Capsule8 Docs
Capsule8 Docs

Exporting Alerts to S3

The blobstorage output type sends alerts to individual files in an AWS S3 bucket. The sensor can optionally create the target bucket or buckets so long as it has sufficient permisisons.

Access to an AWS S3 bucket can either be granted explicitly by specifying an access key in the config or implicitly by granting role-based access to the service that is running the Capsule8 Sensor (e.g. the EC2 role).

This output type is commonly used for easy archiving of Alerts in a durable store. It can also be used as the trigger for an ETL process in cloud environments where blob storage write events trigger a cloud function that processes the incoming Alert. At this point Alerts can be enriched, transformed, and shipped out to other systems as needed.


Key Required Description
type yes The output type.
enabled yes Enables/disables the output.
provider yes The cloud provider name.
bucket_name yes The name of the bucket to write to.
create_bucket no Enables/disables bucket creation.

AWS-specific configuration:

aws_region | yes | The AWS region. aws_access_key_id | no | The AWS Access Key ID. aws_secret_access_key | no | The AWS Secret Access Key. aws_session_token | no | The AWS Session Token.

Example sending Alerts to AWS:

# Write the Alert to AWS S3 authed through access keys
- type: blobstorage
  enabled: true
  create_bucket: true
  bucket_name: capsule8-alerts
  provider: aws
  aws_access_key_id: $ACCESS_KEY_ID
  aws_secret_access_key: $SECRET_ACCESS_KEY
  aws_region: us-east-2

_enabled: trueis set in thecapsule8-analytics.yaml` configuration file.