Release notes for the Splunk Add-on for AWS

Version 7.9.0 of the Splunk Add-on for Amazon Web Services was released on January 7, 2025.

Billing (Legacy) input is deprecated in add-on version 7.6.0. Please configure Billing (Cost and Usage Report) inputs to collect billing data.

The file-based checkpoint mechanism was migrated to the Splunk KV Store for the inputs listed below, in the versions shown. The inputs must be disabled whenever the Splunk software is restarted. Otherwise, data is duplicated against your already configured inputs. Input disablement is not applicable to the Kinesis inputs.

Version 7.1.0

  • Billing Cost and Usage Report
  • CloudWatch Metrics
  • Incremental S3

Version 7.3.0

  • Inspector
  • InspectorV2
  • Config Rules
  • CloudWatch Logs
  • Kinesis

Version 7.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. Configure the Splunk Add-on for AWS to ingest data from all AWS data sources into your Splunk platform deployment.

If you use both the Splunk Add-on for Amazon Security Lake as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Security Lake before upgrading the Splunk Add-on for AWS to version 7.0.0 or later in order to avoid any data duplication and discrepancy issues.

Version 6.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Kinesis Firehose. Configure the Splunk Add-on for AWS to ingest data from all AWS data sources into your Splunk platform deployment.

If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose after upgrading the Splunk Add-on for AWS to version 6.0.0 or later in order to avoid any data duplication and discrepancy issues.

Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 of the Splunk Add-on for AWS.

If you are not currently using the Splunk Add-on for Amazon Kinesis Firehose, but plan to use it in the future, then the best practice is to download and configure version 6.0.0 or later of the Splunk Add-on for AWS, instead of the Splunk Add-on for Amazon Kinesis Firehose.

Compatibility

Version 7.9.0 of the Splunk Add-on for Amazon Web Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 9.1.x, 9.2.x, 9.3.x, 9.4.x
CIM: 5.1.1 and later
Supported OS for data collection: Platform independent
Vendor products: Amazon Web Services CloudTrail, CloudWatch, CloudWatch Logs, Config, Config Rules, EventBridge (CloudWatch API, S3 Event Notifications using EventBridge), Inspector Classic, Inspector, Kinesis, S3, VPC Flow Logs, Transit Gateway Flow Logs, Billing Cost and Usage Report, Metadata, SQS, SNS, AWS Identity and Access Management (IAM) Access Analyzer, AWS Security Hub findings, and Amazon Security Lake events

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.9.0 of the Splunk Add-on for AWS contains the following new and changed features:

  • Upgraded the Splunk SDK to the latest version, ensuring compatibility with future cloud-based deployments.
  • Enhanced CIM support for aws:cloudtrail sourcetype.

CIM model changes

See the following CIM model changes between 7.8.0 and 7.9.0:

Sourcetype eventName Previous CIM model New CIM model
aws:cloudtrail AttachRolePolicy, CreatePolicy, CreateServiceLinkedRole Change.Account_Management Change.All_Changes
aws:cloudtrail CreateVpc, DeleteDBSubnetGroup, DeleteVpcEndpoints Change.Network_Changes Change.All_Changes
aws:cloudtrail AddMemberToGroup, AdminCreateUser, AdminGetUser, AdminResetUserPassword Change.Account_Management
aws:cloudtrail BatchGetImage, Decrypt, DescribeAccessPoints, DescribeAccountSubscription, DescribeAddresses, DescribeBackupPolicy, DescribeCluster, DescribeContinuousBackups, DescribeCustomerGateways, DescribeDBClusterSnapshotAttributes, DescribeDBClusterSnapshots, DescribeDBClusters, DescribeDBEngineVersions, DescribeDBInstances, DescribeDBSecurityGroups, DescribeDBSnapshotAttributes, DescribeDBSnapshots, DescribeDBSubnetGroups, DescribeDRTAccess, DescribeDeliveryStream, DescribeDirectories, DescribeEndpoint, DescribeFileSystemPolicy, DescribeFileSystems, DescribeFleets, DescribeHosts, DescribeHub, DescribeImages, DescribeInstances, DescribeInternetGateways, DescribeJobs, DescribeKeyPairs, DescribeListeners, DescribeLoadBalancers, DescribeSecret, GetDomainPermissionsPolicy, GetSecretValue, GetSecurityConfigurations, ListOrganizationAdminAccounts Change.All_Changes
aws:cloudtrail DescribeAddresses, DescribeCustomerGateways, DescribeDBSecurityGroups, DescribeDBSubnetGroups, DescribeInternetGateways Change.All_Changes

