Skip to main content

Exporting Alerts to Azure Storage

  • Updated

Introduction

The blobstorage output type sends alerts to individual files in an Azure Storage bucket. The sensor can optionally create the target bucket or buckets so long as it has sufficient permissions.

This output type is commonly used for easy archiving of Alerts in a durable store. It can also be used as the trigger for an ETL process in cloud environments where blob storage write events trigger a cloud function that processes the incoming Alert. At this point Alerts can be enriched, transformed, and shipped out to other systems as needed.

Azure Storage Configuration:

There are no specific configuration needed in Azure storage. A storage account should be set up where the bucket will be created or modified to write the alerts. An account key with write permissions should also be available. This key can be requested from the Azure Storage helpdesk.

Key Env Variable Required Description
azure_account_name AZURE_ACCOUNT_NAME yes The name of the Azure storage account.
azure_account_key AZURE_ACCOUNT_KEY  yes /
no(4.7+)		 An account key that has permissions to write to the blob container.
azure_storage_sas_token AZURE_STORAGE_SAS_TOKEN no An optional SAS token which can be used.

 

Capsule8 Sensor Configuration:

C8 sensor should be having the configuration set up in the file capsule8-analytics.yaml

 

alert_output:
  outputs:
  - type: blobstorage 
    enabled: true 
    bucket_name: capsule8-alerts 
    provider: azure 
    azure_account_name: <account-name> 
    azure_account_key: <account-key>
    azure_storage_sas_token: <sas-token>

 

Key Required Description
type yes The output type.
enabled yes Enables/disables the output.
provider yes The cloud provider name.
bucket_name yes The name of the bucket to write to.
create_bucket no Enables/disables bucket creation. Defaults to False.

Note:

The is a known issue where the underlying azure library will sometimes display a HTTP 409 error message during startup when create_bucket is enabled and the bucket already exists. This error is expected and can be ignored.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.