Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Security Groups for your VPC in

Monitor security groups in your Amazon Web Services (AWS) environment so that you have visibility into your virtual firewalls and can manually detect any suspicious activity.

Security Group Dashboard

Use the Security Group Dashboard to monitor security group activity in the AWS environment, including error events, number of security groups and rules, any unused security groups, activity over time, and the detailed list of error activities.

The Security Groups and Security Group Rules panels are snapshots based on the AWS Lambda ingestion interval of three hours. If no events occur during that interval, your dashboards continue to show data based on the last snapshot from three hours ago. Likewise, if no events occur during the time you've chosen in the time range picker, such as one hour, your dashboards still show data based on the last snapshot from three hours ago. See Data Ingestion Mechanisms and Intervals in Data Manager in the Data Manager User Manual.

  1. From the menu bar, select Cloud Security.
  2. Click Security Groups.

The Security Group Dashboard includes the following panels:

Panel | Source type | Data model
Error Events | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes
Security Group Actions | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes
Security Group Activity Over Time | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes
Most Recent Security Group Activity | aws:cloudtrail | datamodel:"Change"."Network_Changes"
Most Recent Authorize and Revoke Activity | aws:cloudtrail | datamodel:"Change"."Network_Changes"
Security Group Error Activity | aws:cloudtrail | datamodel:"Change"."Network_Changes"
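As an added example, not one of the dashboard's own panel searches, the following SPL reproduces an activity-over-time view from the same Change data model node and source type the panels use, splitting security group changes into successful and failed hourly counts. It assumes the CIM Change data model fields All_Changes.command (mapped from the CloudTrail eventName, such as AuthorizeSecurityGroupIngress) and All_Changes.status (success or failure); both mappings are assumptions to verify against your AWS add-on version.

```spl
| tstats summariesonly=false count
    from datamodel=Change.All_Changes
    where nodename=All_Changes.Network_Changes
          sourcetype=aws:cloudtrail
          (All_Changes.command="AuthorizeSecurityGroup*"
           OR All_Changes.command="RevokeSecurityGroup*"
           OR All_Changes.command="CreateSecurityGroup"
           OR All_Changes.command="DeleteSecurityGroup")
    by _time span=1h All_Changes.command All_Changes.status
| rename All_Changes.* as *
| eval outcome=if(status="failure", "error", "ok")
| timechart span=1h sum(count) as events by outcome
```

Because ingestion runs on the three-hour Lambda interval described above, the most recent hour of this chart can lag the actual change time; compare its totals with the Security Group Activity Over Time panel over the same time range to confirm your data model is populated.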
Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
