AWS Partner Network (APN) Blog
Build a complete SOC solution with Amazon Security Lake, Splunk, and Recorded Future Autonomous Threat Operations
By: Kunal Sharma – Sr. Solutions Architect – AWS
By: Anthony Henry – Sr. Account Manager – AWS
By: Jon Hall – Principal Architect – Recorded Future
By: Robert Rossetti – Partner Engineer – Splunk
It’s 2:00 AM and you’re a SOC analyst triaging a suspicious sign-in alert, manually searching across five consoles to determine whether the activity is a real threat or a false positive. By the time the picture becomes clear, the threat actor has already moved laterally.
This detection-to-response gap is where Amazon Security Lake, Splunk Enterprise Security, and Recorded Future Autonomous Threat Operations provide a unified architecture that centralizes your security data, automates analysis, and accelerates response.
Traditional approaches use separate point solutions: a SIEM for log aggregation, threat intelligence feeds for context, and manual playbooks for response. This fragmented approach leaves gaps and creates operational inefficiencies. In this post, you learn how to close the detection-to-response gap that leaves organizations vulnerable, using Amazon Security Lake, Splunk Enterprise Security, and Recorded Future Autonomous Threat Operations together as a comprehensive SOC and SIEM solution that addresses the security lifecycle from detection to analysis to mitigation. Recorded Future is an AWS Partner that delivers real-time threat intelligence to help organizations defend against threat actors. Splunk is an AWS Partner that helps organizations build resilience through holistic security and observability. Specifically, you will learn:
- How Amazon Security Lake centralizes and normalizes security data for consistent analysis
- How Splunk Enterprise Security correlates events in real time and automates response workflows
- How Recorded Future Autonomous Threat Operations enriches alerts with intelligence and standardizes threat hunting
- How to implement this architecture in phases across your environment
The challenge: From detection to mitigation
Security operations teams struggle with three interconnected problems:
- Disparate data resulting in incomplete visibility: Security data exists in silos across AWS services, software as a service (SaaS) applications, and on-premises systems, making comprehensive threat detection difficult.
- Alert fatigue and manual inefficiency: Even when threats are detected, analysts face alert fatigue and spend hours manually correlating events and researching threat intelligence.
- Response time challenges: The time between detection and response represents an operational gap that requires automation and integration to close effectively.
The solution: Unified detection, analysis, and mitigation
The integration of Amazon Security Lake, Splunk Enterprise Security, and Recorded Future Autonomous Threat Operations provides an architecture where each component directly targets one of the preceding challenges: centralizing data, automating analysis, and accelerating response. The following sections detail how each component works.
Detection: Amazon Security Lake
Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, on-premises sources, and cloud platforms into a purpose-built data lake. The service uses the Open Cybersecurity Schema Framework (OCSF) to normalize security data from diverse sources into a consistent format.
Security Lake ingests data from AWS services such as AWS CloudTrail, Amazon GuardDuty, Amazon Inspector, VPC Flow Logs, and AWS Security Hub, along with third-party security tools. This centralized approach supports visibility across multi-account and multi-region AWS environments, reducing the gaps that threat actors target.
Analysis: Splunk Enterprise Security
Splunk Enterprise Security provides real-time analytics, AI-driven anomaly detection, and Risk-Based Alerting (RBA) on the security data flowing from Security Lake. Splunk Enterprise Security performs correlation across multiple data sources, applies User and Entity Behavior Analytics (UEBA) to detect anomalous activity, and provides interactive dashboards and advanced search capabilities for investigating events.
Splunk Enterprise Security uses RBA to accelerate the process of detecting risk in your environment. The risk analysis framework applies insights from cybersecurity frameworks such as MITRE ATT&CK, CIS 20, and NIST controls to identify the tactics and techniques observed in risky events. Doing so reduces alert volume, resulting in higher fidelity alerts.
Splunk Enterprise Security integrates with Splunk Security Orchestration, Automation, and Response (SOAR) for automated response workflows. With this integration, your security teams can define playbooks that run automatically when specific threat patterns are detected, reducing the time between detection and response.
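To make the risk analysis framework described above concrete, here is an added Python example (not Splunk's or AWS's code) of RBA-style aggregation: each constructed OCSF-like authentication event contributes risk points, tagged with an ATT&CK technique, to its user, and a notable is raised only when the summed risk for that user inside a window crosses a threshold. The event fields, scores, thresholds, window sizes, "known" network ranges and technique mappings are all assumptions made for the example.

```python
"""Risk-Based Alerting (RBA) style aggregation over OCSF-like events.

Added example, not Splunk's or AWS's code. The records below are
constructed, simplified OCSF Authentication (class_uid 3002) events; the
risk rules, scores, thresholds, window sizes and ATT&CK technique IDs are
illustrative assumptions, not Splunk Enterprise Security's actual content.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed corporate source ranges (constructed); anything else adds risk.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
RISK_THRESHOLD = 70              # aggregate score that raises a risk notable
RISK_WINDOW = timedelta(hours=24)
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample events: a fail-fail-fail-success pattern for alice,
# a normal MFA sign-in for bob, and a single failure for carol.
SAMPLE_EVENTS = [
    {"class_uid": 3002, "time": "2025-01-10T02:00:05Z", "status": "Failure",
     "user": {"name": "alice"}, "src_endpoint": {"ip": "198.51.100.23"}, "is_mfa": False},
    {"class_uid": 3002, "time": "2025-01-10T02:00:20Z", "status": "Failure",
     "user": {"name": "alice"}, "src_endpoint": {"ip": "198.51.100.23"}, "is_mfa": False},
    {"class_uid": 3002, "time": "2025-01-10T02:00:41Z", "status": "Failure",
     "user": {"name": "alice"}, "src_endpoint": {"ip": "198.51.100.23"}, "is_mfa": False},
    {"class_uid": 3002, "time": "2025-01-10T02:01:10Z", "status": "Success",
     "user": {"name": "alice"}, "src_endpoint": {"ip": "198.51.100.23"}, "is_mfa": False},
    {"class_uid": 3002, "time": "2025-01-10T09:15:00Z", "status": "Success",
     "user": {"name": "bob"}, "src_endpoint": {"ip": "10.0.4.7"}, "is_mfa": True},
    {"class_uid": 3002, "time": "2025-01-10T09:20:00Z", "status": "Failure",
     "user": {"name": "carol"}, "src_endpoint": {"ip": "203.0.113.10"}, "is_mfa": False},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_event(event, recent_failures):
    """Return (score, technique, reason) contributions for one event."""
    contributions = []
    status = event.get("status")
    src_ip = event.get("src_endpoint", {}).get("ip")
    if status == "Failure":
        contributions.append((10, "T1110", "failed authentication"))
    elif status == "Success":
        if not event.get("is_mfa", False):
            contributions.append((20, "T1078", "successful sign-in without MFA"))
        if recent_failures >= 3:
            contributions.append((40, "T1110", f"success after {recent_failures} recent failures"))
    if src_ip and not any(ip_address(src_ip) in net for net in KNOWN_NETWORKS):
        contributions.append((15, "T1078", f"source {src_ip} outside known networks"))
    return contributions


def aggregate_risk(events):
    """Attribute risk to each user (the risk object), processing events in time order."""
    failures = defaultdict(list)   # user -> timestamps of failed sign-ins
    ledger = defaultdict(list)     # user -> [(time, score, technique, reason)]
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        if event.get("class_uid") != 3002:
            continue
        user = event["user"]["name"]
        when = parse_time(event["time"])
        recent = sum(1 for ft in failures[user] if when - ft <= BURST_WINDOW)
        for score, technique, reason in score_event(event, recent):
            ledger[user].append((when, score, technique, reason))
        if event.get("status") == "Failure":
            failures[user].append(when)
    return ledger


def risk_notables(events, threshold=RISK_THRESHOLD, window=RISK_WINDOW):
    """Raise one notable per user whose summed risk inside the window crosses the threshold."""
    notables = []
    for user, entries in aggregate_risk(events).items():
        if not entries:
            continue
        latest = max(entry[0] for entry in entries)
        in_window = [entry for entry in entries if latest - entry[0] <= window]
        total = sum(entry[1] for entry in in_window)
        if total >= threshold:
            notables.append({
                "risk_object": user,
                "risk_score": total,
                "techniques": sorted({entry[2] for entry in in_window}),
                "reasons": [entry[3] for entry in in_window],
            })
    return sorted(notables, key=lambda n: -n["risk_score"])


if __name__ == "__main__":
    for notable in risk_notables(SAMPLE_EVENTS):
        print(notable)
```

With the sample data only alice crosses the threshold: three external failures (25 points each) followed by a non-MFA success after the burst (75 points) sum to 150 across techniques T1078 and T1110, while carol's single failure from a known range contributes 10 and bob's MFA sign-in contributes nothing. Per-event detections would have fired three low-value "failed login" alerts; the aggregation produces one notable that already carries the story.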
Mitigation: Recorded Future Autonomous Threat Operations
Recorded Future Autonomous Threat Operations extends the architecture with AI-powered capabilities that autonomously hunt, detect, and prevent threats. Powered by real-time threat intelligence from 1+ million sources, the solution proactively tracks and enriches IoCs, malware, and threat actors across your environment. Autonomous Threat Operations standardizes threat hunting processes that previously required days or weeks of manual research. The solution integrates directly with Splunk, so autonomous agents operate within your existing security workflow without requiring analysts to switch between tools.
Architecture: How the components work together
The components form a single pipeline in which security data flows from detection through analysis to mitigation.
- Data collection and normalization: Security Lake ingests security events from AWS services and third-party sources, normalizing them to OCSF format. With this data standardization, Splunk can analyze data consistently across supported data sources.
- Real-time analysis: Splunk Enterprise Security receives normalized security data from Security Lake and performs real-time correlation, behavioral analysis, and threat detection. Splunk Enterprise Security applies machine learning models to identify anomalous patterns and generates alerts for security analysts.
- Intelligence enrichment: Recorded Future automatically enriches security events with threat intelligence, providing context about indicators of compromise (IOCs), threat actor tactics, and patterns of unauthorized activity. This enrichment happens continuously without manual analyst intervention.
- Automated response: When Splunk detects threats, Splunk SOAR runs automated playbooks that can isolate compromised resources, revoke credentials, block unexpected IP addresses, and initiate incident response workflows. Recorded Future Autonomous Threat Operations provides the intelligence that informs these automated decisions.
Integration benefits
This integrated solution delivers measurable improvements across your security operations.
Centralized visibility: Security Lake provides visibility across your cloud and on-premises environments, helping verify detection of security events across your configured data sources. You gain a single, normalized view of activity rather than switching between siloed tools.
Reduced analysis time: Automated threat intelligence enrichment and correlation reduce the time your analysts spend researching alerts and investigating events. If your security teams currently spend hours per alert on manual research, this integration can compress that timeline.
Faster response: Integration between Splunk SOAR and Recorded Future supports automated response to threats in seconds rather than hours. Your security teams can define playbooks that act on enriched intelligence without waiting for manual triage.
Standardized operations: Autonomous threat hunting creates consistent, repeatable processes that deliver reliable results with standard rigor and coverage every time.
Implementation approach
Organizations can implement this architecture in phases. This sequence builds each layer on the previous one, so that your team validates data flow and detection capabilities before adding automation.
- Deploy Security Lake to centralize security data from AWS services and third-party sources using OCSF format.
- Integrate Splunk Enterprise Security to analyze security data with real-time correlation and behavioral analytics.
- Connect Recorded Future to enrich security events with threat intelligence from global sources.
- Configure SOAR playbooks in Splunk to automate response actions based on threat intelligence.
- Activate Autonomous Threat Operations to standardize threat hunting and proactively detect threats.
The workflow and components are shown in the following figure. You install the Recorded Future App for Splunk directly from Splunk’s app marketplace, Splunkbase. Security Lake subscribers can configure Splunk as a data consumer for real-time data flow from the centralized data lake, or search remotely with federated search. For configuration details, see the Splunk and Security Lake integration guide or Splunk Federated Search for ASL.
Figure 1: Unified SOC Solution: Detect, Analyze, Mitigate – An integrated framework for security operations powered by AWS CloudTrail, Amazon GuardDuty, Amazon Inspector, Splunk SOAR, and Recorded Future Autonomous Threat Operations
Use case: Detecting and mitigating credential misuse
A practical example demonstrates how the integrated architecture operates:
When a threat actor uses stolen credentials to access an AWS account, AWS CloudTrail logs the authentication event and Amazon GuardDuty detects the suspicious sign-in pattern. Security Lake ingests these events in OCSF format and delivers them to Splunk Enterprise Security.
Splunk Enterprise Security correlates the suspicious login with other security events, including unusual API calls and network traffic patterns. Recorded Future automatically enriches the alert with threat intelligence, identifying that the source IP address is associated with known threat actors.
Based on this enriched intelligence, Splunk SOAR runs an automated playbook that suspends the affected account, revokes active sessions, isolates affected resources, and creates forensic snapshots for investigation.
Following containment, an analyst can use Autonomous Threat Operations to extend the initial investigation and run an automated threat hunt for similar activity across the environment, surfacing additionally impacted users, assets, or persistence mechanisms that may otherwise have evaded the initial point-in-time investigation.
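The enrichment, playbook decision and follow-on hunt from the use case above, as an added Python example that is not code from Splunk SOAR, Recorded Future or AWS: a constructed finding is enriched against a constructed intelligence table, containment actions are chosen from the intelligence risk score together with the finding's severity, and the indicator is then pivoted across constructed API-activity records from several accounts to surface other affected principals and persistence-style operations. The event shapes, thresholds, action names and the list of IAM operations are assumptions for illustration.

```python
"""Enrich a credential-misuse finding with threat intelligence, choose
containment actions, then pivot on the indicator to find related activity.

Added example, not Splunk SOAR, Recorded Future or AWS code. The finding,
the intelligence table and the API-activity records are constructed samples
in simplified OCSF-like shapes; the thresholds, action names and the set of
persistence-related IAM operations are assumptions for illustration.
"""

# Constructed threat-intelligence table standing in for an enrichment lookup.
THREAT_INTEL = {
    "198.51.100.23": {"risk_score": 89,
                      "categories": ["Recent C2 Server", "Historical Credential Stuffing"]},
    "192.0.2.77": {"risk_score": 15, "categories": ["Historical Scanning"]},
}

# Constructed detection finding (OCSF Detection Finding, class_uid 2004, simplified).
SAMPLE_FINDING = {
    "class_uid": 2004, "severity": "Medium",
    "finding_info": {"title": "Suspicious console sign-in from unusual location"},
    "cloud": {"account": {"uid": "111111111111"}},
    "actor": {"user": {"name": "alice"}},
    "src_endpoint": {"ip": "198.51.100.23"},
}

# Constructed API-activity records (OCSF API Activity, class_uid 6003, simplified)
# from two accounts, as Security Lake would deliver them after normalization.
SAMPLE_EVENTS = [
    {"class_uid": 6003, "cloud": {"account": {"uid": "111111111111"}},
     "actor": {"user": {"name": "alice"}}, "src_endpoint": {"ip": "198.51.100.23"},
     "api": {"operation": "ListBuckets"}},
    {"class_uid": 6003, "cloud": {"account": {"uid": "222222222222"}},
     "actor": {"user": {"name": "svc-deploy"}}, "src_endpoint": {"ip": "198.51.100.23"},
     "api": {"operation": "CreateAccessKey"}},
    {"class_uid": 6003, "cloud": {"account": {"uid": "111111111111"}},
     "actor": {"user": {"name": "bob"}}, "src_endpoint": {"ip": "10.0.4.7"},
     "api": {"operation": "DescribeInstances"}},
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
INTEL_THRESHOLD = 65   # assumed intel score at which an indicator is treated as malicious
# IAM operations an intruder commonly uses to persist; illustrative, not exhaustive.
PERSISTENCE_OPERATIONS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                          "AttachUserPolicy", "UpdateAssumeRolePolicy"}


def enrich(finding, intel=THREAT_INTEL):
    """Attach intelligence context for the finding's source IP (zero-risk context if unknown)."""
    ip = finding["src_endpoint"]["ip"]
    context = intel.get(ip, {"risk_score": 0, "categories": []})
    return {**finding, "enrichment": {"ip": ip, **context}}


def choose_actions(enriched, intel_threshold=INTEL_THRESHOLD):
    """Playbook decision: scale containment with intel confidence and finding severity."""
    score = enriched["enrichment"]["risk_score"]
    severity = SEVERITY_RANK.get(enriched.get("severity"), 0)
    if score >= intel_threshold and severity >= SEVERITY_RANK["Medium"]:
        return ["suspend_user", "revoke_sessions", "isolate_resources", "create_forensic_snapshots"]
    if score >= intel_threshold or severity >= SEVERITY_RANK["High"]:
        return ["revoke_sessions", "open_investigation"]
    return ["open_investigation"]


def hunt_related(enriched, events):
    """Pivot on the enriched indicator across accounts to find other affected principals."""
    ip = enriched["enrichment"]["ip"]
    related = [e for e in events if e.get("src_endpoint", {}).get("ip") == ip]
    principals = sorted({(e["cloud"]["account"]["uid"], e["actor"]["user"]["name"])
                         for e in related})
    persistence = [(e["cloud"]["account"]["uid"], e["actor"]["user"]["name"], e["api"]["operation"])
                   for e in related if e["api"]["operation"] in PERSISTENCE_OPERATIONS]
    return {"principals": principals, "persistence": persistence}


def run_playbook(finding, events, intel=THREAT_INTEL):
    """Return the action names an executor should carry out plus the hunt results."""
    enriched = enrich(finding, intel)
    return {"actions": choose_actions(enriched), "hunt": hunt_related(enriched, events)}


if __name__ == "__main__":
    print(run_playbook(SAMPLE_FINDING, SAMPLE_EVENTS))
```

The playbook returns action names rather than calling any API, so the decision logic can be tested on its own and the executor that talks to IAM or EC2 stays separate. The hunt is where the cross-account value shows up: the same source IP that triggered a Medium finding for alice in one account was also used by svc-deploy in a second account to create an access key, which a point-in-time look at the original alert would not have surfaced.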
Transforming security from reactive to preemptive
By combining Amazon Security Lake, Splunk Enterprise Security, and Recorded Future Autonomous Threat Operations, your organization can build a complete SOC and SIEM solution that addresses the security lifecycle from detection to analysis to mitigation. Security Lake centralizes detection across your configured security data sources, Splunk Enterprise Security delivers real-time analysis with automated response capabilities, and Recorded Future provides intelligence-driven mitigation through Autonomous Threat Operations. This integrated architecture helps transform your security operations from reactive alert triage to proactive threat mitigation. By detecting threats across your environment, analyzing them with intelligence-driven context, and automating security actions, you can reduce your risk and strengthen your security posture.
Take the next step
To see this architecture in action, schedule a demo of Recorded Future Autonomous Threat Operations.
AWS Partner Spotlight
Recorded Future is an AWS Advanced Technology partner that provides real-time threat intelligence to help organizations defend against threat actors. With capabilities spanning the open web, deep web, and dark web, Recorded Future delivers actionable intelligence that security teams can use to anticipate and respond to threats.
Splunk is an AWS Advanced Technology Partner that helps organizations build resilience through holistic security and observability. Used by enterprises and government agencies worldwide, Splunk Enterprise Security and Splunk SOAR give security teams real-time analytics, automated response workflows, and the operational consistency needed to keep pace with evolving threats.