Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

AWS LOGS for SIEM

vikkysplunk
Path Finder
‎04-06-2021 11:48 PM

Hi All, I am getting below AWS logs from customer but below logs are taking more than 50 % of license, so please could you find the below AWS sourcetype details and let me know which are required for security perspective ?

aws:cloudtrail
aws:cloudwatchlogs:vpcflow
aws:config
aws:config:notification
aws:config:rule

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-07-2021 01:14 AM

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

Reply
Solved! Jump to solution

aasabatini
Motivator
‎04-07-2021 12:19 AM

hi @vikkysplunk 

The sourcetype for the security content in AWS are:

aws:cloudtrail

aws:cloudwatchlogs:vpcflow

aws:config:rule

Also I suggest guardduty logs.

 

 
 
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Tags (1)
0 Karma
Reply
Solved! Jump to solution

vikkysplunk
Path Finder
‎04-07-2021 01:07 AM

Hi, thanks for the below details..pls could you let me know have you created any use cases fir aws logs.. if yes please can you provide me that use case details.

 

thanks in advance

0 Karma
Reply
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-07-2021 01:14 AM

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Solved! Jump to solution

vikkysplunk
Path Finder
‎04-08-2021 07:18 PM

Hello @aasabatini 

Thanks for the below use case details and same way do you have any document for aws:cloudwatchlogs:vpcflow?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...