Capsule8 Console Docs

Getting investigation data via AWS S3/Athena

1. S3

You will need to create two additional buckets: one for Capsule8 Metaevents and one for query results. Note the bucket names and regions.

2. Console

You will need to edit /etc/capsule8/capsule8-console.yaml to include the following two settings (fill in the correct values for your setup):

console:
  ...
  query_blob_storage_bucket_name: <investigations-metadata-bucket-name>
  query_athena_connection: db=capsule8_investigations&output_location=s3://<investigations-query-results-bucket-name>

Here is the equivalent configuration using only environment variables:

CAPSULE8_CONSOLE_QUERY_BLOB_STORAGE_BUCKET_NAME=<investigations-metadata-bucket-name>
CAPSULE8_CONSOLE_QUERY_ATHENA_CONNECTION="db=capsule8_investigations&output_location=s3://<investigations-query-results-bucket-name>"

3. Sensor

You can configure Sensors to emit data to support investigations by editing /etc/capsule8/capsule8-sensor.yaml where the Sensor is running:

cloud_meta: auto
investigations:
  reporting_interval: 10s
  sinks:
    - name: <investigations-metadata-bucket-name>
      backend: aws
      automated: true
      type: parquet
  flight_recorder:
    enabled: true
    tables:
      - name: "shell_commands"
        enabled: true
      - name: "tty_data"
        enabled: true
      - name: "sensors"
        enabled: true
      - name: "sensor_metadata"
        enabled: true
      - name: "connections"
        enabled: true
      - name: "process_events"
        enabled: true
      - name: "container_events"
        enabled: true
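Steps 1 to 3 have to agree with each other: the bucket named in the Console's query_blob_storage_bucket_name must be the same bucket the Sensor's aws/parquet sink writes to, and it must be a different bucket from the Athena output_location. The following is an added example (not Capsule8 code) that checks those relationships once the two YAML files have been loaded into Python dicts; the bucket names and sink entries below are constructed sample values.

```python
"""Cross-check the Console settings from step 2 against the Sensor sinks from step 3.

Added example, not part of the Capsule8 docs or product. It assumes the two
config files have already been loaded into Python dicts (for example with a YAML
loader); the sample values below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

EXPECTED_DB = "capsule8_investigations"  # database name shown in the docs' connection string


def parse_athena_connection(conn):
    """Split 'db=<name>&output_location=s3://<bucket>[/<prefix>]' into its parts,
    rejecting anything that is not an s3:// location."""
    params = parse_qs(conn, strict_parsing=True)
    db = params.get("db", [""])[0]
    location = params.get("output_location", [""])[0]
    if not db or not location:
        raise ValueError("query_athena_connection needs both db= and output_location=")
    url = urlparse(location)
    if url.scheme != "s3" or not url.netloc:
        raise ValueError(f"output_location must be an s3:// URI, got {location!r}")
    return {"db": db, "results_bucket": url.netloc, "results_prefix": url.path.lstrip("/")}


def check_console_sensor_agreement(console, sensor_sinks):
    """Return a list of problems (empty when the two configs are consistent).

    console: the 'console:' mapping from capsule8-console.yaml
    sensor_sinks: the 'investigations.sinks' list from capsule8-sensor.yaml
    """
    problems = []
    athena = parse_athena_connection(console["query_athena_connection"])
    metaevents_bucket = console["query_blob_storage_bucket_name"]

    if athena["db"] != EXPECTED_DB:
        problems.append(f"athena db is {athena['db']!r}, docs use {EXPECTED_DB!r}")
    # Step 1 asks for two buckets: metaevents and query results must not be the same one.
    if athena["results_bucket"] == metaevents_bucket:
        problems.append("metaevents bucket and query-results bucket must be different buckets")
    # The Sensor must write parquet metaevents to the bucket the Console reads from.
    aws_sinks = [s for s in sensor_sinks if s.get("backend") == "aws"]
    matching = [s for s in aws_sinks if s.get("name") == metaevents_bucket]
    if not matching:
        problems.append(f"no Sensor sink with backend aws writes to {metaevents_bucket!r}")
    for sink in matching:
        if sink.get("type") != "parquet":
            problems.append(f"sink {sink['name']!r} type is {sink.get('type')!r}, expected 'parquet'")
        if not sink.get("automated"):
            problems.append(f"sink {sink['name']!r} is not automated")
    return problems


# Constructed sample configs (not from a real deployment).
CONSOLE_OK = {
    "query_blob_storage_bucket_name": "c8-metaevents",
    "query_athena_connection": "db=capsule8_investigations&output_location=s3://c8-query-results",
}
SENSOR_SINKS_OK = [{"name": "c8-metaevents", "backend": "aws", "automated": True, "type": "parquet"}]

# Misconfiguration: one bucket used for both purposes, and no Sensor sink writes to it.
CONSOLE_BAD = {
    "query_blob_storage_bucket_name": "c8-query-results",
    "query_athena_connection": "db=capsule8_investigations&output_location=s3://c8-query-results",
}

if __name__ == "__main__":
    print("ok:", check_console_sensor_agreement(CONSOLE_OK, SENSOR_SINKS_OK))
    print("bad:", check_console_sensor_agreement(CONSOLE_BAD, SENSOR_SINKS_OK))
```

Run it after editing both YAML files; an empty list means the Console will query the bucket the Sensors actually populate, with Athena results kept in their own bucket.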

4. IAM

Sensor

You will need to grant the Sensors the s3:CreateBucket and s3:PutObject permissions on the buckets you created. Grant access to all objects within the buckets.

Console

The Console will need the following permissions:

  • Investigations query results
    • s3:CreateBucket
    • s3:GetBucketLocation
    • s3:PutObject
    • s3:ListBucket
    • s3:GetObject
  • Athena (for querying S3 data via a SQL interface)
    • athena:GetQueryExecution
    • athena:GetQueryResults
    • athena:StartQueryExecution
  • Glue (for managing Athena lifecycle)
    • glue:GetTable
    • glue:GetTables
    • glue:GetDatabase
    • glue:CreateTable
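The actions above split into two kinds: s3:CreateBucket, s3:GetBucketLocation and s3:ListBucket apply to the bucket ARN, while s3:PutObject and s3:GetObject apply to the objects (bucket/*), so a least-privilege policy needs both resource forms. The following is an added example (not Capsule8's code) that builds the Sensor and Console policy documents from the action list on this page. Region, account id, bucket names and the Athena workgroup "primary" are placeholders and assumptions you replace for your setup; scoping the Glue grant to the capsule8_investigations database is this example's choice, not something the docs state.

```python
"""Build least-privilege IAM policy documents for the Capsule8 Sensor and Console.

Added example, not Capsule8's own code. The action names are the ones listed on
this page; region, account id, bucket names and the Athena workgroup are
placeholders you must replace.
"""
import json
import re

# Actions that take the bucket ARN (arn:aws:s3:::bucket) as their resource.
BUCKET_LEVEL_ACTIONS = {"s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket"}
# Actions that take object ARNs (arn:aws:s3:::bucket/*) as their resource.
OBJECT_LEVEL_ACTIONS = {"s3:PutObject", "s3:GetObject"}

# IAM requires the "<service>:<Action>" form; "athenaStartQueryExecution" (no colon)
# is rejected as a malformed policy document.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def validate_actions(actions):
    """Raise ValueError on any action that is not in <service>:<Action> form."""
    bad = sorted(a for a in actions if not ACTION_RE.match(a))
    if bad:
        raise ValueError(f"malformed IAM actions: {bad}")
    return True


def s3_statements(actions, buckets):
    """Return Allow statements with bucket-level actions on the bucket ARNs and
    object-level actions on bucket/*, never both on one over-broad resource."""
    unknown = set(actions) - BUCKET_LEVEL_ACTIONS - OBJECT_LEVEL_ACTIONS
    if unknown:
        raise ValueError(f"unclassified S3 actions: {sorted(unknown)}")
    bucket_acts = sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS)
    object_acts = sorted(a for a in actions if a in OBJECT_LEVEL_ACTIONS)
    statements = []
    if bucket_acts:
        statements.append({"Effect": "Allow", "Action": bucket_acts,
                           "Resource": [f"arn:aws:s3:::{b}" for b in buckets]})
    if object_acts:
        statements.append({"Effect": "Allow", "Action": object_acts,
                           "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]})
    return statements


def sensor_policy(buckets):
    """Sensor: CreateBucket on the buckets, PutObject on all objects within them."""
    return {"Version": "2012-10-17",
            "Statement": s3_statements({"s3:CreateBucket", "s3:PutObject"}, buckets)}


def console_policy(results_bucket, region, account_id,
                   database="capsule8_investigations", workgroup="primary"):
    """Console: S3 on the query-results bucket, Athena on one workgroup, Glue on one
    database. Workgroup and Glue scoping are assumptions, not from the docs."""
    statements = s3_statements(
        {"s3:CreateBucket", "s3:GetBucketLocation", "s3:PutObject",
         "s3:ListBucket", "s3:GetObject"}, [results_bucket])
    statements.append({
        "Effect": "Allow",
        "Action": ["athena:GetQueryExecution", "athena:GetQueryResults",
                   "athena:StartQueryExecution"],
        "Resource": [f"arn:aws:athena:{region}:{account_id}:workgroup/{workgroup}"],
    })
    glue = f"arn:aws:glue:{region}:{account_id}"
    statements.append({
        "Effect": "Allow",
        "Action": ["glue:GetTable", "glue:GetTables", "glue:GetDatabase", "glue:CreateTable"],
        "Resource": [f"{glue}:catalog", f"{glue}:database/{database}",
                     f"{glue}:table/{database}/*"],
    })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_actions(policy):
    """Set of every action granted by the policy."""
    return {a for s in policy["Statement"] for a in s["Action"]}


def wildcard_resources(policy):
    """Bare '*' resources, which a least-privilege review should flag."""
    return [r for s in policy["Statement"] for r in s["Resource"] if r == "*"]


def render(policy):
    """Validate action names and serialise the policy document as JSON."""
    validate_actions(policy_actions(policy))
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder names; replace with your own buckets, region and account id.
    print(render(sensor_policy(["c8-metaevents", "c8-query-results"])))
    print(render(console_policy("c8-query-results", "us-east-1", "123456789012")))
```

Attach the rendered documents to the instance or pod roles the Sensors and the Console run under; wildcard_resources() should return an empty list for both before you apply them.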