Background
Splunk enables you to search and explore the telemetry collected by Red Canary's Linux EDR. This article covers your options for enabling this feature.
Option 1: Red Canary -> AWS S3 -> Splunk
Support for
- Splunk Cloud
- Splunk On-prem
Details
- Canary Exporter will send standardized telemetry to an AWS S3 bucket you own.
- In your Splunk Cloud or On-prem instance, you configure a Generic S3 input to collect the data into Splunk.
IAM policy for the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*"
    }
  ]
}
Learn more about configuring Generic S3 inputs for the Splunk Add-on for AWS.
If you would like to use this option, please contact Red Canary.
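As an added check (not part of this article or of Red Canary's tooling), the following Python script audits an exporter IAM policy against the shape shown above: only the three write-side actions, and only on one bucket prefix. The function name `audit_exporter_policy`, the ARN regex and the over-broad sample policy are my own constructions.

```python
import json
import re

# Actions the article's policy grants: enough for the exporter to write objects (including
# multipart uploads) and nothing that reads or lists what is already in the bucket.
EXPECTED_ACTIONS = {"s3:putobject", "s3:abortmultipartupload", "s3:listmultipartuploadparts"}
# Object ARN scoped to one bucket and a non-empty prefix, as in the article's policy.
PREFIXED_OBJECT_ARN = re.compile(r"^arn:aws:s3:::[^/*]+/[^*]+/\*$")

# Constructed copies of the article's policy (placeholders left in) and of an over-broad one.
ARTICLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
        "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*",
    }],
})
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Wide", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})


def audit_exporter_policy(policy_json: str) -> list:
    """Return one finding per way the policy exceeds write-only access to a single prefix."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object instead of a list
        statements = [statements]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action.lower() not in EXPECTED_ACTIONS:  # IAM action names are case-insensitive
                findings.append(f"{sid}: unexpected action {action}")
        resources = stmt.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if not PREFIXED_OBJECT_ARN.match(res):
                findings.append(f"{sid}: resource {res} is not a single bucket prefix")
    return findings


if __name__ == "__main__":
    print("article policy:", audit_exporter_policy(ARTICLE_POLICY) or "no findings")
    print("over-broad policy:", audit_exporter_policy(OVERBROAD_POLICY))
```

Run it against the policy you actually attach to the exporter's credentials before handing them over; any finding means the exporter could do more in the bucket than the article's option requires.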
Option 2: Local Collection -> Splunk
Support for
- Splunk Cloud
- Splunk On-prem
Details
- Run Canary Exporter on an endpoint you own.
- Canary Exporter will collect and spool the telemetry locally.
- Configure your Splunk Universal Forwarder to send the locally spooled data to your Splunk Cloud or On-prem instance.