platform Security
Splunk Cloud Platform is often used to store sensitive or mission critical data. Here are a few ways you can ensure that data is secure and improve the security posture of your Splunk systems.
Block Risky Commands in Splunk Processing Language (SPL)
SPL is a query language used to perform searches in Splunk. Splunk provides safeguards to warn you when you use SPL commands that might be either a security or a performance risk. Risky actions include:
- Copying or transferring data, which can be used to exfiltrate data (transfer it outside the organization).
- Deleting or overwriting data—even if not malicious, this can have negative consequences.
If a search that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway.
In the Search app, the warning dialog box appears when you click a link or type a URL that loads an unsafe search (a search that will execute risky SPL commands). In dashboards, the warning dialog box appears automatically if an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.
Attack scenarios in the Search app
Consider an attacker who creates a search that includes commands that exfiltrate or destroy data. The attacker then sends an unsuspecting user a link to the search, adding a valid query string (q) and an invalid search identifier (sid) to the URL. If used, this link runs a search, but if the user notices the unsafe SPL warning, the threat is mitigated.
Attack scenarios in a dashboard
Consider an attacker who creates or edits a dashboard to include searches with commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load it. The dashboard then runs the searches with the risky commands. Because of the SPL safeguard mechanism, the searches planted by the attacker will not run until the user explicitly allows them.
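As an added example (not from this page or from Splunk), here is a small Python checker a defender can run over exported Simple XML dashboards and saved searches before users load them, flagging the same class of risky commands the safeguard warns about. The command list is an assumed subset of what Splunk marks as risky in commands.conf, and the sample dashboard is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed subset of the commands Splunk marks is_risky in commands.conf;
# check your deployment's commands.conf for the authoritative list.
RISKY_COMMANDS = {
    "delete", "outputlookup", "outputcsv", "sendemail", "collect",
    "mcollect", "meventcollect", "dump", "tscollect", "runshellscript", "script",
}

def split_stages(spl):
    """Split SPL on '|' and subsearch '[' that sit outside double quotes."""
    stages, buf, in_quote = [], [], False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        if ch in "|[" and not in_quote:
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf))
    return [s.strip() for s in stages if s.strip()]

def find_risky_commands(spl):
    """Return the risky command names used in one SPL string, in pipeline order."""
    found = []
    for stage in split_stages(spl):
        cmd = stage.split(None, 1)[0].lower().rstrip("]")  # leading command word
        if cmd in RISKY_COMMANDS:
            found.append(cmd)
    return found

def scan_dashboard(xml_text):
    """Map each panel title to the risky commands found in its <query> elements."""
    root = ET.fromstring(xml_text)
    report = {}
    for panel in root.iter("panel"):
        title = panel.findtext("title", default="(untitled)")
        for query in panel.iter("query"):
            risky = find_risky_commands(query.text or "")
            if risky:
                report.setdefault(title, []).extend(risky)
    return report

# Constructed sample dashboard for this example, not taken from any real deployment.
SAMPLE_DASHBOARD = """<dashboard><row>
<panel><title>Errors</title><table><search><query>index=app level="ERROR|FATAL" | stats count by host</query></search></table></panel>
<panel><title>Exfil</title><table><search><query>index=app [search index=app | outputlookup exfil.csv] | delete</query></search></table></panel>
</row></dashboard>"""

print(scan_dashboard(SAMPLE_DASHBOARD))  # {'Exfil': ['outputlookup', 'delete']}
```

The quoted pipe in the first panel is deliberately left alone, so the checker only reports commands that would actually run as pipeline stages.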
Troubleshoot Splunk Forwarder TCP Tokens
You can control which forwarders in your Splunk Enterprise deployment have access to the indexers, by setting up forwarder TCP tokens. This can prevent attackers from setting up a malicious forwarder that sends unwanted data to the indexer.
Certain events may cause the forwarder to continually retry and fail to connect to the indexer, including:
- The forwarder TCP token is corrupt
- The indexer rejected the token
Harden Configuration of Splunk Instances
Splunk is responsible for securing the infrastructure of your Splunk Cloud Platform deployment, but your organization is responsible for correctly configuring security features. Pay special attention to the following configurations:
- Set up users and define access roles—roles let users perform actions on the Splunk platform. You can use roles to control access to platform resources. It is critical to define granular roles and ensure that users have only the minimal privileges they need to perform their tasks. Regularly review roles and revoke access when no longer needed.
- Single sign-on (SSO) with multi-factor authentication (MFA)—configure a primary and secondary authentication method for Splunk Enterprise users. Splunk MFA is provided by Duo Security. Note that MFA is supported by Splunk Web and not by the Splunk Cloud Platform. You can configure a SAML identity provider supporting MFA.
- Review audit events to see what changed in your configuration—Splunk generates audits of all changes to the environment. Administrators and security teams should review these audits to see what changed and identify the user who made the change.
- Harden network ports used by App Key Value Store (KV Store)—Splunk Cloud and Splunk Enterprise both use the KV Store to maintain configurations and metadata for Splunk apps. By default, it uses TCP port 8191. To secure a Splunk Enterprise environment, use a firewall to limit access to this port only to Splunk Enterprise machines that require access.