Splunk® Supported Add-ons

Splunk Add-on for AWS

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure Inspector v2 inputs for the Splunk Add-on for AWS

Complete the steps to configure Inspector v2 inputs for the Splunk Add-on for Amazon Web Services (AWS):

  1. You must manage accounts for the add-on as a prerequisite. See the Manage accounts for the Splunk Add-on for AWS topic in this manual.
  2. Configure AWS services for the Inspector v2 input.
  3. Configure AWS permissions for the Inspector v2 input.
  4. Configure Inspector v2 inputs either through Splunk Web or configuration files.

Configure Amazon Inspector v2 permissions

You need these required permissions for Inspector v2:

  • Describe*
  • List*

See the following sample inline policy to configure Inspector v2 input permissions: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "inspector2:Describe*",
                "inspector2:List*"
            ],
            "Resource": "*"
        }
    ]
}

For more information, see http://docs.aws.amazon.com/IAM/latest/UserGuide/list_inspector.html.

Configure an Inspector v2 input using Splunk Web

To configure inputs using Splunk Web:

  1. Click Splunk Add-on for AWS in the navigation bar on Splunk Web home.
  2. Click Create New Input > Inspector > Inspector (v2).
  3. Use the following table to complete the fields for the new input in Splunk Web or in the .conf file:
Argument in configuration file Field in Splunk Web Description
account AWS Account The AWS account or EC2 IAM role the Splunk platform uses to access your Inspector findings. In Splunk Web, select an account from the drop-down list. In aws_inspector_v2_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the automatically discovered EC2 IAM role.
regions AWS Region The AWS region that contains the data. In aws_inspector_v2_tasks.conf, enter region IDs in a comma-separated list.
sourcetype Source type A source type for the events. Enter a value only if you want to override the default of aws:inspector:v2:findings. Event extraction relies on the default value of source type. If you change the default value, you must update props.conf as well.
index Index The index name where the Splunk platform puts the Inspector findings. The default is main.
polling_interval Pooling interval The number of seconds to wait before the Splunk platform runs the command again. The default is 300 seconds.

Configure an Inspector v2 input using configuration files

To configure the input using the configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_inspector_v2_tasks.conf using the following template: 

[<name>]
account = <value>
region = <value>
index = <value>
polling_interval = <value>
sourcetype = <value>

The following is an example stanza that collects Inspector v2 findings: 

[splunkapp2:us-west-2]
account = splunkapp2
region = us-west-2
index = default
polling_interval = 300
sourcetype = aws:inspector:v2:findings
Last modified on 25 May, 2023
PREVIOUS
Configure Metadata inputs for the Splunk Add-on for AWS 		  NEXT
Configure VPC Flow Logs inputs for the Splunk Add-on for AWS

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters