Splunk Enterprise Security

AWS LOGS for SIEM

vikkysplunk
Path Finder

Hi All, I am getting below AWS logs from customer but below logs are taking more than 50 % of license, so please could you find the below AWS sourcetype details and let me know which are required for security perspective ?

aws:cloudtrail
aws:cloudwatchlogs:vpcflow
aws:config
aws:config:notification
aws:config:rule

Labels (1)
Tags (1)
0 Karma
1 Solution

aasabatini
Motivator

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

aasabatini
Motivator

hi @vikkysplunk 

The sourcetype for the security content in AWS are:

aws:cloudtrail

aws:cloudwatchlogs:vpcflow

aws:config:rule

Also I suggest guardduty logs.

 

 
 
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Tags (1)
0 Karma

vikkysplunk
Path Finder

Hi, thanks for the below details..pls could you let me know have you created any use cases fir aws logs.. if yes please can you provide me that use case details.

 

thanks in advance

0 Karma

aasabatini
Motivator

hi @vikkysplunk 

please check this blog for the security use-cases, it is awesome!

 this page is for the guardduty use-cases

https://www.chrisfarris.com/post/reinforce-threat-hunting/

and this link  is for the cloudtrail

https://www.chrisfarris.com/post/reinvent2019-sec339/

confirmation solution or karma given is appreciated

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

vikkysplunk
Path Finder

Hello @aasabatini 

Thanks for the below use case details and same way do you have any document for aws:cloudwatchlogs:vpcflow?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...