Splunk® Supported Add-ons

Splunk Add-on for AWS

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Release notes for the Splunk Add-on for AWS

Version 5.2.0 of the Splunk Add-on for Amazon Web Services was released on October 4, 2021.

Compatibility

Version 5.2.0 of the Splunk Add-on for Amazon Web Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0 and later
CIM 4.20 and later
Supported OS for data collection Platform independent
Vendor products Amazon Web Services CloudTrail, CloudWatch, CloudWatch Logs, Config, Config Rules, Inspector, Kinesis, S3, VPC Flow Logs, Billing services, Metadata, SQS, and SNS.

Versions 5.0.0 and above of the Splunk Add-on for AWS are Python 3 releases, and only compatible with Splunk platform versions 8.0.0 and later. To use version 5.0.0 or later of this add-on, upgrade your Splunk platform deployment to version 8.0.0 or later. For users of Splunk platforms 6.x.x and Splunk 7.x.x, the Splunk Add-on for Amazon Web Services version 4.6.1 is supported. Do not upgrade to Splunk Add-on for AWS 5.0.0 or above on these versions of the Splunk platform.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 5.2.0 of the Splunk Add-on for AWS version contains the following new and changed features:

  • CIM 4.20 compatibility and enhanced CIM mapping
  • UI component upgrades (jQuery) that are compatible with future versions of the Splunk software.
  • The aws:cloudtrail sourcetype is updated for app field mapping.

See the following tables for information on field changes between 5.1.0 and 5.2.0:

Source-type Fields added Fields removed
aws:cloudfront:accesslogs action, app, bytes, bytes_in, bytes_out, c_port, category, cs_protocol_version, dest, duration, fle_encrypted_fields, fle_status, http_content_type, http_method, http_referrer, http_referrer_domain, http_user_agent, http_user_agent_length, response_time, sc_content_len, sc_content_type, sc_range_end, sc_range_start, src,src_ip, src_port, status, time_to_first_byte, uri_path, url, url_domain, url_length, vendor_product, x_edge_detail_result_type
aws:cloudtrail action, authentication_method, change_type, dest, men_free, object, object_attrs, object_id, rule_action, src_user, src_user_name, src_user_type, status, user_name, vendor_account, vendor_product user_agent, user_id, user_type
aws:cloudwatchlogs:guardduty body, findingType
aws:cloudwatchlogs:vpcflow app, protocol_version, user_id, vendor_product,
aws:config object_id, object_path, result, vendor_account, vendor_product,
aws:config:notification object_attrs, object_path, result, user, vendor_product
aws:description enabled, user_id, family, status, description, time, type, snapshot
aws:elb:accesslogs ActionExecuted, ChosenCertArn, ClientPort, DomainName, ELB, ELBStatusCode, ErrorReason, MatchedRulePriority, ReceivedBytes, RedirectUrl, Request, RequestCreationTime, RequestProcessingTime, RequestTargetIP, RequestTargetPort, RequestType, ResponseProcessingTime, ResponseTime, SSLCipher, SSLProtocol, SentBytes, TargetGroupArn, TargetPort, TargetProcessingTime, TargetStatusCode, TraceId, UserAgent, action, app, bytes, bytes_in, bytes_out, category, dest, dest_port, http_method, http_user_agent, http_user_agent_length, response_time, src, src_ip, src_port, status, url, url_length, vendor_product
aws:metadata enabled, region, snapshot, status, time, user_id, vendor_region
aws:s3 AuthType, BucketCreationTime, BucketName, BucketOwner, BytesSent, CipherSuite, ErrorCode, HTTPMethod, HTTPStatus, HostHeader, HostId, ObjectSize, OperationKey, Referer, RemoteIp, RequestID, RequestKey, RequestURI, RequestURIPath, Requester, SignatureVersion, TLSVersion, TotalTime, TurnAroundTime, UserAgent, VersionId, action, bytes, bytes_out, category, dest, error_code, http_method, http_user_agent, http_user_agent_length, operation,response_time, src, src_ip, status, storage_name, url, url_domain, url_length, user, vendor_product
aws:s3:accesslogs action, category, http_referrer, http_referrer_domain, http_user_agent_length, src_ip,status, storage_name, url, url_length, vendor_product