Field Changes

Sourcetype eventName Added Fields Modified Fields Removed Fields v1 v2
aws:cloudtrail AddMemberToGroup user, change_type, object_id, status, action, src_user_type, src_user, object, object_attrs, src_user_name object_category, tag, eventtype, tag::eventtype user_name unknown, , , user, account,management,change, aws_cloudtrail_iam_change_acctmgmt, account,management,change
aws:cloudtrail AdminCreateUser change_type, object_id, status, action, object, object_attrs, src_user_name object_category, tag, eventtype, user, tag::eventtype, user_name unknown, , , digital_nomad,dev-swb-svc, , digital_nomad,dev-swb-svc user, account,management,change, aws_cloudtrail_iam_change_acctmgmt, HIDDEN_DUE_TO_SECURITY_REASONS, account,management,change, HIDDEN_DUE_TO_SECURITY_REASONS
aws:cloudtrail AdminGetUser change_type, object_id, status, action, object, object_attrs, src_user_name object_category, tag, eventtype, user, tag::eventtype, user_name unknown, , , digital_nomad,dev-swb-svc, , digital_nomad,dev-swb-svc user, account,management,change, aws_cloudtrail_iam_change_acctmgmt, HIDDEN_DUE_TO_SECURITY_REASONS, account,management,change, HIDDEN_DUE_TO_SECURITY_REASONS
aws:cloudtrail AdminResetUserPassword change_type, user, object_id, status, action, src_user_type, src_user, object, object_attrs, src_user_name object_category, tag, eventtype, tag::eventtype, user_name unknown, , , , ACOE-AWS-Developer user, account,management,change, aws_cloudtrail_iam_change_acctmgmt, account,management,change, HIDDEN_DUE_TO_SECURITY_REASONS
aws:cloudtrail AssumeRole object, src_user_name object_category, change_type, user_type, user unknown, EC2,STS, , user, AAA,virtual computing, AssumedRole, AWSAccountAuditFunction-role-85lvmt4g
aws:cloudtrail AssumeRoleWithSAML change_type STS AAA
aws:cloudtrail AssumeRoleWithWebIdentity change_type, src_user_id STS, AAA, accounts.google.com:.apps.googleusercontent.com
aws:cloudtrail AttachRolePolicy object_id, object, object_attrs object_category, tag, eventtype, tag::eventtype, user, action, user_name unknown, account,management, aws_cloudtrail_iam_change_acctmgmt, account,management, , unknown, AWSReservedSSO_AWSAdministratorAccess_d8318c70c7f3047c role, , aws_cloudtrail_change, , johndoe1@example.com, , johndoe1@example.com
aws:cloudtrail BatchGetImage change_type, user, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , image, change, aws_cloudtrail_change, change
aws:cloudtrail CreateAuthorizer change_type, user, object_id, status, action, object, object_attrs object_category, user_name unknown, ACOE-AWS-Developer authorizer, johndoe1@example.com
aws:cloudtrail CreateClientVpnEndpoint user, object_id, status, action, object, object_attrs object_category, change_type, user_name unknown, EC2, AWSReservedSSO_AWSAdministratorAccess_e5ad140e18859391 client-vpn-endpoint, network, johndoe1@example.com
aws:cloudtrail CreateConnection change_type, user, result, object_id, status, action, object, object_attrs object_category, user_name unknown, AWSReservedSSO_AWSAdministratorAccess_d8318c70c7f3047c connection, johndoe1@example.com
aws:cloudtrail CreateDBClusterSnapshot change_type, object_id, status, action, object_path, object, object_attrs object_category unknown cluster
aws:cloudtrail CreateDataChannel user, change_type, status, action, object, object_attrs object_category unknown service
aws:cloudtrail CreateLoadBalancer object_id, status, action, object_path, object, object_attrs object_category unknown load balancer
aws:cloudtrail CreateNamespace change_type, object_id, status, action, object_path, object, object_attrs object_category, user, user_name unknown, , AWSReservedSSO_AWSAdministratorAccess_d8318c70c7f3047c namespace, johndoe1@example.com, johndoe1@example.com
aws:cloudtrail CreatePolicy object_path, object, object_attrs, object_id object_category, tag, eventtype, tag::eventtype, user, action, user_name unknown, account,management, aws_cloudtrail_iam_change_acctmgmt, account,management, , unknown, AWSReservedSSO_AWSAdministratorAccess_d8318c70c7f3047c policy, , , , johndoe1@example.com, , johndoe1@example.com
aws:cloudtrail CreateServiceLinkedRole object_id, status, action, object_path, object, object_attrs object_category, tag, eventtype, tag::eventtype, user, user_name unknown, account,management, aws_cloudtrail_iam_change_acctmgmt, account,management, , AWSReservedSSO_AWSAdministratorAccess_e5ad140e18859391 service linked role, , , , johndoe1@example.com, johndoe1@example.com
aws:cloudtrail CreateSnapshot object_id, status, action, object, object_attrs object_category, change_type, user unknown, EC2, snapshot, virtual computing, PrismaCloudRole-member
