Release notes for the Splunk Add-on for AWS
Version 7.5.0 of the Splunk Add-on for Amazon Web Services was released on April 2, 2024.
Billing (Legacy) input will be deprecated in future releases. Please ensure the active Billing (Legacy) inputs are migrated to Billing (Cost and Usage Report) input expeditiously.
Starting in version 7.1.0 of the Splunk Add-on for AWS, the file based checkpoint mechanism was migrated to the Splunk KV Store for Billing Cost and Usage Report, CloudWatch Metrics, and Incremental S3 inputs. The inputs must be disabled whenever the Splunk software is restarted. Otherwise, it will result in data duplication against your already configured inputs.
Version 7.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. Configure the Splunk Add-on for AWS to ingest across all AWS data sources for ingesting AWS data into your Splunk platform deployment.
If you use both the Splunk Add-on for Amazon Security Lake as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Security Lake before upgrading the Splunk Add-on for AWS to version 7.0.0 or later in order to avoid any data duplication and discrepancy issues.
Version 6.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Kinesis Firehose. Configure the Splunk Add-on for AWS to ingest across all AWS data sources for ingesting AWS data into your Splunk platform deployment.
If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose after upgrading the Splunk Add-on for AWS to version 6.0.0 or later in order to avoid any data duplication and discrepancy issues.
Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 of the Splunk Add-on for AWS.
If you are not currently using the Splunk Add-on for Amazon Kinesis Firehose, but plan to use it in the future, then the best practice is to download and configure version 6.0.0 or later of the Splunk Add-on for AWS, instead of the Splunk Add-on for Amazon Kinesis Firehose.
Compatibility
Version 7.5.0 of the Splunk Add-on for Amazon Web Services is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, 9.0.x, 9.1.x |
CIM | 5.1.1 and later |
Supported OS for data collection | Platform independent |
Vendor products | Amazon Web Services CloudTrail, CloudWatch, CloudWatch Logs, Config, Config Rules, EventBridge (CloudWatch API), Inspector Classic, Inspector, Kinesis, S3, VPC Flow Logs, Billing services, Metadata, SQS, SNS, AWS Identity and Access Management (IAM) Access Analyzer, AWS Security Hub findings, and Amazon Security Lake events |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 7.5.0 of the Splunk Add-on for AWS version contains the following new and changed features:
- Provided support of Cloudtrail Lake Input.
- Provided support of Assume role in Cloudwatch Logs Input.
- Enhanced the CIM support for
aws:cloudwatch:guardduty
andaws:cloudwatchlogs:guardduty
sourcetypes.- The CIM field
mitre_technique_id
was removed in this release because:- The existing values were found inaccurate and misleading.
- The vendor does not provide the mitre technique IDs in the GuardDuty events.
- The fields
src_type
anddest_type
were corrected or added for all the GuardDuty events. - The
transport
field got corrected for a few events. - The
signature
andsignature_id
field got corrected for the GuardDuty events. - The
src
field was added or corrected for certain events. -
See the following table to review the data model information based on the
service.actionType
field in your GuardDuty events.
Alerts Data Model Intrusion Detection Data Model AWS_API_CALL
,KUBERNETES_API_CALL
,RDS_LOGIN_ATTEMPT
ORservice.actionType
isnull
.NETWORK_CONNECTION
,DNS_REQUEST
,PORT_PROBE
- The CIM field
- Enhanced data collection for Metadata Input. Previously, if input is configured with multiple regions then input was collecting the global services data from every configured region which was causing the data duplication in the single input execution. In this version, this data duplication for global services is removed by collecting data from any one region if multiple regions are configured in the same input.
- Minor bug fixes.
Fixed issues
Version 7.5.0 of the Splunk Add-on for Amazon Web Services fixes the following, if any, issues:
Known issues
Version 7.5.0 of the Splunk Add-on for Amazon Web Services has the following, if any, known issues.
Date resolved | Issue number | Description |
---|---|---|
2024-03-29 | ADDON-69465 | [AWS][Guardduty][CIM] src, dest, src_type, dest_type fields extractions not supported for aws:cloudwatch:guardduty & aws:cloudwatchlogs:guardduty sourcetypes when there are multi-values for PORT_PROBE events. |
Third-party software attributions
Version 7.5.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.
Third-party software attributions for the Splunk Add-on for Amazon Web Services
PREVIOUS AWS Health Check Dashboards |
NEXT Release history for the Splunk Add-on for AWS |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!