Better Together: How AWS and Splunk Help Modern SOCs Move Faster
Category: Security
Authors: Narayan Sundar, Paul Frederiksen
Key takeaways
- Splunk and AWS help security teams bring cloud and enterprise data together for faster investigations and more connected workflows.
- AWS Security Hub Extended and Splunk Enterprise Security reduce manual work by sharing and correlating security findings across environments.
- The integration helps organizations simplify operations, improve analyst focus, and turn security alerts into actionable insights.
This blog was co-authored by Allan Holmes, Brandon Rooks, Marshall Jones, Narayan Sundar, and Paul Frederiksen.
Security operations center teams are under more pressure than ever. They have more data, more tools, and more visibility into their environments, but many still struggle with fragmented workflows, manual investigation, and alert fatigue.
The challenge is not a lack of security signals. It is that those signals often live across disconnected tools. Cloud findings, identity activity, endpoint data, application telemetry, and on-premises events are frequently reviewed in separate workflows. That slows investigations, increases operational overhead, and makes it harder for analysts to see the full picture.
Splunk and AWS are working together to change that. By bringing AWS-native findings and enterprise telemetry into Splunk-powered workflows, organizations can move from isolated alerts to connected, actionable intelligence. The result is a more unified SOC experience across AWS, hybrid, and multi-cloud environments.
AWS Security Hub Extended with Splunk Enterprise Security
AWS Security Hub Extended is a plan within AWS Security Hub that simplifies how customers procure, enable, and integrate enterprise security solutions across endpoint, identity, email, network, data, browser, cloud, AI, and security operations. With AWS as the seller of record, customers get one bill, flexible pricing, and a simplified path to activation without long procurement cycles.
Splunk Enterprise Security is available through AWS Security Hub Extended as a curated SIEM solution. The Splunk Enterprise Security for AWS Security Hub Extended plan bundles Splunk Cloud and Splunk Enterprise Security and makes them available through AWS Security Hub. This helps customers activate enterprise SIEM capabilities more easily while keeping Splunk’s analytics, detection, investigation, and security operations expertise at the center of the experience.
With this integration, AWS findings flow directly into Splunk Enterprise Security, helping SOC teams reduce the need for custom parsing, manual configuration, and service-specific rule maintenance. AWS Security Hub aggregates findings from AWS services such as Amazon GuardDuty, Amazon Inspector, AWS Config, and IAM Access Analyzer, then normalizes them using the Open Cybersecurity Schema Framework, or OCSF. Those findings flow into Splunk Enterprise Security in near real time, where they can be correlated with AWS, hybrid, multi-cloud, and on-premises telemetry.
The latest update to the Splunk Add-on for AWS Security Hub further strengthens the integration by supporting bi-directional findings workflows between Splunk Enterprise Security and AWS Security Hub Extended. AWS Security Hub Extended findings can flow into Splunk Enterprise Security, and Splunk Enterprise Security findings can create findings in AWS Security Hub Extended.
For SOC teams, this creates a shared detection and response loop. Analysts can investigate across AWS, hybrid, and multi-cloud data in Splunk Enterprise Security, enrich findings with Splunk’s correlation engine, AI-powered SecOps capabilities, and Cisco Talos threat intelligence, and send relevant findings back into AWS Security Hub Extended for visibility, tracking, and operational alignment.
The result is a more unified SOC workflow that helps teams simplify procurement, reduce operational friction, correlate cloud and enterprise signals, accelerate investigations, and improve analyst focus by turning isolated findings into prioritized, actionable insights.
Extending the AWS and Splunk Partnership
AWS Security Hub Extended is one example of how AWS and Splunk are helping customers modernize security operations. The broader partnership also extends across observability, DevOps, and data access.
Capabilities such as the AWS DevOps agent help development and operations teams bring AWS context into Splunk-powered workflows. This makes it easier to understand application performance, infrastructure changes, deployment activity, and operational risk without forcing teams to manually connect signals across separate tools.
Federation is another important capability for modern enterprises. As data becomes more distributed across AWS, on-premises environments, SaaS platforms, and other systems, customers need flexible ways to search and correlate data without always moving it first. Federated approaches help teams analyze data where it resides while still bringing high-value insights into Splunk workflows.
Together, AWS and Splunk help customers connect cloud-native signals, enterprise data, and operational workflows into a more complete view of their environment.
A New Standard for Modern SOCs
Modernizing the SOC is not about adding more tools. It is about helping teams work smarter, move faster, and act with better context.
By combining Splunk Enterprise Security with AWS Security Hub Extended, organizations can reduce silos, simplify operations, and give analysts a unified workflow for detection, investigation, and response. Whether customers are simplifying their security stack or managing a complex hybrid estate, Splunk and AWS provide the visibility, control, and agility needed to strengthen digital resilience.
Your security team deserves tools that work together as hard as they do. With Splunk and AWS, organizations can move beyond fragmented workflows and build a more connected, AI-powered foundation for modern security operations.
Getting Started
Splunk Enterprise Security for AWS Security Hub Extended is available through the AWS Security Hub console. Customers can review the Splunk partner solution, explore other curated partner offerings, and activate the capabilities that best support their security operations needs.
To learn more, visit the AWS Security Hub Extended product page, review Splunk integration resources, or reach out to your AWS or Splunk account team.