Introducing SA-AwsAssets for Splunk Enterprise Security
Quickly populate your asset database with data from AWS.
SA-AwsAssets is another supporting add-on that makes it easier to get started with the Asset & Identity framework in Splunk Enterprise Security (ES). Like SA-CrowdstrikeDevices and SA-SentinelOneDevices, this new add-on takes AWS data that is already ingested into Splunk and makes it directly usable within Splunk ES as asset records.
The setup is straightforward and takes only a few short steps:
- Ingest AWS data into Splunk and have the AWS add-on installed.
- Install SA-AwsAssets to your Enterprise Security search head.
- Update the default search macro if the index you are using for the aws:metadata sourcetype data is not
Additional configuration is possible (and recommended), but most of the work is handled automatically.
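The third step above is the one most installations will need to touch, since the add-on's macro can only find the aws:metadata events if it points at the index they actually live in. The following is an added illustration, not a file shipped with SA-AwsAssets: the macro name aws_assets_index, the index name aws_meta and the app directory are all assumptions, so check the macro name in the add-on's default/macros.conf before copying this. The override belongs in the app's local directory so it survives upgrades.

```conf
# $SPLUNK_HOME/etc/apps/SA-AwsAssets/local/macros.conf   (path assumed)
#
# Override the add-on's default index macro so its asset-building searches
# read aws:metadata events from the index this deployment actually uses.
# "aws_assets_index" is a placeholder for the macro name defined in the
# add-on's default/macros.conf; "aws_meta" is a constructed index name.
[aws_assets_index]
definition = index=aws_meta
iseval = 0
```

Before relying on the override, confirm that events really exist where the macro now points, for example with a search such as index=aws_meta sourcetype=aws:metadata | stats count by index, region over the last day on the ES search head; a zero count means either the AWS add-on is not ingesting, or the index in the macro does not match the one used by the AWS inputs.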
This add-on is developed and maintained under my personal GitHub account and is not affiliated with or sanctioned by the Splunk or AWS teams. If you are familiar with Splunk on a technical level, feel free to fork the repository on GitHub and submit a pull request. If not, you can submit an issue or feature request.
This app has passed Splunk AppInspect and is cloud ready.