Release notes for the Splunk Add-on for Amazon Kinesis Firehose
Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose was released on October 8, 2021.
Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose is compatible with the following software, CIM versions, and platforms.
|Splunk platform versions||7.2, 7.3.x, 8.0.x, 8.1.x, 8.2.x|
|CIM||4.20 and later|
|Vendor Products||Amazon Kinesis Firehose data, CloudWatch, VPC Flow Logs, AWS CloudTrail, GuardDuty, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Security Hub findings events|
The Splunk Add-on for Amazon Kinesis Firehose uses different source types than the Amazon GuardDuty Add-on for Splunk. Because of this, the Splunk Add-on for Amazon Kinesis Firehose is incompatible with the Amazon GuardDuty Add-on for Splunk.
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose contains the following new features:
- Common Information Model (CIM) version 4.20 compatibility and enhanced CIM mapping.
- Enhanced CIM mapping for the following sourcetypes:
- Added new sourcetype aws:metadata for Mustang users. There is no index-time support for this sourcetype at the moment; events can only be ingested using a Lambda function. Added eventtype stanzas for IAM users (aws_metadata_iam_users) and EC2 instances (aws_metadata_ec2_instances).
- Added index-time support for new sourcetype aws:accessanalyzer:finding for Mustang users and the Enterprise Security (ES) Cloud Security dashboards.
- In the aws:cloudwatch:guardduty sourcetype, events with low severity will be mapped to the Alerts data model, and events with high severity will be mapped to the Intrusion Detection data model.
- In the aws:cloudtrail sourcetype, updated the mapping of the app field for Authentication events. In this version, the app field is aliased from eventType instead of eventSource.
- The following table displays the fields that have been added and removed in this release, listed by sourcetype.
|Sourcetype||Fields added||Fields removed||Fields modified|
||vendor_product, app, user_id, protocol_version||eventtype:vpcflow (modified search filter)|
||action, authentication_method, change_type, dest, eventtype, object, object_attrs, object_id, reason, rule_action, src_user, src_user_id, src_user_type, src_user_name, status, tag, tag::eventtype, user_name, userName, vendor_account, vendor_product,||user_type||aws_cloudtrail_consolelogin_auth (tags: authentication, default), aws_cloudtrail_auth_privileged (tags: authentication, privileged, cloud)
||affectedResources, AWS__CloudTrail__Trail, aws_count, AWS__S3__Bucket, body, dest_port, src_name, src_port, user_name, guardduty_events_alert (tag for Alerts DM for the guardduty events), guardduty_events_ids (tag for IDS DM for the guardduty events)||dest, dest_ip, dest_name, dest_type, src_ip|
||account_user, dest_ip, dest_name, managed_instance_extract, security_group_extract, src_ip, src, user, volume_extract, vpc_extract,||eventtype:securityhub_events (modified search filter)|
Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose fixes the following, if any, issues.
Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose contains the following known issues.
If no issues appear below, no issues have yet been reported.
|Date filed||Issue number||Description|
|2022-02-28||ADDON-48779||mitre_technique_id lookup naming conflict between Kinesis Firehose add-on v1.3.2 and AWS add-on is showing error on the search UI|
|2021-10-06||ADDON-43184||Lookup generated field values are case insensitive in 8.1.2009 but not in Splunk Enterprise Versions|
Third-party software attributions
Version 1.3.2 of the Splunk Add-on for Amazon Kinesis Firehose does not incorporate any third-party software or libraries.