I have Splunk App for AWS in Splunk. I'm having issues with Configuration Updates in the app. I can see change events when a user creates, updates, or deletes something in AWS. What I can't see is who is making one of those changes.
It should be noted that we use AWS Directory Service AW connector to facilitate user access to AWS. The odd part is that when I look at the CloudTrail logs, I can see who is making the change, but I can't see it in Splunk.
Any Ideas as to what I'm missing in the config of this app or in the setup process of AWS?
in "audit ->User Activity" page, "User Activity Grouped by Event Name" shows user names. Is it what you want?
We are also planning to do big enhancement for cloudtrail dashboards. Are you willing to share more of your use cases?