To set up the Splunk app, follow the standard Splunk steps to install an app from the provided .spl file.
Once the app has been installed, the alerts are by default set up to use the following base searches, which should be customized for your environment via Advanced Search > Search macros for the app:
aws_cloudtrail_search
Update this macro to use the correct index/sourcetype. The default value is: index=main sourcetype="aws:cloudtrail"
aws_cloudtrail_rename_fields
Update this macro if any field mappings are not correct.
Please note that the alerts are templates only, following the MITRE ATT&CK framework, and may need to be baselined for your AWS environment.
Each alert configured in the AWS Security Monitoring app for Splunk executes every hour by default. Alerts that are triggered are appended to an alerts.csv file within the app, and the Splunk dashboard is updated accordingly with these alerts.
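The following configuration fragment is an added illustration of how the two macros and one of the scheduled alerts fit together; it is not taken from the app's own macros.conf or savedsearches.conf. The macro definitions, the rename field list, the CloudTrail event names matched (DeleteTrail and StopLogging, the API calls that remove or stop a trail), and the output field list are assumptions used to show the pattern; the actual app contents may differ.

```ini
# macros.conf (illustrative, not the app's own file)
# Base search: point this at the index/sourcetype where your CloudTrail data lives.
[aws_cloudtrail_search]
definition = index=main sourcetype="aws:cloudtrail"

# Field normalisation shared by every alert. Field names on the right-hand side are assumed.
# Using coalesce() keeps the macro from producing empty fields when a nested field is absent.
[aws_cloudtrail_rename_fields]
definition = eval user=coalesce('userIdentity.userName', 'userIdentity.arn', "unknown"), src_ip=coalesce(sourceIPAddress, "unknown")

# savedsearches.conf (illustrative scheduled alert following the app's naming convention)
# Runs once an hour over the previous hour of data and appends hits to alerts.csv inside the app,
# which is the file the dashboard reads.
[aws_detect_cloudtrail_trail_deleted]
search = `aws_cloudtrail_search` eventSource="cloudtrail.amazonaws.com" eventName IN ("DeleteTrail", "StopLogging") \
    | `aws_cloudtrail_rename_fields` \
    | eval alert="aws_detect_cloudtrail_trail_deleted" \
    | table _time, alert, user, src_ip, awsRegion, eventName, errorCode \
    | outputlookup append=true alerts.csv
cron_schedule = 0 * * * *
enableSched = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
```

When baselining for your environment, the base search macro is the only place the index and sourcetype need to change; every alert inherits it. Keeping errorCode in the output lets you distinguish a successful trail deletion from a denied attempt, which is usually the first thing an analyst wants to know when triaging this alert.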
To emulate the alerts, refer to the following link which contains details about all supported alerts, and how to emulate them.
Added alerts:
aws_detect_iam_login_profile_update
aws_detect_iam_login_profile_create
aws_detect_ecr_image_auth_token_get
aws_detect_ecr_new_repo_image_create
Added 1 alert for aws_detect_ec2_ssh_public_key_addition
Added 2 new alerts - aws_detect_iam_group_added_with_user_from_ec2, aws_detect_ec2_instances_run
Added alert (aws_detect_iam_default_policy_version_set)
Added new alerts aws_detect_iam_group_added_with_user, aws_detect_iam_new_policy_version_assignment
Added new alerts: aws_detect_iam_password_policy_enumeration, aws_detect_iam_password_policy_update
Added 4 new alerts -
aws_detect_s3_cloudtrail_bucket_lifecycle_rule_applied
aws_detect_ec2_vpc_flow_config_deleted
aws_detect_cloudwatch_log_stream_delete
aws_detect_cloudwatch_log_group_delete
Added new alerts aws_detect_signin_credential_stuffing, aws_detect_iam_user_created, aws_detect_iam_user_deleted, aws_detect_iam_accesskey_created, aws_detect_iam_accesskey_deleted
Fixed userIdentity.userName field in renaming search macro for consistency
Added alert for detection of CloudTrail logging being disabled through deletion of the trail (aws_detect_cloudtrail_trail_deleted)
Added alert for detection of GuardDuty finding suppression (aws_detect_guardduty_suppression_filter_creation)
Added alert for archiving of GuardDuty findings (aws_detect_guardduty_archive_findings)
Added new alert aws_detect_lambda_function_deletion_serverless_execution
Fixed the field renaming macro so that empty fields don't break the body field
Added an alert for AWS serverless execution (aws_detect_lambda_function_creation_serverless_execution)
Added alerts aws_detect_guardduty_disable, aws_detect_cloud_infrastructure_discovery_via_golang_smogcloud