See the following table for a list of fields modified between 5.1.0 and 5.2.0:

Sourcetype CIM Field eventName, resourceID, resourceType, or source Vendor Field in 5.1.0 Vendor Field in 5.2.0
aws:cloudtrail app eventName: All eventSource,
example: sts.amazonaws.com 		eventType,
example: AwsApiCall
user eventName: AssumeRole userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		requestParameters.roleArn OR responseElements.assumedRoleUser.arn,
example: Role2WithTags
eventNames: AssumeRoleWithSAML, AssumeRoleWithWebIdentity userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		requestParameters.roleArn,
example: arnRoleSession@abc.com
eventNames: AttachVolume, AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CheckMfa, ConsoleLogin, CreateAccessKey, CreateBucket, CreateChangeSet, CreateDeliveryStream, CreateFunction20150331, CreateKeyspace, CreateLoadBalancerListeners, CreateLoadBalancerPolicy, CreateLogGroup, CreateLogStream, CreateLoginProfile, CreateNetworkAcl, CreateNetworkAclEntry, CreateNetworkInterface, CreateQueue, CreateSecurityGroup, CreateTable, CreateUser, CreateVirtualMFADevice, CreateVolume, DeleteNetworkAcl, DeleteNetworkAclEntry, DeleteSecurityGroup, DeleteVolume, DetachVolume, GetFederationToken, GetSessionToken, PutBucketAcl, PutBucketPublicAccessBlock, PutObject, RebootInstances, RevokeSecurityGroupEgress, ReplaceNetworkAclAssociation, ReplaceNetworkAclEntry, RevokeSecurityGroupIngress userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		userIdentity.userName,
example: test_user
eventNames: GetAccountSummary, GetUser, ListAccessKeys, ListAccountAliases, ListSigningCertificates - Failure Event userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		errorMessage,
example: userName
eventNames: GetBucketEncryption, ListAliases, ListRoles userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		userIdentity.sessionContext.sessionIssuer.userName,
example: SessionUserName
eventName: PutBucketAcl requestParameters.AccessControlPolicy.AccessControlList.Grant{}.Grantee.DisplayName OR requestParameters.AccessControlPolicy.AccessControlList.Grant{}.Grantee.URI,
example: splunk_aws_dsg_sa 		userIdentity.userName,
example: test_user
eventNames: RunInstances, StartInstances, StopInstances, TerminateInstances userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		userIdentity.userName OR userIdentity.sessionContext.sessionIssuer.userName,
example: test_user
eventName: UpdateUser requestParameters.userName,
example: OldUserName 		requestParameters.newUserName,
example: test_new_user
user_type eventNames: AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity userIdentity.type,
example: AWS::IAM::Role 		resources{}.type OR responseElements.assumedRoleUser.arn,
example: AWS::IAM::Role
eventNames: ListAliases, ListRoles userIdentity.type,
example: AWS::IAM::Role 		userIdentity.sessionContext.sessionIssuer.type,
example: Role
eventName: PutBucketAcl requestParameters.AccessControlPolicy.AccessControlList.Grant{}.Grantee.xsi:type,
example: CanonicalUser 		userIdentity.type,
example: AWS::IAM::Role
src_user eventNames: AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		userIdentity.userName OR requestParameters.sourceIdentity OR userIdentity.sessionContext.sessionIssuer.userName,
example: test_user
eventName: CreateUser userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV:abc@abc.com 		userIdentity.principalId,
