Exporting Alerts to S3
The blobstorage output type sends alerts to individual files in an AWS S3 bucket. The sensor can optionally create the target bucket or buckets, so long as it has sufficient permissions.
Access to an AWS S3 bucket can be granted either explicitly, by specifying an access key in the config, or implicitly, by granting role-based access to the service that is running the Capsule8 Sensor (e.g. the EC2 role).
This output type is commonly used for easy archiving of Alerts in a durable store. It can also be used as the trigger for an ETL process in cloud environments where blob storage write events trigger a cloud function that processes the incoming Alert. At that point Alerts can be enriched, transformed, and shipped out to other systems as needed.
Key | Required | Description
--- | --- | ---
type | yes | The output type.
enabled | yes | Enables/disables the output.
provider | yes | The cloud provider name.
bucket_name | yes | The name of the bucket to write to.
create_bucket | no | Enables/disables bucket creation.
aws_region | yes | The AWS region.
aws_access_key_id | no | The AWS Access Key ID.
aws_secret_access_key | no | The AWS Secret Access Key.
aws_session_token | no | The AWS Session Token.
Example sending Alerts to AWS:
```yaml
# Write the Alert to AWS S3 authed through access keys
- type: blobstorage
  enabled: true
  create_bucket: true
  bucket_name: capsule8-alerts
  provider: aws
  aws_access_key_id: $ACCESS_KEY_ID
  aws_secret_access_key: $SECRET_ACCESS_KEY
  aws_region: us-east-2
```
This output configuration is set in the `capsule8-analytics.yaml` configuration file.
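As an added example (not part of the Capsule8 documentation or sensor code), a small Python check of one blobstorage output entry against the table above: required keys present, static credentials either absent (role-based access) or complete, and secret values given as `$VAR` references rather than literals pasted into the file. The sample entries and function names are constructed for this illustration.

```python
import re

# Keys the table above marks as required for a blobstorage output; the two
# static credential keys are optional but only meaningful as a pair.
REQUIRED_KEYS = ("type", "enabled", "provider", "bucket_name", "aws_region")
CREDENTIAL_KEYS = ("aws_access_key_id", "aws_secret_access_key")
# Values like $ACCESS_KEY_ID are references resolved at runtime, not secrets.
ENV_REF = re.compile(r"^\$[A-Z_][A-Z0-9_]*$")

def validate_blobstorage_output(output: dict) -> list:
    """Return the problems found in one blobstorage output entry (empty list = ok)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in output:
            problems.append(f"missing required key: {key}")
    if output.get("type") != "blobstorage":
        problems.append("type must be 'blobstorage'")
    if output.get("provider") != "aws":
        problems.append("provider must be 'aws' for S3 exports")
    have = [k for k in CREDENTIAL_KEYS if k in output]
    if have and len(have) != len(CREDENTIAL_KEYS):
        problems.append("aws_access_key_id and aws_secret_access_key must be set together")
    if "aws_session_token" in output and not have:
        problems.append("aws_session_token is only used together with access keys")
    for key in CREDENTIAL_KEYS + ("aws_session_token",):
        value = output.get(key)
        if value is not None and not ENV_REF.match(str(value)):
            problems.append(f"{key} looks like a literal secret; use a $VAR reference")
    return problems

def access_mode(output: dict) -> str:
    """'static-keys' when both access keys are configured, otherwise 'role'."""
    return "static-keys" if all(k in output for k in CREDENTIAL_KEYS) else "role"

# Constructed sample entries: the page's example, a role-based variant with no
# static keys, and a misconfiguration with a literal secret in the file.
KEYED_OUTPUT = {
    "type": "blobstorage", "enabled": True, "create_bucket": True,
    "bucket_name": "capsule8-alerts", "provider": "aws", "aws_region": "us-east-2",
    "aws_access_key_id": "$ACCESS_KEY_ID", "aws_secret_access_key": "$SECRET_ACCESS_KEY",
}
ROLE_OUTPUT = {k: v for k, v in KEYED_OUTPUT.items() if k not in CREDENTIAL_KEYS}
LEAKY_OUTPUT = dict(KEYED_OUTPUT, aws_secret_access_key="literal-secret-placeholder")

if __name__ == "__main__":
    for name, cfg in (("keyed", KEYED_OUTPUT), ("role", ROLE_OUTPUT), ("leaky", LEAKY_OUTPUT)):
        print(name, access_mode(cfg), validate_blobstorage_output(cfg) or "ok")
```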