Understanding Splunk Cloud: Capabilities and Related Solutions

Splunk Cloud Platform Features

Following are the main features provided by the Splunk Cloud Platform. Keep in mind that because Splunk Cloud Platform is based on Splunk Enterprise, it provides most of the functional capabilities of on-premises Splunk Enterprise. Learn more in Splunk Cloud Platform vs. Splunk Enterprise below.

Monitoring and Alerting

Splunk Cloud provides functionality for continuous monitoring and alerts. It lets you monitor events, KPIs, and conditions. Here are key features:

• Scheduled searches—enables you to create real-time visualizations and dashboards.

• Out-of-the-box dashboards—provides monitoring dashboards for common security, application, and IT environments.

• Alerts—pushes alerts to notify stakeholders of critical events and impending conditions in real-time.

• Custom alert actions—lets you set up automation to kick off subsequent action in response to a triggered alert. You can set custom alerts to varying levels of granularity according to various conditions like data thresholds, behavioral pattern recognition, and trend-based conditions.

Metrics

Splunk Cloud lets you use metrics data to enhance search performance and optimize data storage costs. Here are notable features:

• Logs to Metrics—enables you to convert logs into metrics consisting of numerical data points captured over time. Metrics data is more efficiently compressed, processed, stored, and retrieved than logs.

• Analytics Workspace—enables technical as well as non-technical to visually analyze metrics and events data. It helps analyze metrics and non-time series data with visualizations like bar charts, reference lines, scatter plots, and column charts.

Machine Learning Toolkit (MLTK)

Splunk Cloud provides pre-built machine learning (ML) analytics for identifying use cases to tackle key issues and opportunities. You can also create custom machine learning models. Here are key features of the Splunk Machine Learning Toolkit (MLTK):

• Extend Splunk Cloud capabilities—MLTK offers outlier and anomaly detection, clustering, and predictive analytics.

• User open source algorithms—MLTK supports open source algorithms to help you operationalize data with ML in production environments.

• Leverage guided assistance—the toolkit provides smart assistants to guide you through this process. It writes SPL in the background and lets you review it later to gain insight into further customization.

Security and Compliance Standards

Splunk Cloud complies with the following regulations and standards:

• Industry compliance regulations—including HIPAA, SOC 2 Type 2, PCI, and ISO 27001.

• FedRAMP Authorized—Splunk Cloud is FedRAMP Authorized by the General Services Administration FedRAMP Program Management Office at the Moderate Impact Level.

• ITAR—Splunk Cloud meets the US Persons requirements under International Traffic in Arms Regulations (ITAR).

• DISA—the US Defense Information Systems Agency (DISA) provisionally authorized Splunk at Department of Defense Impact Level 5 (IL5), allowing US Government agencies to use Splunk Cloud for high sensitivity of controlled unclassified information (CUI).

Related content: Read our guide to Splunk cloud architecture

Splunk Cloud Pricing

Splunk Cloud offers two pricing models: workload pricing and ingest-based pricing. Workload pricing is the default model—ingest-based pricing is only offered by Splunk for selected accounts.

Both pricing models include customer support and all software updates.

Workload Pricing

This option lets you pay according to the compute capacity you use on Splunk Cloud Platform. It lets you optimize use of compute capacity to achieve faster response times or a larger amount of indexed data.

Compute resources are measured as Splunk Virtual Compute (SVC)—these are standard units of compute, memory, and I/O resources.

Ingest-Based Pricing

This option lets you pay according to the amount of data you ingest into Splunk Cloud Platform every day. You must then select an instance size that can handle the maximum amount of data you expect to process in a day. There is a one-time charge for indexing the data, and afterwards you can perform unlimited searches at no additional cost.

Ingest-based pricing is measured as Index Volume/Day. The price of the plan is the Index Volume/Day multiplied by the cost per GB.

What is Splunk Security Cloud?

Splunk Security Cloud is a Security as a Service (SECaaS) offering, provided as an optional add-on to Splunk Cloud Platform. It includes several capabilities, including:

• Advanced security analytics—uses machine learning to generate analytics for threat detection. It also provides insights into multi-cloud environments.

