-
Notifications
You must be signed in to change notification settings - Fork 375
/
Copy pathget_all_aws_activitiy_from_country.json
52 lines (52 loc) · 1.74 KB
/
get_all_aws_activitiy_from_country.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
{
"creation_date": "2018-03-19",
"data_metadata": {
"data_source": [
"AWS CloudTrail logs"
],
"data_sourcetypes": [
"aws:cloudtrail"
],
"providing_technologies": [
"AWS"
]
},
"description": "This search retrieves all the activity from a specific country and will create a table containing the time, country, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful.",
"entities": [
"Country"
],
"how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.",
"id": "e763cdb9-00da-41e0-9bda-444debc9501a",
"investigate": {
"splunk": {
"fields_required": [
"Country"
],
"schedule": {
"cron_schedule": "",
"earliest_time": "14400",
"latest_time": "0"
},
"search": "| search sourcetype=aws:cloudtrail | iplocation sourceIPAddress | search Country={Country} | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Country, user, userName, userType, src_ip, awsRegion, eventName, errorCode"
}
},
"maintainers": [
{
"company": "Splunk",
"email": "davidd@splunk.com",
"name": "David Dorsey"
}
],
"modification_date": "2018-03-19",
"name": "Get All AWS Activity From Country",
"original_authors": [
{
"company": "Splunk",
"email": "davidd@splunk.com",
"name": "David Dorsey"
}
],
"spec_version": 2,
"type": "splunk",
"version": "1.0"
}