Webhook Cloud Connector
Prerequisites to Configure the Webhook Cloud Connector
If you use a vendor and product that supports pushing alerts or logs into a webhook or an HTTP API endpoint, you can use the Webhook Cloud Connector to ingest application events.
Note
The Webhook Cloud Connector was part of the Early Access program, which is no longer available. If you are using the early access Webhook Cloud Connector, consider migrating to the new Webhook Cloud Collector. Before you migrate, check whether your early access deployment is eligible for migration; not all early access deployments can be migrated. Continue using your existing early access version if you cannot migrate to the latest version. For more information, see Migrate to the Generic Webhook Cloud Collector.
Consider the following limitations before you configure the Webhook Cloud Connector:
Batch requests – Each request is limited to 100 Mb and must complete within 2 minutes. For optimal performance, batch as many messages as possible into a single HTTP POST request, up to the 100 Mb request limit.
Ingestion volume – Up to 500 Gb in Early Access
Preconfigured content – Support for preconfigured content is not guaranteed. Use the Auto Parser Generator to verify the parsing status and to develop new parsers, if needed.
Planned changes for GA – The request details such as URL and required headers are subject to change, and may require reconfiguring the settings of the product from which you send logs.
Configure the Webhook Cloud Connector
Download your authentication package using the following URL template, substituting your instance ID:
https://<instanceId>.aa.exabeam.com/api/setup/saas/authPackage
Open the info.yml file.
Take note of the base64 field in the HTTP Post section:
- name: HTTP Post
  credentials:
    username: "my-username"
    password: "my-password"
    # base64(username:password)
    base64: "base64-username-password"
Make an HTTPS request to https://<instanceId>.data.exabeam.com in one of the supported formats:
HEC format
Use this format to ingest a cloud log source that can integrate with Splunk HTTP Event Collector via HEC format. When you configure the cloud product to forward logs, use the following configuration:
URL: https://<instanceId>.data.exabeam.com?format=hec
Headers:
Authorization: Basic {base64}
HTTP Request Example:
curl 'https://<instanceId>.data.exabeam.com?format=hec' -H "Authorization: Basic {base64}" -d '{ "time": 1437522387, "host": "stream-logfwd20-141065047-01261326-z3ho-harness-8gmw", "source": "Palo Alto Networks FLS LF", "event": { "LogType": "THREAT", "Severity": "Critical" } } { "time": 1437522387, "host": "stream-logfwd20-141065047-01261326-z3ho-harness-8gmw", "source": "Palo Alto Networks FLS LF", "event": { "LogType": "THREAT", "Severity": "Info" } }'
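As an added example (not Exabeam's own code), the following Python client derives the Authorization value the way the base64 field in info.yml does, serializes events in HEC format, and packs them into request bodies that stay within the 100 Mb per-request limit from the limitations above. INSTANCE_ID is a placeholder and the sample events are constructed.

```python
# Added example (not Exabeam's own code): Basic auth header as in info.yml,
# HEC-format records, and greedy batching under the page's per-request limit.
import base64
import json
import urllib.request

INSTANCE_ID = "<instanceId>"          # placeholder: your tenant's instance ID
MAX_BATCH_BYTES = 100 * 1024 * 1024   # per-request limit stated on the page

def basic_auth_header(username: str, password: str) -> str:
    """Same value as the base64 field in info.yml: base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def hec_record(time: int, host: str, source: str, event: dict) -> bytes:
    """One HEC envelope; several may be concatenated in a single request body."""
    return json.dumps({"time": time, "host": host, "source": source,
                       "event": event}, separators=(",", ":")).encode()

def pack_batches(records: list, limit: int = MAX_BATCH_BYTES,
                 sep: bytes = b"\n") -> list:
    """Greedily fill each body up to `limit` bytes (separators included).
    A single record above the limit is rejected rather than truncated."""
    batches, current, size = [], [], 0
    for rec in records:
        if len(rec) > limit:
            raise ValueError(f"record of {len(rec)} bytes exceeds limit {limit}")
        extra = len(rec) + (len(sep) if current else 0)
        if size + extra > limit:            # flush and start a new body
            batches.append(sep.join(current))
            current, size, extra = [], 0, len(rec)
        current.append(rec)
        size += extra
    if current:
        batches.append(sep.join(current))
    return batches

def post_hec(batch: bytes, auth: str, instance_id: str = INSTANCE_ID) -> int:
    """POST one batch to the HEC endpoint and return the HTTP status code."""
    req = urllib.request.Request(f"https://{instance_id}.data.exabeam.com?format=hec",
                                 data=batch, headers={"Authorization": auth})
    with urllib.request.urlopen(req, timeout=120) as resp:  # 2-minute request limit
        return resp.status
if __name__ == "__main__":
    # Constructed sample events modelled on the page's Palo Alto THREAT example.
    recs = [hec_record(1437522387, "fw-01", "Palo Alto Networks FLS LF",
                       {"LogType": "THREAT", "Severity": sev}) for sev in ("Critical", "Info")]
    for body in pack_batches(recs):
        print(post_hec(body, basic_auth_header("my-username", "my-password")))
```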
Line format
Use this format to ingest a cloud log source that can forward raw logs delimited by a newline. To forward the logs, use the following configuration:
URL: https://<instanceId>.data.exabeam.com
Headers:
Authorization: Basic {base64}
Content-type: application/raw-newline
HTTP Request Example:
curl https://<instanceId>.data.exabeam.com -H "Authorization: Basic {base64}" -H 'Content-type: application/raw-newline' -d 'Sep 11 15:53:33 zscaler-nss CEF:0|Zscaler|NSSWeblog|5.0|Allowed|Allowed|3|act=Allowed...'
JSON format
Use this format to ingest a cloud log source that can forward logs in JSON format, containing single or multiple objects. To forward the logs, use the following configuration:
URL: https://<instanceId>.data.exabeam.com
Headers:
Authorization: Basic {base64}
Content-type: application/json
HTTP Request Example:
curl https://<instanceId>.data.exabeam.com -H "Authorization: Basic {base64}" -H 'Content-type: application/json' -d '[ { "name":"John", "age":30 }, { "name":"Tom", "age":13, "car":"Bmw" } ]'