https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546973#M9855 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165827">@vikkysplunk</a>&nbsp;</P><P>The sourcetype for the security content in AWS are:</P><P>aws:cloudtrail</P><P><SPAN>aws:cloudwatchlogs:vpcflow</SPAN></P><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P><SPAN>aws:config:rule</SPAN></P><P><SPAN>Also I suggest guardduty logs.</SPAN></P><P>&nbsp;</P></DIV></DIV><DIV class="lia-panel lia-panel-standard LabelsForMessage Chrome lia-component-message-view-widget-labels"><DIV class="lia-decoration-border"><DIV class="lia-decoration-border-top"><DIV>&nbsp;</DIV></DIV><DIV class="lia-decoration-border-content"><DIV><DIV class="lia-panel-heading-bar-wrapper">&nbsp;</DIV></DIV></DIV></DIV></DIV> Wed, 07 Apr 2021 07:19:13 GMT aasabatini 2021-04-07T07:19:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546971#M9854 <P><SPAN>Hi All, I am getting below AWS logs from customer but below logs are taking more than 50 % of license, so please could you find the below AWS sourcetype details and let me know which are required for security perspective ?</SPAN></P><P><SPAN>aws:cloudtrail<BR />aws:cloudwatchlogs:vpcflow<BR />aws:config<BR />aws:config:notification<BR />aws:config:rule</SPAN></P> Wed, 07 Apr 2021 06:51:22 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546971#M9854 vikkysplunk 2021-04-07T06:51:22Z https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546973#M9855 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165827">@vikkysplunk</a>&nbsp;</P><P>The sourcetype for the security content in AWS are:</P><P>aws:cloudtrail</P><P><SPAN>aws:cloudwatchlogs:vpcflow</SPAN></P><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P><SPAN>aws:config:rule</SPAN></P><P><SPAN>Also I suggest guardduty logs.</SPAN></P><P>&nbsp;</P></DIV></DIV><DIV class="lia-panel lia-panel-standard LabelsForMessage Chrome lia-component-message-view-widget-labels"><DIV class="lia-decoration-border"><DIV class="lia-decoration-border-top"><DIV>&nbsp;</DIV></DIV><DIV class="lia-decoration-border-content"><DIV><DIV class="lia-panel-heading-bar-wrapper">&nbsp;</DIV></DIV></DIV></DIV></DIV> Wed, 07 Apr 2021 07:19:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546973#M9855 aasabatini 2021-04-07T07:19:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546978#M9856 <P>Hi, thanks for the below details..pls could you let me know have you created any use cases fir aws logs.. if yes please can you provide me that use case details.</P><P>&nbsp;</P><P>thanks in advance</P> Wed, 07 Apr 2021 08:07:42 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546978#M9856 vikkysplunk 2021-04-07T08:07:42Z https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546979#M9857 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165827">@vikkysplunk</a>&nbsp;<BR /><BR />please check this blog for the security use-cases, it is awesome!</P><P>&nbsp;this page is for the guardduty use-cases</P><P><A href="https://www.chrisfarris.com/post/reinforce-threat-hunting/" target="_blank">https://www.chrisfarris.com/post/reinforce-threat-hunting/</A></P><P>and this link&nbsp; is for the cloudtrail</P><P><A href="https://www.chrisfarris.com/post/reinvent2019-sec339/" target="_blank">https://www.chrisfarris.com/post/reinvent2019-sec339/</A></P><P>confirmation solution or karma given is appreciated</P><P>&nbsp;</P> Wed, 07 Apr 2021 08:14:27 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/546979#M9857 aasabatini 2021-04-07T08:14:27Z https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/547284#M9860 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222210">@aasabatini</a>&nbsp;</P><P>Thanks for the below use case details and same way do you have any document for&nbsp;<SPAN>aws:cloudwatchlogs:vpcflow?</SPAN></P> Fri, 09 Apr 2021 02:18:23 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/AWS-LOGS-for-SIEM/m-p/547284#M9860 vikkysplunk 2021-04-09T02:18:23Z