User and Authentication Activity in
Monitor your Amazon Web Services (AWS) user activity to uncover suspicious behaviors that may be associated with malicious activity, such as activity spikes or unusual events.
Use the IAM Activity Dashboard
Use the IAM Activity Dashboard to monitor user activity in your environment, including error events, the users with the most activity, activity over time, and a detailed list of error activities.
- From the menu bar, select Cloud Security.
- Click IAM Activity.
The IAM Activity Dashboard includes the following panels:
Panel | Source Type | Datamodel |
---|---|---|
Error Events | aws:cloudtrail | datamodel=Change.All_Changes |
Activity by User | aws:cloudtrail | datamodel=Change.All_Changes |
IAM Actions | aws:cloudtrail | datamodel=Change.All_Changes |
IAM Actions Over Time | aws:cloudtrail | datamodel=Change.All_Changes |
Success vs. Failure Activity | aws:cloudtrail | datamodel=Change.All_Changes |
Most Recent IAM Activity | aws:cloudtrail | datamodel:"Change.Account_Management" |
IAM Error Activity | aws:cloudtrail | datamodel:"Change.Account_Management" |
Filter your panel results
You can filter the results that you see in the dashboard panels.
Filter | Description |
---|---|
Account ID | Specify one or more of the data account IDs that you chose during onboarding. |
Regions | Specify one or more of the data source regions that you chose during onboarding. |
Status | Choose from the following statuses: |
Action | Choose from the following actions: |
Time Range | Define the time range of a search with the time range picker. |
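The panel views and filters described on this page can be reproduced offline to see what they summarize. The following Python is an added example, not Splunk's dashboard searches: it aggregates constructed CloudTrail-shaped records by user, action and outcome, with optional account and region filters. The function names, sample users and account IDs are assumptions made for illustration.

```python
from collections import Counter

def make_event(time, name, ident, acct="111111111111", err=None, src="iam.amazonaws.com"):
    """Build one constructed CloudTrail-shaped record (sample data, not real logs)."""
    rec = {"eventTime": time, "eventSource": src, "eventName": name,
           "awsRegion": "us-east-1", "recipientAccountId": acct, "userIdentity": ident}
    if err:
        rec["errorCode"] = err  # CloudTrail includes errorCode only when the call failed
    return rec

ALICE = {"type": "IAMUser", "userName": "alice"}
CI_ROLE = {"type": "AssumedRole",
           "sessionContext": {"sessionIssuer": {"userName": "ci-deploy"}}}
SAMPLE_EVENTS = [
    make_event("2024-01-01T10:00:00Z", "CreateUser", ALICE),
    make_event("2024-01-01T10:01:00Z", "AttachUserPolicy", ALICE, err="AccessDenied"),
    make_event("2024-01-01T10:02:00Z", "CreateAccessKey", CI_ROLE, err="AccessDenied"),
    make_event("2024-01-01T10:03:00Z", "ListUsers", CI_ROLE),
    make_event("2024-01-01T10:04:00Z", "DeleteUser", {"type": "Root"}, acct="222222222222"),
    make_event("2024-01-01T10:05:00Z", "RunInstances", ALICE, src="ec2.amazonaws.com"),
]

def actor(record):
    """Map userIdentity to one name so role sessions group under their role."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName", "unknown-role")
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")

def summarize(records, account_ids=None, regions=None):
    """Aggregate IAM events into per-user, per-action and outcome counts."""
    by_user, actions, status, errors = Counter(), Counter(), Counter(), []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com":
            continue  # only IAM API calls belong in these views
        if account_ids and r.get("recipientAccountId") not in account_ids:
            continue
        if regions and r.get("awsRegion") not in regions:
            continue
        user, failed = actor(r), "errorCode" in r
        by_user[user] += 1
        actions[r["eventName"]] += 1
        status["failure" if failed else "success"] += 1
        if failed:
            errors.append((r["eventTime"], user, r["eventName"], r["errorCode"]))
    return {"by_user": by_user, "actions": actions, "status": status, "errors": errors}
```

Calling `summarize(SAMPLE_EVENTS, account_ids={"111111111111"})` narrows every view to one account, the same way the Account ID filter narrows every panel.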
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0