CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Every API call made by a user, role, or AWS service, whether it succeeds or fails, is recorded as a CloudTrail event (management events are logged by default; data events such as S3 object-level calls must be enabled separately). Failed calls carry an errorCode and an errorMessage field. You can use those error fields not only for alerting, but for proactive threat hunting: a burst of AccessDenied errors from one principal or source IP is a common early sign of credential misuse or permission enumeration.
How to use Splunk software for this use case
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=aws:cloudtrail |stats count BY errorCode |sort - count
- After you find errors you want to investigate, run the following search:
sourcetype=aws:cloudtrail errorCode=<error name> |table awsregion eventName userName src_ip userAgent errorMessage
| Splunk Search | Explanation |
|---|---|
| `sourcetype=aws:cloudtrail` | Search only AWS CloudTrail logs. |
| `\| stats count BY errorCode` | Calculate a count total for each error code. |
| `\| sort - count` | Sort with the most frequently occurring first. |
| `errorCode=<error name>` | Search for more information on a specific error. |
| `\| table awsregion eventName userName src_ip userAgent errorMessage` | Display the results in a table with columns in the order shown. |
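To show what the two searches above actually compute, here is an added Python example that runs the same logic over a constructed CloudTrail delivery file. It is not Splunk code and not part of the original page. It assumes the raw CloudTrail JSON field names (awsRegion, sourceIPAddress, userIdentity.userName); the Splunk Add-on for AWS renames those to awsregion, src_ip and userName, which is why the SPL uses the shorter names. The fallback from userName to the principal ARN for role sessions is an addition beyond the SPL, which would simply show an empty userName for assumed-role events.

```python
import json
from collections import Counter

# Constructed sample CloudTrail delivery file (not real logs). CloudTrail
# writes files to S3 as {"Records": [...]}. Successful calls have no
# errorCode; failed calls carry errorCode and errorMessage.
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not "
                     "authorized to perform: s3:GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "ListBuckets", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "DescribeSecurityGroups", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Role sessions have no userIdentity.userName, only an ARN.
    {"eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.44", "userAgent": "aws-sdk-go/1.50.0",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session"}},
]})


def load_records(text):
    """Parse a CloudTrail delivery file ({"Records": [...]}) or a bare event list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def count_by_error_code(events):
    """Equivalent of `stats count BY errorCode | sort - count`.

    Events without an errorCode (successful calls) are dropped, just as
    `stats ... BY errorCode` drops events that lack the split-by field.
    Returns a list of (errorCode, count), most frequent first.
    """
    counts = Counter(e["errorCode"] for e in events if "errorCode" in e)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def principal_name(identity):
    """IAM users carry userName; assumed-role sessions do not, so fall back
    to the session ARN (the SPL would leave userName empty for those)."""
    return identity.get("userName") or identity.get("arn")


def drill_down(events, error_code):
    """Equivalent of `errorCode=<name> | table awsregion eventName userName
    src_ip userAgent errorMessage`, using the Splunk add-on field names."""
    rows = []
    for e in events:
        if e.get("errorCode") != error_code:
            continue
        rows.append({
            "awsregion": e.get("awsRegion"),
            "eventName": e.get("eventName"),
            "userName": principal_name(e.get("userIdentity", {})),
            "src_ip": e.get("sourceIPAddress"),
            "userAgent": e.get("userAgent"),
            "errorMessage": e.get("errorMessage"),
        })
    return rows


def main():
    events = load_records(SAMPLE_CLOUDTRAIL_FILE)
    print("count  errorCode")
    for code, n in count_by_error_code(events):
        print(f"{n:5d}  {code}")
    print("\nAccessDenied events:")
    for row in drill_down(events, "AccessDenied"):
        print(row)


if __name__ == "__main__":
    main()
```

Running the script prints AccessDenied first (three events, two of them from the same source IP and user in different regions, which is exactly the pattern worth pivoting on) and then the per-event table for that code. To use it on real data, point `load_records` at the gunzipped contents of a CloudTrail object from S3.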
These additional Splunk resources might help you understand and implement these recommendations:
- Blog: Digital breadcrumbs for AWS
- Blog: Using Splunk to detect abuse of AWS permanent and temporary credentials