Federated Search for Security

Splunk introduced Federated Search in July 2021 to much fanfare. We won’t go into too much detail about how it works because there is already a great writeup in a previous blog along with Splunk Federated Search documentation. The idea behind Federated Search is to allow users to leverage the great Splunk search, alerting and dashboarding capabilities for data across multiple, disparate Splunk deployments — regardless of whether they are self-managed Splunk Enterprise deployments, or fully-managed Splunk Cloud Platform deployments.

This solves issues with data residency and governance. With Federated Search across Splunk deployments, you can now leave the data in place where it resides without moving it out of its location.

In this blog, I will outline some of the great new security use cases this technology enables.

Federated Global SOC / Multi-Tenancy ES

In the current version of Federated Search (which is shipped with Splunk Enterprise 9.0 and Splunk Cloud Platform) we don’t fully support our premium products Splunk Enterprise Security and Splunk IT Service Intelligence. There’s lots of work behind the scenes to enable this over time. However, you can still search remote datasets that have the application contexts of those products. This means that within the scope of the current capabilities of Federated Search, you can create a de facto multi-tenancy global SOC reporting environment that rolls up notables and security KPIs across multiple Splunk ES environments. Our customers and our managed security service partners (MSSPs) have requested this capability for many years.

Could we not do this before, you might ask? Earlier in 2019, we released a Splunk Enterprise app called “Mothership” that provided the capability to aggregate Enterprise Security notable events into one dashboard and provided an aggregated view of key security indicators in Enterprise Security. This capability is achieved by using the REST API, custom search commands and scheduled searches. With Federated Search you can now achieve something similar and get more flexibility by using only standard supported components of Splunk.

^{A Security Overview dashboard with an “Environment” dropdown for selecting which Enterprise Security stack you want to view. This dashboard contains notable events aggregated from two ES stacks in New York and Switzerland.}

^{The Federated Search provider configuration page}

^{The Federated Search index configuration page}

In addition to Federated Search, we also launched another MSSP-friendly capability, the Splunk Admin Config Service (ACS). As a result, an MSSP can now configure Splunk Cloud Platform stacks for their clients and even install apps for a more efficient managed service offering on Splunk Cloud Platform.

Remote Shared Indexes

With Federated Search, it is also possible to make a Splunk index you own available to other organizations or even to the public. This could be part of a commercial service or an open or closed threat intelligence sharing community. Using Splunk in this way opens up a new set of use cases that were previously unavailable. For example, plenty of apps on Splunkbase today offer access to public datasets, either for free or with some charge. Access is usually provided via a custom search command that interacts with an API. With Federated Search, you can access external datasets with standard Splunk search commands after the federated provider has been configured in the Splunk UI.

When is Federated Search the Answer?

While federated search solves many use cases and opens new doors, there are some limitations to be aware of. However, with time, we will improve the capability and make it as useful as possible.

Federated Search Limitations:

• Knowledge Objects, depending on the search configuration, might have to be replicated across local and remote search heads.
• When using data models, the Knowledge Objects being used are not from the search head you would expect.
• If a federated provider fails to perform a search, the local search head will silently exclude those results.

Regardless of the current limitations, we are very excited about Federated Search and see this as a strategic new capability of Splunk. Most of all, it will help our customers improve their security posture even more beyond the current reach of Splunk.

- Johan

Authors and Contributors: As always, security at Splunk is a family business. Credit to authors and collaborators: Johan Bjerke, Audra Streetman, Anna Mensing, and Brittany Coppola. 

^{Image Credits: Hero Image (Photo by Monstera from Pexels), Featured Image (“Federated Search” by DALL·E)}