Stream Capsule detections, findings, and policy violations into Hunters so your SOC can triage AI-agent and shadow-AI signals alongside the rest of your security telemetry.
Capsule continuously exports security events to a dedicated Amazon S3 bucket that Capsule provisions and manages for each integration. Hunters ingests directly from that bucket by assuming a read-only IAM role, scoped with the External ID Hunters gives you.
| Event type | What gets exported |
|---|---|
| Detections | Real-time detections raised on agent activity, with full event context |
| Findings | Posture and configuration findings across your AI inventory |
| Policy violations | Guardrail and policy breaches, including the offending request or response |
Events are written verbosely as newline-delimited JSON (NDJSON) as they are produced, so Hunters receives the same detail Capsule holds internally.
Capsule event (detection / finding / policy violation)
→ written to Capsule-managed S3 bucket (one per integration)
→ Hunters assumes the read-only role (External ID enforced)
→ Hunters ingests the objectsThis is separate from Settings → Notifications. Notifications push individual alerts to a channel; the SIEM integration streams the full, verbose event record to S3 for ingestion and long-term correlation.
Hunters' Set up bucket access guide, under "Create a new IAM role for Hunters manually", normally asks you to create the S3 bucket and the IAM role yourself in your own AWS account.
With Capsule you don't do any of that. Capsule owns the bucket and creates the read role for you. Your only job is to copy the Principal ARN and External ID that Hunters shows you into Capsule — Capsule provisions everything else and hands you back the connection details to finish the Hunters side.
Before you begin, ensure you have:
- A Capsule account with admin access, and the SIEM tab visible under Settings
- A Hunters account with permission to add an AWS S3 data source (Data > Connect Data Source)
In Hunters, begin the bucket-access setup and choose Create a new IAM role for Hunters manually (see the Hunters guide).
- Locate the Principal ARN — Hunters' AWS identity, e.g.
arn:aws:iam::685648138888:root. - Locate the External ID — a unique value Hunters generates for this connection.
- Keep both values handy. Leave the Hunters tab open; you'll return to it in Step 3.
Stop after copying these two values. Do not follow Hunters' AWS instructions to create the bucket, the
HuntersBucketAccesspolicy, or thehunters-assume-rolerole. Capsule performs all of that for you in the next step.
- In Capsule, go to Settings → SIEM and click Add integration.
- Destination is fixed to Amazon S3 — this is the bucket Hunters will read from.
- Enable the event types you want Hunters to receive: Detections, Findings, and Policy violations.
- Paste the Principal ARN from Step 1 into the Principal ARN field.
- Paste the External ID from Step 1 into the External ID field. An External ID is required whenever a Principal ARN is set — this is what protects the role against confused-deputy access.
- Click Save.
On save, Capsule provisions a dedicated S3 bucket for this integration and a read-only IAM role whose trust policy allows the Hunters Principal ARN to assume it, but only when the request carries your External ID.
You can create more than one SIEM integration — each gets its own isolated bucket and role, so different Hunters environments or event scopes never share a destination.
- In the SIEM list, open the integration's row menu and choose View details.
- Under Connection details, copy the values Capsule generated:
- Bucket name — the S3 bucket Hunters ingests from
- Region — the AWS region the bucket lives in
- Read role ARN — the role Hunters assumes to read the bucket
- Return to the Hunters tab and provide these values where Hunters asks for the bucket and the role it should assume, then run Hunters' connection validation to finish.
Connection details will appear once the bucket is provisioned. If the section shows a pending hint, give provisioning a moment and reopen the drawer.
- Layout — objects are keyed by event type and date:
<event-type>/YYYY/MM/DD/<timestamp>-<id>.ndjson. - Format — each object is NDJSON: one JSON event per line, with the full verbose record.
- Retention — objects expire automatically 30 days after they are written. Configure Hunters to ingest continuously so nothing is missed before expiry.
Every object lives under one of three top-level prefixes — these are the only keys at the bucket root:
detections/
findings/
policy-violations/Hunters asks for a Prefix here (it rejects the setup with must have required property 'Prefix(es)' until you provide one). The field is not a free-form regex — it's a comma-separated list of path templates. Each entry may contain literal segments ([\w\-.]), / separators, * wildcards, and the date placeholders {YYYY} {MM} {DD} {HH} {mm}. Use no leading slash, no spaces, and no trailing comma.
Because Capsule partitions objects by date, point the placeholders at that layout so Hunters lists new partitions efficiently:
detections/{YYYY}/{MM}/{DD}/,findings/{YYYY}/{MM}/{DD}/,policy-violations/{YYYY}/{MM}/{DD}/If you don't need date partitioning, the plain literal prefixes also validate:
detections/,findings/,policy-violations/Drop any event types you didn't enable from the list.
- The bucket and role live in Capsule's managed AWS account, not yours — there is nothing to maintain on your side.
- The read role grants only
s3:ListBucket,s3:GetBucketLocation, ands3:GetObject, and only on that one integration's bucket. - The trust policy requires both the Hunters Principal ARN and the matching External ID, so no other party can assume the role even if the ARN is known.
- Confirm the integration is enabled and has at least one event type turned on.
- Reopen the details drawer after a short wait — the bucket and role are provisioned on save.
- Verify the External ID in Capsule matches exactly what Hunters displays — a mismatch blocks the role assumption.
- Verify the Principal ARN you pasted is the one from Hunters (no trailing spaces or truncation).
- Confirm Hunters is configured with the Read role ARN and Bucket name exactly as shown in the Capsule details drawer.
- Confirm the relevant event types (Detections, Findings, Policy violations) are enabled on the integration.
- New events flow only after the integration is created — historical events are not backfilled.
- Remember objects expire after 30 days; a paused ingestion can miss older data.
For help with this integration, contact support@capsule.security.
For Hunters-side configuration: