Exporting Alerts to Google Cloud Storage

The blobstorage output type sends alerts to individual files in a Google Cloud Storage bucket. Sophos Linux Sensor (SLS) can optionally create the target bucket or buckets so long as it has sufficient permissions.

Access to a Google Cloud Storage bucket can be granted by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable. See Setting the environment variable.

This output type is commonly used for easy archiving of Alerts in a durable store. It can also be used as the trigger for an ETL process in cloud environments where blob storage write events trigger a cloud function that processes the incoming Alert. At this point Alerts can be enriched, transformed, and shipped out to other systems as needed.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| provider | yes | The cloud provider name. |
| bucket_name | yes | The name of the bucket to write to. This can be found from the project dashboard as shown below. |
| create_bucket | no | Enables/disables bucket creation. |

Bucket name: From the Google Cloud Project Home > Dashboard, click on Storage. From there you can find the bucket name that can be used.

Click on Storage.

Google Cloud has no additional configuration.

Example sending Alerts to Google Cloud:

alert_output:
  outputs:
    # Write the Alert to GCP Storage authed through GOOGLE_APPLICATION_CREDENTIALS
    - type: blobstorage
      enabled: true
      bucket_name: sophos-alerts
      provider: gcp
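The ETL flow described above (a bucket write event triggers a function that processes the incoming Alert) as an added example; this is not SLS code or Sophos documentation. It assumes each Alert is written as one JSON document per object, that the trigger payload carries the bucket and object name as a GCS finalize event does, and that the object is read through a caller-supplied fetch callable (here backed by constructed sample data).

```python
import json
from typing import Any, Callable, Dict

# Added example, not SLS code. Assumptions: one JSON alert per object, a
# finalize-style event dict with "bucket" and "name", and a fetch callable
# that returns the object bytes (a real function would call the GCS client).
EXPECTED_BUCKET = "sophos-alerts"  # must match bucket_name in the config above


def process_alert_event(event: Dict[str, Any],
                        fetch_object: Callable[[str, str], bytes]) -> Dict[str, Any]:
    """Validate the trigger, load the alert object, and return an enriched record."""
    bucket = event.get("bucket")
    name = event.get("name", "")
    # Only act on writes to the bucket SLS is configured to use; anything else is
    # a misconfigured trigger or foreign data and must not enter the pipeline.
    if bucket != EXPECTED_BUCKET:
        raise ValueError(f"unexpected bucket {bucket!r}")
    if not name:
        raise ValueError("event has no object name")
    raw = fetch_object(bucket, name)
    try:
        alert = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"object {name} is not a valid JSON alert: {exc}") from exc
    if not isinstance(alert, dict):
        raise ValueError(f"object {name} is not a JSON object")
    # Enrichment step: keep the alert intact and record where it came from, so
    # downstream systems can trace every record back to its source object.
    return {
        "source_bucket": bucket,
        "source_object": name,
        "generation": event.get("generation"),
        "alert": alert,
    }


# Constructed sample data standing in for a real bucket and alert file.
SAMPLE_OBJECTS = {
    ("sophos-alerts", "alerts/2024/05/01/alert-0001.json"):
        b'{"alert_id": "example-0001", "severity": "high", "hostname": "web-01"}',
}


def fetch_sample(bucket: str, name: str) -> bytes:
    """Stand-in for a GCS read; raises KeyError for unknown objects."""
    return SAMPLE_OBJECTS[(bucket, name)]


if __name__ == "__main__":
    ev = {"bucket": "sophos-alerts", "name": "alerts/2024/05/01/alert-0001.json",
          "generation": "1"}
    print(json.dumps(process_alert_event(ev, fetch_sample), indent=2))
```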