Changes made to AWS cloud infrastructure
Knowing what modifications have been made to cloud infrastructure resources, when they were made, and who made them can help you identify or isolate the origin of a problem or incident. You need a search that shows what changes have been made to AWS resources.
Data required
AWS: CloudTrail logs
Procedure
To optimize the search shown below, you should specify an index and a time range.
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="aws:cloudtrail" readOnly=False |eval requestParameters=mvindex(split(mvindex(split(_raw, "\"requestParameters\":"),1),"\"responseElements\":"),0) |table _time src requestParameters
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
|
Search only AWS CloudTrail data. |
readOnly=False |
Filter to Depending on the type of changes being reported in Cloudtrail logs, you may want to add additional filters. For instance adding ( |
|
Divide the full text into two parts using The text of the event is a JSON document and the entire text is in the |
|
Display the results in a table with columns in the order shown. |
Next steps
Sample results for this search are shown in the table below. The table shows the time of the event, the src
or host
the changes were made on, and all the request parameters extracted by the search. This is a way of gaining understanding of the activity taking place on your AWS cloud. For example, you can see that ipPermissions
were changed for tcp port 22 on the 204.107.141.244 src (host)
.
_time |
src |
requestParameters |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You can update the table to show additional fields, such as the following:
|table _time eventName userIdentity.arn userIdentity.userName src requestParameters
You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.