Cloud service event sources are for your SaaS products and show ingress activity from these sources in InsightIDR.
These event sources do not use the common data collection methods, but rather look for authentication credentials, a domain, tokens and keys, and various ID types, depending on the event source.
When you connect a cloud service event source, you can view cloud service authentication activity separately from VPN activity in Ingress Locations. Because this data is provided by the cloud service, InsightIDR collects and displays cloud service access from anywhere, on or off your network.
Note that cloud service admins are tagged based on observed activity, not their administrative rights in the cloud environment.
All cloud services require administrative access.
Rapid7 recommends setting up an admin service account for data collection.
How Does InsightIDR Collect Cloud Service Data?
InsightIDR integrates with various Enterprise Cloud Services to collect authentication events and administrative activity in the cloud environment. These events are captured using cloud service APIs - your Collector will pull these events from the cloud service API using an administrative account that you provide.
The cloud user accounts are then correlated with your Active Directory domain accounts, showing ingress activity for all users alongside their domain activity. Cloud service administrative events are also monitored and can be viewed in the Users & Accounts > Administrators > Admin Activity page.
Integrating Cloud Services Event Sources
InsightIDR can ingest logs from the following Cloud Services: