Overview of the dashboards in the Splunk App for AWS Security Dashboards
The Splunk App for AWS Security Dashboards offers a variety of dashboards to give you insight into your AWS data. As you navigate from one dashboard to another, the app retains your most recent filter selections for Account ID and region to facilitate easy browsing.
Each dashboard is powered by data collected from your AWS environment using one or more input types configured in the Splunk Add-on for AWS. The dashboard overview tables below show the recommended input types to configure for each dashboard.
For detailed information about the supported input types for each source type, see Supported data types and corresponding AWS input types in the Splunk Add-on for AWS manual.
If you do not see data in a particular dashboard panel, check the source type of the panel for which data is missing. For example, if your Changes Over Time panel on the Resource Activity dashboard shows zeroes, but you know changes have been made in your AWS environment, search sourcetype=aws:config:notification to verify that data is coming in to your Splunk platform from that source type.
If you do not see events, troubleshoot that input with a Splunk administrator, and make sure that proper AWS permissions have been configured for the Splunk Add-on for AWS. See the installation overview topic in the Splunk Add-on for AWS manual to identify the input permissions you need for your deployment.
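The per-source-type check above can be run for every source type the dashboards depend on in one search. The following is an added example and not a search shipped with the app; it assumes the add-on writes to indexes your role can search (index=* only covers indexes you are permitted to read) and treats a source type with no events in the last 24 hours, or whose newest event is older than two hours, as a problem. The thresholds are illustrative: Metadata inputs run on a polling schedule, so an age of a few hours for aws:metadata can be normal, while aws:cloudtrail should rarely be more than 15 to 30 minutes behind.

```spl
| makeresults
| eval sourcetype=split("aws:cloudtrail,aws:metadata,aws:config,aws:config:notification,aws:s3:accesslogs,aws:cloudfront:accesslogs,aws:elb:accesslogs,aws:cloudwatchlogs:vpcflow", ",")
| mvexpand sourcetype
| fields sourcetype
| join type=left sourcetype
    [| tstats count AS events latest(_time) AS last_seen WHERE index=* earliest=-24h BY sourcetype]
| fillnull value=0 events
| eval age_h=if(events=0, null(), round((now()-last_seen)/3600, 1))
| eval status=case(events=0, "NO DATA: input not configured, wrong sourcetype, or missing AWS permissions",
                   age_h>2, "STALE: input stopped or AWS delivery delayed",
                   true(), "OK")
| convert ctime(last_seen)
| table sourcetype events last_seen age_h status
```

Rows marked NO DATA map directly to empty dashboard panels in the tables below (for example, no aws:config:notification means the Resource Activity dashboard will be blank). A STALE row with a recent last_seen on aws:cloudtrail but nothing newer usually points at the SQS queue or the S3 bucket notification rather than at Splunk, so check the queue depth and the add-on's input logs before re-indexing.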
Overview
The following table summarizes the contents of the Security Overview dashboard, with special attention to input type, panel name, and source type:
Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source Type |
---|---|---|---|
Security Overview | Displays the number of error events from different services. Drill down to more detailed dashboards from this overview. Recommended input types: Description and SQS-based S3. | IAM Errors | aws:cloudtrail |
Security Overview | | VPC Errors | aws:cloudtrail |
Security Overview | | Security Group Errors | aws:cloudtrail |
Security Overview | | Key Pair Errors | aws:cloudtrail |
Security Overview | | Network ACL Errors | aws:cloudtrail |
Security Overview | | Unauthorized Activity | aws:cloudtrail |
Security Overview | | Authorized vs. Unauthorized IAM Activity | aws:cloudtrail |
Security Overview | | Authorized vs. Unauthorized Activity by User | aws:cloudtrail |
Security Overview | | Authorized vs. Unauthorized Activity by Event Name | aws:cloudtrail |
If you see a message indicating that the Notable CloudTrail Activity by Origin map cannot display, this is because AWS does not provide a valid sourceIPAddress for data in the AWS region at this time. The same panel also cannot plot events whose sourceIPAddress is not an IP address at all, such as calls made on your behalf by an AWS service (recorded as a service DNS name like cloudformation.amazonaws.com) or events recorded with the value AWS Internal; filter those values out before geolocating if you build your own map.
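The Authorized vs. Unauthorized panels above split CloudTrail events by their errorCode. The following search is an added example that reproduces that split at the search bar so a spike can be investigated without the dashboard; it is not the app's own panel search. It assumes the add-on's JSON field extractions for aws:cloudtrail (errorCode, eventSource, eventName, userIdentity.arn, sourceIPAddress) and classifies AccessDenied, AccessDeniedException and (Client.)UnauthorizedOperation as unauthorized; any other errorCode counts as a plain error, and no errorCode means the call succeeded.

```spl
sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com earliest=-24h
| eval outcome=case(
      match(coalesce(errorCode, ""), "AccessDenied|UnauthorizedOperation"), "unauthorized",
      isnotnull(errorCode), "error",
      true(), "authorized")
| stats count(eval(outcome="authorized")) AS authorized
        count(eval(outcome="unauthorized")) AS unauthorized
        count(eval(outcome="error")) AS other_errors
        values(eventName) AS event_names
        dc(sourceIPAddress) AS source_ips
        BY userIdentity.arn
| where unauthorized > 0
| sort - unauthorized
```

The stats by userIdentity.arn corresponds to the Authorized vs. Unauthorized Activity by User panel; drop the eventSource filter for the all-services view of the Unauthorized Activity panel, or replace the BY clause with eventName for the by-event-name panel. Two things to keep in mind when reading the result: an assumed role appears as the role session ARN (arn:aws:sts::...:assumed-role/Role/Session), and the principal that assumed it is only in userIdentity.sessionContext.sessionIssuer; and a single user with many AccessDenied events across many eventName values is the typical signature of credentials being used to enumerate what they are allowed to do.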
Security dashboards
The following table outlines the contents of the security-related dashboards in the Splunk App for AWS Security Dashboards:
Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source Type |
---|---|---|---|
Network ACLs | Describes the Network ACL activity in your AWS environment, including error events, the number of Network ACLs, activity over time, and the detailed list of error activities. Recommended input types: Metadata and SQS-based S3. | Network ACLs | aws:metadata |
Network ACLs | | Error Events | aws:cloudtrail |
Network ACLs | | Network ACL actions | aws:cloudtrail |
Network ACLs | | Network ACL Activity Over Time | aws:cloudtrail |
Network ACLs | | Detailed Network ACLs Activity | aws:cloudtrail |
Network ACLs | | Network ACL Error Activity | aws:cloudtrail |
Security Groups | Describes security group activity in your AWS environment, including error events, number of security groups and rules, any unused security groups, activity over time, and the detailed list of error activities. Recommended input types: Metadata and SQS-based S3. | Security Groups | aws:metadata |
Security Groups | | Security Group Rules | aws:metadata |
Security Groups | | Error Events | aws:cloudtrail |
Security Groups | | Security Group Actions | aws:cloudtrail |
Security Groups | | Unused Security Groups | aws:config |
Security Groups | | Security Group Activity Over Time | aws:cloudtrail |
Security Groups | | Security Group Activity | aws:cloudtrail |
Security Groups | | Authorize and Revoke Activity | aws:cloudtrail |
Security Groups | | Security Group Error Activity | aws:cloudtrail |
IAM Activity | Describes IAM activity in your environment, including the error events, which users have the most activity, activity over time, and the detailed list of error activities. Recommended input types: SQS-based S3. | Error Events | aws:cloudtrail |
IAM Activity | | Activity by User | aws:cloudtrail |
IAM Activity | | IAM Actions | aws:cloudtrail |
IAM Activity | | IAM Activity Over Time | aws:cloudtrail |
IAM Activity | | Authorized vs. Unauthorized Activity | aws:cloudtrail |
IAM Activity | | Detailed IAM Activity | aws:cloudtrail |
IAM Activity | | IAM Error Activity | aws:cloudtrail |
Key Pairs Activity | Describes the key pair activity in your AWS environment, including error events, the number of in-use key pairs, which key pair is most used, activity over time, and the detailed list of error activities. Recommended input types: Metadata and SQS-based S3. | In-use Key Pairs | aws:metadata |
Key Pairs Activity | | Error Events | aws:cloudtrail |
Key Pairs Activity | | Key Pair Actions | aws:cloudtrail |
Key Pairs Activity | | Key Pair Usage | aws:metadata |
Key Pairs Activity | | Key Pair Activity Over Time | aws:cloudtrail |
Key Pairs Activity | | Detailed Key Pair Activity | aws:cloudtrail |
Key Pairs Activity | | Key Pair Error Activity | aws:cloudtrail |
S3 Data Events | Displays S3 data event statistics. Recommended input types: Metadata and SQS-based S3. | Error Events | aws:s3:accesslogs |
S3 Data Events | | Unauthorized Events | aws:s3:accesslogs |
S3 Data Events | | Activities by User | aws:s3:accesslogs |
S3 Data Events | | Events by UserAgent | aws:s3:accesslogs |
S3 Data Events | | Events by UserName | aws:s3:accesslogs |
S3 Data Events | | Events by BucketName | aws:s3:accesslogs |
S3 Data Events | | Events Over Time | aws:s3:accesslogs |
S3 Data Events | | Events by Origin | aws:s3:accesslogs |
S3 Data Events | | Most Frequently Accessed Objects - Top 10 | aws:s3:accesslogs |
S3 Data Events | | Most Recent Modifications - Latest 10 | aws:s3:accesslogs |
VPC Activity | Describes VPC activity in your environment, including the error events, number of VPCs, activity over time, and the detailed list of error activities. Recommended input types: Metadata and SQS-based S3. | VPCs | aws:metadata |
VPC Activity | | Error Events | aws:cloudtrail |
VPC Activity | | Network VPC Actions | aws:cloudtrail |
VPC Activity | | VPC Activity Over Time | aws:cloudtrail |
VPC Activity | | Detailed VPC Activity | aws:cloudtrail |
VPC Activity | | VPC Error Activity | aws:cloudtrail |
Resource Activity | Shows the resource changes over time and the detailed change list. Recommended input types: SQS-based S3. | Changes Over Time | aws:config:notification |
Resource Activity | | Changes by Resource Type | aws:config:notification |
Resource Activity | | Resources | aws:config:notification |
User Activity | Describes user activity in your AWS environment, including the number of active users, error/unauthorized activities, activity over time, and list of activities. You can also filter activities by ARN or username. Recommended input types: SQS-based S3. | Active Users | aws:cloudtrail |
User Activity | | Error Activities | aws:cloudtrail |
User Activity | | Unauthorized Activities | aws:cloudtrail |
User Activity | | User Activity by Event Name Over Time | aws:cloudtrail |
User Activity | | User Activity by User Name Over Time | aws:cloudtrail |
User Activity | | Most Recent User Activity Grouped by Event Name | aws:cloudtrail |
User Activity | | Event Details | aws:cloudtrail |
User Activity | | Geographic Source of Event(s) | aws:cloudtrail |
CloudFront - Traffic Analysis | Traffic and error metrics about your CloudFront distribution. Recommended input types: SQS-based S3. | Total Requests | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Error Requests | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Total Request Traffic | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Total Response Traffic | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Cache Hit Ratio | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Traffic Size by Location (Bytes) | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Request Count by Location | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | HTTP Status | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | User Agents | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | CloudFront Edge Details | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Top URLs | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Top Request by Edge Location | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Slowest Requests | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Heaviest Traffic Requests | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Latency Over Time | aws:cloudfront:accesslogs |
CloudFront - Traffic Analysis | | Traffic (MB) Over Time | aws:cloudfront:accesslogs |
ELB - Traffic Analysis | Data from your ELB access logs. Recommended input types: SQS-based S3. | Total Entries | aws:elb:accesslogs |
ELB - Traffic Analysis | | Total ELBs | aws:elb:accesslogs |
ELB - Traffic Analysis | | Unique Clients | aws:elb:accesslogs |
ELB - Traffic Analysis | | Total Data Sent | aws:elb:accesslogs |
ELB - Traffic Analysis | | Total Data Received | aws:elb:accesslogs |
ELB - Traffic Analysis | | Traffic Size by Location (Bytes) | aws:elb:accesslogs |
ELB - Traffic Analysis | | Request Count by Location | aws:elb:accesslogs |
ELB - Traffic Analysis | | Error Entries | aws:elb:accesslogs |
ELB - Traffic Analysis | | Average Processing Time | aws:elb:accesslogs |
ELB - Traffic Analysis | | Top Error-Causing Requests | aws:elb:accesslogs |
ELB - Traffic Analysis | | Error Count | aws:elb:accesslogs |
ELB - Traffic Analysis | | Top Time-Consuming Requests | aws:elb:accesslogs |
ELB - Traffic Analysis | | Processing Time (ms) | aws:elb:accesslogs |
S3 - Traffic Analysis | Data from your S3 access logs. Recommended input types: SQS-based S3. | Total Requests | aws:s3:accesslogs |
S3 - Traffic Analysis | | Error Requests | aws:s3:accesslogs |
S3 - Traffic Analysis | | Total Traffic | aws:s3:accesslogs |
S3 - Traffic Analysis | | Average Processing Time | aws:s3:accesslogs |
S3 - Traffic Analysis | | Traffic Size by Location (Bytes) | aws:s3:accesslogs |
S3 - Traffic Analysis | | Request Count by Location | aws:s3:accesslogs |
S3 - Traffic Analysis | | HTTP Status | aws:s3:accesslogs |
S3 - Traffic Analysis | | S3 Error Code | aws:s3:accesslogs |
S3 - Traffic Analysis | | Top User Agents | aws:s3:accesslogs |
S3 - Traffic Analysis | | Top Requests | aws:s3:accesslogs |
S3 - Traffic Analysis | | Request Count Over Time | aws:s3:accesslogs |
S3 - Traffic Analysis | | Top Error Requests | aws:s3:accesslogs |
S3 - Traffic Analysis | | Error Count Over Time | aws:s3:accesslogs |
VPC Flow Logs - Traffic Analysis | Provides an overview of your network traffic. Recommended input types: SQS-based S3. | Monitored Interfaces | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Traffic Protocols | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | All Traffic (GB) | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Traffic Destinations | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Traffic Sources | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Traffic Over Time by Interface (Top 5) | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Traffic Size by Protocol and Location | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Top Destination Addresses | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Top Destination Ports | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Traffic Analysis | | Top Source Addresses | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Security Analysis | Provides an overview of your rejected network traffic. Recommended input types: SQS-based S3. | Accepted vs. Rejected Over Time (Bytes) | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Security Analysis | | Accepted vs. Rejected Traffic by Location | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Security Analysis | | Top Rejected Destination Ports | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Security Analysis | | Top Rejected Source Addresses | aws:cloudwatchlogs:vpcflow |
VPC Flow Logs - Security Analysis | | Top 50 Rejected Address Pairs | aws:cloudwatchlogs:vpcflow |
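The VPC Flow Logs - Security Analysis panels rank rejected traffic by address, port and address pair. The question an analyst usually asks next is which external sources are sweeping many ports or many hosts, which a top-N list by volume hides. The following search is an added example and not one of the app's panels; it assumes the add-on's field extractions for aws:cloudwatchlogs:vpcflow (action, src_ip, dest_ip, dest_port, interface_id), excludes RFC 1918 sources so that only Internet-facing probes remain, and uses illustrative thresholds that you should tune to your environment.

```spl
sourcetype=aws:cloudwatchlogs:vpcflow action=REJECT earliest=-1h
| where NOT cidrmatch("10.0.0.0/8", src_ip)
      AND NOT cidrmatch("172.16.0.0/12", src_ip)
      AND NOT cidrmatch("192.168.0.0/16", src_ip)
| stats count AS reject_records
        dc(dest_port) AS distinct_ports
        dc(dest_ip) AS distinct_hosts
        dc(interface_id) AS interfaces
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY src_ip
| eval pattern=case(distinct_ports>=100, "port sweep",
                    distinct_hosts>=20, "host sweep",
                    true(), "noise")
| where pattern!="noise"
| convert ctime(first_seen) ctime(last_seen)
| sort - reject_records
```

Two caveats when reading the output. Each flow log record aggregates packets for one 5-tuple over the capture window, so reject_records counts flows, not packets, and a single host probing one port repeatedly looks small here even if it is loud. REJECT also covers both security group and network ACL denies without saying which one fired; for an interesting source, pivot to the Security Groups and Network ACLs dashboards above to see whether the rule that blocked it was changed recently.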
Insights dashboards
The following table outlines the contents of the insights dashboards in the Splunk App for AWS Security Dashboards:
Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source Type |
---|---|---|---|
Security Group Insights | Displays different severity levels of detected problems with the configuration and usage of security groups in your AWS environment. Recommended input types: Metadata. | Security Group Insights | aws:metadata |
IAM Insights | Displays different severity levels of detected problems with IAM authentication setup and management in your AWS environment. Recommended input types: Metadata and SQS-based S3. | IAM Insights | aws:metadata |
This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.1.1, 1.1.2