Splunk® Security Analytics for AWS

User Manual


User and Authentication Activity in

Monitor your Amazon Web Services (AWS) user activity to uncover suspicious behaviors that may be associated with malicious activity, such as activity spikes or unusual events.

Use the IAM Activity Dashboard

Use the IAM Activity Dashboard to monitor user activity in your environment, including the error events, which users have the most activity, activity over time, and the detailed list of error activities.

  1. From the menu bar, select Cloud Security.
  2. Click IAM Activity.

The IAM Activity Dashboard includes the following panels:

Panel                          Source Type      Datamodel
Error Events                   aws:cloudtrail   datamodel=Change.All_Changes nodename=All_Changes.Account_Management
Activity by User               aws:cloudtrail   datamodel=Change.All_Changes nodename=All_Changes.Account_Management
IAM Actions                    aws:cloudtrail   datamodel=Change.All_Changes nodename=All_Changes.Account_Management
IAM Actions Over Time          aws:cloudtrail   datamodel=Change.All_Changes nodename=All_Changes.Account_Management
Success vs. Failure Activity   aws:cloudtrail   datamodel=Change.All_Changes nodename=All_Changes.Account_Management
Most Recent IAM Activity       aws:cloudtrail   datamodel:"Change.Account_Management"
IAM Error Activity             aws:cloudtrail   datamodel:"Change.Account_Management"

Take action on user and authentication activity spikes or unusual events. See Overview of securing your cloud environment in Splunk Security Analytics for AWS.
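To find the activity spikes this section asks you to act on, the following search is an added example (not one of the app's dashboard searches) that reads the same Change.All_Changes data model and Account_Management node as the panels above, buckets IAM events per user and status by hour, and reports any hour whose count exceeds that user's mean by more than three standard deviations. It assumes the time range picker supplies the window, that the CIM status values are "success" and "failure", and the floor of 20 events is an arbitrary value you should tune to your account volume.

```spl
| tstats summariesonly=false count
    from datamodel=Change.All_Changes
    where nodename=All_Changes.Account_Management
          sourcetype=aws:cloudtrail
    by _time span=1h, All_Changes.user, All_Changes.status
| rename All_Changes.user AS user, All_Changes.status AS status
| eventstats avg(count) AS baseline, stdev(count) AS sd BY user, status
| eval threshold=baseline + 3*coalesce(sd, 0)
| where count > threshold AND count >= 20
| sort - count
| table _time, user, status, count, baseline, threshold
```

Restricting the search to status="failure" in the where clause gives the error-only view that the Status filter's Error option provides in the dashboard. Setting summariesonly=true returns only accelerated data, which is faster but silently drops events the acceleration summary has not yet covered.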

Filter your panel results

You can filter the results that you see in the dashboard panels.

Filter        Description
Account ID    Specify one or more of the data account IDs that you chose during onboarding.
Regions       Specify one or more of the data source regions that you chose during onboarding.
Status        Choose from the following statuses:
  • All - All event statuses, including both successes and errors.
  • Error - Only error event statuses. Some panels are based on error trends, so there is no difference in the results if you select All or if you select Error.
Action        Choose from the following actions:
  • All - All event actions.
  • Each action - You can filter on each action individually or on a combination of actions.
Time Range    Define the time range of a search with the time range picker.

Work with panel drilldown options

For further details, you can drill down into any panel in your dashboards. Click a panel to display the drilldown options.

Option                  Description
Open in Search          Open a search bar in Splunk Web to see the SPL syntax for populating the panel with data. If applicable, these searches incorporate the | tstats command to perform statistical queries. See tstats for more information.
                        In the search results, click the Statistics tab in Splunk Web to see statistics about your indexed data.
Open Events in Search   Open a search bar in Splunk Web to see the SPL syntax for viewing the top 100 raw events that are ingested. If applicable, these searches incorporate the | datamodel command to search data model datasets. The | datamodel command has the potential to impact performance, so the default is to limit the number of events with | head 100 rather than show them all. See datamodel for more information.
                        In the search results, click the Events tab in Splunk Web to see raw events. If you use Open Events in Search but you get the same results as Open in Search, then the panel does not use a data model.
Export                  Download a .png file of the panel results.
Refresh                 Update the results of the panel.
Last modified on 10 August, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0