Splunk® Enterprise Security

Use Splunk Enterprise Security

User and Authentication Activity in

Monitor your Amazon Web Services (AWS) user activity to uncover suspicious behaviors that may be associated with malicious activity, such as activity spikes or unusual events.

Use the IAM Activity Dashboard

Use the IAM Activity Dashboard to monitor user activity in your environment, including error events, the users with the most activity, activity over time, and a detailed list of error activities.

  1. From the menu bar, select Cloud Security.
  2. Click IAM Activity.

The IAM Activity Dashboard includes the following panels:

| Panel | Source Type | Datamodel |
|---|---|---|
| Error Events | aws:cloudtrail | datamodel=Change.All_Changes |
| Activity by User | aws:cloudtrail | datamodel=Change.All_Changes |
| IAM Actions | aws:cloudtrail | datamodel=Change.All_Changes |
| IAM Actions Over Time | aws:cloudtrail | datamodel=Change.All_Changes |
| Success vs. Failure Activity | aws:cloudtrail | datamodel=Change.All_Changes |
| Most Recent IAM Activity | aws:cloudtrail | datamodel:"Change.Account_Management" |
| IAM Error Activity | aws:cloudtrail | datamodel:"Change.Account_Management" |

Filter your panel results

You can filter the results that you see in the dashboard panels.

| Filter | Description |
|---|---|
| Account ID | Specify one or more of the data account IDs that you chose during onboarding. |
| Regions | Specify one or more of the data source regions that you chose during onboarding. |
| Status | Choose from the following statuses: All - All event statuses, including both successes and errors. Error - Only error event statuses. Some panels are based on error trends, so there is no difference in the results if you select All or if you select Error. |
| Action | Choose from the following actions: All - All event actions. Each action - You can filter on each action individually or a combination of actions. |
| Time Range | Define the time range of a search with the time range picker. |
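The following added example is not Splunk code and does not reproduce the dashboard's searches, which this page does not show. It is a Python sketch of how the Account ID, Regions, Status, and Action filters and the panel-style counts could be derived from raw CloudTrail records. The function names and sample records are constructed for illustration; it assumes CloudTrail's `eventSource`, `eventName`, `awsRegion`, `recipientAccountId`, `userIdentity`, and `errorCode` fields.

```python
from collections import Counter

def make_event(name, region, account, user, error=None):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    rec = {"eventSource": "iam.amazonaws.com", "eventName": name,
           "awsRegion": region, "recipientAccountId": account,
           "userIdentity": {"type": "IAMUser", "userName": user}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return rec

# Constructed sample; regions vary only so the region filter has something to do.
SAMPLE_EVENTS = [
    make_event("CreateUser", "us-east-1", "111111111111", "alice"),
    make_event("AttachUserPolicy", "us-east-1", "111111111111", "alice"),
    make_event("CreateAccessKey", "us-east-1", "111111111111", "bob", "AccessDenied"),
    make_event("DeleteUser", "eu-west-1", "222222222222", "bob", "AccessDenied"),
    make_event("CreateAccessKey", "us-east-1", "111111111111", "bob", "LimitExceeded"),
    make_event("ListUsers", "eu-west-1", "222222222222", "carol"),
]

def iam_activity(events, account_ids=None, regions=None, status="All", actions=None):
    """Apply dashboard-style filters, then compute panel-like aggregates."""
    by_user, by_action, outcome, errors = Counter(), Counter(), Counter(), []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue  # assumption: only IAM API calls count as IAM activity
        if account_ids and ev.get("recipientAccountId") not in account_ids:
            continue
        if regions and ev.get("awsRegion") not in regions:
            continue
        if actions and ev.get("eventName") not in actions:
            continue
        failed = "errorCode" in ev
        if status == "Error" and not failed:
            continue
        ident = ev.get("userIdentity", {})
        # Role sessions carry no userName, so fall back to the ARN.
        user = ident.get("userName") or ident.get("arn") or "unknown"
        by_user[user] += 1
        by_action[ev["eventName"]] += 1
        outcome["failure" if failed else "success"] += 1
        if failed:
            errors.append((user, ev["eventName"], ev["errorCode"]))
    return {"activity_by_user": by_user.most_common(),
            "iam_actions": by_action.most_common(),
            "success_vs_failure": dict(outcome), "error_events": errors}
```

In this sketch the `error_events` list is identical for `status="All"` and `status="Error"`, which mirrors the note above that error-based panels show no difference between the two settings.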
Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
