Splunk Enterprise Security 7

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Documentation

Splunk Enterprise Security 7

Splunk Enterprise Security 7 Contents

Install

Administer

User Guide

7.3

Risk-Based Alerting

Tutorials and Use Cases

API Reference

Release Notes and Resources

Mission Control

Security Content Update

Splunk Security Essentials

Splunk App for Fraud Analytics

Splunk App for PCI Compliance

Common Information Model

Splunk Machine Learning Toolkit

User and Authentication Activity in Splunk Enterprise Security

Monitor your Amazon Web Services (AWS) user activity to uncover suspicious behaviors that may be associated with malicious activity, such as activity spikes or unusual events.

Use the IAM Activity Dashboard

Use the IAM Activity Dashboard to monitor user activity in your environment, including the error events, which users have the most activity, activity over time, and the detailed list of error activities.

From the Splunk Enterprise Security menu bar, select Cloud Security.
Click IAM Activity.

The IAM Activity Dashboard includes the following panels:


Panel	Source Type	Datamodel
Error Events	`aws:cloudtrail`	`datamodel=Change.All_Changes` `nodename=All_Changes.Account_Management`
Activity by User	`aws:cloudtrail`	`datamodel=Change.All_Changes` `nodename=All_Changes.Account_Management`
IAM Actions	`aws:cloudtrail`	`datamodel=Change.All_Changes` `nodename=All_Changes.Account_Management`
IAM Actions Over Time	`aws:cloudtrail`	`datamodel=Change.All_Changes` `nodename=All_Changes.Account_Management`
Success vs. Failure Activity	`aws:cloudtrail`	`datamodel=Change.All_Changes` `nodename=All_Changes.Account_Management`
Most Recent IAM Activity	`aws:cloudtrail`	`datamodel:"Change.Account_Management"`
IAM Error Activity	`aws:cloudtrail`	`datamodel:"Change.Account_Management"`

Filter your panel results

You can filter the results that you see in the dashboard panels.


Filter	Description
Account ID	Specify one or more of the data account IDs that you chose during onboarding.
Regions	Specify one or more of the data source regions that you chose during onboarding.
Status	Choose from the following statuses: All - All event statuses, including both successes and errors. Error - Only error event statuses. Some panels are based on error trends, so there is no difference in the results if you select All or if you select Error.
Action	Choose from the following actions: All - All event actions. Each action - You can filter on each action individually or a combination of actions.
Time Range	Define the time range of a search with the time range picker.

ON THIS PAGE

Use the IAM Activity Dashboard
Filter your panel results

Product Guides

Splunk Enterprise Security

Last updated: May 12, 2025

Explore Topics

Splunk Observability Cloud

Splunk IT Service Intelligence

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

AppDynamics SaaS

About This Site

Community Support

Supported Add-ons

©2005-2025 Splunk Inc. All rights reserved.