SA-AwsAssets
SA-AwsAssets is another supporting add-on that makes it easier to get started with the Asset & Identity framework in Splunk Enterprise Security (ES). Like SA-CrowdstrikeDevices and SA-SentinelOneDevices, this add-on takes the data already ingested from AWS and makes it directly usable within Splunk ES.
App Setup
The setup is easy and can be accomplished in just a few short steps.
- Ingest AWS data into Splunk and have the AWS add-on installed.
- Install SA-AwsAssets to your Enterprise Security search head.
- Update the default search macro if the index holding your `aws:metadata` sourcetype data is not `index=aws_security`.
Additional configurations can be made (and are recommended), but most of the work is taken care of automatically!
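As an added example (not part of the add-on's own files), this is how the index macro from step three would be overridden for data that lives in a custom index. The macro name `sa_aws_assets_index` is a placeholder; use the stanza name found in the add-on's `default/macros.conf`, and put the override in `local/` so that it survives app upgrades.

```ini
# $SPLUNK_HOME/etc/apps/SA-AwsAssets/local/macros.conf
# Local override of the add-on's index macro. The stanza name below is a
# placeholder; copy the real stanza name from default/macros.conf.
# Shipped default (do not edit default/):
#   definition = index=aws_security
[sa_aws_assets_index]
definition = index=my_aws_index
iseval = 0
```

After restarting or reloading the search head, confirm the macro resolves to the right data with `index=my_aws_index sourcetype=aws:metadata | stats count` before enabling the asset lookups.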
Resources
This add-on is developed and maintained under my personal GitHub account and is not affiliated with or sanctioned by the Splunk or AWS teams. If you are familiar with Splunk on a technical level, feel free to fork the GitHub branch and submit a pull request. If not, you can submit an issue or feature request.
This app has passed Splunk AppInspect and is cloud ready.
- Splunkbase: https://splunkbase.splunk.com/app/6660
- GitHub: https://github.com/ZachChristensen28/SA-AwsAssets
- Documentation: https://splunk-sa-aws.ztsplunker.com/
- Prerequisites: https://splunk-sa-aws.ztsplunker.com/quickstart/prerequisites/