Using ingest actions to filter AWS CloudTrail logs
AWS CloudTrail logs can pose challenges for Splunk Cloud Platform users because of their volume and complexity. These logs, while rich in information, can inundate cloud environments, producing a lot of noise and leading to inefficiencies. This article introduces a strategic approach to filter AWS CloudTrail logs using ingest actions to ensure that only relevant data reaches your cloud environment, which will enhance query efficiency and speed up delivery of results.
Ingest actions offer a sophisticated toolkit for refining data at the point of ingestion. This feature allows you to selectively process logs based on predefined criteria, significantly improving data quality and operational efficiency.
For comprehensive details and guidelines on the prerequisites and capabilities of ingest actions, see Ingest actions requirements.
To follow the steps below, you'll need to ensure the Splunk Add-on for Amazon Web Services is installed and configured, as well as verify that you have access to ingest actions with appropriate role permissions.
When managing AWS CloudTrail logs, it’s important to filter out low-value data, retain high-value events, and trim unnecessary fields to reduce storage costs and improve search performance in Splunk.
In addition to filtering and trimming, storing raw or infrequently accessed log data in Amazon S3 is a smart strategy for long-term retention or compliance, while keeping only high-priority data in Splunk for real-time analysis.
Interested in security use cases for CloudTrail logs in S3? Check out Detection: AWS Excessive Security Scanning.
To see samples, go to: AWS CloudTrail Log file examples.
Store logs
You'll filter events based on the eventName field in CloudTrail logs. The following API descriptors are ideal candidates for offloading to S3:
- List*: These calls return detailed lists (e.g., ListBuckets, ListUsers) that are overly verbose. The volume of List calls is more valuable for detection than their contents.
- Get*: These read operations (e.g., GetObject, GetRole) are frequent and often do not indicate risk. The count of Get calls is useful for behavior baselining, not the full payload.
- Describe*: These calls (e.g., DescribeInstances, DescribeSecurityGroups) return static configuration data. This information is typically not actionable in fraud detection workflows.
Drop logs
You'll filter events based on the eventName field in CloudTrail logs. The following API descriptors should be dropped:
- List*: This response is overly verbose. The list is not critical in troubleshooting; instead, the count of List API calls is more valuable.
- Get*: This response is overly verbose. The response is not critical in troubleshooting; instead, the count of Get API calls is more valuable.
- Describe*: This response is overly verbose, and returns static configuration data. The actual description of a service is not critical in troubleshooting.
Trim logs
The following fields are not required for troubleshooting and can be trimmed:
- .responseElements.credentials.sessionToken: Temporary token generated for that session.
- .requestParameters.resultToken: An encrypted token that associates an evaluation with an AWS Config rule.
These fields can likely be trimmed due to their low value, high cardinality, and because they do not assist with troubleshooting.
Configuring ingest actions to store logs in S3
For Splunk Cloud Platform, follow these steps to create a ruleset:
- Navigate to Settings > Data > Ingest Actions.
- Click to create a New Ruleset and provide a Ruleset Name. An example of this is AWS_CLOUDTRAIL_LOGS_GET_LIST_DESC_S3_ROUTING_RULESET.
- Identify and select the appropriate data source for your logs, such as aws:cloudtrail. If you're using Splunk Data Manager, select Select source type from list and, in the next option titled Source Type, select the source type assigned in the input created from Data Manager. The ingest action rule will be applied to the specific source type assigned to the data coming in from the Data Manager, dropping events in this scenario.
- Click + Add Rule > Route > Route with regular expression.
- Set Source Field as _raw.
- Set Match Regular Expression as List|Get|Describe.
- Set Action to Route to Amazon S3.
- Choose or configure your S3 destination (e.g., a designated low-priority CloudTrail bucket).
- Click Apply. Ensure that the filter correctly filters the events. You can view this on the right-hand side. The events highlighted in red will be dropped before data is ingested.
- Click Save to save the new ruleset.
Configuring ingest actions to drop logs
For Splunk Cloud Platform, perform these steps to create a ruleset:
- Navigate to Settings > Data > Ingest Actions.
- Click to create a New Ruleset and provide a Ruleset Name. An example of this is AWS_CLOUDTRAIL_LOGS_GET_LIST_DESC_FILTER_RULESET.
- Identify and select the appropriate data source for your logs, such as aws:cloudtrail. If you're using Splunk Data Manager, select Select source type from list and, in the next option titled Source Type, select the source type assigned in the input created from Data Manager. The ingest action rule will be applied to the specific source type assigned to the data coming in from the Data Manager, dropping events in this scenario.
- Select + Add Rule > Filter > Filter with regular expression to start the filtering process.
- Set Source Field as _raw.
- Set Drop Events Matching Regular Expression as List|Get|Describe.
- Click Apply.
- Ensure that the filter correctly filters the events. You can view this on the right-hand side. The events highlighted in red will be dropped before data is ingested.
- Click Save to save the new ruleset.
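Both the routing ruleset and the drop ruleset above apply the regular expression List|Get|Describe to the whole _raw event, so the rule fires on any event whose text contains one of those words, not only on events whose eventName starts with them. The following Python is an added illustration (not Splunk code and not part of this article's procedure) that runs the article's pattern and a field-anchored alternative over a handful of constructed CloudTrail records, so you can see where the two decisions differ before committing a ruleset. It assumes, as the Splunk Add-on for AWS delivers them, that each _raw event is a JSON record with a quoted "eventName" key; the event values are made up.

```python
import json
import re

# Constructed sample CloudTrail records (made-up values, not real account data).
# Each one stands in for a single _raw event as the Splunk Add-on for AWS delivers it.
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1"},
    {"eventName": "GetRole", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1"},
    # A high-value write event whose raw text contains "Get" only inside a bucket name.
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
     "requestParameters": {"bucketName": "GetawayPhotos"}},
]

# The pattern the article uses on _raw: it matches the three words anywhere in the event.
NAIVE_RE = re.compile(r"List|Get|Describe")

# A field-anchored alternative (assumption: the event is JSON with a quoted "eventName"
# key, which is how CloudTrail records look in _raw). It only matches when eventName
# itself starts with one of the prefixes.
ANCHORED_RE = re.compile(r'"eventName"\s*:\s*"(?:List|Get|Describe)')


def to_raw(event: dict) -> str:
    """Serialise an event the way it would appear in _raw (compact JSON)."""
    return json.dumps(event, separators=(",", ":"))


def decision(raw: str, pattern: re.Pattern) -> str:
    """'offload' when the rule matches (route to S3 / drop), else 'keep' (index in Splunk)."""
    return "offload" if pattern.search(raw) else "keep"


def compare_rules(events):
    """Map eventName -> (naive decision, anchored decision) so the two rules can be compared."""
    return {
        ev["eventName"]: (decision(to_raw(ev), NAIVE_RE), decision(to_raw(ev), ANCHORED_RE))
        for ev in events
    }


def prefix_counts(events, pattern=ANCHORED_RE):
    """Count offloaded events per API prefix. The article notes that the count, not the
    payload, is what stays useful once List/Get/Describe events leave Splunk."""
    counts = {"List": 0, "Get": 0, "Describe": 0}
    for ev in events:
        if pattern.search(to_raw(ev)):
            for prefix in counts:
                if ev["eventName"].startswith(prefix):
                    counts[prefix] += 1
                    break
    return counts


if __name__ == "__main__":
    for name, (naive, anchored) in compare_rules(SAMPLE_EVENTS).items():
        flag = "  <-- differs" if naive != anchored else ""
        print(f"{name:20} naive={naive:8} anchored={anchored:8}{flag}")
    print(prefix_counts(SAMPLE_EVENTS))
```

Run it and the PutBucketPolicy record is the one that separates the two rules: the unanchored pattern offloads it because the bucket name contains "Get", while the anchored pattern keeps it. Whichever pattern you choose, the preview pane on the right-hand side of the ruleset editor is where to confirm the same thing against your own live data before you click Save.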
Configuring ingest actions to trim logs
For Splunk Cloud Platform, perform these steps to create a ruleset:
- Navigate to Settings > Data > Ingest Actions.
- Click to create a New Ruleset and provide a Ruleset Name. Two examples of this are AWS_CLOUDTRAIL_LOGS_SESSIONTOKEN_TRIM_RULESET and AWS_CLOUDTRAIL_LOGS_RESULTTOKEN_TRIM_RULESET.
- Identify and select the appropriate data source for your logs, such as aws:cloudtrail.
- Select + Add Rule > Mask > Mask with Regex to start the trimming process.
- Set Match Regular Expression to the field being trimmed by that ruleset:
.responseElements.credentials.sessionToken
.requestParameters.resultToken
- In Replace Expression enter a blank space.
- Click Apply.
- Ensure that the filter correctly trims the events. You can view this on the right-hand side. The red highlighted events will be trimmed before being ingested.
- Click Save to save the new ruleset.
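The Mask rule above is applied to _raw text, while the two patterns the article lists are written as dotted field paths. The Python below is an added illustration, not Splunk code and not part of this article's procedure: it shows a regex that matches each token's key/value pair as it is actually written in raw CloudTrail JSON and replaces only the value, then re-parses the result to confirm the event is still well-formed. The AssumeRole-style event and its token values are constructed; the field names sessionToken and resultToken are the last components of the paths the article trims.

```python
import json
import re

# Constructed AssumeRole-style event (made-up values) carrying the two fields the article trims.
SAMPLE_RAW = json.dumps({
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "responseElements": {
        "credentials": {
            "accessKeyId": "ASIAEXAMPLEKEYID",
            "sessionToken": "FQoGZXIvYXdzEXAMPLESESSIONTOKEN",
            "expiration": "Jan 1, 2030 12:00:00 AM",
        }
    },
    "requestParameters": {"resultToken": "AQEBEXAMPLERESULTTOKEN"},
}, separators=(",", ":"))

# Fields to trim, as JSON key names. The article lists them as dotted paths
# (.responseElements.credentials.sessionToken); on _raw text the regex has to match the
# key/value pair as it is actually written, so we key on the last path component.
TRIM_FIELDS = ("sessionToken", "resultToken")


def value_pattern(field: str) -> re.Pattern:
    """Regex for a JSON string field: group 1 is the key and opening quote, group 2 the
    value (allowing backslash escapes inside it), group 3 the closing quote."""
    return re.compile(r'("%s"\s*:\s*")((?:[^"\\]|\\.)*)(")' % re.escape(field))


def mask_fields(raw: str, fields=TRIM_FIELDS, placeholder: str = "[masked]") -> str:
    """Replace only the value of each listed field, keeping the key so the event is
    still well-formed JSON and automatic JSON field extraction keeps working."""
    for field in fields:
        raw = value_pattern(field).sub(lambda m: m.group(1) + placeholder + m.group(3), raw)
    return raw


def masked_event(raw: str, fields=TRIM_FIELDS) -> dict:
    """Mask and re-parse; raises ValueError if masking ever broke the JSON structure."""
    return json.loads(mask_fields(raw, fields))


if __name__ == "__main__":
    print(json.dumps(masked_event(SAMPLE_RAW), indent=2))
```

Keeping the key and replacing only the value is a deliberate choice: it leaves the event parseable, so searches on the surrounding credentials fields (accessKeyId, expiration) still work, and it removes the high-cardinality token text that the article identifies as low value. The re-parse in masked_event is the check worth carrying over to the ruleset preview: confirm the trimmed events on the right-hand side still look like valid JSON before saving.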
You now have successfully configured ingest actions to filter out unnecessary verbosity from AWS CloudTrail Logs and streamline your data before it enters Splunk Cloud Platform.
Next steps
These resources might help you understand and implement this guidance:
- Gist: AWS CloudTrail event names
- Splunk Docs: Use ingest actions to improve the data input process