Splunk® App for AWS Security Dashboards

User Manual

Overview of the dashboards in the Splunk App for AWS Security Dashboards

The Splunk App for AWS Security Dashboards offers a variety of dashboards to give you insight into your AWS data. As you navigate from one dashboard to another, the app retains your most recent filter selections for Account ID and region to facilitate easy browsing.

Each dashboard is powered by data collected from your AWS environment using one or more input types configured in the Splunk Add-on for AWS. The dashboard overview tables below show the recommended input types to configure for each dashboard.

For detailed information about the supported input types for each source type, see Supported data types and corresponding AWS input types in the Splunk Add-on for AWS manual.

If you do not see data in a particular dashboard panel, check the source type of the panel for which data is missing. For example, if your Changes Over Time panel on the Resource Activity dashboard shows zeroes, but you know changes have been made in your AWS environment, search sourcetype=aws:config:notification to verify that data is coming in to your Splunk platform from that source type.

If you do not see events, troubleshoot that input with a Splunk administrator, and make sure that proper AWS permissions have been configured for the Splunk Add-on for AWS. See the installation overview topic in the Splunk Add-on for AWS manual to identify the input permissions you need for your deployment.

Overview

The following table summarizes the contents of the Security Overview dashboard, with special attention to input type, panel name, and source type:

Dashboard Description and recommended input types in the Splunk Add-on for AWS Panel Source Type
Security Overview Displays the number of error events from different services. Drill down to more detailed dashboards from this overview.

Recommended input types: Description and SQS-based S3.
IAM Errors aws:cloudtrail
VPC errors aws:cloudtrail
Security Group Errors aws:cloudtrail
Key Pair Errors aws:cloudtrail
Network ACL Errors aws:cloudtrail
Unauthorized Activity aws:cloudtrail
Authorized vs. Unauthorized IAM Activity aws:cloudtrail
Authorized vs. Unauthorized Activity by User aws:cloudtrail
Authorized vs. Unauthorized Activity by Event Name aws:cloudtrail

If you see a message indicating that the Notable CloudTrail Activity by Origin map cannot display, this is because AWS does not provide a valid sourceIPAddress for data in the AWS region at this time.

Security dashboards

The following table outlines the contents of the security-related dashboards in the Splunk App for AWS Security Dashboards:

Dashboard Description and recommended input types in the Splunk Add-on for AWS Panel Source Type
Network ACLs Describes the Network ACL activity in your AWS environment, including error events, the number of Network ACLs, activity over time, and the detailed list of error activities.

Recommended input types: Metadata and SQS-based S3.
Network ACLs aws:metadata
Error Events aws:cloudtrail
Network ACL actions aws:cloudtrail
Network ACL Activity Over Time aws:cloudtrail
Detailed Network ACLs Activity aws:cloudtrail
Network ACL Error Activity aws:cloudtrail
Security Groups Describes security group activity in your AWS environment, including error events, number of security groups and rules, any unused security groups, activity over time, and the detailed list of error activities.

Recommended input types: Metadata and SQS-based S3.
Security Groups aws:metadata
Security Group Rules aws:metadata
Error Events aws:cloudtrail
Security Group Actions aws:cloudtrail
Unused Security Groups aws:config
Security Group Activity Over Time aws:cloudtrail
Security Group Activity aws:cloudtrail
Authorize and Revoke Activity aws:cloudtrail
Security Group Error Activity aws:cloudtrail
IAM Activity Describes IAM activity in your environment, including the error events, which users have the most activity, activity over time, and the detailed list of error activities.

Recommended input types: SQS-based S3.
Error Events aws:cloudtrail
Activity by User aws:cloudtrail
IAM Actions aws:cloudtrail
IAM Activity Over Time aws:cloudtrail
Authorized vs. Unauthorized Activity aws:cloudtrail
Detailed IAM Activity aws:cloudtrail
IAM Error Activity aws:cloudtrail
Key Pairs Activity Describes the key pair activity in your AWS environment, including error events, the number of in-use key pairs, which key pair is most used, activity over time, and the detailed list of error activities.

Recommended input types: Metadata and SQS-based S3.
In-use Key Pairs aws:metadata
Error Events aws:cloudtrail
Key Pair Actions aws:cloudtrail
Key Pair Usage aws:metadata
Key Pair Activity Over Time aws:cloudtrail
Detailed Key Pair Activity aws:cloudtrail
Key Pair Error Activity aws:cloudtrail
S-3 Data Event Displays S-3 event statistics.

Recommended input types: Metadata and SQS-based S3.
Error Events aws:s3:access logs
Unauthorized Events aws:s3:access logs
Activities by User aws:s3:access logs
Events by UserAgent aws:s3:access logs
Events by UserName aws:s3:access logs
Events by BucketName aws:s3:access logs
Events Over Time aws:s3:access logs
Events by Origin aws:s3:access logs
Most Frequently Accessed Objects - Top 10 aws:s3:access logs
Most Recent Modifications - Latest 10 aws:s3:access logs
VPC Activity Describes VPC activity in your environment, including the error events, number of VPCs, activity over time, and the detailed list of error activities.

Recommended input types: SQS-based S3, Metadata
VPCs aws:metadata
Error Events aws:cloudtrail
Network VPC Actions aws:cloudtrail
VPC Activity Over Time aws:cloudtrail
Detailed VPC Activity aws:cloudtrail
VPC Error Activity aws:cloudtrail
Resource Activity Shows the resource changes over time and the detailed change list.

