Splunk Lantern

Analyzing AWS service action errors

Applicability

  • Product: Splunk Enterprise or Splunk Cloud Platform
  • Feature: Search
  • Function: AWS service actions

Problem

CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Any user, role, or service that attempts an action against an AWS service, whether the attempt succeeds or fails, generates a log record containing information about that event. You want to use the errors in those logs not only for alerting, but also for proactive security hunting.

Solution

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:

    sourcetype=aws:cloudtrail
    |stats count BY errorCode
    |sort - count

  2. After you find errors you want to investigate, run the following search:

    sourcetype=aws:cloudtrail errorCode=<error name>
    |table awsregion eventName userName src_ip userAgent errorMessage
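The same two-stage triage, carried out offline in Python over a handful of raw CloudTrail records, as an added example that is not part of the original article or Splunk's own code. It assumes that Splunk's userName and src_ip fields are derived from the CloudTrail userIdentity.userName and sourceIPAddress keys, and the sample records are constructed, not real events.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real data). Only the keys used
# by the searches on this page are populated. The last record is a successful
# call with no errorCode, so 'stats count BY errorCode' would drop it.
SAMPLE_RECORDS = [
    {"awsRegion": "us-east-1", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.10",
     "userAgent": "aws-cli/2.0", "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"awsRegion": "us-east-1", "eventName": "GetObject",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "198.51.100.11",
     "userAgent": "Boto3/1.26", "errorCode": "AccessDenied",
     "errorMessage": "Access Denied"},
    {"awsRegion": "eu-west-1", "eventName": "AssumeRole",
     "userIdentity": {"userName": "svc-deploy"}, "sourceIPAddress": "203.0.113.5",
     "userAgent": "aws-sdk-go/1.44", "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform sts:AssumeRole"},
    {"awsRegion": "us-west-2", "eventName": "ListBuckets",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.10",
     "userAgent": "aws-cli/2.0"},
]


def count_by_error_code(records):
    """Stage 1: '|stats count BY errorCode |sort - count'.
    Records without an errorCode (successful calls) are skipped."""
    counts = Counter(r["errorCode"] for r in records if "errorCode" in r)
    # Most frequent first; ties broken by name so the order is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def table_for_error_code(records, error_code):
    """Stage 2: 'errorCode=<error name> |table awsregion eventName userName
    src_ip userAgent errorMessage'. Field names follow Splunk's column names;
    the mapping from raw CloudTrail keys is an assumption (see lead-in)."""
    rows = []
    for r in records:
        if r.get("errorCode") != error_code:
            continue
        rows.append({
            "awsregion": r.get("awsRegion"),
            "eventName": r.get("eventName"),
            "userName": r.get("userIdentity", {}).get("userName"),
            "src_ip": r.get("sourceIPAddress"),
            "userAgent": r.get("userAgent"),
            "errorMessage": r.get("errorMessage"),
        })
    return rows


if __name__ == "__main__":
    for code, n in count_by_error_code(SAMPLE_RECORDS):
        print(f"{n:>5}  {code}")
    for row in table_for_error_code(SAMPLE_RECORDS, "AccessDenied"):
        print(row)
```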

Explanations

Splunk Search                                                       Explanation

sourcetype=aws:cloudtrail                                           Search only AWS CloudTrail logs.
|stats count BY errorCode                                           Calculate a count total for each error code.
|sort - count                                                       Sort with the most frequently occurring first.
errorCode=<error name>                                              Search for more information on a specific error.
|table awsregion eventName userName src_ip userAgent errorMessage   Display the results in a table with columns in the order shown.

Additional resources

These additional Splunk resources might help you understand and implement these recommendations: