Configure Data Intelligence

Distributed Cloud Data Intelligence processes log data collected by F5 Distributed Cloud Services and uses it to equip security and fraud prevention teams with comprehensive insights into user behavior, device identification, and network data. This enables the early detection of anomalies indicative of potential security threats and fraudulent activities.

Integrate Data Intelligence with your SIEM solution or Fraud Orchestration tools and use the log data processed by Data Intelligence along with additional context and signals from your other data sources to build better rules and models and to improve the quality of data and decisions.

Data Intelligence can send log information to the following data collection systems:

• AWS S3
• Splunk
• Azure Blob Storage
• GCP Buckets

Configure Data Intelligence Data Delivery

Depending on the edition of Bot Defense that you have, there are two ways to configure Data Intelligence Data Delivery:

• If you have Bot Defense Standard Edition, follow the instructions in the sections below to enable and configure Data Intelligence Data Delivery. To get started, see the prerequisites.

• If you have Bot Defense Advanced Edition, you can contact your assigned Technical Account Manager for assistance enabling and configuring Data Intelligence Data Delivery. Your Technical Account Manager can perform most of the configuration process for you and guide you on how to get started with Data Intelligence Data Delivery.

  You can also optionally decide to configure Data Intelligence Data Delivery yourself. To get started yourself, see the prerequisites.

Prerequisites

• You must have a valid Distributed Cloud Console account. If you do not have a valid account, see Create a Distributed Cloud Console Account.
• You must have an Organization plan. To see plan information, from the Distributed Cloud Console Home page, click Billing.
• You must have an externally available data collection system.
• You must add the following IP addresses to the allow list on your firewall:
  • 35.247.100.206
  • 34.168.102.111
  • 34.168.48.1
  • 34.82.248.13
  • 35.230.48.185
  • 35.203.143.95

Enable Data Intelligence

To use Data Intelligence, you must first enable it in the Distributed Cloud Console.

1. On the Distributed Cloud Console Home page, click Billing.
2. Click Manage > Billing Plan and scroll to the Organization Plan.
3. Under the Organization Plan, click Data Intelligence. The Data Intelligence landing page appears.

   Note: If Data Intelligence is already enabled, the Data Receivers page appears, and you can begin using Data Intelligence.

4. From the Data Intelligence landing page, click Request Service.

Add a Data Receiver

Configure a data receiver to connect Distribute Cloud Services to your externally accessible data collection system.

1. Log on to Data Intelligence in the Distributed Cloud Console.
2. Click Manage > Data Delivery and then click Add Receiver.
3. Add a Name to identify the new data receiver.
4. Optionally add a Description of the new data receiver.
5. From the Data Set drop-down menu, select the data set you want to send to your data collection system.
6. From the Receiver Configuration drop-down menu, select the data collection system to which you want to send data.
7. To finish configuring your data receiver, see one of the following sections:
   • Configure an AWS S3 Receiver
   • Configure a Splunk Receiver
   • Configure an Azure Blob Storage Receiver
   • Configure a GCP Bucket Receiver

Configure an AWS S3 Receiver

1. Complete the steps in Add a Data Receiver.

2. In the S3 Bucket Name field, enter the exact name of the AWS S3 bucket where you want to send log data.

3. From the AWS Cloud Credentials drop-down list, select the cloud credentials you want Distributed Cloud Services to use to access the AWS S3 bucket

   If you need to add new credentials, from the AWS Cloud Credentials drop-down list, click Add Item. For information about adding credentials, see Cloud Credentials.

   Note: You must select credentials that are the AWS Programmatic Access Credentials type.

   In the AWS Region drop-down list, select the region where you configured your S3 storage bucket.

   

   Figure: Configure an AWS S3 Receiver

4. To save your AWS S3 receiver, click Save & Continue.

Configure a Splunk Receiver

1. Complete the steps in Add a Data Receiver.

2. In the Splunk HEC Logs Endpoint field, enter the name of the Splunk HTTP Event Collector (HEC) that you want use to send log data to your Splunk deployment.

   

   Figure: Configure a Splunk Receiver

3. In the Splunk HEC token section, click Configure. Distributed Cloud Services uses an HEC token to authenticate with the HEC.

4. From the Secret Type drop-down list, select Blindfolded Secret.

5. From the Action drop-down list, select Blindfold New Secret.

6. From the Policy Type drop-down list, perform one of the following actions:

   • Select Built-in.
   • Select Custom and then select a custom policy from the Custom Policy drop-down list.

