Detect AWS API Activities From Unapproved Accounts


This search looks for successful CloudTrail activity by user accounts that are not listed in the identity table or aws_service_accounts.csv. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.


Detect AWS API Activities From Unapproved Accounts Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You must also populate the identity_lookup_expanded lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called "Create a list of approved AWS service accounts": run it once every 30 days to create and validate a list of service accounts.\ This search produces fields (eventName,firstTime,lastTime) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n1. Label: AWS Event Name, Field: eventName\ 1. \ 1. Label: First Time, Field: firstTime\ 1. \ 1. Label: Last Time, Field: lastTime\ Detailed documentation on how to create a new field within Incident Review may be found here:


Open in Search

   Baseline Generation Searches

This detection relies on the following search to generate the baseline lookup.

  • Create a list of approved AWS service accounts