Configure Data Intelligence

Distributed Cloud Data Intelligence processes log data collected by F5 Distributed Cloud Services and uses it to equip security and fraud prevention teams with comprehensive insights into user behavior, device identification, and network data. This enables the early detection of anomalies indicative of potential security threats and fraudulent activities.

Integrate Data Intelligence with your SIEM solution or Fraud Orchestration tools and use the log data processed by Data Intelligence along with additional context and signals from your other data sources to build better rules and models and to improve the quality of data and decisions.

Data Intelligence can send log information to the following log collection systems:

  • AWS S3
  • Splunk

Configure Data Intelligence Data Delivery

Depending on the edition of Bot Defense that you have, there are two ways to configure Data Intelligence Data Delivery:

  • If you have Bot Defense Standard Edition, follow the instructions in the sections below to enable and configure Data Intelligence Data Delivery. To get started, see the prerequisites.

  • If you have Bot Defense Advanced Edition, you can contact your assigned Technical Account Manager for assistance enabling and configuring Data Intelligence Data Delivery. Your Technical Account Manager can perform most of the configuration process for you and guide you on how to get started with Data Intelligence Data Delivery.

    Alternatively, you can configure Data Intelligence Data Delivery yourself. To get started, see the prerequisites.

Prerequisites

  • You must have a valid Distributed Cloud Console account. If you do not have a valid account, see Create a Distributed Cloud Console Account.
  • You must have an Organization plan. To see plan information, from the Distributed Cloud Console Home page, click Billing.
  • You must have an externally available log collection system.
  • You must add the following IP addresses to the allow list on your firewall:
    • 35.247.100.206
    • 34.168.102.111
    • 34.168.48.1
    • 34.82.248.13
    • 35.230.48.185
    • 35.203.143.95
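
To check that the allow list is doing its job, the following added example (not from F5's documentation) audits netfilter-style firewall log lines for connections to the receiver port that come from sources outside the list above. The port 8088 (Splunk HEC's default), the log line format, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Delivery source addresses from the prerequisites list above.
F5_SOURCES = frozenset(ipaddress.ip_address(a) for a in (
    "35.247.100.206", "34.168.102.111", "34.168.48.1",
    "34.82.248.13", "35.230.48.185", "35.203.143.95",
))
RECEIVER_PORT = 8088  # assumption: Splunk HEC default; use your listener's port

# Netfilter LOG lines carry SRC=<ip> and DPT=<port> key/value fields.
_SRC = re.compile(r"\bSRC=(\S+)")
_DPT = re.compile(r"\bDPT=(\d+)\b")

def audit(lines, port=RECEIVER_PORT):
    """Split connections to the receiver port into expected and unexpected sources."""
    report = {"expected": {}, "unexpected": {}, "unparsed": 0}
    for line in lines:
        src, dpt = _SRC.search(line), _DPT.search(line)
        if not src or not dpt:
            report["unparsed"] += 1          # truncated or foreign log line
            continue
        if int(dpt.group(1)) != port:
            continue                         # other services are out of scope
        try:
            addr = ipaddress.ip_address(src.group(1))
        except ValueError:
            report["unparsed"] += 1          # SRC field is not an IP address
            continue
        bucket = "expected" if addr in F5_SOURCES else "unexpected"
        report[bucket][str(addr)] = report[bucket].get(str(addr), 0) + 1
    return report

# Constructed sample lines; non-F5 hosts use documentation-range addresses.
SAMPLE_LOG = [
    "kernel: hec-in IN=eth0 SRC=35.247.100.206 DST=192.0.2.10 PROTO=TCP SPT=41822 DPT=8088",
    "kernel: hec-in IN=eth0 SRC=34.168.48.1 DST=192.0.2.10 PROTO=TCP SPT=50110 DPT=8088",
    "kernel: hec-in IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=8088",
    "kernel: hec-in IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=8088",
    "kernel: hec-in IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=443",
    "kernel: hec-in IN=eth0 SRC=not-an-ip DST=192.0.2.10 PROTO=TCP DPT=8088",
    "kernel: truncated line without fields",
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for ip, hits in sorted(result["unexpected"].items()):
        print(f"unexpected source {ip}: {hits} connection(s) to port {RECEIVER_PORT}")
    unseen = sorted(str(a) for a in F5_SOURCES if str(a) not in result["expected"])
    print("listed sources not yet seen:", ", ".join(unseen))
```

Any address reported as unexpected reached the receiver port without being on the allow list, which means the firewall rule is broader than the six addresses above.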

Enable Data Intelligence

To use Data Intelligence, you must first enable it in the Distributed Cloud Console.

  1. On the Distributed Cloud Console Home page, click Billing.
  2. Click Manage > Billing Plan and scroll to the Organization Plan.
  3. Under the Organization Plan, click Bot Defense. The Data Intelligence landing page appears.

    Note: If Data Intelligence is already enabled, the Data Receivers page appears, and you can begin using Data Intelligence.

  4. From the Data Intelligence landing page, click Request Service.

Add a Data Receiver

Configure a data receiver to connect Distributed Cloud Services to your externally accessible log collection system.

  1. Log on to Data Intelligence in the Distributed Cloud Console.
  2. Click Manage > Data Delivery and then click Add Receiver.
  3. Add a Name to identify the new data receiver.
  4. Optionally add a Description of the new data receiver.
  5. From the Data Set drop-down menu, select the type of logs you want to send to your log collection system.
  6. From the Receiver Configuration drop-down menu, select the log collection system to which you want to send log data.
  7. To finish configuring your data receiver, see Configure an AWS S3 Receiver or Configure a Splunk Receiver.

Configure an AWS S3 Receiver

  1. Complete the steps in Add a Data Receiver.

  2. In the S3 Bucket Name field, enter the exact name of the AWS S3 bucket where you want to send log data.

  3. From the AWS Cloud Credentials drop-down list, select the cloud credentials you want Distributed Cloud Services to use to access the AWS S3 bucket.

    If you need to add new credentials, from the AWS Cloud Credentials drop-down list, click Add Item. For information about adding credentials, see Cloud Credentials.

    Note: You must select credentials that are the AWS Programmatic Access Credentials type.

    In the AWS Region drop-down list, select the region where you configured your S3 storage bucket.

    Figure: Configure an AWS S3 Receiver
  4. To save your AWS S3 receiver, click Save & Continue.

Configure a Splunk Receiver

  1. Complete the steps in Add a Data Receiver.

  2. In the Splunk HEC Logs Endpoint field, enter the name of the Splunk HTTP Event Collector (HEC) that you want to use to send log data to your Splunk deployment.

    Figure: Configure a Splunk Receiver
  3. In the Splunk HEC token section, click Configure. Distributed Cloud Services uses an HEC token to authenticate with the HEC.

  4. From the Secret Type drop-down list, select Blindfolded Secret.

  5. From the Action drop-down list, select Blindfold New Secret.

  6. From the Policy Type drop-down list, perform one of the following actions:

    • Select Built-in.
    • Select Custom and then select a custom policy from the Custom Policy drop-down list.
  7. In the Secret to Blindfold field, enter your Splunk HEC token.

    Figure: Configure a Splunk HEC Token
  8. Click Apply.

  9. To save your Splunk receiver, click Save & Continue.

Manage Data Receivers

Perform the following steps to manage, enable or disable, or delete existing data receivers.

Note: To add a new data receiver, see Add a Data Receiver.

  1. From the Data Intelligence navigation menu, click Manage > Data Delivery.
  2. From the list of configured data receivers, in the Actions column, click the Action menu (…) next to the data receiver you want to manage and then click one of the following options:
    • Manage: Update data receiver configuration settings. For information about specific settings, see Configure an AWS S3 Receiver and Configure a Splunk Receiver.
    • Disable: Temporarily disable the data receiver that connects the Distributed Cloud Service to your log collection system. This prevents the Distributed Cloud Service from sending log data to your log collection system.
    • Enable: Re-enable a data receiver that you previously disabled. This allows the Distributed Cloud Service to resume sending log data to your log collection system.
    • Delete: Permanently disable and remove a configured data receiver. This cannot be undone.