Analyzing AWS service action errors
CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Any user, role, or service that attempts an action in AWS, whether the attempt succeeds or fails, generates a log entry containing information about that event. You want to use the errors in those logs not only for alerting, but also for proactive security hunting.
Amazon Web Services: CloudTrail
How to use Splunk software for this use case
- Run the following search. You can optimize it by specifying an index and adjusting the time range:
  sourcetype=aws:cloudtrail |stats count BY errorCode |sort - count
- After you find errors you want to investigate, run the following search:
  sourcetype=aws:cloudtrail errorCode=<error name> |table awsregion eventName userName src_ip userAgent errorMessage
| Splunk search | Explanation |
| --- | --- |
| sourcetype=aws:cloudtrail | Search only AWS CloudTrail logs. |
| \|stats count BY errorCode | Calculate a count total for each error code. |
| \|sort - count | Sort with the most frequently occurring first. |
| errorCode=<error name> | Search for more information on a specific error. |
| \|table awsregion eventName userName src_ip userAgent errorMessage | Display the results in a table with columns in the order shown. |
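The two searches above are a two-step triage: count errors by `errorCode`, then drill into one code and tabulate who, from where, and with what client. The following Python script is an added example, not part of the Splunk page or the AWS add-on, that performs the same two steps directly on raw CloudTrail JSON so you can see which raw CloudTrail fields stand behind the Splunk field names (`userName`, `src_ip`, `awsregion`). The records are constructed sample data, and the fallback from `userIdentity.userName` to `userIdentity.arn` for role sessions is this example's own choice, not how the Splunk add-on necessarily maps the field.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log (not real data). CloudTrail delivers events
# as a JSON object with a "Records" array; only the fields the searches on this
# page use are included. Successful calls carry no errorCode at all.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.0",
     "errorCode": "AccessDenied",
     "errorMessage": "User: alice is not authorized to perform: ec2:DescribeInstances"},
    {"eventName": "ListBuckets", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.0",
     "errorCode": "AccessDenied",
     "errorMessage": "User: alice is not authorized to perform: s3:ListAllMyBuckets"},
    {"eventName": "GetSecretValue", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.26.0",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: secretsmanager:GetSecretValue"},
    {"eventName": "PutMetricData", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44", "userAgent": "aws-sdk-go/1.44.0",
     "errorCode": "ThrottlingException",
     "errorMessage": "Rate exceeded"},
    {"eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44", "userAgent": "aws-sdk-go/1.44.0"},
]})


def load_records(raw_json):
    """Parse a CloudTrail log file body and return its list of event records."""
    return json.loads(raw_json)["Records"]


def count_by_error_code(records):
    """Equivalent of `stats count BY errorCode | sort - count`.

    Successful events have no errorCode field and are left out of the count,
    just as Splunk's stats BY drops events where the field is missing.
    Returns a list of (errorCode, count) tuples, most frequent first.
    """
    counts = Counter(r["errorCode"] for r in records if "errorCode" in r)
    return counts.most_common()


def principal_name(record):
    """Map userIdentity to a single name. IAM users carry userName; role
    sessions do not, so this example (its own choice) falls back to the ARN."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn")


def table_error(records, error_code):
    """Equivalent of `errorCode=<error name> | table awsregion eventName
    userName src_ip userAgent errorMessage`, with raw CloudTrail field names
    mapped to the Splunk column names used on this page."""
    rows = []
    for r in records:
        if r.get("errorCode") != error_code:
            continue
        rows.append({
            "awsregion": r.get("awsRegion"),
            "eventName": r.get("eventName"),
            "userName": principal_name(r),
            "src_ip": r.get("sourceIPAddress"),
            "userAgent": r.get("userAgent"),
            "errorMessage": r.get("errorMessage"),
        })
    return rows


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    print("Step 1: errors by code")
    for code, n in count_by_error_code(recs):
        print(f"  {n:>4}  {code}")
    print("\nStep 2: drill into AccessDenied")
    for row in table_error(recs, "AccessDenied"):
        print("  " + " | ".join(str(row[k]) for k in
              ("awsregion", "eventName", "userName", "src_ip", "userAgent", "errorMessage")))
```

The `principal_name` step is where investigations often stall: an `AccessDenied` burst attributed to a role session rather than an IAM user needs the session ARN to trace back to the workload that assumed it, so keep the ARN in your results when `userName` is empty.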
This additional Splunk resource might help you understand and implement these recommendations:
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.