Security

AWS CloudTrail events - searching on specific AWS accounts - ARNs

Thundercat
Engager

Hi, 

I am attempting to update a notable.

The notable allows us to identify if a new AWS user has been created via an API or via the AWS Management Console. This is via the ingestion of the AWS CloudTrail event logs into our Splunk instance.

We have a situation where a number of the new AWS users are being created in our Dev and Test accounts.

I am attempting to filter out these specific events and only focus on the new AWS users being created in other accounts. The Dev and Test AWS accounts have their own specific 'arn' prefixes, which uniquely identify which AWS resources are assigned to which account.

Could someone please provide some help as to whether I am on the right track with the revised SPL? Should I be using another attribute from the AWS CloudTrail logs, or is the 'arn' the right direction?

index=aws sourcetype="aws:cloudtrail" NOT (userIdentity.arn="arn*xxxxxxxxxxxx*" OR userIdentity.arn="arn*xxxxxxxxxxxx*") (eventName=CreateUser OR eventName=CreateLoginProfile OR eventName=CreateAccount) errorCode=success
| rex field=userIdentity.arn ".*\/(?<src_user>.*)$"
| rename requestParameters.accountName as account_name, requestParameters.userName as user_name, eventName as action
| eval user = coalesce(account_name, user_name)
| fields requestID src_user action user eventSource urgency

Thanks again in advance, appreciate any assistance or guidance anyone can offer.

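The filtering logic the post is after, worked through in Python as an added example (this is not the poster's code and not part of the thread). It runs over a handful of constructed CloudTrail records with placeholder account IDs and assumes the Dev and Test accounts are identified by the 12-digit account ID embedded in `userIdentity.arn` (falling back to `recipientAccountId`), which is the same information the post's ARN-prefix wildcards carry. It reproduces the post's `src_user` rex and `coalesce`, and it also shows why an `(arn!=A OR arn!=B)` clause excludes nothing: no single ARN can match both prefixes, so one side of the OR is always true. The exclusion therefore has to be `NOT (A OR B)`, or equivalently `!=A AND !=B`.

```python
import re

# Constructed sample CloudTrail records (placeholder account IDs, not real data).
SAMPLE_EVENTS = [
    {   # new IAM user created by an admin in the Dev account: should be filtered out
        "eventName": "CreateUser", "eventSource": "iam.amazonaws.com", "requestID": "req-0001",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-admin"},
        "requestParameters": {"userName": "dev-svc-account"},
    },
    {   # console password set via an assumed role in the Test account: should be filtered out
        "eventName": "CreateLoginProfile", "eventSource": "iam.amazonaws.com", "requestID": "req-0002",
        "recipientAccountId": "222222222222",
        "userIdentity": {"arn": "arn:aws:sts::222222222222:assumed-role/TestOps/session1"},
        "requestParameters": {"userName": "tester"},
    },
    {   # new IAM user in a production account: this is the one the notable should surface
        "eventName": "CreateUser", "eventSource": "iam.amazonaws.com", "requestID": "req-0003",
        "recipientAccountId": "333333333333",
        "userIdentity": {"arn": "arn:aws:iam::333333333333:user/prod-admin"},
        "requestParameters": {"userName": "contractor-1"},
    },
    {   # failed attempt in production: CloudTrail only sets errorCode when the call failed
        "eventName": "CreateUser", "eventSource": "iam.amazonaws.com", "requestID": "req-0004",
        "recipientAccountId": "333333333333", "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::333333333333:user/intern"},
        "requestParameters": {"userName": "should-not-appear"},
    },
    {   # unrelated read-only call in production: not one of the watched actions
        "eventName": "ListUsers", "eventSource": "iam.amazonaws.com", "requestID": "req-0005",
        "recipientAccountId": "333333333333",
        "userIdentity": {"arn": "arn:aws:iam::333333333333:user/auditor"},
    },
]

# Placeholder Dev and Test account IDs (assumption for the example).
EXCLUDED_ACCOUNTS = {"111111111111", "222222222222"}
WATCHED_ACTIONS = {"CreateUser", "CreateLoginProfile", "CreateAccount"}

# arn:partition:service:region:account-id:resource  (region is empty for IAM/STS)
ARN_ACCOUNT_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:(\d{12}):")


def account_from_arn(arn):
    """Return the 12-digit account ID embedded in an ARN, or None if it has none."""
    m = ARN_ACCOUNT_RE.match(arn or "")
    return m.group(1) if m else None


def src_user_from_arn(arn):
    """Same extraction as the post's rex ".*\\/(?<src_user>.*)$": text after the last '/'."""
    m = re.search(r".*/(?P<src_user>.*)$", arn or "")
    return m.group("src_user") if m else None


def is_watched_success(event):
    """Watched action that succeeded. A missing errorCode is treated like the literal
    'success' the post filters on, so records from either representation pass."""
    return (event.get("eventName") in WATCHED_ACTIONS
            and event.get("errorCode", "success") == "success")


def notable_events(events, excluded_accounts):
    """Equivalent of the corrected search: watched, successful events whose
    account is NOT one of the excluded accounts, reduced to the post's fields."""
    rows = []
    for ev in events:
        if not is_watched_success(ev):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        account = account_from_arn(arn) or ev.get("recipientAccountId")
        if account in excluded_accounts:
            continue
        params = ev.get("requestParameters", {})
        rows.append({
            "requestID": ev.get("requestID"),
            "src_user": src_user_from_arn(arn),
            "action": ev["eventName"],
            # coalesce(account_name, user_name): first non-empty value wins
            "user": params.get("accountName") or params.get("userName"),
            "eventSource": ev.get("eventSource"),
            "account": account,
        })
    return rows


def buggy_or_filter(events, dev_prefix, test_prefix):
    """Reproduces the post's (arn!=A OR arn!=B) clause. An ARN cannot start with
    both prefixes, so at least one inequality holds and every event is kept."""
    return [ev for ev in events
            if not ev.get("userIdentity", {}).get("arn", "").startswith(dev_prefix)
            or not ev.get("userIdentity", {}).get("arn", "").startswith(test_prefix)]


if __name__ == "__main__":
    for row in notable_events(SAMPLE_EVENTS, EXCLUDED_ACCOUNTS):
        print(row)
    print("events left by the OR filter:",
          len(buggy_or_filter(SAMPLE_EVENTS, "arn:aws:iam::111111111111", "arn:aws:sts::222222222222")))
```

Run stand-alone, only the `req-0003` record is printed, while the OR-based filter leaves all five sample records in place. Matching on the account ID rather than a wildcard over the whole ARN also avoids the assumed-role case in the second record, where the ARN begins with `arn:aws:sts::` rather than `arn:aws:iam::` and a prefix written for IAM user ARNs would miss it.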