Splunk® Security Analytics for AWS

User Manual


Security Groups for your VPC in

Monitor security groups in your Amazon Web Services (AWS) environment so that you have visibility into your virtual firewalls and can manually detect any suspicious activity.

Security Group Dashboard

Use the Security Group Dashboard to monitor security group activity in the AWS environment, including error events, number of security groups and rules, any unused security groups, activity over time, and the detailed list of error activities.

The Security Groups and Security Group Rules panels are snapshots based on the AWS Lambda ingestion interval of three hours. If no events occur during that interval, your dashboards continue to show data based on the last snapshot from three hours ago. Likewise, if no events occur during the time you've chosen in the time range picker, such as one hour, your dashboards still show data based on the last snapshot from three hours ago. See Data Ingestion Mechanisms and Intervals in Data Manager in the Data Manager User Manual.

  1. From the menu bar, select Cloud Security.
  2. Click Security Groups.

The Security Group Dashboard includes the following panels:

| Panel | Source Type | Datamodel |
| --- | --- | --- |
| Security Groups | aws:metadata | n/a |
| Security Group Rules | aws:metadata | n/a |
| Error Events | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes |
| Security Group Actions | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes |
| Security Group Activity Over Time | aws:cloudtrail | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes |
| Most Recent Security Group Activity | aws:cloudtrail | datamodel:"Change"."Network_Changes" |
| Most Recent Authorize and Revoke Activity | aws:cloudtrail | datamodel:"Change"."Network_Changes" |
| Security Group Error Activity | aws:cloudtrail | datamodel:"Change"."Network_Changes" |

Filter your panel results

You can filter the results that you see in the dashboard panels.

| Filter | Description |
| --- | --- |
| Account ID | Specify one or more of the data account IDs that you chose during onboarding. |
| Regions | Specify one or more of the data source regions that you chose during onboarding. |
| Status | Choose from the following statuses: All (all event statuses, including both successes and errors) or Error (only error event statuses). Some panels are based on error trends, so there is no difference in the results whether you select All or Error. |
| Time Range | Define the time range of a search with the time range picker. |


Work with panel drilldown options

For further details, you can drill down into all the panels in your dashboards. Click a panel to see the drilldown options.

| Option | Description |
| --- | --- |
| Open in Search | Open a search bar in Splunk Web to see the SPL syntax for populating the panel with data. If applicable, these searches incorporate the tstats command to perform statistical queries. See tstats for more information. In the search results, click the Statistics tab in Splunk Web to see statistics about your indexed data. |
| Open Events in Search | Open a search bar in Splunk Web to see the SPL syntax for viewing the top 100 raw events that are ingested. If applicable, these searches incorporate the datamodel command to search data model datasets. The datamodel command has the potential to impact performance, so the default is to limit the number of events with head 100 rather than show them all. See datamodel for more information. In the search results, click the Events tab in Splunk Web to see raw events. If you use Open Events in Search but you get the same results as Open in Search, then the panel does not use a data model. |
| Export | Download a .png file of the panel results. |
| Refresh | Update the results of the panel. |
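To make the two drilldown search shapes concrete, here is an added SPL example (not taken from the Splunk manual or the app itself) for a panel such as Security Group Error Activity: the first search is the tstats form that Open in Search produces for statistics, and the second is the datamodel form that Open Events in Search produces for raw events, capped with head 100. The data model, node and source type names come from the panel table above; the field names All_Changes.action, All_Changes.user and All_Changes.status, and the value failure for error events, are assumptions based on the CIM Change data model rather than values the manual states.

```spl
| tstats count from datamodel=Change.All_Changes
    where nodename=All_Changes.Network_Changes sourcetype=aws:cloudtrail
          All_Changes.status=failure
    by All_Changes.action All_Changes.user
| rename All_Changes.* as *
| sort - count

| datamodel Change Network_Changes search
| search sourcetype=aws:cloudtrail All_Changes.status=failure
| head 100
```

Run the two searches separately: the first returns one row per action and user with a count, which is what the Statistics tab shows; the second returns the underlying CloudTrail events for the Events tab, and removing the head 100 clause reads the whole data model dataset, which is the performance cost the manual warns about.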
Last modified on 26 July, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0