aws:cloudtrail CreateVpc object_id, status, action, object, object_attrs object_category, change_type, tag, eventtype, tag::eventtype, user unknown, EC2, network, aws_cloudtrail_notable_network_events, network, vpc, virtual computing, , , , PrismaCloudRole-member
aws:cloudtrail CreateWorkgroup change_type, object_id, status, action, object, object_attrs object_category, user, user_name unknown, , AWSReservedSSO_AWSAdministratorAccess_d8318c70c7f3047c workgroup, johndoe1@example.com, johndoe1@example.com
aws:cloudtrail Decrypt change_type, user, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user_name unknown, , , , ACOE-AWS-Developer ciphertext, change, aws_cloudtrail_change, change, johndoe1@example.com
aws:cloudtrail MonitorInstances, DescribeNatGateways, DescribeSubnets, DeleteNetworkInterface, DeleteAccessKey, DescribeNetworkAcls, DescribeEgressOnlyInternetGateways, DescribeNetworkInterfaces, DescribeSecurityGroups, DescribeVpcEndpointServiceConfigurations, DescribeVpcPeeringConnections, DescribeRouteTables, DescribeVpcEndpoints, DescribeVpcs, DescribeVpnGateways change_type EC2 virtual computing
aws:cloudtrail DeleteDBSubnetGroup change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user, user_name unknown, network, aws_cloudtrail_notable_network_events, network, , ACOE-AWS-SRE subnet_group, , , , johndoe1@example.com, johndoe1@example.com
aws:cloudtrail DeleteVpcEndpoints user, object_id, status, action, object, object_attrs object_category, change_type, tag, eventtype, tag::eventtype unknown, EC2, network, aws_cloudtrail_notable_network_events, network vpc endpoint, virtual computing, , ,
aws:cloudtrail DescribeAccessPoints change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , access point, change, aws_cloudtrail_change, change, AWSServiceRoleForConfig
aws:cloudtrail DescribeAccountSubscription change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, user, tag::eventtype unknown, , , , aws account, change, aws_cloudtrail_change, AWSServiceRoleForConfig, change
aws:cloudtrail DescribeAddresses object_id, status, action, object, object_attrs object_category, change_type, tag, eventtype, tag::eventtype, user unknown, EC2, , , , AWS account, virtual computing, change, aws_cloudtrail_change, change, CloudHealthRole,AWSServiceRoleForTrustedAdvisor
aws:cloudtrail DescribeBackupPolicy user, change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , Elastic filesystem, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeCluster user, change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , EKS cluster, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeConfigurationSettings user, change_type, object_id, status, action, object, object_attrs object_category, eventtype unknown, application, aws_cloudtrail_change
aws:cloudtrail DescribeContinuousBackups user, change_type, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , table, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeCustomerGateways status, action object_category, tag, eventtype, user, tag::eventtype, change_type unknown, , , , , EC2 VPN customer gateways, change, aws_cloudtrail_change, AWSServiceRoleForConfig, change, network
aws:cloudtrail DescribeDBClusterSnapshotAttributes change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , DB cluster snapshot attribute, change, aws_cloudtrail_change, change, sgs-cloud-security-audit,AWSServiceRoleForConfig
aws:cloudtrail DescribeDBClusterSnapshots change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , DB cluster snapshot, change, aws_cloudtrail_change, change, AWSServiceRoleForConfig
aws:cloudtrail DescribeDBClusters change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , DB cluster, change, aws_cloudtrail_change, change, AWSServiceRoleForConfig
aws:cloudtrail DescribeDBEngineVersions change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user, user_name unknown, , , , , ACOE-AWS-SRE DB engine, change, aws_cloudtrail_change, change, johndoe1@example.com, johndoe1@example.com
aws:cloudtrail DescribeDBInstances change_type, status, object_attrs, action object_category, tag, eventtype, tag::eventtype, object_id, object unknown, , , , , rds.amazonaws.com DB instance, change, aws_cloudtrail_change, change, TestAccess, DB instance,TestAccess
aws:cloudtrail DescribeDBSecurityGroups change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , DB security group, change, aws_cloudtrail_change, change, CloudHealthRole,AWSServiceRoleForTrustedAdvisor,AWSServiceRoleForConfig
aws:cloudtrail DescribeDBSnapshotAttributes user, change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , DB snapshot attribute, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeDBSnapshots change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , DB snapshot, change, aws_cloudtrail_change, change, IVP-Backup-EucDev-iamRoleForBackup-yi08ESmGB1MV
