Splunk Enterprise Security

AWS LOGS for SIEM

vikkysplunk
Path Finder

Hi All, I am getting below AWS logs from customer but below logs are taking more than 50 % of license, so please could you find the below AWS sourcetype details and let me know which are required for security perspective ?

aws:cloudtrail
aws:cloudwatchlogs:vpcflow
aws:config
aws:config:notification
aws:config:rule

Labels (1)
Tags (1)
0 Karma
1 Solution

aasabatini
Motivator

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

aasabatini
Motivator

hi @vikkysplunk 

The sourcetype for the security content in AWS are:

aws:cloudtrail

aws:cloudwatchlogs:vpcflow

aws:config:rule

Also I suggest guardduty logs.

 

 
 
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Tags (1)
0 Karma

vikkysplunk
Path Finder

Hi, thanks for the below details..pls could you let me know have you created any use cases fir aws logs.. if yes please can you provide me that use case details.

 

thanks in advance

0 Karma

aasabatini
Motivator

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

vikkysplunk
Path Finder

Hello @aasabatini 

Thanks for the below use case details and same way do you have any document for aws:cloudwatchlogs:vpcflow?

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...