
How do I collect all of my service accounts in AWS CloudTrail?

JoaoGuiNovaes
Explorer

In some essential app security AWS rules, you are required to populate the aws_service_accounts lookup for use in exceptions, but I'm having trouble working out how to map all my AWS service accounts.

For example, see the Implementation section of https://research.splunk.com/deprecated/4d46e8bd-4072-48e4-92db-0325889ef894/


livehybrid
SplunkTrust

Hi @JoaoGuiNovaes 

Based on the Enterprise Security Content Updater repo (https://github.com/splunk/security_content/blob/develop/baselines/create_a_list_of_approved_aws_serv...) it looks like the following can be used to create the aws_service_accounts lookup:

`cloudtrail` errorCode=success
| rename userName as identity
| search NOT [inputlookup identity_lookup_expanded | fields identity]
| stats count by identity
| table identity
| outputlookup aws_service_accounts
| stats count

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

Please validate the service account entries in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate.


JoaoGuiNovaes
Explorer

Thanks for the reply! The rule implementation instructions say to run this search every 30 days, but it doesn't say how long I should search. I've already tested searching the last 90 minutes, but it didn't cover even close to what I needed. I tried this time because this search is very expensive and takes a long time. Do you have any suggestions for scheduling time and search period? Another point is that I tried, but I didn't find any way to differentiate service accounts from user accounts based on fields.


livehybrid
SplunkTrust

Hi @JoaoGuiNovaes 

I think every 30 days is way too infrequent for this - you would want the service accounts added fairly soon after they're first seen so the info can be used in other searches.

Personally I would run it more frequently, e.g. hourly, or every 4 hours. I usually look back (earliest) equiv to the time since the previous run minus an extra 10 mins to account for lag, so something like earliest=-70m latest=-10m (60 minute period, running every hour).

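The two answers above describe a baseline search (successful CloudTrail calls whose userName is not already a known identity become candidate service accounts) and a schedule for it (hourly, with earliest=-70m latest=-10m so that a 60 minute window is searched 10 minutes late to allow for ingestion lag). The following is an added example, not code from the thread or from the Splunk security_content project, that models both in Python over a handful of constructed CloudTrail events. It assumes the events have been normalised the way the Splunk Add-on for AWS presents them (a flat userName field and errorCode reading "success" when the API call did not fail), uses a constructed set of names as a stand-in for identity_lookup_expanded, and gives each event an index time so that the effect of the 10 minute lag can be shown: an event logged at 11:58 but indexed at 12:06 is caught by a run at 12:10 that searches 11:00 to 12:00, and missed by a lag-free run at 12:00. Each run's results are merged into the running list rather than replacing it; that merge is this example's own design choice, made because a plain outputlookup rewrites the lookup file on every run.

```python
"""Model of the aws_service_accounts baseline plus its hourly schedule.

Added example; not the thread's search or the security_content project's
code.  Event fields, index times and the identity list are all constructed.
"""
from datetime import datetime, timedelta, timezone

DAY = "2024-05-01T"
NO_LAG = timedelta(0)


def ts(hhmm):
    """Aware UTC datetime for an HH:MM time on the sample day."""
    return datetime.strptime(DAY + hhmm + ":00Z", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_event(event_time, index_time, user_name, error_code):
    # Constructed record shaped like CloudTrail after the Splunk Add-on for
    # AWS has normalised it: flat userName, errorCode "success" when the
    # call did not fail.  That field shape is an assumption of this example.
    return {"_time": ts(event_time), "_indextime": ts(index_time),
            "userName": user_name, "errorCode": error_code}


EVENTS = [  # (_time, _indextime, userName, errorCode), all constructed
    make_event("10:05", "10:06", "alice", "success"),
    make_event("10:12", "10:13", "ci-deploy", "success"),
    make_event("10:20", "10:21", "backup-runner", "AccessDenied"),
    make_event("10:59", "11:00", "terraform-runner", "success"),
    make_event("11:30", "11:31", "backup-runner", "success"),
    make_event("11:58", "12:06", "late-batch-job", "success"),  # indexed 8 min late
    make_event("12:40", "12:41", "bob", "success"),
    make_event("12:45", "12:46", "lambda-rotator", "success"),
]

# Constructed stand-in for identity_lookup_expanded: identities the Asset &
# Identity framework already knows, i.e. the human users to exclude.
IDENTITY_LOOKUP = {"alice", "bob"}


def baseline_search(events, identity_lookup, earliest, latest, run_time):
    """One run of the baseline over earliest <= _time < latest.

    Mirrors the thread's search:
      `cloudtrail` errorCode=success | rename userName as identity
      | search NOT [inputlookup identity_lookup_expanded | fields identity]
      | stats count by identity
    A search can only see events that were indexed before it ran, so an
    event whose _indextime is later than run_time is invisible to it.
    """
    identities = set()
    for ev in events:
        if not earliest <= ev["_time"] < latest:
            continue
        if ev["_indextime"] > run_time:
            continue
        if ev["errorCode"] != "success":
            continue
        identity = ev.get("userName")
        if not identity or identity in identity_lookup:
            continue
        identities.add(identity)
    return identities


def run_schedule(events, identity_lookup, first_run, runs,
                 period=timedelta(hours=1), lag=timedelta(minutes=10), lookup=None):
    """Run the baseline every `period`, each time searching
    earliest = run_time - period - lag, latest = run_time - lag
    (earliest=-70m latest=-10m for an hourly run with a 10 minute lag).

    Returns the merged lookup and, per run, the identities newly added.
    Merging into the existing list is this example's choice; a plain
    outputlookup replaces the lookup file on every run.
    """
    lookup = set(lookup or ())
    added_per_run = []
    for i in range(runs):
        run_time = first_run + i * period
        found = baseline_search(events, identity_lookup,
                                run_time - period - lag, run_time - lag, run_time)
        added_per_run.append(sorted(found - lookup))
        lookup |= found
    return lookup, added_per_run


def demo():
    """Three hourly runs with the 10 minute lag, and three without it."""
    with_lag = run_schedule(EVENTS, IDENTITY_LOOKUP, ts("11:10"), 3)
    without_lag = run_schedule(EVENTS, IDENTITY_LOOKUP, ts("11:00"), 3, lag=NO_LAG)
    return with_lag, without_lag


if __name__ == "__main__":
    (lag_lookup, lag_added), (nolag_lookup, _) = demo()
    print("with 10 min lag:", sorted(lag_lookup), lag_added)
    print("without lag:    ", sorted(nolag_lookup))
```

Run as a script it prints the merged list after each schedule; the lag-free schedule never sees late-batch-job because the event was indexed after the run that covered its window and the next run's window starts after the event's _time. Whatever window you settle on, the review step in the first answer still applies: the list is only a set of identities that were not already known, so anything that is really a human or an attacker-created principal must be removed by hand before the lookup is used for exceptions.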

JoaoGuiNovaes
Explorer

Thank you! You helped me a lot with the time issue!


