Saved searches for the Splunk App for AWS Security Dashboards
The Splunk App for AWS Security Dashboards includes the following saved searches.
To enable or disable a saved search:
- From the Settings menu, choose Searches, reports, and alerts.
- Locate the saved search by filtering the list, or enter its name in the filter field to search for it.
- Under the Action column of the saved search, choose Edit > Enable/Disable to enable or disable it.
The Addon Metadata - Summarize AWS Inputs saved search is included in the Splunk Add-on for AWS and is disabled by default, but you MUST enable this saved search on the add-on side for the Splunk App for AWS Security Dashboards to work properly. This saved search aggregates inputs and accounts data in the summary index.
| Name | Purpose | Action required |
|---|---|---|
| AWS Security Addon Synchronization | Synchronizes macro searches between the Splunk Add-on for AWS and the Splunk App for AWS. Fetches AWS account IDs from index=summary and adds them to a CSV lookup (all_account_ids.csv). The Splunk App for AWS never deletes account IDs from the CSV lookup. | If you use any indexes other than main, run and schedule this saved search to update the app's index search macro. |
| AWS Security CloudTrail Alert: IAM: Create/Delete Roles | CloudTrail alert triggered by creation or deletion of roles in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: IAM: Create/Delete/Update Access Keys | CloudTrail alert triggered by creation, deletion, or update of access keys in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: IAM: Create/Delete/Update Groups | CloudTrail alert triggered by creation, deletion, or update of groups in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: IAM: Create/Delete/Update Users | CloudTrail alert triggered by creation, deletion, or update of users in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: IAM: Group Membership Updates | CloudTrail alert triggered by group membership changes in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions | CloudTrail alert triggered by reboot, stop, or terminate actions on instances in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: Instances: Run/Start Actions | CloudTrail alert triggered by run or start actions on instances in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: Key Pairs: Create/Delete/Import Key Pairs | CloudTrail alert triggered by creation, deletion, or import of key pairs in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: Security Groups: Create/Delete Groups | CloudTrail alert triggered by creation or deletion of security groups in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: Unauthorized Actions | CloudTrail alert triggered by any unauthorized actions in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: VPC: Create/Delete VPC | CloudTrail alert triggered by creation or deletion of VPCs in AWS. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: VPC: Create/Delete/Attach Network Interfaces | CloudTrail alert triggered by creation, deletion, or attachment of network interfaces in VPCs. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail Alert: VPC: Create/Delete/Replace Network ACLs | CloudTrail alert triggered by creation, deletion, or replacement of network ACLs in VPCs. | To use this alert, enable it on the Alerts page in the app. |
| AWS Security CloudTrail EventName Appender | Extracts the event names from CloudTrail. | Automatically enabled when you run the AWS Security Addon Synchronization saved search. Scheduled to run every twenty minutes: on the hour, twenty minutes past the hour, and forty minutes past the hour. |
| AWS Security CloudTrail EventName Generator | Extracts the event names from CloudTrail for All Time. | No action required. Automatically runs when you run AWS Security Addon Synchronization. Runs once over a time range of All Time; it requires only one execution and is disabled after that. |
| AWS Security CloudTrail S3 Data Event Search | Used for report acceleration. | Accelerated search. No action required. |
| AWS Security CloudTrail Timechart Search | Used for report acceleration. | Accelerated search. No action required. |
| AWS Security Config - Tags Appender | Extracts user tags from Config data. | Automatically enabled when you run the AWS Security Addon Synchronization saved search. Scheduled to run once daily at midnight. |
| AWS Security Config - Tags Generator | Extracts user tags from Config data for All Time. | No action required. Automatically runs when you run AWS Security Addon Synchronization. Runs once over a time range of All Time; it requires only one execution and is disabled after that. |
| AWS Security Metadata - CloudFront Edges Appender | Generates metadata for CloudFront edges. | Automatically enabled when you run AWS Security Addon Synchronization through the Saved Search tab. Scheduled to run on an hourly basis. |
| AWS Security Metadata - CloudFront Edges Generator | Generates metadata for CloudFront edges for All Time. | No action required. Automatically runs when you run AWS Security Addon Synchronization. Runs once over a time range of All Time; it requires only one execution and is disabled after that. |
| AWS Security Metadata - S3 Buckets Appender | Populates the aws_security_s3_buckets lookup with each S3 bucket name and its account ID and region. | Automatically enabled when you run AWS Security Addon Synchronization through the Saved Search tab. Scheduled to run on an hourly basis. |
| AWS Security Metadata - S3 Buckets Generator | Populates the aws_security_s3_buckets lookup with each S3 bucket name and its account ID and region for All Time. | No action required. Automatically runs when you run AWS Security Addon Synchronization. Runs once over a time range of All Time; it requires only one execution and is disabled after that. |
| AWS Security VPC Flow Logs Summary Generator (Dest Port, Dest IP, Src IP) | Generates VPC Flow Logs data in the summary index. | Automatically enabled when you run the AWS Security Addon Synchronization saved search. |
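As an added example that is not part of this documentation or of the app itself: a small Python reimplementation of the CloudTrail alert triggers listed in the table, run over constructed sample records in CloudTrail's log-file layout. The eventSource/eventName mapping for each alert and the errorCode values used for the Unauthorized Actions alert are assumptions about which API calls each alert corresponds to; the app's own search definitions are not shown on this page.

```python
import json

# Assumed mapping from each CloudTrail alert in the table to the eventSource and
# eventName values it would match; illustrative, not the app's shipped searches.
ALERT_RULES = {
    "IAM: Create/Delete Roles": ("iam.amazonaws.com", {"CreateRole", "DeleteRole"}),
    "IAM: Create/Delete/Update Access Keys": ("iam.amazonaws.com", {"CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey"}),
    "IAM: Create/Delete/Update Groups": ("iam.amazonaws.com", {"CreateGroup", "DeleteGroup", "UpdateGroup"}),
    "IAM: Create/Delete/Update Users": ("iam.amazonaws.com", {"CreateUser", "DeleteUser", "UpdateUser"}),
    "IAM: Group Membership Updates": ("iam.amazonaws.com", {"AddUserToGroup", "RemoveUserFromGroup"}),
    "Instances: Reboot/Stop/Terminate Actions": ("ec2.amazonaws.com", {"RebootInstances", "StopInstances", "TerminateInstances"}),
    "Instances: Run/Start Actions": ("ec2.amazonaws.com", {"RunInstances", "StartInstances"}),
    "Key Pairs: Create/Delete/Import Key Pairs": ("ec2.amazonaws.com", {"CreateKeyPair", "DeleteKeyPair", "ImportKeyPair"}),
    "Security Groups: Create/Delete Groups": ("ec2.amazonaws.com", {"CreateSecurityGroup", "DeleteSecurityGroup"}),
    "VPC: Create/Delete VPC": ("ec2.amazonaws.com", {"CreateVpc", "DeleteVpc"}),
    "VPC: Create/Delete/Attach Network Interfaces": ("ec2.amazonaws.com", {"CreateNetworkInterface", "DeleteNetworkInterface", "AttachNetworkInterface"}),
    "VPC: Create/Delete/Replace Network ACLs": ("ec2.amazonaws.com", {"CreateNetworkAcl", "DeleteNetworkAcl", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"}),
}
# errorCode values CloudTrail records for denied calls (assumed criterion for "Unauthorized Actions").
UNAUTHORIZED_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

def classify(record):
    """Return the alert names (as in the table) that one CloudTrail record would trigger."""
    hits = []
    if record.get("errorCode") in UNAUTHORIZED_ERROR_CODES:
        hits.append("Unauthorized Actions")  # a denied attempt also still matches its action alert below
    for name, (source, events) in ALERT_RULES.items():
        if record.get("eventSource") == source and record.get("eventName") in events:
            hits.append(name)
    return hits

def alert_counts(records):
    """Count triggered alerts across a batch of records, e.g. one CloudTrail log file."""
    counts = {}
    for rec in records:
        for alert in classify(rec):
            counts[alert] = counts.get(alert, 0) + 1
    return counts

# Constructed sample log file in CloudTrail's {"Records": [...]} layout; not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "recipientAccountId": "111111111111"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "recipientAccountId": "111111111111"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]})

def load_records(raw_json):
    return json.loads(raw_json)["Records"]
```

Calling `alert_counts(load_records(SAMPLE_LOG))` yields one hit each for the access-key, terminate, run/start and unauthorized alerts, and nothing for the read-only DescribeInstances call.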
This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.1.1, 1.1.2