
Which Collector to Use?

This guide outlines the data sources you can collect using New-Scale Cloud Collectors and identifies those that still require the existing Cloud Connectors application. To determine which option is appropriate for your needs, refer to the following sections:

  • Dedicated Collectors – These collectors support the following collection capabilities:

    • Preferred methods of ingestion that are certified end-to-end by Exabeam

    • Built-in parsing

    • Dedicated onboarding workflows

  • Generic Collectors – Generic collection options you can use if you don't find a specific option. Custom content development may be required using Log Stream.

If you need to set up any Cloud Connectors that aren't yet available as a New-Scale Collector, see Set up a New Cloud Connectors Instance.

Dedicated Collectors

| Vendor/Product | Data Source | Recommended Collection Method | New Scale Availability |
|---|---|---|---|
| Abnormal Security | Threats; Cases | Abnormal Security Cloud Collector | |
| Armis | Alerts logs | Armis Cloud Connector | |
| AWS | CloudWatch events; CloudWatch logs; GuardDuty alerts; Inspector alerts; Macie logs; Redshift audit logs; Redshift events; Shield alerts | AWS Cloud Connector | |
| AWS CloudTrail | CloudTrail event logs from multiple AWS accounts | AWS CloudTrail (via S3) Cloud Collector | |
| AWS CloudWatch | CloudTrail, CloudWatch Logs, and Lambda logs of AWS services | AWS CloudWatch Cloud Collector | |
| AWS S3 | Events from AWS S3 buckets | AWS S3 Cloud Collector | |
| AWS SQS | Events from an SQS queue | AWS SQS Cloud Collector | |
| Azure | Activity logs; Analytics logs; NSG flow logs; Storage analytics logs | Azure Cloud Connector | |
| Azure Active Directory | Audit Logs; Sign-in Logs; Identity Protection | Microsoft Entra ID Logs Cloud Collector | |
| Azure Active Directory Context | Context data from the Azure Active Directory service | Microsoft Entra ID Context Cloud Collector | |
| Azure Event Hub | Security events from an Azure workspace | Azure Event Hub Cloud Collector | |
| Azure Activity Logs | Azure Activity Logs | Azure Activity Logs Cloud Collector | |
| Azure Log Analytics | Azure Log Analytics workspace | Azure Log Analytics Cloud Collector | |
| Azure Storage Analytics | Azure Storage Analytics data, including metrics for a storage account and logs for blobs, queues, and tables | Azure Storage Analytics Cloud Collector | |
| Bitglass | Audit events | Bitglass Cloud Connector | |
| Box | Admin logs; Shield alerts | Box Cloud Connector | |
| Carbon Black | Audit log events | VMware Carbon Black Cloud Endpoint Standard Cloud Connector | |
| Carbon Black Cloud Enterprise EDR | Events | AWS S3 Cloud Collector | |
| Carbon Black Cloud Endpoint Standard | Events | AWS S3 Cloud Collector | |
| Cato | Security, connectivity, routing, detection and response events from Cato Networks | Cato Cloud Collector | |
| Centrify | Audit logs | Centrify Cloud Connector | |
| Cisco AMP | