Background

Splunk enables you to search and explore the telemetry collected by Red Canary's Linux EDR. This article covers your options for enabling this feature.

Estimated reading time: 3 minutes

Option 1: Red Canary -> AWS S3 -> Splunk

Support for

Splunk Cloud
Splunk On-prem

Details

Canary Exporter will send standardized telemetry to an AWS S3 bucket you own.
In your Splunk Cloud or On-prem instance, you configure a Generic S3 input to collect the data into Splunk

IAM policy for the bucket:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "VisualEditor0",
 "Effect": "Allow",
 "Action": [
   "s3:PutObject",
   "s3:AbortMultipartUpload",
   "s3:ListMultipartUploadParts"
 ],
 "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*"
 }
 ]
}

Learn more about configuring Generic S3 inputs for the Splunk Add-on for AWS.

If you would like to use this option, please contact Red Canary.

Option 2: Local Collection -> Splunk

Support for

Splunk Cloud
Splunk On-prem

Details

Run Canary Exporter on an endpoint you own.
Canary Exporter will collect and spool the telemetry locally.
Configure your Splunk Universal Forwarder to send the locally spooled data to your Splunk Cloud or On-prem instance.

Configure Splunk

Background

Option 1: Red Canary -> AWS S3 -> Splunk

Support for

Details

IAM policy for the bucket:

Option 2: Local Collection -> Splunk

Support for

Details

Comments