example: abc@abc.com
eventNames: DeleteUser, GetUser, PutBucketAcl, UpdateUser userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		userIdentity.userName,
example: test_user
src_user_id eventNames: AssumeRole, AssumeRoleWithSAML userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV:abc@abc.com 		userIdentity.principalId OR userIdentity.sessionContext.sessionIssuer.principalId,
example: AIDA3HRA7T6MUVTYUHPKV
user_id AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity,
example: responseElements.assumedRoleUser.assumedRoleId 		userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		responseElements.assumedRoleUser.assumedRoleId
eventNames: AttachVolume, AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateAccessKey, CreateBucket, CreateChangeSet, CreateDeliveryStream, CreateFunction20150331, CreateNetworkAcl, CreateNetworkAclEntry, CreateSecurityGroup, CreateTable, CreateVirtualMFADevice, DeleteBucket, DeleteNetworkAcl, DeleteSecurityGroup, DeleteVolume, GetAccountSummary, ListSigningCertificates, PutBucketPublicAccessBlock, RebootInstances, ReplaceNetworkAclEntry, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress, RunInstances, StartInstances, StopInstances, TerminateInstances userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV 		userIdentity.userName,
example: test_user
eventName: ConsoleLogin userIdentity.principalId,
example: AIDA3HRA7T6MUVTYUHPKV:abc@abc.com 		userIdentity.principalId OR userIdentity.accountId OR userIdentity.sessionContext.sessionIssuer.principalId,
example: AIDA3HRA7T6MUVTYUHPKV
eventNames: ListAliases, ListRoles userIdentity.principalId,
example: AROACKCEVSQ6C2EXAMPLE:Session_Name 		userIdentity.sessionContext.sessionIssuer.principalId,
example: AROACKCEVSQ6C2EXAMPLE
object_category eventNames: AttachVolume, DeleteVolume, DetachVolume Static Value: disk Static Value: volume
eventNames: AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateSecurityGroup, DeleteSecurityGroup, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress Static Value: firewall Static Value: security_group
eventNames: CreateAccessKey, CreateLoginProfile, CreateVirtualMFADevice, GetAccountSummary, GetUser, ListAccessKeys, ListAccountAliases, ListRoles, ListSigningCertificates Static Value: unknown Static Value: user
eventNames: CreateBucket, DeleteBucket, PutBucket, PublicAccessBlock, PutObject Static Value: storage Static Value: bucket
eventName: CreateChangeSet Static Value: unknown Static Value: stack
eventName: CreateDeliveryStream Static Value: unknown Static Value: delivery_stream
eventName: CreateFunction20150331 Static Value: unknown Static Value: function
eventName: CreateKeyspace Static Value: unknown Static Value: keyspace
eventNames: CreateLoadBalancerListeners, CreateLoadBalancerPolicy Static Value: unknown Static Value: load_balancer
eventName: CreateLogGroup Static Value: unknown Static Value: log_group
eventName: CreateLogStream Static Value: unknown Static Value: log_stream
eventNames: CreateNetworkAcl, CreateNetworkAclEntry, DeleteNetworkAcl, DeleteNetworkAclEntry, ReplaceNetworkAclAssociation, ReplaceNetworkAclEntry Static Value: unknown Static Value: ACL
eventName: CreateNetworkInterface Static Value: unknown Static Value: network_interface
eventName: CreateQueue Static Value: unknown Static Value: message_queue
eventName: CreateTable Static Value: unknown Static Value: table
