
SA-AwsAssets for ES

Splunk Enterprise Security integration that populates the asset framework with AWS EC2 instance and resource data.

Splunk, Enterprise Security, AWS, Cloud Security

Overview

SA-AwsAssets for Enterprise Security brings AWS cloud asset visibility into Splunk ES's asset framework. As organizations move workloads to AWS, their asset inventory becomes dynamic — instances spin up and down, auto-scaling groups expand, and IP addresses change. This add-on tracks that dynamic inventory and keeps ES's asset lookup current with EC2 instance metadata from across an AWS environment.

Cloud assets are frequent targets in modern attacks. When GuardDuty findings, CloudTrail events, or VPC flow logs generate alerts in Splunk, analysts need to immediately understand what the affected resource is, who owns it, and what it does. SA-AwsAssets provides that context automatically.

How It Works

The add-on uses the AWS SDK to enumerate EC2 instances and their metadata across configured accounts and regions. Instance ID, private and public IP addresses, hostname, tags (including owner and environment), instance type, and state are all extracted. This data is normalized to ES's asset schema and written to the asset lookup on a scheduled basis. The integration supports multi-account and multi-region deployments. Documentation is available at the project site.
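The normalization step described above, as an added example that is not the add-on's own code: it takes pages shaped like the EC2 DescribeInstances response, skips terminated instances (which have no addresses left to match on), flattens each live instance into the standard ES asset-lookup fields, and renders the lookup CSV. The sample page, the account and region values, and the mapping from an Environment tag to an ES priority are all constructed assumptions for the example; the tag keys (Name, Owner, Environment, BusinessUnit) are likewise assumed, since tag naming is per organization.

```python
"""Added example (not SA-AwsAssets code): EC2 DescribeInstances -> Splunk ES asset rows."""
import csv
import io

# Standard Splunk ES asset-lookup header. Multi-value fields (ip, mac, dns,
# category, ...) are pipe-delimited in the lookup.
ES_ASSET_FIELDS = [
    "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
    "city", "country", "bunit", "category", "pci_domain", "is_expected",
    "should_timesync", "should_update", "requires_av",
]

# Assumed mapping from an Environment tag to an ES priority (example policy).
PRIORITY_BY_ENV = {"prod": "high", "production": "high", "staging": "medium", "dev": "low"}

# Constructed sample shaped like one page of boto3 ec2.describe_instances():
# one running instance with full metadata and one terminated instance.
SAMPLE_PAGE = {
    "Reservations": [{
        "OwnerId": "123456789012",
        "Instances": [
            {
                "InstanceId": "i-0abc123def4567890",
                "InstanceType": "t3.medium",
                "State": {"Name": "running"},
                "PrivateIpAddress": "10.0.1.5",
                "PublicIpAddress": "54.12.34.56",
                "PrivateDnsName": "ip-10-0-1-5.ec2.internal",
                "PublicDnsName": "ec2-54-12-34-56.compute-1.amazonaws.com",
                "Placement": {"AvailabilityZone": "us-east-1a"},
                "NetworkInterfaces": [{"MacAddress": "0a:1b:2c:3d:4e:5f"}],
                "Tags": [
                    {"Key": "Name", "Value": "web-frontend-01"},
                    {"Key": "Owner", "Value": "alice@example.com"},
                    {"Key": "Environment", "Value": "prod"},
                    {"Key": "BusinessUnit", "Value": "ecommerce"},
                ],
            },
            {
                "InstanceId": "i-0dead000beef11111",
                "InstanceType": "t3.micro",
                "State": {"Name": "terminated"},
                "Placement": {"AvailabilityZone": "us-east-1b"},
                "NetworkInterfaces": [],
                "Tags": [],
            },
        ],
    }]
}


def tag_value(instance, key, default=""):
    """Return the value of an EC2 tag by key (tag keys are case-sensitive)."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value", default)
    return default


def normalize_instance(instance, account_id, region):
    """Map one EC2 instance to an ES asset row, or None if it should be skipped."""
    state = instance.get("State", {}).get("Name", "")
    if state == "terminated":
        return None  # no addresses remain; the asset no longer exists
    ips = [ip for ip in (instance.get("PrivateIpAddress"), instance.get("PublicIpAddress")) if ip]
    macs = [ni["MacAddress"] for ni in instance.get("NetworkInterfaces", []) if ni.get("MacAddress")]
    dns = [d for d in (instance.get("PrivateDnsName"), instance.get("PublicDnsName")) if d]
    env = tag_value(instance, "Environment").lower()
    row = dict.fromkeys(ES_ASSET_FIELDS, "")
    row.update({
        "ip": "|".join(ips),
        "mac": "|".join(macs),
        # Assumption: the Name tag is the hostname analysts know; fall back to the instance ID.
        "nt_host": tag_value(instance, "Name") or instance["InstanceId"],
        "dns": "|".join(dns),
        "owner": tag_value(instance, "Owner"),
        "priority": PRIORITY_BY_ENV.get(env, "unknown"),
        "bunit": tag_value(instance, "BusinessUnit"),
        # Keep provenance in category so an alert can be traced back to account/region.
        "category": "|".join([
            "aws", "ec2", f"account:{account_id}", f"region:{region}",
            f"state:{state}", f"type:{instance.get('InstanceType', '')}", f"env:{env}",
        ]),
        "is_expected": "true",
    })
    return row


def build_asset_rows(pages, account_id, region):
    """Flatten DescribeInstances pages into ES asset rows, one per live instance."""
    rows = []
    for page in pages:
        for reservation in page.get("Reservations", []):
            for instance in reservation.get("Instances", []):
                row = normalize_instance(instance, account_id, region)
                if row:
                    rows.append(row)
    return rows


def rows_to_csv(rows):
    """Render rows as the lookup CSV ES expects (header = asset fields)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # With boto3 installed, real pages come from the standard paginator:
    #   boto3.client("ec2", region_name=region).get_paginator("describe_instances").paginate()
    print(rows_to_csv(build_asset_rows([SAMPLE_PAGE], "123456789012", "us-east-1")))
```

In a multi-account, multi-region deployment the same `build_asset_rows` call is run once per (account, region) pair and the rows concatenated before the lookup is written, so the account and region carried in `category` are what keep otherwise identical private IPs from different VPCs distinguishable in ES.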