Overview
Huntress data export allows you to export your Process Insights data to an external AWS S3 bucket so that you can satisfy specific needs, such as compliance. This process transfers compressed data from Huntress to your S3 bucket of choice.
You must prepare an AWS S3 bucket to receive those events and add the necessary permissions for Huntress to access and write objects to that bucket. Specifically, the bucket needs a policy that allows a role in the Huntress AWS account to write objects to your bucket, list all of the objects in the bucket, and read the AWS region of the bucket.
This feature currently only supports data export to AWS S3 in the US-EAST-1 region. This export will fail if any other region is selected.
Configuration Steps
- If you don’t already have one, create an AWS account.
- In the us-east-1 region, create an S3 bucket. This is a requirement for the export to work.
- Create a Bucket Policy with the necessary permissions. Using the Policy Generator, you can paste the following policy into the Policy field of the Edit Policy page.
Be sure to replace <your bucket name here> with your actual bucket name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::068738303278:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": [
        "s3:PutObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<your bucket name here>/*",
        "arn:aws:s3:::<your bucket name here>"
      ]
    }
  ]
}
IMPORTANT: This bucket policy is compatible with the S3 block public access settings. We highly recommend enabling these settings on any S3 bucket that does not explicitly require public (or anonymous) access. Misconfigured S3 buckets have led to numerous cybersecurity incidents and these block public access settings can help ensure that your S3 data remains secure.
Next, open a support ticket with the subject "Process Insights Data Export" that includes your S3 bucket name and region in the body of the text. You can do so here.
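A pre-flight check for the bucket policy above, as an added example that is not Huntress code: it confirms that the only Allow grant in a policy document is the three listed actions, to the Huntress role, on your bucket. It assumes the bucket is dedicated to the export (any other Allow statement is reported); `build_policy`, `audit_policy` and the bucket name `example-export-bucket` are made up for the illustration.

```python
import json

# Role ARN and actions copied from the bucket policy in this article.
HUNTRESS_ROLE = "arn:aws:iam::068738303278:role/aws-elasticbeanstalk-ec2-role"
ALLOWED_ACTIONS = {"s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    # Collect every principal of every type (AWS, Service, ...); "*" is a bare string.
    p = stmt.get("Principal")
    if isinstance(p, dict):
        return {str(v) for vals in p.values() for v in _as_list(vals)}
    return {str(p)}

def build_policy(bucket):
    """The article's policy with the bucket name filled in (hypothetical helper)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": HUNTRESS_ROLE},
        "Action": sorted(ALLOWED_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
    }]}, indent=2)

def audit_policy(policy_text, bucket):
    """Return findings; an empty list means only the article's grant is present."""
    findings = []
    if "<your bucket name here>" in policy_text:
        findings.append("placeholder bucket name not replaced")
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(_as_list(json.loads(policy_text).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource")):
            findings.append(f"statement {i}: uses a Not* element")
        if _principals(stmt) != {HUNTRESS_ROLE}:
            findings.append(f"statement {i}: principal is not only the Huntress role")
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"statement {i}: extra actions {sorted(extra)}")
        if set(_as_list(stmt.get("Resource", []))) != expected:
            findings.append(f"statement {i}: resources differ from the export bucket")
    return findings

if __name__ == "__main__":
    # Constructed bucket name, for illustration only.
    for finding in audit_policy(build_policy("example-export-bucket"), "example-export-bucket"):
        print(finding)
```

Action names are compared case-sensitively, so write them exactly as they appear in the article's policy.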
Decompression
Our Process Insights data is compressed using zstd. You can decompress it on Windows by downloading the application binary from GitHub. Next, extract the binary by right-clicking the downloaded archive and clicking “Extract All”.
Next, search for and open “Command Prompt” in Windows search. Then run the following commands:
C:\Users\Name>cd Downloads\zstd-v1.5.4-win64
C:\Users\Name\Downloads\zstd-v1.5.4-win64>zstd -d 192514.json.zst
192514.json.zst : 1454901 bytes
You need to replace “192514.json.zst” with the name of your data file. You should also add “.zst” to the name of the downloaded file.
You should now have access to your data.