Introduction
The blobstorage output type sends alerts to individual files in an Azure Storage bucket. The sensor can optionally create the target bucket or buckets, provided it has sufficient permissions.
This output type is commonly used for easy archiving of Alerts in a durable store. It can also be used as the trigger for an ETL process in cloud environments, where blob storage write events trigger a cloud function that processes the incoming Alert. At that point the Alerts can be enriched, transformed, and shipped out to other systems as needed.
Azure Storage Configuration:
Azure storage requires two pieces of information to work correctly:
1) The name of the storage account the sensor should write to.
2) One of the following forms of authentication:
- An Azure storage account key, provided either via environment variables or in the sensor config.
- An Azure storage SAS token, provided either via environment variables or in the sensor config. Note that Azure provides no way to renew these tokens, so renewal needs to be handled as part of orchestration.
- Azure managed identities. For managed identities no configuration options need to be passed to the sensor, as the credentials are already provided on the host and can be auto-detected.
Key | Env Variable | Required | Description |
---|---|---|---|
azure_account_name | AZURE_ACCOUNT_NAME | yes | The name of the Azure storage account. |
azure_account_key | AZURE_ACCOUNT_KEY | yes / no (4.7+) | An account key that has permissions to write to the blob container. |
azure_storage_sas_token | AZURE_STORAGE_SAS_TOKEN | no | An optional SAS token that can be used for authentication. |
azure_storage_domain | AZURE_STORAGE_DOMAIN | no (4.8+) | Can be used to specify a specific Azure storage domain instead of the public cloud. |
Capsule8 Sensor Configuration:
The Capsule8 sensor reads this output configuration from the file capsule8-analytics.yaml:
```yaml
alert_output:
  outputs:
    - type: blobstorage
      enabled: true
      bucket_name: capsule8-alerts
      provider: azure
      azure_account_name: <account-name>
      # Supply only the form of authentication you use; omit all of them for managed identities.
      azure_account_key: <account-key>
      azure_storage_sas_token: <sas-token>
      azure_storage_domain: <storage-domain>
```
Key | Required | Description |
---|---|---|
type | yes | The output type. |
enabled | yes | Enables/disables the output. |
provider | yes | The cloud provider name. |
bucket_name | yes | The name of the bucket to write to. |
create_bucket | no | Enables/disables bucket creation. Defaults to False. |
Note:
There is a known issue where the underlying Azure library will sometimes display an HTTP 409 error message during startup when create_bucket is enabled and the bucket already exists. This error is expected and can be ignored.
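Because the sensor accepts the Azure settings either from the YAML output block or from the environment variables in the table above, and because a SAS token cannot be renewed by the sensor, an orchestration step that validates the effective settings before the sensor starts is useful. The following checker is an added example, not Capsule8 code: it resolves each key against its env var (config-over-env precedence is this checker's assumption, not documented here), reports which of the three authentication forms is in effect, and reads the standard `se=` signed-expiry field of a SAS token to warn before it lapses. The sample config and token are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Config keys and env variable names from the table on this page.
ENV_MAP = {
    "azure_account_name": "AZURE_ACCOUNT_NAME",
    "azure_account_key": "AZURE_ACCOUNT_KEY",
    "azure_storage_sas_token": "AZURE_STORAGE_SAS_TOKEN",
    "azure_storage_domain": "AZURE_STORAGE_DOMAIN",
}

# Fixed "now" so the demo and its checks are reproducible (constructed value).
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def effective_setting(output: dict, env: dict, key: str):
    """Value from the output block, falling back to its env var (precedence is an assumption)."""
    return output.get(key) or env.get(ENV_MAP[key]) or None


def sas_expiry(token: str):
    """Parse the signed-expiry (se) field of an Azure SAS token; None if absent."""
    se = parse_qs(token.lstrip("?")).get("se", [None])[0]
    return datetime.fromisoformat(se.replace("Z", "+00:00")) if se else None


def check_azure_output(output: dict, env: dict, now: datetime, min_days: int = 7) -> dict:
    """Report the auth mode in effect and any problems for one azure blobstorage output."""
    problems = []
    if output.get("type") != "blobstorage" or output.get("provider") != "azure":
        problems.append("not an azure blobstorage output")
    if not effective_setting(output, env, "azure_account_name"):
        problems.append("azure_account_name / AZURE_ACCOUNT_NAME is required")
    key = effective_setting(output, env, "azure_account_key")
    sas = effective_setting(output, env, "azure_storage_sas_token")
    if key:  # account key wins if both are set (assumption of this checker)
        mode = "account_key"
    elif sas:
        mode = "sas_token"
        exp = sas_expiry(sas)
        if exp is None:
            problems.append("SAS token has no se= expiry field")
        elif exp <= now:
            problems.append("SAS token already expired; renew it via orchestration")
        elif (exp - now).days < min_days:
            problems.append(f"SAS token expires in {(exp - now).days} days")
    else:  # nothing configured: the sensor auto-detects a managed identity on the host
        mode = "managed_identity"
    return {"mode": mode, "problems": problems}


if __name__ == "__main__":
    sample = {"type": "blobstorage", "provider": "azure", "bucket_name": "capsule8-alerts",
              "azure_storage_sas_token": "sv=2020-08-04&se=2024-01-03T00:00:00Z&sp=w&sig=CONSTRUCTED"}
    print(check_azure_output(sample, {"AZURE_ACCOUNT_NAME": "example-account"}, DEMO_NOW))
```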