Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

AWS LOGS for SIEM

vikkysplunk
Path Finder
‎04-06-2021 11:48 PM

Hi All, I am getting below AWS logs from customer but below logs are taking more than 50 % of license, so please could you find the below AWS sourcetype details and let me know which are required for security perspective ?

aws:cloudtrail
aws:cloudwatchlogs:vpcflow
aws:config
aws:config:notification
aws:config:rule

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-07-2021 01:14 AM

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

Reply
Solved! Jump to solution

aasabatini
Motivator
‎04-07-2021 12:19 AM

hi @vikkysplunk 

The sourcetype for the security content in AWS are:

aws:cloudtrail

aws:cloudwatchlogs:vpcflow

aws:config:rule

Also I suggest guardduty logs.

 

 
 
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Tags (1)
0 Karma
Reply
Solved! Jump to solution

vikkysplunk
Path Finder
‎04-07-2021 01:07 AM

Hi, thanks for the below details..pls could you let me know have you created any use cases fir aws logs.. if yes please can you provide me that use case details.

 

thanks in advance

0 Karma
Reply
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-07-2021 01:14 AM

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Solved! Jump to solution

vikkysplunk
Path Finder
‎04-08-2021 07:18 PM

Hello @aasabatini 

Thanks for the below use case details and same way do you have any document for aws:cloudwatchlogs:vpcflow?

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...