
Dumping data

Bhavin Patel edited this page Sep 11, 2020 · 1 revision

The Cloud Attack Range can export data in `_raw` format from the Splunk server. To do so:

  1. Enable `dump_cloudtrail_data = 1` in `cloud_attack_range.conf`.
  2. Edit `attack_data/dumps.yml` with the following parameters:

```yaml
- name: <name of the dump folder>
  out: <name of the dump file>
  search: <the search query you want the results dumped for>
  sourcetype: <sourcetype of the logs>
  time: <the earliest time for the exported logs>
  enabled: True
```

Here's an example that exports CloudTrail data for the last 2 hours:

```yaml
- name: aws:cloudtrail
  out: aws:cloudtrail.out
  search: index=* sourcetype=aws:cloudtrail
  sourcetype: aws:cloudtrail
  time: -2h
  enabled: True
```
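A typo in `dumps.yml` (a missing key, or a `time` value Splunk does not parse as a relative time modifier) only surfaces once the dump runs against the server. The following is an added example, not part of the Cloud Attack Range code: it reads the flat list-of-mappings layout shown above with a small hand-written reader (so it needs no PyYAML), checks each entry, and builds the search the dump would run. The `export_search` form (`earliest=<time> | table _raw`) and the `aws:vpcflow` sample entry are assumptions for illustration.

```python
# Added example, not Cloud Attack Range code: checks attack_data/dumps.yml entries
# before a dump run; assumes the flat layout on this page and an export search over _raw.
import re

REQUIRED = ("name", "out", "search", "sourcetype", "time", "enabled")
TIME_RE = re.compile(r"^-\d+(s|m|h|d|w|mon|y)(@\w+)?$")  # e.g. -2h, -30m, -7d@d
# Constructed sample: the page's entry plus a second one with a missing key and a bad time.
SAMPLE = """\
- name: aws:cloudtrail
  out: aws:cloudtrail.out
  search: index=* sourcetype=aws:cloudtrail
  sourcetype: aws:cloudtrail
  time: -2h
  enabled: True
- name: aws:vpcflow
  search: index=* sourcetype=aws:cloudwatchlogs:vpcflow
  sourcetype: aws:cloudwatchlogs:vpcflow
  time: 2 hours ago
  enabled: True
"""

def parse_dumps(text):
    """Read the list-of-mappings layout; values are kept as strings."""
    dumps, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):  # "- key: value" opens a new entry
            current = {}
            dumps.append(current)
            line = line[2:]
        key, _, value = line.partition(":")  # split on the first colon only,
        current[key.strip()] = value.strip()  # so aws:cloudtrail survives intact
    return dumps

def validate(dump):
    """Problems with one entry; an empty list means it can be exported."""
    problems = [f"missing {k}" for k in REQUIRED if k not in dump]
    if "time" in dump and not TIME_RE.match(dump["time"]):
        problems.append(f"time {dump['time']!r} is not a relative modifier like -2h")
    return problems

def export_search(dump):
    """Search the dump would run (assumed form: only _raw is written to out)."""
    return f"search {dump['search']} earliest={dump['time']} | table _raw"

def enabled_dumps(text):
    """Entries that are enabled and valid, in file order."""
    return [d for d in parse_dumps(text) if d["enabled"] == "True" and not validate(d)]
```

Running `validate` over every entry before the dump starts means a broken entry is reported by name rather than silently producing an empty dump file.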
