Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

User and Authentication Activity in

Monitor your Amazon Web Services (AWS) user activity to uncover suspicious behaviors that may be associated with malicious activity, such as activity spikes or unusual events.

Use the IAM Activity Dashboard

Use the IAM Activity Dashboard to monitor user activity in your environment, including error events, the users with the most activity, activity over time, and a detailed list of error activities.

  1. From the menu bar, select Cloud Security.
  2. Click IAM Activity.

The IAM Activity Dashboard includes the following panels:

| Panel | Source Type | Datamodel |
|---|---|---|
| Error Events | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Account_Management |
| Activity by User | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Account_Management |
| IAM Actions | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Account_Management |
| IAM Actions Over Time | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Account_Management |
| Success vs. Failure Activity | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Account_Management |
| Most Recent IAM Activity | aws:cloudtrail | datamodel:"Change.Account_Management" |
| IAM Error Activity | aws:cloudtrail | datamodel:"Change.Account_Management" |
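
To look for the activity spikes mentioned above outside the dashboard, you can query the same data model constraint directly. The following search is an added example, not the search that backs any dashboard panel. It assumes the Common Information Model fields `user` and `status` (with the value `failure` for errors) are populated for your `aws:cloudtrail` events; the one-hour bucket and the three-standard-deviation threshold are illustrative choices to tune for your environment.

```spl
| tstats count from datamodel=Change.All_Changes
    where nodename=All_Changes.Account_Management sourcetype="aws:cloudtrail"
    by _time span=1h All_Changes.user All_Changes.status
| rename All_Changes.* as *
| eval failures=if(status="failure", count, 0)
| stats sum(count) as total sum(failures) as failures by _time user
| eventstats avg(failures) as avg_failures stdev(failures) as sd_failures by user
| where failures > 0 AND failures > avg_failures + 3 * sd_failures
| eval failure_pct=round(100 * failures / total, 1)
| sort - failures
```

Run it over a time range long enough to give each user a meaningful baseline. Hours in which a user has no events produce no row, so the per-user average reflects active hours only.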


Filter your panel results

You can filter the results that you see in the dashboard panels.

| Filter | Description |
|---|---|
| Account ID | Specify one or more of the data account IDs that you chose during onboarding. |
| Regions | Specify one or more of the data source regions that you chose during onboarding. |
| Status | Choose from the following statuses: All (all event statuses, including both successes and errors) or Error (only error event statuses). Some panels are based on error trends, so there is no difference in the results if you select All or if you select Error. |
| Action | Choose from the following actions: All (all event actions) or each action (you can filter on each action individually or a combination of actions). |
| Time Range | Define the time range of a search with the time range picker. |

Last modified on 19 January, 2022
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

