forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
get_all_aws_activity_from_region.yml
35 lines (35 loc) · 1.31 KB
/
get_all_aws_activity_from_region.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
name: Get All AWS Activity From Region
id: 5b794bef-1743-4f6f-804a-43915a2702ff
version: 1
date: '2018-03-19'
author: David Dorsey, Splunk
type: Investigation
datamodel: []
description: This search retrieves all the activity from a specific geographic region
and will create a table containing the time, geographic region, ARN, username, the
type of user, the source IP address, the AWS region the activity was in, the API
called, and whether or not the API call was successful.
search: '`cloudtrail` | iplocation sourceIPAddress | search Region=$Region$ | spath
output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName
| spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip
| table _time, Region, user, userName, userType, src_ip, awsRegion, eventName, errorCode'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
inputs.
known_false_positives: ''
references: []
tags:
analytic_story:
- AWS Suspicious Provisioning Activities
product:
- Splunk Phantom
required_fields:
- _time
- sourceIPAddress
- userIdentity.arn
- userIdentity.userName
- userIdentity.type
- awsRegion
- eventName
- errorCode
security_domain: network