aws:cloudtrail DescribeDBSubnetGroups change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , DB Subnet Group, change, aws_cloudtrail_change, change, CloudHealthRole,AWSServiceRoleForConfig
aws:cloudtrail DescribeDRTAccess user, change_type, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , Amazon S3 log buckets, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeDeliveryStream user, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, change_type unknown, , , , stream Delivery stream, change, aws_cloudtrail_change, change, data
aws:cloudtrail DescribeDirectories change_type, status, action, object, object_attrs object_category, tag, eventtype, user, tag::eventtype unknown, , , , directory, change, aws_cloudtrail_change, PrismaCloudRole-member, change
aws:cloudtrail DescribeEndpoint user, change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , endpoint, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeFileSystemPolicy user, change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , Filesystem Policy, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeFileSystems user, change_type, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , Elastic filesystem, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeFleets user, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, change_type unknown, , , , EC2 fleet, change, aws_cloudtrail_change, change, virtual computing
aws:cloudtrail DescribeHosts user, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, change_type unknown, , , , EC2 Dedicated Host, change, aws_cloudtrail_change, change, virtual computing
aws:cloudtrail DescribeHub change_type, status, action, object, object_attrs object_category, tag, eventtype, user, tag::eventtype unknown, , , , Security Hub, change, aws_cloudtrail_change, PrismaCloudRole-member, change
aws:cloudtrail DescribeImages status, object, object_attrs, action object_category, tag, eventtype, user, tag::eventtype, change_type unknown, , , , , EC2 Image, change, aws_cloudtrail_change, CloudHealthRole, change, virtual computing
aws:cloudtrail DescribeInstances status, object_attrs, action object_category, tag, eventtype, tag::eventtype, change_type, object object_id unknown, , , , EC2, ec2.amazonaws.com Instance, change, aws_cloudtrail_change, change, virtual computing, Instance
aws:cloudtrail DescribeInternetGateways user, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, change_type unknown, , , , EC2 internet gateway, change, aws_cloudtrail_change, change, virtual computing
aws:cloudtrail DescribeJobs user, change_type, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , DRS batch jobs, change, aws_cloudtrail_change, change
aws:cloudtrail DescribeKeyPairs object_id, status, action, object, object_attrs object_category, change_type, tag, eventtype, tag::eventtype, user unknown, EC2, , , , key pairs, AAA, change, aws_cloudtrail_change, change, PrismaCloudRole-member
aws:cloudtrail DescribeListeners status, object, object_attrs, action object_category, tag, eventtype, tag::eventtype, user unknown, , , , listeners, change, aws_cloudtrail_change, change, PrismaCloudRole-member
aws:cloudtrail DescribeLoadBalancers object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user unknown, , , , load balancers, change, aws_cloudtrail_change, change, PrismaCloudRole-member
aws:cloudtrail DescribeSecret change_type, user, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , secret, change, aws_cloudtrail_change, change
aws:cloudtrail GetDomainPermissionsPolicy user, change_type, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , policy, change, aws_cloudtrail_change, change
aws:cloudtrail GetSecretValue user, change_type, object_id, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype, user_name unknown, , , , AWSReservedSSO_AWSAdministratorAccess_d8318c70c7f3047c secret, change, aws_cloudtrail_change, change, johndoe1@example.com
aws:cloudtrail GetSecurityConfigurations user, change_type, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , security configurations, change, aws_cloudtrail_change, change
aws:cloudtrail ListOrganizationAdminAccounts user, change_type, status, action, object, object_attrs object_category, tag, eventtype, tag::eventtype unknown, , , admin accounts, change, aws_cloudtrail_change, change

Fixed issues

Version 7.9.0 of the Splunk Add-on for Amazon Web Services fixes the following, if any, issues.

Known issues

Version 7.9.0 of the Splunk Add-on for Amazon Web Services has the following, if any, known issues.

Third-party software attributions

Version 7.9.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.

Third-party software attributions for the Splunk Add-on for Amazon Web Services