AWS CloudTrail events - searching on specific AWS accounts - ARNs

I am attempting to update a notable.

The notable allows us to identify if a new AWS user has been created via an API or via the AWS Management Console. This is via the ingestion of the AWS CloudTrail event logs into our Splunk instance.

We have a situation where a number of the new AWS users are being created in our Dev and Test accounts.

I am attempting to filter out these specific events and only focus on the new AWS users being created in other accounts. The Dev and Test AWS accounts have their own specific 'arn' prefixes, which uniquely identify which AWS resources are assigned to which account.

Could someone please provide some help as to whether I am on the right track with the revised SPL; should I be using another attribute from the AWS CloudTrail logs, or is the 'arn' the right direction?

index=aws sourcetype="aws:cloudtrail" NOT (userIdentity.arn="arn*xxxxxxxxxxxx*" OR userIdentity.arn="arn*xxxxxxxxxxxx*") (eventName=CreateUser OR eventName=CreateLoginProfile OR eventName=CreateAccount) errorCode=success
| rex field=userIdentity.arn ".*\/(?<src_user>.*)$"
| rename requestParameters.accountName as account_name requestParameters.userName as user_name eventName as action
| eval user = coalesce(account_name,user_name)
| fields requestID src_user action user eventSource urgency

Thanks again in advance, appreciate any assistance or guidance anyone can offer.
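The filtering the question describes, as an added Python example that is not part of the original post or of Splunk: it applies the same rules as the revised SPL (restrict to CreateUser/CreateLoginProfile/CreateAccount, require a successful call, take the principal name after the last '/' of userIdentity.arn, coalesce accountName and userName) to a few constructed CloudTrail records, and drops any event whose userIdentity.arn belongs to an excluded account. The account IDs 111111111111, 222222222222 and 333333333333 and every principal name are placeholders chosen for the example; 222222222222 and 333333333333 stand in for the Dev and Test accounts.

```python
"""Filter CloudTrail user-creation events, excluding Dev/Test accounts by the
account ID carried in userIdentity.arn. Added example; sample data is constructed."""
import json
import re

# Assumed Dev and Test account IDs (placeholders, not real accounts).
EXCLUDED_ACCOUNTS = {"222222222222", "333333333333"}
# The event names the notable is interested in.
WATCHED_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccount"}

# An ARN is arn:partition:service:region:account-id:resource; the account ID
# is the fifth colon-separated component.
ARN_RE = re.compile(r"^arn:[^:]*:[^:]*:[^:]*:(?P<account>[^:]*):(?P<resource>.*)$")


def account_id_from_arn(arn):
    """Return the 12-digit account ID from an ARN, or None if it does not parse."""
    m = ARN_RE.match(arn or "")
    return m.group("account") if m else None


def principal_name_from_arn(arn):
    """Mirror the SPL rex '.*\\/(?<src_user>.*)$': text after the last '/'."""
    return arn.rsplit("/", 1)[-1] if arn else None


def is_successful(event):
    """CloudTrail omits errorCode on success; the Splunk add-on may normalise it to 'success'."""
    code = event.get("errorCode")
    return code is None or code == "success"


def filter_new_user_events(events, excluded=EXCLUDED_ACCOUNTS):
    """Apply the notable's search logic and return the fields the SPL keeps."""
    results = []
    for ev in events:
        if ev.get("eventName") not in WATCHED_EVENTS or not is_successful(ev):
            continue
        arn = (ev.get("userIdentity") or {}).get("arn")
        # Exclusion must hold for every excluded account (a NOT over the set),
        # not an OR of separate "not equal" tests, which would match everything.
        if account_id_from_arn(arn) in excluded:
            continue
        params = ev.get("requestParameters") or {}
        results.append({
            "requestID": ev.get("requestID"),
            "src_user": principal_name_from_arn(arn),
            "action": ev["eventName"],
            # coalesce(account_name, user_name): CreateAccount carries accountName,
            # CreateUser/CreateLoginProfile carry userName.
            "user": params.get("accountName") or params.get("userName"),
            "eventSource": ev.get("eventSource"),
        })
    return results


# Constructed CloudTrail records, one JSON object per line, as they would be indexed.
SAMPLE_LOG = """
{"requestID":"r-1","eventName":"CreateUser","eventSource":"iam.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"userName":"bob"}}
{"requestID":"r-2","eventName":"CreateUser","eventSource":"iam.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::222222222222:user/dev-bot"},"requestParameters":{"userName":"tmp-dev"}}
{"requestID":"r-3","eventName":"CreateLoginProfile","eventSource":"iam.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::333333333333:user/test-admin"},"requestParameters":{"userName":"qa-user"}}
{"requestID":"r-4","eventName":"CreateAccount","eventSource":"organizations.amazonaws.com","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/OrgAdmin/session1"},"requestParameters":{"accountName":"new-team-account"}}
{"requestID":"r-5","eventName":"CreateUser","eventSource":"iam.amazonaws.com","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111111111111:user/mallory"},"requestParameters":{"userName":"backdoor"}}
{"requestID":"r-6","eventName":"ListUsers","eventSource":"iam.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"}}
"""

SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]


def demo():
    """Run the filter over the constructed sample; returns the two events that survive."""
    return filter_new_user_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Matching the account ID component rather than a wildcard prefix avoids accidental matches elsewhere in the ARN string; the same idea in SPL is a `NOT (... OR ...)` over the account patterns, since `arn!="A" OR arn!="B"` is true for every event (no ARN equals both) and would exclude nothing.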
