Introducing SA-AwsAssets for Splunk Enterprise Security

Introducing SA-AwsAssets for Splunk Enterprise Security. Quickly populate your asset database with data from AWS.

A new Splunkbase supporting add-on for Splunk Enterprise Security.

SA-AwsAssets is another supporting add-on that makes it easier to get started with the Asset & Identity framework in Splunk Enterprise Security (ES). Like SA-CrowdstrikeDevices and SA-SentinelOneDevices, this add-on takes data already ingested from AWS and makes it directly usable as asset data within Splunk ES.

App Setup

The setup is easy and can be accomplished in just a few short steps.

  1. Install the AWS add-on and ingest AWS data into Splunk, including the aws:metadata sourcetype that this add-on reads.
  2. Install SA-AwsAssets on your Enterprise Security search head.
  3. If the aws:metadata data is not stored in index=aws_security, update the add-on's default search macro to point at the index you are using.
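The following is an added example, not a file shipped with SA-AwsAssets, showing how step 3 is normally done in Splunk: the macro is overridden in the app's `local/` directory rather than edited in `default/`, so the change survives an app upgrade. The macro name `sa_aws_assets_index` and the index name `aws_prod` are placeholders; use the macro name found in the add-on's `default/macros.conf` and your own index.

```ini
# Added example (not from the SA-AwsAssets project).
# File: $SPLUNK_HOME/etc/apps/SA-AwsAssets/local/macros.conf
#
# Splunk layers local/ over default/, so only the settings placed here are
# overridden; default/macros.conf is left untouched and upgrades do not
# clobber the change.
#
# The stanza name below is a placeholder for the add-on's real index macro.
[sa_aws_assets_index]
# Replace aws_prod with the index that actually holds sourcetype=aws:metadata.
definition = index=aws_prod
# A plain search fragment, not an eval expression.
iseval = 0
```

After saving the file, reload macros (or restart the search head) and confirm the data is where the macro now points with a search such as `index=aws_prod sourcetype=aws:metadata | stats count by source`; a zero count means either the index name or the AWS add-on input is wrong, and the asset lookup will stay empty.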

Additional configuration is possible (and recommended; see the documentation linked below), but most of the work is taken care of automatically.

Resources

This add-on is developed and maintained under my personal GitHub account and is not affiliated with or sanctioned by Splunk or AWS. If you are familiar with Splunk on a technical level, feel free to fork the GitHub repository and submit a pull request. If not, you can submit an issue or a feature request.

This app has passed Splunk AppInspect and is cloud ready.

Splunkbase: https://splunkbase.splunk.com/app/6660
GitHub: https://github.com/ZachChristensen28/SA-AwsAssets
Documentation: https://splunk-sa-aws.ztsplunker.com/
Prerequisites: https://splunk-sa-aws.ztsplunker.com/quickstart/prerequisites/

Example output from SA-AwsAssets