Security Groups for your VPC in Splunk Enterprise Security

Monitor security groups in your Amazon Web Services (AWS) environment so that you have visibility into your virtual firewalls and can manually detect any suspicious activity.

Security Group Dashboard

Use the Security Group Dashboard to monitor security group activity in the AWS environment, including error events, number of security groups and rules, any unused security groups, activity over time, and the detailed list of error activities.

Note: The Security Groups and Security Group Rules panels are snapshots based on the AWS Lambda ingestion interval of three hours. If no events occur during that interval, your dashboards continue to show data based on the last snapshot from three hours ago. Likewise, if no events occur during the time you've chosen in the time range picker, such as one hour, your dashboards still show data based on the last snapshot from three hours ago. See Data Ingestion Mechanisms and Intervals in Data Manager in the Data Manager User Manual.

To open the Security Group Dashboard:

  1. From the Splunk Enterprise Security menu bar, select Cloud Security.
  2. Click Security Groups.

The Security Group Dashboard includes the following panels:

Panel                                      | Source type     | Data model
-------------------------------------------|-----------------|-------------------------------------------------------------------
Error Events                               | aws:cloudtrail  | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes
Security Group Actions                     | aws:cloudtrail  | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes
Security Group Activity Over Time          | aws:cloudtrail  | datamodel=Change.All_Changes nodename=All_Changes.Network_Changes
Most Recent Security Group Activity        | aws:cloudtrail  | datamodel:"Change"."Network_Changes"
Most Recent Authorize and Revoke Activity  | aws:cloudtrail  | datamodel:"Change"."Network_Changes"
Security Group Error Activity              | aws:cloudtrail  | datamodel:"Change"."Network_Changes"
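Because every panel reads from the Change data model rather than from raw CloudTrail events, you can reproduce or extend a panel with your own search against the same data model. The two searches below are an added example, not the searches shipped with the app: the first uses the tstats form shown for the first three panels to count failed security group changes per hour, broken out by action and user; the second uses the from datamodel form shown for the last three panels to list the most recent failed changes with the object they targeted. The field names status, action, user, object and src are the standard Change data model fields (status takes the values success and failure); the sourcetype filter and the one-hour span are assumptions chosen to match the panels described above.

```spl
| tstats summariesonly=false count
    from datamodel=Change.All_Changes
    where nodename=All_Changes.Network_Changes
          sourcetype="aws:cloudtrail"
          All_Changes.status="failure"
    by _time span=1h, All_Changes.action, All_Changes.user
| rename All_Changes.* AS *
| sort - _time
```

The second search returns the same events as individual rows instead of hourly counts, which is the shape the "Most Recent" and "Error Activity" panels use:

```spl
| from datamodel:"Change"."Network_Changes"
| search sourcetype="aws:cloudtrail" status="failure"
| table _time user action object src
| sort - _time
| head 20
```

When you compare either search against the dashboard, remember the note above: the panels reflect the data model's last ingestion snapshot, so a search over a short time range can legitimately return no rows while the dashboard still shows counts from the previous three-hour window. If you enable summariesonly=true to speed up the tstats search, only data already accelerated into the Change data model is counted, so recent events that have not yet been summarized are omitted.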