Detect New API Calls From User Roles
This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is
Detect New API Calls From User Roles Help
You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously seen API call per user roles in CloudTrail" support search once to create a history of previously seen user roles.
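The first-seen logic described above, as an added Python example; it is not the Splunk search or the support search this page refers to. It assumes that role sessions are recognised by `userIdentity.sessionContext.sessionIssuer` and that "new" means the (role, API call) pair is absent from the baseline. The events, role ARN and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ROLE = "arn:aws:iam::111122223333:role/ci-deployer"  # constructed sample role

def event(time, call, role=ROLE):
    """Build a constructed, minimal CloudTrail record (sample data only)."""
    identity = {"type": "IAMUser", "userName": "alice"}  # no sessionIssuer
    if role:
        identity = {"sessionContext": {"sessionIssuer": {"type": "Role", "arn": role}}}
    return {"eventTime": time, "eventName": call, "userIdentity": identity}

def role_and_call(ev):
    """Return (role ARN, API name) for a role session, or None otherwise."""
    issuer = ev["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {})
    return (issuer["arn"], ev["eventName"]) if issuer.get("type") == "Role" else None

def when(ev):
    """Parse the CloudTrail eventTime string into an aware UTC datetime."""
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_baseline(history):
    """Support step: record the first time each (role, API call) pair was seen."""
    baseline = {}
    for ev in history:
        key = role_and_call(ev)
        if key:
            baseline[key] = min(when(ev), baseline.get(key, when(ev)))
    return baseline

def detect_new_calls(events, baseline, now, window=timedelta(hours=1)):
    """Return pairs seen within `window` of `now` that the baseline lacks."""
    new = {}
    for ev in events:
        key = role_and_call(ev)
        if key and key not in baseline and now - window <= when(ev) <= now:
            new[key] = min(when(ev), new.get(key, when(ev)))
    baseline.update(new)  # remember them so the next run does not re-alert
    return sorted((call, role, t.isoformat()) for (role, call), t in new.items())

HISTORY = [event("2024-05-01T09:00:00Z", "PutObject"),
           event("2024-05-01T09:05:00Z", "DescribeInstances")]
RECENT = [event("2024-05-02T11:40:00Z", "DescribeInstances"),       # already in baseline
          event("2024-05-02T11:45:00Z", "CreateAccessKey"),         # first sighting
          event("2024-05-02T11:50:00Z", "CreateAccessKey"),         # repeat, one alert
          event("2024-05-02T11:55:00Z", "DeleteTrail", role=None),  # not a role session
          event("2024-05-02T09:00:00Z", "StopLogging")]             # outside the hour
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for alert in detect_new_calls(RECENT, build_baseline(HISTORY), NOW):
        print(alert)
```

Without a populated baseline every call in the window is reported as new, which is why the history has to be built once before the detection is scheduled.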