
How AWS AppFabric and Splunk work together to improve your security observability of SaaS applications

Organizations adopt software-as-a-service (SaaS) applications to give employees tools that meet their growing collaboration and productivity needs. As adoption of these tools increases, IT and security teams must spend more time connecting each application to their security tools to keep corporate data secure and meet compliance requirements. The challenge is that audit log data is often siloed and the schema varies for each SaaS application, which forces IT teams to build and manage point-to-point (P2P) integrations. Building and maintaining P2P integrations across tens or hundreds of applications takes time away from IT and security teams' strategic activities, such as detecting threats and responding to security incidents.

Some teams use connectors to ingest audit log data into security information and event management (SIEM) tools. These connectors are often maintained by the developer community and can have variable performance, reliability, and support, which makes it harder for IT to maintain consistent functionality and performance across multiple connectors. As an organization's SaaS application footprint grows, the amount of audit log data that IT and security teams need to retain for compliance purposes also increases. Organizations often store audit log data in their security tools, which tend to have limited storage capacity and high storage fees, making compliance expensive even when the data is rarely accessed.

AWS AppFabric quickly connects SaaS applications for enhanced security and improved employee productivity. IT and security teams can connect their SaaS applications through the AWS AppFabric console, with no coding and no ongoing integration management required. AppFabric also supports many security tools, including Splunk. Customers use Splunk's unified security and observability platform to keep their digital systems secure and reliable. Splunk is a long-term AWS Partner and a launch partner for AppFabric. In this blog post, I discuss how to use AppFabric to centralize the ingestion of SaaS application audit log data into Splunk without building and managing custom code or P2P integrations. I also discuss how to optimize long-term audit log storage by keeping historical data in Amazon Simple Storage Service (Amazon S3) and querying it from Splunk with Splunk Federated Search for Amazon S3.

Centralized audit log ingestion and normalization

AppFabric allows IT and security teams to ingest, normalize, aggregate, and enrich SaaS application log data to meet regulatory compliance requirements and strengthen an organization’s security posture. AppFabric normalizes security data across SaaS applications into the Open Cybersecurity Schema Framework (OCSF). OCSF was co-founded by AWS, Splunk, and other AWS partners, and provides an open-source, vendor-agnostic core security schema that improves observability and helps reduce operational effort and cost for cybersecurity teams.

Splunk is compatible with OCSF and can receive audit logs normalized by AppFabric through Amazon Kinesis Data Firehose. Receiving aggregated and normalized audit logs from AppFabric removes the need for IT and security teams to create and manage point-to-point integrations with individual SaaS applications, or to pre-process data before ingestion into Splunk. Use the Splunk Add-on for Amazon Kinesis Data Firehose to ingest audit logs from Kinesis Data Firehose (see Figure 1). This configuration supports near real-time monitoring, alerting, and investigations in Splunk.


Figure 1: Architectural flow of AWS AppFabric with Amazon Kinesis Data Firehose integration

OCSF-structured audit log data ingested by Splunk helps accelerate security analysis, detection, and investigation. For example, you can build Splunk dashboards with key performance indicators (KPIs) such as the number of privilege assignments, user additions, or user deletions (see Figure 2), or create alerts based on OCSF event classes using normalized audit log data across all of your SaaS applications.
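As an added example (not code from this post, from AppFabric, or from Splunk), the following Python computes the KPIs described above and one class-based alert over a small batch of constructed OCSF records in the newline-delimited JSON shape that Firehose delivers. The app names, user addresses, and timestamps are invented; the class_uid, activity_id, and status_id values follow the OCSF IAM category (Account Change 3001, Authentication 3002, User Access Management 3005), so confirm them against the OCSF version your events declare before reusing the mapping.

```python
"""KPIs and a sample alert over OCSF audit events delivered as JSON lines (added example)."""
import json
from collections import Counter, defaultdict

# OCSF IAM category (3) class_uid values and the activity/status ids used below.
# Check them against the OCSF version your events declare in metadata.version.
ACCOUNT_CHANGE = 3001           # activity_id 1 = Create, 6 = Delete
AUTHENTICATION = 3002           # status_id 1 = Success, 2 = Failure
USER_ACCESS_MANAGEMENT = 3005   # activity_id 1 = Assign Privileges, 2 = Revoke Privileges


def _event(app, class_uid, **fields):
    """Build one constructed OCSF-shaped record; app and user values are invented."""
    record = {"class_uid": class_uid, "time": 1700000000000,
              "metadata": {"product": {"name": app}},
              "actor": {"user": {"email_addr": "admin@example.com"}}}
    record.update(fields)
    return json.dumps(record)


# Constructed sample batch (not real AppFabric output), one record per line as
# Firehose would deliver it, plus one malformed line to exercise error handling.
SAMPLE_LINES = "\n".join([
    _event("WikiApp", USER_ACCESS_MANAGEMENT, activity_id=1, user={"email_addr": "alice@example.com"}),
    _event("WikiApp", ACCOUNT_CHANGE, activity_id=1, user={"email_addr": "bob@example.com"}),
    _event("ChatApp", ACCOUNT_CHANGE, activity_id=6, user={"email_addr": "carol@example.com"}),
    _event("ChatApp", USER_ACCESS_MANAGEMENT, activity_id=1, user={"email_addr": "dave@example.com"}),
    _event("ChatApp", USER_ACCESS_MANAGEMENT, activity_id=2, user={"email_addr": "alice@example.com"}),
    *[_event("WikiApp", AUTHENTICATION, status_id=2, user={"email_addr": "mallory@example.com"})
      for _ in range(3)],
    _event("ChatApp", AUTHENTICATION, status_id=2, user={"email_addr": "mallory@example.com"}),
    _event("WikiApp", AUTHENTICATION, status_id=1, user={"email_addr": "alice@example.com"}),
    "this line is not JSON",
])


def parse_events(text):
    """Parse JSON lines; malformed or classless records are counted and skipped, not fatal."""
    events, dropped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            dropped += 1
            continue
        if not isinstance(record, dict) or "class_uid" not in record:
            dropped += 1
            continue
        events.append(record)
    return events, dropped


def _app(event):
    return event.get("metadata", {}).get("product", {}).get("name", "unknown")


def _target_user(event):
    return event.get("user", {}).get("email_addr", "unknown")


def kpis(events):
    """Per-app counts of privilege assignments, user additions, and user deletions."""
    out = defaultdict(lambda: {"privilege_assignments": 0, "user_additions": 0, "user_deletions": 0})
    for e in events:
        cls, act = e.get("class_uid"), e.get("activity_id")
        if cls == USER_ACCESS_MANAGEMENT and act == 1:
            out[_app(e)]["privilege_assignments"] += 1
        elif cls == ACCOUNT_CHANGE and act == 1:
            out[_app(e)]["user_additions"] += 1
        elif cls == ACCOUNT_CHANGE and act == 6:
            out[_app(e)]["user_deletions"] += 1
    return dict(out)


def failed_logins(events, threshold=3):
    """Alert candidates: users with at least `threshold` failed authentications across all apps."""
    fails = Counter(_target_user(e) for e in events
                    if e.get("class_uid") == AUTHENTICATION and e.get("status_id") == 2)
    return {user: n for user, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    evts, bad = parse_events(SAMPLE_LINES)
    print(f"parsed {len(evts)} events, dropped {bad}")
    print(json.dumps(kpis(evts), indent=2))
    print("failed-login alerts:", failed_logins(evts))
```

The point of the normalization is visible in the code: the counting logic keys on OCSF class and activity ids and the product name, so it is the same for every connected application, and the failed-login count spans apps because the Authentication class and its status_id mean the same thing everywhere. The same logic expressed as a Splunk search or alert would group on those fields; the Python is here so it can be checked against known input first.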

With the latest version of the OCSF-CIM (Common Information Model) Add-On for Splunk, you can extend your investigation using Splunk features such as Notable Events, Risk Scoring, Risk-Based Alerting, and Threat Intelligence. You can also use Splunk Security Orchestration, Automation, and Response (SOAR) to analyze and investigate an incident and take mitigating action, such as quarantining a user or blocking access to certain applications.

Compliance retention and historical analysis

Organizations often need to retain audit log data for several years to meet compliance requirements or conduct investigations into historical activity. This data is usually infrequently accessed. While it is possible to store and manage historical data on Splunk Cloud Platform using Splunk’s data retention options, there are cost and restoration time considerations for searching archived data. Some customers retain only the most recent data within Splunk for observability and alerting, and offload historical audit log data to other destinations, such as Amazon S3.

With AppFabric, you can send normalized audit log data to Amazon S3 for long-term retention and analysis, send it through Kinesis Data Firehose into Splunk for near real-time monitoring, alerting, and investigations, or do both. With data in Splunk, you can then use Splunk's data retention rules to keep only the most recent audit log data that needs near real-time, high-frequency access. Splunk Federated Search for Amazon S3 lets you take advantage of the cost, compliance, security, scalability, and manageability benefits of Amazon S3 as part of your compliance data storage strategy.


Figure 2: Customized Splunk dashboard with OCSF event classification KPIs

For example, you can use Amazon S3 storage classes to optimize the cost of long-term audit log storage. Splunk Federated Search for Amazon S3 uses the AWS Glue Data Catalog to describe the audit log data stored in Amazon S3 so that Splunk Cloud Platform can query it. You can then search the historical audit log data in place in Amazon S3 from Splunk Cloud Platform, without ingesting it (see Figure 3).


Figure 3: Using Amazon S3 storage with Splunk
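To make the storage-class point concrete, here is an added example (mine, not from this post or from AWS) that builds an S3 lifecycle configuration for the bucket AppFabric writes to and checks it against the constraints that matter when the data must stay searchable for compliance. The bucket name, prefix, transition days, and the seven-year retention floor are assumptions for the example; the storage-class facts it checks (Standard-IA and One Zone-IA transitions need at least 30 days, and GLACIER and DEEP_ARCHIVE objects must be restored before they can be read) are S3 behavior.

```python
"""Lifecycle rule for an AppFabric audit log bucket, with sanity checks (added example)."""
import json

# Assumed names and numbers for the example; set them for your own bucket.
BUCKET = "example-appfabric-audit-logs"
PREFIX = "ocsf/"
RETENTION_DAYS = 7 * 365    # assumed seven-year compliance retention floor

# Storage classes whose objects can be read directly. GLACIER and DEEP_ARCHIVE
# objects must be restored first, so data in them is not searchable in place.
INSTANT_ACCESS_CLASSES = {"STANDARD", "STANDARD_IA", "ONEZONE_IA",
                          "INTELLIGENT_TIERING", "GLACIER_IR"}
IA_MIN_DAYS = 30            # S3 minimum age before a Standard-IA / One Zone-IA transition


def lifecycle_config(prefix=PREFIX, retention_days=RETENTION_DAYS):
    """Recent data stays in Standard, then steps down to cheaper classes that are
    still readable in place, and expires only once the retention floor is met."""
    return {"Rules": [{
        "ID": "appfabric-audit-log-retention",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": 90, "StorageClass": "STANDARD_IA"},
            {"Days": 365, "StorageClass": "GLACIER_IR"},
        ],
        "Expiration": {"Days": retention_days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


def validate(config, retention_days=RETENTION_DAYS):
    """Return a list of problems; an empty list means the rules are sound."""
    problems = []
    for rule in config["Rules"]:
        rid = rule["ID"]
        transitions = rule.get("Transitions", [])
        days = [t["Days"] for t in transitions]
        if days != sorted(days) or len(set(days)) != len(days):
            problems.append(f"{rid}: transitions must be in strictly increasing day order")
        for t in transitions:
            if t["StorageClass"] not in INSTANT_ACCESS_CLASSES:
                problems.append(f"{rid}: {t['StorageClass']} needs a restore before objects can be searched")
            if t["StorageClass"] in {"STANDARD_IA", "ONEZONE_IA"} and t["Days"] < IA_MIN_DAYS:
                problems.append(f"{rid}: {t['StorageClass']} transition must be at least {IA_MIN_DAYS} days")
        expiration = rule.get("Expiration", {}).get("Days")
        if expiration is None or expiration < retention_days:
            problems.append(f"{rid}: expiration is shorter than the {retention_days}-day retention floor")
        if days and expiration is not None and expiration <= days[-1]:
            problems.append(f"{rid}: expiration must come after the last transition")
    return problems


if __name__ == "__main__":
    cfg = lifecycle_config()
    print(json.dumps(cfg, indent=2))
    print("problems:", validate(cfg) or "none")
```

Apply the returned dictionary with boto3's put_bucket_lifecycle_configuration (or the equivalent console setting) only after validate() returns an empty list. A rule that moves objects into an archive class too early makes them unreadable until restored, which defeats the purpose of keeping them searchable in place, and an expiration shorter than the retention requirement silently deletes evidence you are obliged to keep.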

Conclusion

In this blog post, I explored how AppFabric and Splunk work together to help you address the challenges created by increased SaaS application adoption. AppFabric quickly connects SaaS applications to enhance an organization's security posture. With AppFabric, you can centralize and normalize SaaS application audit log data and remove from IT the burden of building and managing multiple SaaS application integrations. Security teams benefit too: AppFabric automatically provides OCSF-normalized and enriched audit logs, so security teams can analyze and respond to incidents across multiple SaaS applications more efficiently. Splunk's compatibility with OCSF and Amazon S3 lets AppFabric customers optimize audit log storage costs and supports both near real-time and historical security analysis.

To learn more about how AppFabric and Splunk improve security observability, watch Improve SaaS application security observability with AWS AppFabric (BIZ213) from AWS re:Invent 2023. Try this configuration today by getting started in the AWS AppFabric console.

Marc Wynter

Marc is a Senior Specialist Solutions Architect for AWS AppFabric. Marc enjoys helping customers explore, build, and launch workloads at scale in the cloud. Outside of work, Marc enjoys traveling, photography, motorsports, and spending time with his family.