7. In the Secret to Blindfold field, enter your Splunk HEC token.

   

   Figure: Configure a Splunk HEC Token

8. Click Apply.

9. To save your Splunk receiver, click Save & Continue.

Configure an Azure Blob Storage Receiver

Important: Before you begin, make sure you have access to your Azure Blob connection string. You need the connection string during the receiver configuration process. See your Azure documentation for information about how to obtain the Azure Blob connection string.

1. Complete the steps in Add a Data Receiver.

2. In the Azure Blob Connection String section, click Configure.

   

   Figure: Configure an Azure Blob Receiver

3. From the Secret Type drop-down menu, select Blindfolded Secret.

4. From the Action drop-down menu, select one of the following options:

   • Use Existing Blindfolded Secret
   • Blindfold New Secret: From the Policy Type drop-down menu, select one of the following options:
     • Built-in
     • Custom: Select a custom policy from the Custom Policy drop-down list.

5. In the Secret to Blindfold field, enter your Azure Blob connection string and then click Apply.

6. In the Container Name field, enter the name of the Azure container where the logs should be stored.

7. To save your Azure Blob receiver, click Save and Exit.

Configure a GCP Bucket Receiver

1. Complete the steps in Add a Data Receiver.

   

   Figure: Configure a GCP Bucket Receiver

2. In the GCP Bucket Name field, enter the name of the GCP bucket where logs should be sent.

3. From the GCP Cloud Credentials drop-down menu, select an existing set of credentials that Data Intelligence can use to access the GCP bucket.

   To add new cloud credential, select Add Item. For information about adding new credentials, see Cloud Credentials.

4. To save your GCP bucket receiver, click Save and Exit.

Configure Advanced Options

Advanced settings include optional settings to enable compression and to configure batch options.

Enable Compression

Enabling compression reduces the size of the log data files delivered from Data Intelligence and can help reduce your data storage costs.

1. Click Manage > Data Delivery > Add Receiver.
2. In the Data Delivery section, enable the Show Advanced Fields toggle.
3. To enable compression, from the Compression Type drop-down menu, select gzip.
4. When finished, click, Save and Exit.

Configure Batch Options

Batch options allow you to apply limits such as maximum number of messages, bytes or timeout. When you configure a limit, Data Intelligence sends log data to the receiver only when the system detects that a configured limit has been reached.

1. Click Manage > Data Delivery > Add Receiver.
2. In the Data Delivery section, enable the Show Advanced Fields toggle.
3. To configure the maximum age of a batch before it is sent to a data receiver, from the Batch Timeout Options drop-down menu, select Timeout Seconds and then enter the number of Timeout Seconds.
4. To configure the maximum number of log messages that can be added to a batch before it is sent to a data receiver, from the Batch Max Events drop-down menu, select Max Events and then enter a Max Events value between 32 and 2000.
5. To configure the maximum byte size of a batch before it is sent to a data receiver, from the Batch Bytes drop-down menu, select Max Bytes and then enter a value between 4096 and 1048576. Logs are sent after the batch is size is equal to or more than the specified byte size.
6. When finished, click, Save and Exit.

Manage Data Receivers

Perform the following steps to manage, enable or disable, or delete existing data receivers.

Note: To add a new data receiver, see Add a Data Receiver.

1. From the Data Intelligence navigation menu, click Manage > Data Delivery.
2. From the list of configured data receivers, in the Actions column, click the Action menu (…) next to the data receiver you want to manage and then click one of the following options:
   • Manage: Update data receiver configuration settings. For information about specific settings, see the following sections:
     • Configure an AWS S3 Receiver
     • Configure a Splunk Receiver
     • Configure an Azure Blob Storage Receiver
     • Configure a GCP Bucket Receiver
   • Disable: Temporarily disable the data receiver that connects the Distributed Cloud Service to your data collection system. This prevents the Distributed Cloud Service from sending data to your data collection system
   • Enable: Re-enable a data receiver that you previously disabled. This allows the Distributed Cloud Service to resume sending data to your data collection system
   • Delete: Permanently disable and remove a configured data receiver. This cannot be undone.

---

View the Data Dictionary

The Data Intelligence data dictionary provides information to help you understand the log data that Data Intelligence sends to your data collection system.

To view the information contained in the data sets in the data dictionary, from the Data Intelligence navigation menu, click Manage > Data Dictionary.

Click a data set to view the following details:

• Feature name
• Description
• Data Type

To subscribe to a data set, contact F5 Support.

---