Cloud services is the term InsightIDR uses for the SaaS products that your organization uses.
By integrating your cloud services as event sources, you can analyze ingress and administrator activity from these sources in InsightIDR.
These event sources do not use the common data collection methods; instead, depending on the event source, they require authentication credentials, a domain, tokens and keys, or various ID types.
When you connect a cloud service event source, you will be able to view cloud service authentication activity separate from VPN in the Ingress Locations display, which appears on the InsightIDR dashboard. Since this data is provided by the cloud service, InsightIDR will collect and display cloud service access from anywhere - on or off your network.
InsightIDR assigns cloud service administrator status to users based on their observed activity in Log Search, rather than using API lists or LDAP comparison. InsightIDR observes log entries coming in from event sources and watches for specific actions that take place in the cloud environment. These actions indicate which users have administrator-level access.
To collect data, you need cloud service administrator access
To configure any cloud service event source to collect data in InsightIDR, you must have administrator access to that cloud service. Visit the cloud service event source documentation for more information.
How Does InsightIDR Collect Cloud Service Data?
InsightIDR integrates with various Enterprise Cloud Services to collect authentication events and administrative activity in the cloud environment. These events are captured using cloud service APIs - your Collector will pull these events from the cloud service API using an administrative account that you provide.
The cloud user accounts are then correlated with your Active Directory domain accounts, showing ingress activity for all users alongside their domain activity.
Cloud service administrative events are also monitored and can be viewed in the Users & Accounts > Administrators > Admin Activity page.
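The following is an added example, not InsightIDR's own code, that illustrates the two steps described above for cloud event sources: deriving administrator status from actions observed in the log stream, and correlating cloud user accounts with directory accounts so ingress activity can be viewed alongside domain activity. Field names follow the AWS CloudTrail record format; the sample records, the `ADMIN_ACTIONS` table and the `DIRECTORY_ACCOUNTS` mapping are constructed here and are assumptions, not the product's own lists or matching logic.

```python
from collections import defaultdict

# Constructed, simplified CloudTrail-style records (not real captures).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-10T09:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T11:40:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"userName": "svc-deploy"},
     "sourceIPAddress": "192.0.2.33"},
]

# Assumption: which API calls count as administrative. InsightIDR's own list
# is not on the page; this one names a few IAM write actions for illustration.
ADMIN_ACTIONS = {
    "iam.amazonaws.com": {"CreateUser", "DeleteUser", "AttachUserPolicy",
                          "PutUserPolicy", "CreateAccessKey"},
}

# Hypothetical lookup from cloud user name to Active Directory account, as an
# administrator might maintain it. Cloud users missing here stay unmatched.
DIRECTORY_ACCOUNTS = {"alice": "EXAMPLE\\alice", "bob": "EXAMPLE\\bob"}


def cloud_user(event):
    """Name of the cloud account that performed the action."""
    return event.get("userIdentity", {}).get("userName", "<unknown>")


def ingress_events(events):
    """Authentication events in the shape an ingress view needs:
    who signed in, from which address, when, and whether it succeeded."""
    rows = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        outcome = e.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        rows.append({"user": cloud_user(e), "source_ip": e.get("sourceIPAddress"),
                     "time": e.get("eventTime"), "success": outcome == "Success"})
    return rows


def observed_admins(events):
    """Users who performed an action in ADMIN_ACTIONS, with the actions seen.
    Status is derived from observed behaviour, not from a role listing."""
    admins = defaultdict(set)
    for e in events:
        if e.get("eventName") in ADMIN_ACTIONS.get(e.get("eventSource"), set()):
            admins[cloud_user(e)].add(e["eventName"])
    return dict(admins)


def correlate_accounts(events, directory):
    """Map each cloud user seen in the events to a directory account (None if unmatched)."""
    return {cloud_user(e): directory.get(cloud_user(e)) for e in events}


if __name__ == "__main__":
    for row in ingress_events(SAMPLE_EVENTS):
        print("ingress", row)
    print("admins", observed_admins(SAMPLE_EVENTS))
    print("correlated", correlate_accounts(SAMPLE_EVENTS, DIRECTORY_ACCOUNTS))
```

Run as a script, the sample yields one successful and one failed console login, two users flagged as administrators from their IAM actions, and one cloud-only account (`svc-deploy`) with no directory match. Unmatched accounts are worth reviewing in practice: a cloud account that performs administrative actions but has no domain account behind it has no domain activity to compare against.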
Integrating Cloud Services Event Sources
InsightIDR can ingest logs from the following Cloud Services:
- AWS CloudTrail
- Centrify SSO
- Cisco AMP for Endpoints
- Duo Security
- Google Apps
- Google Cloud Platform
- Microsoft Azure
- Microsoft Office 365
- Palo Alto Cortex Data Lake
- Zoom Pro
Integrating Cloud Services Admin Activity Event Sources
You can also configure InsightIDR to ingest logs about the admin activity that occurs in these Cloud Services: