The SA-AwsAssets is another supporting add-on to make it easier to start with the Asset & Identity framework for Splunk Enterprise Security (ES). Similar to the SA-CrowdstrikeDevices and SA-SentinelOneDevices, this new add-on takes the data ingested from AWS and allows it to be directly utilized within Splunk ES.

App Setup

The setup is easy and can be accomplished in just a few short steps.

  1. Ingest AWS data into Splunk and have the AWS add-on installed.
  2. Install SA-AwsAssets to your Enterprise Security search head.
  3. Update the default search macro if the index you are using for the aws:metadata sourcetype data is not index=aws_security.

Additional configurations can be made (and are recommended), but most of the work is taken care of automatically!


This add-on is developed and maintained under my personal GitHub account and is not affiliated with or sanctioned by the Splunk or AWS teams. If you are familiar with Splunk on a technical level, feel free to fork the GitHub branch and submit a pull request. If not, you can submit an issue or feature request.

This app has passed Splunk AppInspect and is cloud ready.

This post is licensed under CC BY 4.0 by the author.