Splunk® Security Analytics for AWS

User Manual

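Release notes for Splunk Security Analytics for AWS

Version 1.0.0 of Splunk Security Analytics for AWS was released on July 12, 2021.

Splunk Security Analytics for AWS 1.0.0 is compatible with Splunk Enterprise Cloud version 8.2.2104.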

Known issues

The following are known issues for Splunk Security Analytics for AWS.

Date filed Issue number Description
22/Jun/21 MUS-148 The Impossible Travel dashboard panel display is misleading. When you view the panel at Cloud Security > Microsoft 365 > Active Directory > Impossible Travel, you expect to see the "top 100" impossible travel events from a set of all impossible travel events. Instead, the panel shows impossible travel events in the "top 100" events where "Operation=UserLoggedIn".
n/a n/a When data onboarding is finished, EC2 events might not show up immediately in the aws_security index. This can cause some dashboards to populate in a delayed manner.
n/a n/a From the menu bar, the first time you navigate to Security Posture you see Health Check warning messages, such as "The server does not meet the recommended minimum system requirements." The check runs the first time you click Security Posture but is not relevant to the beta environment. If you delete the messages, you do not see them on subsequent visits to the Security Posture dashboard.
n/a n/a In the Security Posture dashboard, the panels for Aggregate System Risk and Aggregate User Risk do not immediately populate with data. You might see a blank panel with the message "Failed to Update" instead. If you hover over the message, you can see an error that indicates the reason:
  • "Error in 'apply' command: Failed to load model "total_risk_by_object_type_1d": Model does not exist."
    A tip similar to this one means that there is no risk data object for the systems or the users.
  • "Error in 'apply' command: "None of [Index(['findbest_th=0.01','findbest_th=0.05', 'findbest_th=0.1',\n 'findbest_th=0.25', 'findbest_th=1.0', 'BoundaryRangees_th=0.01',\n 'BoundaryRanges_th=0,05', 'BoundaryRanges_th=0.1',\n 'BoundaryRange"
    A tip similar to this one means that the process runs every 24 hours, so there is nothing to display yet.
Last modified on 12 July, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0
