get_all_aws_activity_from_ip_address.yml
name: Get All AWS Activity From IP Address
id: 446ec87a-85c6-40d4-b060-bea4498281d6
version: 1
date: '2018-03-19'
author: David Dorsey, Splunk
type: Investigation
status: deprecated
description: This search retrieves all the activity from a specific IP address and
  will create a table containing the time, ARN, username, the type of user, the IP
  address, the AWS region the activity was in, the API called, and whether or not
  the API call was successful.
search: '`cloudtrail` | iplocation sourceIPAddress | search src_ip=$src_ip$ | spath
  output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName
  | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip
  | table _time, user, awsUserName, userType, src_ip, awsRegion, eventName, errorCode'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
  inputs.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - AWS Network ACL Activity
  - AWS Suspicious Provisioning Activities
  - Suspicious AWS S3 Activities
  - Suspicious AWS Traffic
  - Suspicious Cloud Instance Activities
  - Command And Control
  product:
  - Splunk Phantom
  security_domain: network
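A common way an investigation search like this silently loses data is a `table` column that no earlier stage ever produces: the column renders empty and nobody notices. The script below is an added example written for this page, not code from Splunk's security_content project or the Splunk Add-on for AWS. It walks an SPL pipeline stage by stage, tracks which fields `spath`, `rename` and `iplocation` make available, and reports any `table` column that is never produced. The constructed `ORIGINAL_SEARCH` string reproduces a version of this search whose `table` asks for `userName` while `spath` writes `awsUserName`; `FIXED_SEARCH` uses the matching name. The `RAW_FIELDS` set, including the assumption that the add-on aliases `sourceIPAddress` to `src_ip` before the `search` stage, is an assumption for the example, and only the three commands named above are modelled.

```python
import re

# Constructed copy of the investigation search, with a table column that does
# not match the field name written by spath (awsUserName vs. userName).
ORIGINAL_SEARCH = (
    "`cloudtrail` | iplocation sourceIPAddress | search src_ip=$src_ip$ | spath "
    "output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName "
    "| spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip "
    "| table _time, user, userName, userType, src_ip, awsRegion, eventName, errorCode"
)

# Same pipeline with the table column corrected to the field spath produces.
FIXED_SEARCH = ORIGINAL_SEARCH.replace(
    "table _time, user, userName,", "table _time, user, awsUserName,"
)

# Assumption: fields present on an aws:cloudtrail event before the pipeline runs.
# src_ip is assumed to come from the add-on's CIM field aliasing of
# sourceIPAddress; drop it here if your deployment does not alias that field.
RAW_FIELDS = frozenset(
    {"_time", "sourceIPAddress", "src_ip", "awsRegion", "eventName", "errorCode"}
)

# Default output fields of the iplocation command.
IPLOCATION_FIELDS = ("City", "Country", "Region", "lat", "lon")


def split_stages(spl):
    """Split an SPL string on the pipe character into trimmed stages."""
    return [s.strip() for s in spl.split("|") if s.strip()]


def available_fields(spl, raw=RAW_FIELDS):
    """Return the set of fields available after the whole pipeline has run.

    Only spath, rename and iplocation are modelled; every other command is
    treated as leaving the field set unchanged.
    """
    fields = set(raw)
    for stage in split_stages(spl):
        tokens = stage.split()
        cmd = tokens[0].lower()
        if cmd == "spath":
            # spath output=X path=Y writes X; without output= it writes the path name.
            opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            name = opts.get("output") or opts.get("path")
            if name:
                fields.add(name)
        elif cmd == "rename":
            # rename A as B (comma-separated pairs allowed): B replaces A.
            pairs = re.findall(r"(\S+)\s+as\s+(\S+)", " ".join(tokens[1:]), flags=re.I)
            for old, new in pairs:
                fields.discard(old.rstrip(","))
                fields.add(new.rstrip(","))
        elif cmd == "iplocation":
            fields.update(IPLOCATION_FIELDS)
    return fields


def table_fields(spl):
    """Return the column list requested by the last table command, if any."""
    for stage in reversed(split_stages(spl)):
        tokens = stage.split(None, 1)
        if tokens[0].lower() == "table" and len(tokens) > 1:
            return [f.strip() for f in tokens[1].split(",") if f.strip()]
    return []


def missing_table_fields(spl, raw=RAW_FIELDS):
    """Columns the table asks for that no modelled stage (or raw event) supplies."""
    have = available_fields(spl, raw)
    return [f for f in table_fields(spl) if f not in have]


if __name__ == "__main__":
    for label, spl in (("original", ORIGINAL_SEARCH), ("fixed", FIXED_SEARCH)):
        print(f"{label}: missing table columns = {missing_table_fields(spl)}")
```

Running the script reports `['userName']` for the original pipeline and an empty list for the corrected one. The same check can be pointed at any content YAML's `search` value after loading it, which is a cheap guard to run in CI before a search is promoted to a production app.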