Hi All, I am getting the below AWS logs from a customer, but these logs are taking more than 50% of the license, so could you please check the below AWS sourcetype details and let me know which are required from a security perspective?
aws:cloudtrail
aws:cloudwatchlogs:vpcflow
aws:config
aws:config:notification
aws:config:rule
Hi @vikkysplunk
The sourcetypes for the security content in AWS are:
aws:cloudtrail
aws:cloudwatchlogs:vpcflow
aws:config:rule
Also, I suggest GuardDuty logs.
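To show why these three sourcetypes carry most of the security value, here is a small added example (not from this thread or from Splunk) that runs one typical detection over constructed records of each type: console logins without MFA and tampering with CloudTrail logging from aws:cloudtrail, a rejected-connection sweep from aws:cloudwatchlogs:vpcflow, and non-compliant rule evaluations from aws:config:rule. The CloudTrail field names follow the documented record format and the flow log lines use the default version-2 field order; the Config rule notification shape is simplified and is an assumption, as are all sample values.

```python
"""Added example: minimal security detections over constructed AWS records
for the sourcetypes aws:cloudtrail, aws:cloudwatchlogs:vpcflow and aws:config:rule.
Not Splunk's code and not real customer data."""
from collections import defaultdict

# Constructed CloudTrail records (CloudTrail field names, made-up values).
CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "org-trail"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole", "userName": "ops"},
     "sourceIPAddress": "10.0.0.5"},
]

# CloudTrail API calls that weaken the audit trail itself.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def console_logins_without_mfa(events):
    """User names with a successful ConsoleLogin where MFA was not used."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append(e["userIdentity"].get("userName", "<unknown>"))
    return hits


def logging_tampering(events):
    """(user, eventName) pairs for calls that stop or alter CloudTrail logging."""
    return [(e["userIdentity"].get("userName", "<unknown>"), e["eventName"])
            for e in events if e.get("eventName") in LOGGING_TAMPER_EVENTS]


# Constructed VPC flow log lines in the default (version 2) field order.
VPC_FLOW_LINES = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51234 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.21 51235 22 6 1 40 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.22 51236 22 6 1 40 1700000002 1700000062 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.1.30 44321 443 6 12 4800 1700000003 1700000063 ACCEPT OK
"""

VPC_FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status"]


def parse_vpc_flow(line):
    """Parse one default-format flow log line into a dict; ports and counters become ints."""
    parts = line.split()
    if len(parts) != len(VPC_FLOW_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(VPC_FLOW_FIELDS, parts))
    for key in ("srcport", "dstport", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def rejected_sweeps(lines, dstport=22, min_targets=3):
    """Source addresses whose REJECTed flows to dstport reached at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_vpc_flow(line)
        if rec["action"] == "REJECT" and rec["dstport"] == dstport:
            targets[rec["srcaddr"]].add(rec["dstaddr"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


# Constructed Config rule compliance-change notifications (simplified shape; assumption).
CONFIG_RULE_NOTIFICATIONS = [
    {"configRuleName": "s3-bucket-public-read-prohibited", "resourceId": "demo-bucket",
     "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
    {"configRuleName": "root-account-mfa-enabled", "resourceId": "123456789012",
     "newEvaluationResult": {"complianceType": "COMPLIANT"}},
]


def noncompliant_rules(notifications):
    """(rule, resource) pairs whose latest evaluation is NON_COMPLIANT."""
    return [(n["configRuleName"], n["resourceId"]) for n in notifications
            if n.get("newEvaluationResult", {}).get("complianceType") == "NON_COMPLIANT"]


if __name__ == "__main__":
    print("Console logins without MFA:", console_logins_without_mfa(CLOUDTRAIL_EVENTS))
    print("Audit logging tampering:", logging_tampering(CLOUDTRAIL_EVENTS))
    print("Rejected SSH sweeps:", rejected_sweeps(VPC_FLOW_LINES))
    print("Non-compliant Config rules:", noncompliant_rules(CONFIG_RULE_NOTIFICATIONS))
```

Each function maps to a search you would write in Splunk over the corresponding sourcetype; the point for the licence question is that aws:config and aws:config:notification inventory snapshots are bulky but rarely drive alerts, whereas these three feeds are where the detections live.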
Hi, thanks for the details below. Could you please let me know whether you have created any use cases for AWS logs? If yes, could you please provide me those use case details?
Thanks in advance
Hi @vikkysplunk
Please check this blog for the security use cases; it is awesome!
This page is for the GuardDuty use cases:
https://www.chrisfarris.com/post/reinforce-threat-hunting/
And this link is for CloudTrail:
https://www.chrisfarris.com/post/reinvent2019-sec339/
Confirmation of the solution or karma given is appreciated
Hello @aasabatini
Thanks for the use case details below. In the same way, do you have any document for aws:cloudwatchlogs:vpcflow?