• Automated security operations—facilitates rapid detection, investigation, and response, generating alerts in as little as thirty seconds.

• Threat intelligence—automatically collects, prioritizes, and integrates various sources of intelligence to drive faster detections.

• Open ecosystem—correlates data across all security tools and vendors to increase visibility.

Splunk Security Cloud is available in the following two editions:

• Security Cloud Plus—provides security analytics and SIEM capabilities, priced according to the number of protected devices. It provides deep visibility into various environments, including pre-built detections for clouds.

• Security Cloud Standard—facilitates real-time data ingestion of various sources and offers prescriptive guidance on achieving specific security outcomes. It lets you quickly and easily integrate data sources and deploy pre-built searches.

Related content: Read our guide to Splunk Security Cloud

Splunk Cloud Platform vs Splunk Enterprise

Splunk Cloud Platform is based on Splunk Enterprise, but has several important differences compared to self-managed Splunk Enterprise. It is important to understand these differences to plan your deployment, especially if you are moving from Splunk Enterprise to Splunk Cloud Platform. The following table summarizes the differences.

Related content: Read our guide to Splunk Enterprise

Best Practices for Splunk Cloud Platform Security

Splunk Cloud Platform is often used to store sensitive or mission critical data. Here are a few ways you can ensure that data is secure and improve the security posture of your Splunk systems.

Block Risky Command in Splunk Processing Language (SPL)

SPL is a query language used to perform searches in Splunk. Splunk provides safeguards to warn you when you use SPL commands that might be either a security or a performance risk. Risky actions include:

• Copying or transferring data, which can be used to exfiltrate data (transfer it outside the organization).

• Deleting or overwriting data—even if not malicious, this can have negative consequences.

If a search that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway.

In the Search app, the warning dialog box appears when you click a link or type a URL that loads an unsafe search (a search that will execute risky SPL commands). In dashboards, the warning dialog box appears automatically if an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.

Attack scenarios in the Search app

Consider an attacker who creates a search that includes commands that exfiltrate or destroy data. The attacker then sends an unsuspecting user a link to the search, adding a valid query string (q) and an invalid search identifier (sid) to the URL. If used, this link runs a search, but if the user notices the unsafe SPL warning, the threat is mitigated.

Attack scenarios in a dashboard

Consider an attacker who creates or edits a dashboard to include searches with commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load it. The dashboard then runs the searches with the risky commands. Because of the SPL safeguard mechanism, the searches planted by the attacker will not run until the user explicitly allows them.

Troubleshoot Splunk Forwarder TCP Tokens

You can control which forwarders in your Splunk Enterprise deployment have access to the indexers, by setting up forwarder TCP tokens. This can prevent attackers from setting up a malicious forwarder that sends unwanted data to the indexer.

Certain events may cause the forwarded to continually retry and fail to connect to the indexer, including:

• The forwarder TCP token is corrupt

• The indexer rejected the token

Harden Configuration of Splunk Instances

Splunk is responsible for securing the infrastructure of your Splunk Cloud Platform deployment, but your organization is responsible for correctly configuring security features. Pay special attention to the following configurations:

• Set up users and define access roles—roles let users perform actions on the Splunk platform. You can use roles to control access to platform resources. It is critical to define granular roles and ensure that users have only the minimal privileges they need to perform their tasks. Regularly review roles and revoke access when no longer needed.

• Single sign-on (SSO) with multi-factor authentication (MFA)—configure a primary and secondary authentication method for Splunk Enterprise users. Splunk MFA is provided by Duo Security. Note that MFA is supported by Splunk Web and not by the Splunk Cloud Platform. You can configure a SAML identity provider supporting MFA.

• Review audit events to see what changed in your configuration—Splunk generates audits of all changes to the environment. Administrators and security teams should review these audits to see what changed and identify the user who made the change.

• Harden network ports used by App Key Value Store (KV Store)—Splunk Cloud and Splunk Enterprise both use the KV Store to maintain configurations and metadata for Splunk apps. By default, it uses TCP port 8191. To secure a Splunk Enterprise environment, use a firewall to limit access to this port only to Splunk Enterprise machines that require access.