Background

Splunk enables you to search and explore the telemetry collected by Red Canary's Cloud Workload Protection.

Read below to explore your options for enabling this feature.

Option 1: Red Canary -> AWS S3 -> Splunk

Support for

Splunk Cloud
Splunk On-prem

Details

Red Canary runs Canary Exporter on your behalf.
Canary Exporter will send standardized telemetry to an AWS S3 bucket you own.
In your Splunk Cloud or On-prem instance, you configure a Generic S3 input to collect the data into Splunk

IAM policy for the bucket:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "VisualEditor0",
 "Effect": "Allow",
 "Action": [
   "s3:PutObject",
   "s3:AbortMultipartUpload",
   "s3:ListMultipartUploadParts"
 ],
 "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*"
 }
 ]
}

References

https://docs.splunk.com/Documentation/AddOns/released/AWS/S3

If you would like to use this option, please contact us.

Option 2: Local Collection -> Splunk

Support for

Splunk Cloud
Splunk On-prem

Details

You run Canary Exporter on an endpoint you own.
Canary Exporter will collect and spool the telemetry locally.
You configure your Splunk Universal Forwarder to send the locally spooled data to your Splunk Cloud or On-prem instance.

Background

Option 1: Red Canary -> AWS S3 -> Splunk

Option 2: Local Collection -> Splunk

Related articles