In some Enterprise Security app AWS rules, you are required to populate the aws_service_accounts lookup for use in exceptions, but I'm having trouble working out how to map all my AWS service accounts.
For example: https://research.splunk.com/deprecated/4d46e8bd-4072-48e4-92db-0325889ef894/
(see the implementation section)
Based on the Enterprise Security Content Update repo (https://github.com/splunk/security_content/blob/develop/baselines/create_a_list_of_approved_aws_serv...) it looks like the following can be used to create the aws_service_accounts lookup:
`cloudtrail` errorCode=success | rename userName as identity | search NOT
[inputlookup identity_lookup_expanded | fields identity] | stats count by identity
| table identity | outputlookup aws_service_accounts | stats count
You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.
Please validate the service account entries in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate.
Thanks for the reply! The rule implementation instructions say to run this search every 30 days, but it doesn't say how long I should search. I've already tested searching the last 90 minutes, but it didn't cover even close to what I needed. I tried this time because this search is very expensive and takes a long time. Do you have any suggestions for scheduling time and search period? Another point is that I tried, but I didn't find any way to differentiate service accounts from user accounts based on fields.
I think every 30 days is way too infrequent for this. You would want the service accounts added fairly soon after they're first seen so the info can be used in other searches.
Personally I would run it more frequently, e.g. hourly, or every 4 hours. I usually look back (earliest) the equivalent of the time since the previous run, minus an extra 10 minutes to account for lag, so something like earliest=-70m latest=-10m (60 minute period, running every hour).
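An incremental form of the baseline search from the first answer, scheduled hourly with the earliest=-70m latest=-10m window suggested in the reply above (an added example, not from the original posts or from Splunk's content repo). It assumes the `cloudtrail` macro and the identity_lookup_expanded lookup from the first answer, and that aws_service_accounts already exists from one full run of the original search. Because outputlookup overwrites the file, a 60-minute window on its own would discard accounts seen only in earlier runs, so the existing lookup is appended back in with inputlookup append=true and deduplicated before writing.

```spl
`cloudtrail` errorCode=success earliest=-70m latest=-10m
| rename userName as identity
| search NOT [ inputlookup identity_lookup_expanded | fields identity ]
| stats count by identity
| fields identity
| inputlookup append=true aws_service_accounts
| dedup identity
| outputlookup aws_service_accounts
```

Save it as a scheduled search running every hour; rows that appear for the first time still need the manual validation the first answer describes before the lookup is trusted in exceptions.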
Thank you! You helped me a lot with the time issue!