
Exporting Alerts to S3

The blobstorage output type sends alerts to individual files in an AWS S3 bucket. The sensor can optionally create the target bucket or buckets, provided it has sufficient permissions to do so.

Access to an AWS S3 bucket can either be granted explicitly by specifying an access key in the config or implicitly by granting role-based access to the service that is running the Capsule8 Sensor (e.g. the EC2 role).

This output type is commonly used for easy archiving of Alerts in a durable store. It can also be used as the trigger for an ETL process in cloud environments where blob storage write events trigger a cloud function that processes the incoming Alert. At this point Alerts can be enriched, transformed, and shipped out to other systems as needed.

Configuration:

Key            Required  Description
type           yes       The output type.
enabled        yes       Enables/disables the output.
provider       yes       The cloud provider name.
bucket_name    yes       The name of the bucket to write to.
create_bucket  no        Enables/disables bucket creation.

AWS-specific configuration:

Key                    Required  Description
aws_region             yes       The AWS region.
aws_access_key_id      no        The AWS Access Key ID.
aws_secret_access_key  no        The AWS Secret Access Key.
aws_session_token      no        The AWS Session Token.
aws_acl                no        An ACL string such as "bucket-owner-full-control" to add to the request.

Example sending Alerts to AWS:

alert_output:
  outputs:
    # Write the Alert to AWS S3 authed through access keys
    - type: blobstorage
      enabled: true
      create_bucket: true
      bucket_name: capsule8-alerts
      provider: aws
      aws_access_key_id: $ACCESS_KEY_ID
      aws_secret_access_key: $SECRET_ACCESS_KEY
      aws_region: us-east-2
      aws_acl: "bucket-owner-full-control"
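When the sensor authenticates through the EC2 role instead of static access keys, the role still needs a policy scoped to what this output actually does. The following is an added example, not Capsule8's own code, that derives a least-privilege IAM policy from the output configuration above; it assumes (the page does not state the exact S3 calls) that the sensor needs s3:PutObject on the bucket's objects, s3:PutObjectAcl only when aws_acl is set, and s3:CreateBucket only when create_bucket is enabled.

```python
import json

# Constructed input: the page's example output with the static access keys
# removed, so the sensor relies on the EC2 instance role instead.
SENSOR_OUTPUT = {
    "type": "blobstorage",
    "enabled": True,
    "create_bucket": True,
    "bucket_name": "capsule8-alerts",
    "provider": "aws",
    "aws_region": "us-east-2",
    "aws_acl": "bucket-owner-full-control",
}


def iam_policy_for_output(output: dict) -> dict:
    """Build a least-privilege IAM policy for one AWS blobstorage output.

    Assumed permission model (not stated on the page): write objects only,
    add s3:PutObjectAcl when an ACL header is sent, and s3:CreateBucket
    only when the sensor is configured to create the bucket itself.
    """
    if output.get("provider") != "aws" or output.get("type") != "blobstorage":
        raise ValueError("only AWS blobstorage outputs are handled")
    bucket_arn = f"arn:aws:s3:::{output['bucket_name']}"

    object_actions = ["s3:PutObject"]
    if output.get("aws_acl"):
        object_actions.append("s3:PutObjectAcl")
    statements = [{
        "Sid": "WriteAlerts",
        "Effect": "Allow",
        "Action": object_actions,
        "Resource": f"{bucket_arn}/*",  # objects in this bucket only
    }]
    if output.get("create_bucket"):
        statements.append({
            "Sid": "CreateAlertBucket",
            "Effect": "Allow",
            "Action": ["s3:CreateBucket"],
            "Resource": bucket_arn,  # bucket-level action, no object wildcard
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(iam_policy_for_output(SENSOR_OUTPUT), indent=2))
```

Attach the generated policy to the instance role; once the bucket exists, set create_bucket to false and regenerate so the CreateBucket statement drops out.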