CCX Add-on for AWS Products
Overview
Details
CyberCX is Australia’s greatest force of cyber security experts. Our highly skilled professional services team operates a 24x7 on-shore security operations centre (SOC) servicing corporate and public sector organisations across Australia and New Zealand, specialising in Security Operations services leveraging Splunk.
Description:
CCX Security Operations has taken it upon ourselves to develop a CCX Add-on for AWS Products to provide further CIM compliance coverage not only for logs ingested via 'Splunk Add-on for AWS'.
This TA was built using a large dataset and endeavours to be the most CIM compliant comprehensive field extraction for AWS various products listed.
The Technical Addon is designed for ingest based on an SQS-Based S3 "Custom Data Type" via the Splunk Add-on for AWS or Syslog and is to be used on Search Heads.
Listed products supported:
- AWS Network Firewall
- AWS Web Application Firewall
- AWS S3 VPC Flow
- AWS Macie
- AWS API Gateway Access Logs
- AWS Security Hub Custom (HEC|JSON)
Features:
- This TA currently supports logtypes tagged under the following CIM datamodels: Alert, Change, Network Traffic and Web.
Description:
CCX Security Operations has taken it upon ourselves to develop a CCX Add-on for AWS Products to provide further CIM compliance coverage not only for logs ingested via 'Splunk Add-on for AWS'.
This TA was built using a large dataset and endeavours to be the most CIM compliant comprehensive field extraction for AWS various products listed.
The Technical Addon is designed for ingest based on an SQS-Based S3 "Custom Data Type" via the Splunk Add-on for AWS or Syslog and is to be used on Search Heads.
Listed products supported:
- AWS Network Firewall
- AWS Web Application Firewall
- AWS S3 VPC Flow
- AWS Macie
- AWS API Gateway Access Logs
- AWS Security Hub Custom (HEC|JSON)
Features:
- This TA currently supports logtypes tagged under the following CIM datamodels: Alert, Change, Network Traffic and Web.
Release Notes
Version 1.2.6
Requirements:
- To retrieve AWS Network Firewall logs based on an SQS-Based S3 "Custom Data Type" is required additional Add-on 'Splunk Add-on for AWS' version 7.10.0 or higher (https://splunkbase.splunk.com/app/1876/).
- This Add-on is intended to be installed on Search Heads and where 'Splunk Add-on for AWS' inputs are configured.
- The AWS S3 VPC Flow logs ingested via syslog has the field extractions dependencies on Add-on 'Splunk Add-on for AWS' version 7.10.0 or higher (https://splunkbase.splunk.com/app/1876/) and it is required to be installed along 'CCX Add-on for AWS Products'
Version 1.2.5
Requirements:
- To retrieve AWS Network Firewall logs based on an SQS-Based S3 "Custom Data Type" is required additional Add-on 'Splunk Add-on for AWS' version 7.10.0 or higher (https://splunkbase.splunk.com/app/1876/).
- This Add-on is intended to be installed on Search Heads and where 'Splunk Add-on for AWS' inputs are configured.
- The AWS S3 VPC Flow logs ingested via syslog has the field extractions dependencies on Add-on 'Splunk Add-on for AWS' version 7.10.0 or higher (https://splunkbase.splunk.com/app/1876/) and it is required to be installed along 'CCX Add-on for AWS Products'
Version 1.2.4
Requirements:
- To retrieve AWS Network Firewall logs based on an SQS-Based S3 "Custom Data Type" is required additional Add-on 'Splunk Add-on for AWS' version 7.10.0 or higher (https://splunkbase.splunk.com/app/1876/).
- This Add-on is intended to be installed on Search Heads and where 'Splunk Add-on for AWS' inputs are configured.
- The AWS S3 VPC Flow logs ingested via syslog has the field extractions dependencies on Add-on 'Splunk Add-on for AWS' version 7.10.0 or higher (https://splunkbase.splunk.com/app/1876/) and it is required to be installed along 'CCX Add-on for AWS Products'
Version 1.2.3
- Optimized AWS Macie configuration for better performance
-
- Through props.conf config as well as regex parsing
Version 1.2.2
Added support for
- Application Load Balancer Access Logs
- API Gateway Access Logs
Version 1.2.1
- Added support for AWS Macie logs through sourcetype "ccx:aws:macie"
Version 1.2.0
Requirements:
- To retrieve AWS Network Firewall logs based on an SQS-Based S3 "Custom Data Type" is required additional Add-on 'Splunk Add-on for AWS' version 5.0.3 or higher (https://splunkbase.splunk.com/app/1876/).
- This Add-on is intended to be installed on Search Heads and where 'Splunk Add-on for AWS' inputs are configured.
- The AWS S3 VPC Flow logs ingested via syslog has the field extractions dependencies on Add-on 'Splunk Add-on for AWS' version 5.0.3 or higher (https://splunkbase.splunk.com/app/1876/) and it is required to be installed along 'CCX Add-on for AWS Products'
Version 1.1.0
Listed products supported:
- AWS Network Firewall
- AWS Web Application Firewall
Requirements:
- To retrieve AWS Network Firewall logs based on an SQS-Based S3 "Custom Data Type" is required additional Add-on 'Splunk Add-on for AWS' version 5.0.3 or higher (https://splunkbase.splunk.com/app/1876/).
- This Add-on is intended to be installed on Search Heads and where 'Splunk Add-on for AWS' inputs are configured.
Version 1.0.0
Requirements:
- To retrieve AWS Network Firewall logs based on an SQS-Based S3 "Custom Data Type" is required additional Add-on 'Splunk Add-on for AWS' version 5.0.3 or higher (https://splunkbase.splunk.com/app/1876/).
- This Add-on is intended to be installed on Search Heads.
Installation:
- To retrieve AWS Network Firewall logs based on an SQS-Based S3 "Custom Data Type" is required additional Add-on 'Splunk Add-on for AWS' version 5.0.3 or higher (https://splunkbase.splunk.com/app/1876/) installed where "inputs" is to be configured.
- This Add-on is intended to be installed on Search Heads.