Recommended input types: SQS-based S3
Changes Over Time aws:config:notification
Changes by Resource Type aws:config:notification
Resources aws:config:notification
User Activity Describes user activity in your AWS environment, including the number of active users, error/unauthorized activities, activity over time, and list of activities. You can also filter activities by ARN or username.

Recommended input types: SQS-based S3
Active Users aws:cloudtrail
Error Activities aws:cloudtrail
Unauthorized Activities aws:cloudtrail
User Activity by Event Name Over Time aws:cloudtrail
User Activity by User Name Over Time aws:cloudtrail
Most Recent User Activity Grouped by Event Name aws:cloudtrail
Event Details aws:cloudtrail
Geographic Source of Event(s) aws:cloudtrail
CloudFront - Traffic Analysis Traffic and error metrics about your CloudFront distribution.

Recommended input types: SQS-based S3
Total Requests aws:cloudfront:accesslogs
Error Requests aws:cloudfront:accesslogs
Total Request Traffic aws:cloudfront:accesslogs
Total Response Traffic aws:cloudfront:accesslogs
Cache Hit Ratio aws:cloudfront:accesslogs
Traffic Size by Location (Bytes) aws:cloudfront:accesslogs
Request Count by Location aws:cloudfront:accesslogs
HTTP Status aws:cloudfront:accesslogs
User Agents aws:cloudfront:accesslogs
CloudFront Edge Details aws:cloudfront:accesslogs
Top URLs aws:cloudfront:accesslogs
Top Request by Edge Location aws:cloudfront:accesslogs
Slowest Requests aws:cloudfront:accesslogs
Heaviest Traffic Requests aws:cloudfront:accesslogs
Latency Over Time aws:cloudfront:accesslogs
Traffic (MB) Over Time aws:cloudfront:accesslogs
ELB - Traffic Analysis Data from your ELB access logs.

Recommended input types: SQS-based S3
Total Entries aws:elb:accesslogs
Total ELBs aws:elb:accesslogs
Unique Clients aws:elb:accesslogs
Total Data Sent aws:elb:accesslogs
Total Data Received aws:elb:accesslogs
Traffic Size by Location (Bytes) aws:elb:accesslogs
Request Count by Location aws:elb:accesslogs
Error Entries aws:elb:accesslogs
Average Processing Time aws:elb:accesslogs
Top Error-Causing Requests aws:elb:accesslogs
Error Count aws:elb:accesslogs
Top Time-Consuming Requests aws:elb:accesslogs
Processing Time (ms) aws:elb:accesslogs
S3 - Traffic Analysis Data from your S3 access logs.

Recommended input types: SQS-based S3
Total Requests aws:s3:accesslogs
Error Requests aws:s3:accesslogs
Total Traffic aws:s3:accesslogs
Average Processing Time aws:s3:accesslogs
Traffic Size by Location (Bytes) aws:s3:accesslogs
Request Count by Location aws:s3:accesslogs
HTTP Status aws:s3:accesslogs
S3 Error Code aws:s3:accesslogs
Top User Agents aws:s3:accesslogs
Top Requests aws:s3:accesslogs
Request Count Over Time aws:s3:accesslogs
Top Error Requests aws:s3:accesslogs
Error Count Over Time aws:s3:accesslogs
VPC Flow Logs - Traffic Analysis Provides an overview of your network traffic.

Recommended input types: SQS-based S3
Monitored Interfaces aws:cloudwatchlogs:vpcflow
Traffic Protocols aws:cloudwatchlogs:vpcflow
All Traffic (GB) aws:cloudwatchlogs:vpcflow
Traffic Destinations aws:cloudwatchlogs:vpcflow
Traffic Sources aws:cloudwatchlogs:vpcflow
Traffic Over Time by Interface (Top 5) aws:cloudwatchlogs:vpcflow
Traffic Size by Protocol and Location aws:cloudwatchlogs:vpcflow
Top Destination Addresses aws:cloudwatchlogs:vpcflow
Top Destination Ports aws:cloudwatchlogs:vpcflow
Top Source Addresses aws:cloudwatchlogs:vpcflow
VPC Flow Logs - Security Analysis Provides an overview of your rejected network traffic.

Recommended input types: SQS-based S3
Accepted vs. Rejected Over Time (Bytes) aws:cloudwatchlogs:vpcflow
Accepted vs. Rejected Traffic by Location aws:cloudwatchlogs:vpcflow
Top Rejected Destination Ports aws:cloudwatchlogs:vpcflow
Top Rejected Source Addresses aws:cloudwatchlogs:vpcflow
Top 50 Rejected Address Pairs aws:cloudwatchlogs:vpcflow

Insights dashboards

The following table outlines the contents of the insights dashboards in the Splunk App for AWS Security Dashboards:

Dashboard Description and recommended input types in the Splunk Add-on for AWS Panel Source Type
Security Group Insights Displays different severity levels of detected problems with the configuration and usage of security groups in your AWS environment..

Recommended input types: Metadata.
Security Group Insights aws:metadata
IAM Insights Displays different severity levels of detected problems with IAM authentication setup and management in your AWS environment

Recommended input types: Metadata and SQS-based S3.
IAM Insights aws:metadata
Last modified on 14 August, 2024
Analyze data using the Splunk App for AWS Security Dashboards   Filter dashboards using tags

This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters