Splunk® Supported Add-ons

Splunk Add-on for Amazon Kinesis Firehose

Release notes for the Splunk Add-on for Amazon Kinesis Firehose

Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose was released on October 8, 2021.

Compatibility

Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3.x, 8.0.x, 8.1.x, 8.2.x
CIM: 4.20 and later
Platforms: Platform independent
Vendor products: Amazon Kinesis Firehose data, CloudWatch, VPC Flow Logs, AWS CloudTrail, GuardDuty, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Security Hub findings events

The Splunk Add-on for Amazon Kinesis Firehose uses different source types than the Amazon GuardDuty Add-on for Splunk. Because of this, the Splunk Add-on for Amazon Kinesis Firehose is incompatible with the Amazon GuardDuty Add-on for Splunk.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose contains the following new features:

  • Common Information Model (CIM) version 4.20 compatibility and enhanced CIM mapping.
  • Enhanced CIM mapping for the following sourcetypes:
    • aws:cloudtrail
    • aws:cloudwatch:guardduty
    • aws:securityhub:finding
    • aws:cloudwatchlogs:vpcflow
  • Added the new sourcetype aws:metadata for Mustang users. There is no index-time support for this sourcetype at the moment; events can only be ingested using a Lambda function. Added eventtype stanzas for IAM users (aws_metadata_iam_users) and EC2 instances (aws_metadata_ec2_instances).
  • Added index-time support for the new sourcetype aws:accessanalyzer:finding for Mustang users and the Enterprise Security (ES) Cloud Security dashboards.
  • In the aws:cloudwatch:guardduty sourcetype, events with low severity are mapped to the Alerts data model, and events with high severity are mapped to the Intrusion Detection data model.
  • In the aws:cloudtrail sourcetype, the mapping of the app field for Authentication events has been updated: the app field is now aliased from eventType instead of eventSource.
  • The following table lists the fields that have been added, removed, and modified in this release, by sourcetype.

Sourcetype: aws:cloudwatchlogs:vpcflow
  Fields added: vendor_product, app, user_id, protocol_version
  Fields modified: eventtype:vpcflow (modified search filter)

Sourcetype: aws:cloudtrail
  Fields added: action, authentication_method, change_type, dest, eventtype, object, object_attrs, object_id, reason, rule_action, src_user, src_user_id, src_user_type, src_user_name, status, tag, tag::eventtype, user_name, userName, vendor_account, vendor_product, user_type
  Eventtypes: aws_cloudtrail_consolelogin_auth (tags: authentication, default), aws_cloudtrail_auth_privileged (tags: authentication, privileged, cloud)

Sourcetype: aws:cloudwatch:guardduty
  Fields added: affectedResources, AWS__CloudTrail__Trail, aws_count, AWS__S3__Bucket, body, dest_port, src_name, src_port, user_name, guardduty_events_alert (tag for the Alerts data model for GuardDuty events), guardduty_events_ids (tag for the Intrusion Detection data model for GuardDuty events)
  Fields removed: dest, dest_ip, dest_name, dest_type, src_ip

Sourcetype: aws:securityhub:finding
  Fields added: account_user, dest_ip, dest_name, managed_instance_extract, security_group_extract, src_ip, src, user, volume_extract, vpc_extract
  Fields modified: eventtype:securityhub_events (modified search filter)

Fixed issues

Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose fixes the following issues, if any.

Known issues

Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose contains the following known issues.

If no issues appear below, no issues have yet been reported.


Date filed   Issue number   Description
2022-02-28   ADDON-48779    The mitre_technique_id lookup naming conflict between Kinesis Firehose add-on v1.3.2 and the AWS add-on shows an error in the search UI.
2021-10-06   ADDON-43184    Lookup-generated field values are case-insensitive in 8.1.2009 but not in Splunk Enterprise versions.


Third-party software attributions

Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose does not incorporate any third-party software or libraries.

Last modified on 28 February, 2022