Splunk Enterprise Security

Enterprise Security in hybrid (cloud + on premise) scenario

gdigrego
Path Finder

Hello,

We are refining our Splunk hybrid (cloud + on-premise) architecture design and are looking for ideas and experience sharing in that particular area.

In summary:
- We have a clustered (Indexers and SHs) Splunk infrastructure on-premises in our data center to centralize logs from on-premises computers and perform their security monitoring with Enterprise Security
- We are now starting to use the cloud (AWS now and also Azure in the near future) for hosting some of our information systems and are defining the architecture for ingesting this log data in the cloud as well (e.g. CloudWatch to Firehose to ELB to several Splunk HFs in AWS)
- For indexing these cloud logs, one option we have is to also build a Splunk indexer cluster in AWS (and Azure later), but this won't allow our existing on-prem Enterprise Security SH cluster to access that data (from what we can read, hybrid search only supports one standalone on-prem search head and not a cluster, and premium apps like ES are explicitly not supported for hybrid search).
- Since hybrid search seems not possible, one alternative we have in mind is to forward log events from HFs in the cloud to our existing on-prem indexer cluster via our existing AWS Direct Connect lines, but we would like your feedback on feasibility, latency/performance, traffic costs, ...
- Another alternative is to build a full (Indexers + ES SHs) clustered infra in the cloud (AWS, Azure), but this won't be as "user friendly" for our Splunk users (like the SOC team) as they will have to switch between 2 or 3 different Splunk installations. Also, on the Splunk administration side, we will have to duplicate (or triplicate with Azure) many servers/configurations ...

Thanks in advance, therefore, if you can share your experience with these hybrid Splunk deployments, particularly in the context of having Enterprise Security used as the SIEM to monitor cloud and on-premises infrastructures.

0 Karma

splk
Communicator

Stumbled upon this question - I think it is answered here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/User/SearchCloudfromEnterprise

0 Karma

oolatunji
Explorer

I believe your ES SH can connect to your AWS indexers (I may be wrong). The documentation speaks of Splunk Cloud (different from AWS deployment). This is my thinking. Sending data from your cloud to your on-premise will involve significant cost depending on the volume of data being sent.

If you have solved this issue, kindly please share your solution.

Thanks
OP

0 Karma

General_Talos
Path Finder

Try configuring multiple indexer clusters in the search head cluster, i.e. connecting the on-prem indexer cluster and the AWS/Azure indexer cluster to your existing search head cluster.

Refer:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/Configuremulti-clustersearch

0 Karma
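As an added illustration of the multi-cluster search setup suggested above (not configuration from this thread or from Splunk's docs verbatim), this is a server.conf fragment for a search head that searches two self-managed indexer clusters at once. The cluster labels, addresses and the 8.1-era `master_uri` key names are assumptions; in a search head cluster the stanzas are pushed from the deployer rather than edited by hand.

```ini
# server.conf on the search head (or in a deployer app for a search head cluster)
# Constructed example: labels "onprem" and "aws" and the addresses are placeholders.

[clustering]
# This node is a search head, not a peer; it attaches to every cluster listed below.
mode = searchhead
master_uri = clustermaster:onprem, clustermaster:aws

[clustermaster:onprem]
# Management port of the on-prem cluster manager (placeholder address).
master_uri = https://cm-onprem.example.internal:8089
# Must match the pass4SymmKey of that cluster; store it in a secret store, not in version control.
pass4SymmKey = <onprem-cluster-secret>

[clustermaster:aws]
# Cluster manager running in the AWS VPC, reached over Direct Connect (placeholder address).
master_uri = https://cm-aws.example.internal:8089
# Each cluster may use its own key; the search head needs the right one per stanza.
pass4SymmKey = <aws-cluster-secret>
```

Searches from this search head then fan out to both clusters' peers, and indexer-to-search-head traffic for the AWS side crosses the private link, which is the path whose latency and egress cost the original post asks about.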