eventNames: GetBucketEncryption, PutBucketAcl Static Value: unknown Static Value: bucket
eventName: ListAliases Static Value: unknown Static Value: alias
user_idchange_type eventNames: AttachVolume, CreateVolume, DeleteVolume, DetachVolume Static Value: EC2 Static Value: storage
eventNames: AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateNetworkAcl, CreateNetworkAclEntry, CreateNetworkInterface, CreateSecurityGroup, DeleteNetworkAcl, DeleteNetworkAclEntry, DeleteSecurityGroup, ReplaceNetworkAclAssociation, ReplaceNetworkAclEntry, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress Static Value: EC2 Static Value: firewall
eventNames: CreateAccessKey, CreateLoginProfile, CreateUser, CreateVirtualMFADevice, DeleteUser, GetAccountSummary, GetUser, ListAccessKeys, ListAccountAliases, ListRoles, ListSigningCertificates, ListSigningCertificates, UpdateUser Static Value: IAM Static Value: AAA
eventNames: GetFederationToken, GetSessionToken Static Value: STS Static Value: AAA
eventNames: RunInstances, RebootInstances, StartInstances, StopInstances, TerminateInstances Static Value: EC2 Static Value: virtual_server
dest eventName: AttachVolume requestParameters.volumeId,
example: vol-3ox0otf8xaqxrptxi 		requestParameters.instanceId,
example: i-3ox0otf8xaqxrptxi
eventNames: AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateSecurityGroup, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress requestParameters.groupId,
example: sg-gnzeup7yzumo3f40i 		eventSource,
example: ec2.amazonaws.com
eventName: ConsoleLogin eventSource,
example: ec2.amazonaws.com 		additionalEventData.LoginTo OR eventSource,
example: https://console.aws.amazon.com/console/home
eventNames: CreateBucket, DeleteBucket, GetBucketEncryption, PutBucketAcl, PutBucketPublicAccessBlock, PutObject requestParameters.bucketName,
example: bucket1 		requestParameters.Host OR requestParameters.host{},
example: s3-us-east-2.amazonaws.com
eventNames: CreateNetworkAcl, CreateNetworkAclEntry requestParameters.networkAclId OR responseElements.networkAcl.networkAclId,
example: acl-328f8f90a8e21dc7e 		eventSource,
example: ec2.amazonaws.com
eventName: CreateUser responseElements.user.userId,
example: UB9BNXNERJHO8APB 		eventSource,
example: iam.amazonaws.com
eventNames: CreateVolume, DeleteVolume responseElements.volumeId,
example: vol-pjk4yh53x5xy3kldx 		eventSource,
example: ec2.amazonaws.com
eventNames: DeleteUser, UpdateUser requestParameters.userName,
example: test_user 		eventSource,
example: iam.amazonaws.com
eventName: DetachVolume responseElements.volumeId,
example: vol-pjk4yh53x5xy3kldx 		responseElements.instanceId,
example: i-3ox0otf8xaqxrptxi
eventNames: RunInstances, StartInstances responseElements.instancesSet.items{}.instanceId,
example: i-pjk4yh53x5xy3kldx 		responseElements.instancesSet.items{}.instanceId OR eventSource,
example: i-pjk4yh53x5xy3kldx
action eventNames: CreateAccessKey, CreateLoginProfile, CreateNetworkAclEntry, CreateVirtualMFADevice, DeleteNetworkAclEntry Static Value: created Static Value: modified
eventNames: GetAccountSummary, GetUser, ListAccessKeys, ListAccountAliases, ListSigningCertificates Static Value: unknown Static Value: read
protocol eventName: CreateNetworkAclEntry Static Value: TCP Static Value: IP
object_attrs eventName: PutBucketAcl requestParameters.AccessControlPolicy.AccessControlList.Grant{}.Permission,
example: "READ

