Splunk® Security Analytics for AWS

User Manual


Get an overview of your security posture in

The Security Posture dashboard is a high level overview of observed activity in your Amazon Web Services (AWS) and Microsoft 365 environments. The dashboard provides context for instantaneous operational behaviors, plus notable events and risky trends identified over time.

Use the Security Posture dashboard to view the current state of your environment, so that you can identify what activity to investigate first.

Work with the Cloud Security Metrics dashboard panels

Use the Cloud Security Metrics panels of the Security Posture dashboard to get an instantaneous view of suspicious behavior in your user activity and network infrastructure.

  1. From the Splunk Cloud menu bar, click Apps > .
  2. From the menu bar, select Security Posture.
  3. Click the Cloud Security Metrics tab.
The Cloud Security Metrics tab contains the following panels:

  • IAM Error Trend: Displays the current count of AWS Identity and Access Management (IAM) Access Analyzer error events and the trend of those events for the past 24 hours. The trend line shows a visualization of the data for the past 7 days. See Find out more about error trends.
  • IAM Actions: Displays AWS Identity and Access Management (IAM) Access Analyzer account actions including, but not limited to, the following: creating accounts, creating users, deleting accounts. See Find out more about IAM actions.
  • Unauthorized IAM Activity: Displays AWS Identity and Access Management (IAM) Access Analyzer unauthorized activity including, but not limited to, the following: new services unexpectedly launched, access denied errors, unauthorized errors. The sparkline shows a visualization of the activity for the past 7 days. See Find out more about unauthorized IAM activity.
  • Network ACL Error Trend: Displays the current count of network error events and the trend of those events for the past 24 hours. See Find out more about error trends.
  • Security Group Error Trend: Displays the current count of network error events and the trend of those events for the past 24 hours. See Find out more about error trends.
  • User MFA Activated: Based on the AWS Credential Report, displays the count of multi-factor authentication (MFA) devices that are activated or not activated for users. When the MFA device is enabled for the user, this value is TRUE. When the MFA device is not enabled for the user, the value is FALSE. See Find out more about the IAM credential report.
  • User Access Key Rotation in Last 90 Days: Based on the AWS Credential Report, displays a count of the user access keys that were rotated or not rotated in the last 90 days. See Find out more about the IAM credential report.
  • User Password Changed in Last 90 Days: Based on the AWS Credential Report, displays a count of the user accounts whose passwords were changed or not changed in the last 90 days. See Find out more about the IAM credential report.
  • Microsoft 365 Failed Logins: Based on Microsoft 365 management activity, displays a count of failed logins for the past 7 days across all resources, such as Active Directory, Exchange, and so on.
  • Microsoft 365 Security Alerts: Based on Microsoft 365 management activity, displays a count of security and compliance alerts for the past 7 days.

Work with the Notable Events and Risk Trends dashboard panels

Use the Notable Events and Risk Trends dashboard to get 24-hour and weekly insight into the notable and risky activity across all data sources in your deployment:

  1. From the menu bar, select Security Posture.
  2. Click the Notable Events and Risk Trends tab.
The Notable Events and Risk Trends tab contains the following panels:

  • Notables Today: Displays the notable events for the last 24 hours. See Find out more about notable events.
  • Notables this Week: Displays the notable events for the last 7 days. See Find out more about notable events.
  • Notables by Urgency: Displays the notable events by Urgency for the last 24 hours. Notable Events by Urgency uses an urgency calculation based on the priority assigned to the asset and the severity assigned to the correlation search. See Find out more about notable events.
  • Top Notable Events: Displays the top notable events by rule name, including a total count and a sparkline to represent activity spikes over time. See Find out more about Top Notable Events.
  • Risk Events by ATT&CK: Displays the risk events with MITRE ATT&CK annotations including, but not limited to, the following: collection, discovery, exfiltration, persistence. See Find out more about risk by ATT&CK.
  • Aggregate System Risk: Displays the sum of all calculated system risk scores, using "low", "medium", "high" and "extreme" to represent threshold values. See Find out more about aggregate risk.
  • Aggregate User Risk: Displays the sum of all calculated user risk scores, using "low", "medium", "high" and "extreme" to represent threshold values. See Find out more about aggregate risk.

Work with drilldown options and filters

Use a drilldown or filter for dashboard interactivity.

Find out more about error trends

For further details about error trends, you can drill down into the following panels:

  • IAM Error Trend
  • Network ACL Error Trend
  • Security Group Error Trend

These steps are applicable for all the aforementioned panels, but as an example, consider that you want to know more about AWS Identity and Access Management (IAM) Access Analyzer error trends.

  1. From the menu bar, select Security Posture.
  2. In the IAM Error Trend panel, click the number in the panel.
  3. This takes you directly to the Cloud Security > IAM Activity dashboard with the Status filter set to Error.

See Filter your panel results for further details.

Find out more about AWS Identity and Access Management (IAM) Access Analyzer actions

For further details about user and authentication activity, you can drill down into the IAM Actions panel. These steps are applicable for all actions, but as an example, consider that you want to know more about the CreateUser action.

  1. From the menu bar, select Security Posture.
  2. In the IAM Actions panel, click a section of the pie chart such as CreateUser.
  3. This takes you directly to the Cloud Security > IAM Activity dashboard with the Action filter set to CreateUser and the time range picker set to Today, which is from 12 AM to the current time.

See Filter your panel results for further details.

Find out more about unauthorized AWS Identity and Access Management (IAM) Access Analyzer activity

For further details about unauthorized user and authentication activity, you can drill down into the Unauthorized IAM Activity panel. These steps are applicable for all locations, but as an example, consider that you want to know more about Canada.

  1. From the menu bar, select Security Posture.
  2. In the Unauthorized IAM Activity panel, click a section of the map chart such as Canada.
  3. This opens the search bar in Splunk Web, showing the SPL search that counts the unauthorized activity events, with the time range picker set to Today, which is from 12 AM to the current time.

Find out more about the AWS Identity and Access Management (IAM) Access Analyzer credential report

For further details about AWS Identity and Access Management (IAM) Access Analyzer credentials, you can drill down into the following panels:

  • User MFA Activated
  • User Access Key Rotation in Last 90 Days
  • User Password Changed in Last 90 Days

These steps are applicable for all the aforementioned panels, but as an example, consider that you want to know more about User MFA Activated.

  1. From the menu bar, select Security Posture.
  2. In the User MFA Activated panel, click a section of the pie chart such as MFA Activated.
  3. This opens the search bar in Splunk Web, showing the SPL search that counts the number of MFA devices that are enabled.
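The three credential-report panels above (User MFA Activated, User Access Key Rotation in Last 90 Days, and User Password Changed in Last 90 Days) are all counts derived from the same source: the CSV that AWS IAM returns for its credential report. The following Python is an added example, not code from this app or from Splunk, that computes the same three counts directly from a report. The report text is a constructed sample that keeps only the columns the example reads (the real report also carries certificate and access-key last-used columns), the reference time is fixed so the result is reproducible, and counting the root account row under MFA is a choice made here, not something the page states about the panel.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the AWS IAM credential report.
# Columns not needed by the three panels are omitted from this sample.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,not_supported,2021-08-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-03-02T10:00:00+00:00,true,2021-08-09T07:30:00+00:00,2021-06-15T12:00:00+00:00,N/A,true,true,2021-07-20T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-11-20T10:00:00+00:00,true,2021-05-02T07:30:00+00:00,2020-12-01T12:00:00+00:00,N/A,false,true,2020-09-05T12:00:00+00:00,true,2021-08-01T12:00:00+00:00
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,2021-01-05T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-02-01T12:00:00+00:00,false,N/A
"""

# Fixed "now" (an assumption for this example) so the sample evaluates the same way on every run.
REFERENCE_TIME = datetime(2021, 8, 10, tzinfo=timezone.utc)
ROTATION_WINDOW = timedelta(days=90)  # the 90-day window the two rotation panels use

# Markers the credential report uses when no timestamp is available.
NO_DATE = {"N/A", "not_supported", "no_information", ""}


def parse_report(text):
    """Parse the credential report CSV into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def _within(date_str, now, window):
    """True if date_str is a timestamp no older than `window` before `now`."""
    if date_str in NO_DATE:
        return False
    return now - datetime.fromisoformat(date_str) <= window


def mfa_activated(rows):
    """User MFA Activated: principals with (TRUE) and without (FALSE) an MFA device.
    Every row is counted, including the root account row (an assumption of this example)."""
    counts = {"TRUE": 0, "FALSE": 0}
    for row in rows:
        counts["TRUE" if row["mfa_active"] == "true" else "FALSE"] += 1
    return counts


def access_key_rotation(rows, now, window=ROTATION_WINDOW):
    """User Access Key Rotation in Last 90 Days: one count per active key, not per user."""
    counts = {"rotated": 0, "not_rotated": 0}
    for row in rows:
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent keys are not counted
            rotated = _within(row[f"access_key_{n}_last_rotated"], now, window)
            counts["rotated" if rotated else "not_rotated"] += 1
    return counts


def password_changed(rows, now, window=ROTATION_WINDOW):
    """User Password Changed in Last 90 Days: only users with a console password are counted."""
    counts = {"changed": 0, "not_changed": 0}
    for row in rows:
        if row["password_enabled"] != "true":
            continue  # root (not_supported) and access-key-only users are skipped
        changed = _within(row["password_last_changed"], now, window)
        counts["changed" if changed else "not_changed"] += 1
    return counts


def credential_metrics(text, now):
    """Compute all three panel counts from a credential report CSV."""
    rows = parse_report(text)
    return {
        "mfa": mfa_activated(rows),
        "key_rotation": access_key_rotation(rows, now),
        "password": password_changed(rows, now),
    }


if __name__ == "__main__":
    for name, value in credential_metrics(SAMPLE_REPORT, REFERENCE_TIME).items():
        print(name, value)
```

Two design choices matter when comparing such counts with the dashboard: access keys are counted per key rather than per user, since one user can hold two active keys in different rotation states, and the "no date" markers in the report (N/A, not_supported, no_information) are treated as "not rotated" or "not changed" rather than silently skipped, so a stale key never disappears from the total.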

Find out more about notable events

For further details about notable events, you can drill down into the following panels:

  • Notables Today
  • Notables this Week
  • Notables by Urgency

These steps are applicable for all the aforementioned panels, but as an example, consider that you want to know more about Notables Today.

  1. From the menu bar, select Security Posture.
  2. In the Notables Today panel, click the number in the panel.
  3. This takes you directly to the Incident Review dashboard with the corresponding Time filter selected, such as Last 24 hours.

See Triage notable events in Splunk Security Analytics for AWS.

Find out more about Top Notable Events

For further details about the top notable events, you can drill down into the Top Notable Events panel. These steps are applicable for all rule names, but as an example, consider that you want to know more about the Personally Identifiable Information Detected rule.

  1. From the menu bar, select Security Posture.
  2. In the Top Notable Events panel, click a rule name, such as Personally Identifiable Information Detected.
  3. This takes you directly to the Incident Review dashboard with the Correlation Search filter set to Personally Identifiable Information Detected and the Time filter set to Last 24 hours.

See Triage notable events in Splunk Security Analytics for AWS.

Find out more about aggregate risk

For further details about aggregate risk, you can drill down into the following panels:

  • Aggregate System Risk
  • Aggregate User Risk

These steps are applicable for all the aforementioned panels, but as an example, consider that you want to know more about Aggregate System Risk.

  1. From the menu bar, select Security Posture.
  2. In the Aggregate System Risk panel, click the word in the panel, such as extreme.
  3. This takes you directly to the Risk Analysis dashboard with the corresponding filters selected, such as a Risk Object Type of system and a Time filter of Last 24 hours.

See Manage risk in Splunk Security Analytics for AWS.

Find out more about risk by ATT&CK

For further details about risk events by ATT&CK, you can drill down into the Risk Events by ATT&CK panel. These steps are applicable for all ATT&CK tactics, but as an example, consider that you want to know more about defense-evasion.

  1. From the menu bar, select Security Posture.
  2. In the Risk Events by ATT&CK panel, click a section of the pie chart such as defense-evasion.
  3. This opens the search bar in Splunk Web, showing the SPL search that counts the number of defense evasion events.

See also

See the following topics for further information about AWS user and network activity:

Last modified on 10 August, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0
