Background
Splunk enables you to search and explore the telemetry collected by Red Canary's Cloud Workload Protection.
Read below to explore your options for enabling this feature.
Option 1: Red Canary -> AWS S3 -> Splunk
Support for
- Splunk Cloud
- Splunk On-prem
Details
- Red Canary runs Canary Exporter on your behalf.
- Canary Exporter will send standardized telemetry to an AWS S3 bucket you own.
- In your Splunk Cloud or On-prem instance, you configure a Generic S3 input to collect the data into Splunk
Example Splunk Generic S3 input:
IAM policy for the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*"
}
]
}
References
If you would like to use this option, please contact us.
Option 2: Local Collection -> Splunk
Support for
- Splunk Cloud
- Splunk On-prem
Details
- You run Canary Exporter on an endpoint you own.
- Canary Exporter will collect and spool the telemetry locally.
- You configure your Splunk Universal Forwarder to send the locally spooled data to your Splunk Cloud or On-prem instance.