READ_ACP WRITE FULL_CONTROL"

Static value: AccessControlList
object eventName: RunInstances responseElements.instancesSet.items{}.instanceId,
example: i-pjk4yh53x5xy3kldx 		responseElements.instancesSet.items{}.instanceId OR eventSource,
example: i-pjk4yh53x5xy3kldx
eventName: StartInstances requestParameters.instancesSet.items{}.instanceId,
example: i-pjk4yh53x5xy3kldx 		requestParameters.instancesSet.items{}.instanceId OR eventSource,
example: ec2.amazonaws.com
eventName: UpdateUser requestParameters.userName,
example: test_user 		requestParameters.newUserName,
example: test_new_user
object_id eventName: StartInstances requestParameters.instancesSet.items{}.instanceId, example: i-pjk4yh53x5xy3kldx requestParameters.instancesSet.items{}.instanceId OR eventSource, example: i-pjk4yh53x5xy3kldx
eventName: UpdateUser requestParameters.userName,
example: test_user 		requestParameters.newUserName,
example: test_new_user
aws:config object_category resourceIDs: AWS::Redshift::ClusterSnapshot, AWS::Config::ResourceCompliance Static Value: unknown Statc Value: file
object_id resourceIDs: AWS::Redshift::ClusterSnapshot, AWS::EC2::NetworkInterface ARN,
example: arn:aws:redshift:eu-central-2:00000:snapshot:redshift-cluster-1/rs:redshift-cluster-1-2021-10-11-12-32-53 		resourceId,
example: rs:redshift-cluster-1-2021-10-11-12-33-00
aws:config:notification object_category resourceTypes: AWS::Config::ResourceCompliance, AWS::Redshift::ClusterSnapshot Static Value: unknown Static Value: file
object_id resourceTypes: All N/A resourceId,
example: rs:redshift-cluster-1-2021-10-11-12-33-00
aws:description user_id source: All UserId,
example: ZWV5FIRT1Q4ZOFCQML63P 		UserID,
example: account_Id, ZWV5FIRT1Q4ZOFCQML63P
status source: *ec2_instances status,
example: completed 		image.attributes.state OR state OR status,
example: completed, available
aws:cloudwatchlogs:guardduty dest_type N/A Static value from lookup,
example: user 		detail.resource.resourceType,
example: AccessKey
user N/A detail.resource.accessKeyDetails.principleId,
example: GeneratedFindingPrincipalId 		detail.resource.accessKeyDetails.userName,
example: test_user
severity N/A Static Value: LOW, MEDIUM, HIGH Static Value: low, medium, high
aws:s3:accesslogs bytes N/A bytes,
example: 0 		bytes_sent,
example: 470
response_time N/A turn_around_time,
example: 0 		total_time,
example: 25

CIM model changes

See the following CIM model changes between 5.1.0 and 5.2.0:

Sourcetype metric_name Previous CIM model New CIM model
aws:cloudwatch FreeableMemory Database:Stats, All_Performance:Memory All_Performance:Memory
Sourcetype eventName Previous CIM model New CIM model
aws:cloudtrail AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetFederationToken, GetSessionToken Authentication:Default_Authentication
aws:cloudtrail GetBucketEncryption, PutBucketAcl Change:Account_Management Change:All_Changes
aws:cloudtrail GetBucketEncryption, PutBucketAcl Change:Account_Management Change:All_Changes
aws:cloudtrail ListRoles, ListAliases Change:All_Changes
aws:cloudtrail RunInstances Change:Endpoint_Changes, Change:Instance_Changes Change:Instance_Changes
Sourcetype source Previous CIM model New CIM model
aws:description *:ec2_instances, *:ec2_images All_Inventory All_Inventory:Virtual_OS:Snapshot
aws:description *:ec2_instances All_Inventory All_Inventory:Virtual_OS:Snapshot
aws:inspector *:inspector:assessmentRun All_Inventory:Newtwok, All_Inventory:User, All_Inventory:Virtual_OS:Snapshot
Sourcetype Previous CIM model New CIM model
aws:cloudfront:accesslogs, aws:elb:accesslogs Web
aws:cloudwatchlogs:guardduty Alerts, Malware_Attacks Alerts
aws:config:rule All_Inventory:Network, All_Inventory:Virtual_OS:Snapshot Alerts
aws:s3 Web:Storage

Fixed issues

Version 5.2.0 of the Splunk Add-on for Amazon Web Services fixes the following, if any, issues.

Date resolved Issue number Description
2021-09-21 ADDON-41646 aws:metadata input is populating S3 buckets for AWS accounts where the bucket does not exist.
2021-09-13 ADDON-35220 In Splunk_TA_aws KeyError: 'LaunchConfigurationName' appearing when attempting to ingest cloudwatch data
2021-09-10 ADDON-41009 cloudwatch input timeout issue
2021-09-07 ADDON-39428 On upgrade to 5.1.0 - Cloudwatch Inputs need manual line added in conf - private_endpoint_enabled

Known issues

Version 5.2.0 of the Splunk Add-on for Amazon Web Services has the following, if any, known issues.

Date filed Issue number Description
2021-09-14 ADDON-42117 If Inputs Page page size is more than 25, then the alignment of input details is not consistent

Third-party software attributions

Version 5.2.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.

Last modified on 19 October, 2021
PREVIOUS
Configure permissions for all inputs for the Splunk Add-on for AWS at once 		  NEXT
Release history for the Splunk Add-on for AWS

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters