Skip to main content
 
 
 
Splunk Lantern

Analyzing AWS service action errors

 

CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Any user, role, or service that attempts successfully or unsuccessfully to act as a service in AWS will generate a log containing information about that event. You want to use errors in those logs not only for alerting, but for proactive security hunting.

Data required

Amazon Web Services: CloudTrail

How to use Splunk software for this use case

  1. Run the following search. You can optimize it by specifying an index and adjusting the time range

    sourcetype=aws:cloudtrail
    |stats count BY errorCode
    |sort - count
  2. After you find errors you want to investigate, run the following search:
    sourcetype=aws:cloudtrail errorCode=<error name>
    |table awsregion eventName userName src_ip userAgent errorMessage

Search explanation

Splunk Search Explanation
sourcetype=aws:cloudtrail Search only AWS CloudTrail logs.
|stats count BY errorCode Calculate a count total for each error code.
|sort - count Sort with the most frequently occurring first.
errorCode=<error name> Search for more information on a specific error.
|table awsregion eventName userName src_ip userAgent errorMessage Display the results in a table with columns in the order shown.

Next steps

This additional Splunk resource might help you understand and implement these recommendations:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.