Cloud Services
Cloud services is the term used in SIEM (InsightIDR) for any SaaS products that your organization uses.
By integrating your cloud services as event sources, you can analyze ingress and administrator activity from these sources in SIEM (InsightIDR).
These event sources do not use the common data collection methods (agents, syslog or log files). Instead, each one authenticates directly to the cloud service using authentication credentials, a domain, tokens and keys, or various ID types, depending on the event source.
When you connect a cloud service event source, you can view cloud service authentication activity separately from VPN activity in the Ingress Locations display on the SIEM (InsightIDR) dashboard. Because this data is provided by the cloud service itself, SIEM (InsightIDR) collects and displays cloud service access from anywhere, whether the user is on or off your network.
SIEM (InsightIDR) assigns cloud service administrator status to users based on their observed activity in Log Search, rather than using API lists or LDAP comparison. SIEM (InsightIDR) inspects the log entries that arrive from event sources and watches for specific actions in the cloud environment; a user who performs one of these actions is treated as having administrator-level access.
To collect data, you need cloud service administrator access
To configure any cloud service event source to collect data in SIEM (InsightIDR), you must have administrator access to that cloud service. Visit the cloud service event source documentation for more information.
How Does SIEM (InsightIDR) Collect Cloud Service Data?
SIEM (InsightIDR) integrates with various enterprise cloud services to collect authentication events and administrative activity in the cloud environment. These events are captured using the cloud service APIs: your Collector pulls the events from the cloud service API using an administrative account that you provide.
The cloud user accounts are then correlated with your Active Directory domain accounts, so ingress activity for every user is shown alongside their domain activity.
Cloud service administrative events are also monitored and can be viewed on the Users & Accounts > Administrators > Admin Activity page.
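The two behaviours described above (administrator status inferred from observed actions rather than from an API list, and cloud accounts correlated with Active Directory accounts) can be illustrated with a small stand-alone script. This is an added example, not Rapid7's code or InsightIDR's actual logic: the log format, the action names treated as administrative, the user names and the AD mapping are all constructed for the example.

```python
"""Added example (not Rapid7/InsightIDR code): infer which cloud-service
users hold administrator access from the actions they perform, and
correlate each cloud account with an Active Directory account."""
import json
from typing import Dict, List, Optional

# Hypothetical per-service sets of actions that indicate administrator-level
# access. A real integration would define these per cloud service; these
# names are constructed for the example.
ADMIN_ACTIONS = {
    "okta": {"user.lifecycle.create", "group.user_membership.add", "policy.update"},
    "aws_cloudtrail": {"CreateUser", "AttachUserPolicy", "PutBucketPolicy"},
}

# Constructed sample events, one JSON object per line (not a real log format).
SAMPLE_LOG = """
{"service": "okta", "actor": "alice@example.com", "action": "user.session.start", "src_ip": "203.0.113.10"}
{"service": "okta", "actor": "alice@example.com", "action": "policy.update", "src_ip": "203.0.113.10"}
{"service": "aws_cloudtrail", "actor": "bob@example.com", "action": "ConsoleLogin", "src_ip": "198.51.100.7"}
{"service": "aws_cloudtrail", "actor": "bob@example.com", "action": "CreateUser", "src_ip": "198.51.100.7"}
{"service": "okta", "actor": "carol@example.com", "action": "user.session.start", "src_ip": "192.0.2.44"}
"""

# Constructed mapping of AD sAMAccountName -> mail attribute. Carol has a
# cloud account but no AD account, so she will stay uncorrelated.
AD_ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.com"}


def parse_events(text: str) -> List[dict]:
    """Parse one JSON event per non-empty line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def infer_admins(events: List[dict]) -> Dict[str, set]:
    """Map actor -> set of services in which an admin-level action was observed.

    No API role list is consulted: a user becomes an admin purely because an
    administrative action was seen in the log stream.
    """
    admins: Dict[str, set] = {}
    for ev in events:
        service = ev.get("service", "")
        if ev.get("action") in ADMIN_ACTIONS.get(service, set()):
            admins.setdefault(ev["actor"], set()).add(service)
    return admins


def correlate(actor: str, ad_accounts: Dict[str, str]) -> Optional[str]:
    """Return the AD account whose mail attribute matches the cloud actor."""
    wanted = actor.lower()
    for sam, mail in ad_accounts.items():
        if mail.lower() == wanted:
            return sam
    return None


def summarize(text: str, ad_accounts: Dict[str, str]) -> Dict[str, dict]:
    """Per cloud actor: correlated AD account, admin services, ingress IPs."""
    events = parse_events(text)
    admins = infer_admins(events)
    summary: Dict[str, dict] = {}
    for ev in events:
        actor = ev["actor"]
        entry = summary.setdefault(actor, {
            "ad_account": correlate(actor, ad_accounts),
            "admin_in": sorted(admins.get(actor, set())),
            "ingress_ips": set(),
        })
        entry["ingress_ips"].add(ev.get("src_ip", ""))
    for entry in summary.values():
        entry["ingress_ips"] = sorted(entry["ingress_ips"])
    return summary


if __name__ == "__main__":
    for actor, entry in summarize(SAMPLE_LOG, AD_ACCOUNTS).items():
        print(actor, entry)
```

Running the script shows alice and bob flagged as administrators in Okta and AWS CloudTrail respectively because of a single observed administrative action each, while carol, who only signed in, is not; carol is also the only actor with no matching AD account, which is the case an analyst would want surfaced when reviewing cloud-only identities.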
Integrating Cloud Services Event Sources
SIEM (InsightIDR) can ingest logs from the following Cloud Services:
- AWS CloudTrail
- Box.com
- Centrify SSO
- Cisco AMP for Endpoints
- Cloudflare
- Duo Security
- Google Apps
- Google Cloud Platform
- Imperva WAF
- Microsoft Azure
- Microsoft Office 365
- Mimecast
- Netskope
- Okta
- OneLogin
- Palo Alto Cortex Data Lake
- Proofpoint
- Salesforce
- Zoom Pro
Integrating Cloud Services Admin Activity Event Sources
You can also configure SIEM (InsightIDR) to ingest logs about the admin activity that occurs in these Cloud Services: