forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathget_all_aws_activity_from_city.yml
35 lines (35 loc) · 1.27 KB
/
get_all_aws_activity_from_city.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
name: Get All AWS Activity From City
id: 0abeeb40-1255-4b68-91d1-7a7eb410c4b8
version: 1
date: '2018-03-19'
author: David Dorsey, Splunk
type: Investigation
datamodel: []
description: This search retrieves all the activity from a specific city and will
create a table containing the time, city, ARN, username, the type of user, the source
IP address, the AWS region the activity was in, the API called, and whether or not
the API call was successful.
search: '`cloudtrail` | iplocation sourceIPAddress | search City=$City$ | spath output=user
path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath
output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table
_time, City, user, userName, userType, src_ip, awsRegion, eventName, errorCode'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
inputs.
known_false_positives: ''
references: []
tags:
analytic_story:
- AWS Suspicious Provisioning Activities
product:
- Splunk Phantom
required_fields:
- _time
- sourceIPAddress
- userIdentity.arn
- userIdentity.userName
- userIdentity.type
- awsRegion
- eventName
- errorCode
security_domain: network