Background

Splunk enables you to search and explore the telemetry collected by Red Canary's Cloud Workload Protection.

Read below to explore your options for enabling this feature.

Option 1: Red Canary -> AWS S3 -> Splunk

Support for

• Splunk Cloud
• Splunk On-prem

Details

• Red Canary runs Canary Exporter on your behalf.
• Canary Exporter will send standardized telemetry to an AWS S3 bucket you own.
• In your Splunk Cloud or On-prem instance, you configure a Generic S3 input to collect the data into Splunk

 IAM policy for the bucket:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "VisualEditor0",
 "Effect": "Allow",
 "Action": [
   "s3:PutObject",
   "s3:AbortMultipartUpload",
   "s3:ListMultipartUploadParts"
 ],
 "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*"
 }
 ]
}

References

• https://docs.splunk.com/Documentation/AddOns/released/AWS/S3

If you would like to use this option, please contact us.

Option 2: Local Collection -> Splunk

Support for

• Splunk Cloud
• Splunk On-prem

Details

• You run Canary Exporter on an endpoint you own.
• Canary Exporter will collect and spool the telemetry locally.
• You configure your Splunk Universal Forwarder to send the locally spooled data to your Splunk Cloud or On-prem instance.