Analyze data using the Splunk App for AWS Security Dashboards

Use the dashboards provided by the Splunk App for AWS Security Dashboards to access and analyze your data.

See Dashboards overview for an introduction to the Security dashboard.

If you do not see your data, see Troubleshoot the Splunk App for AWS Security Dashboards for tips on how to resolve that issue.

Alerts

The Splunk App for AWS Security Dashboards includes preconfigured alerts that you can use to monitor CloudTrail events. You can find these alerts on the app's Alerts screen.

Use them as templates to build your own alerts, or simply enable them to use the default configuration. For example, if you want to be notified when an IAM role is deleted, enable AWS Security CloudTrail Alert: IAM: Create/Delete Roles.

Reports

The Splunk App for AWS includes a set of reports based on saved searches that are enabled by default when you start collecting data and configuring this app. For more information, see Create indexes and schedule saved searches in the Installation and Configuration Manual.

In most cases, you do not need to run these reports manually. Most of them are scheduled to run every twenty minutes on the hour, at twenty minutes past the hour, and at forty minutes past the hour. If you want to refresh the data sooner, you can run them manually. However, AWS does not deliver CloudTrail or Config data in real time, so you may experience a one to two hour delay before data arrives in your S3 bucket regardless of when you last ran these reports.

Searches

As with any data source, you can search the raw data in the Splunk platform. For a full list of source types to use in your searches, see Source types for the Splunk Add-on for AWS in the Splunk Add-on for AWS manual.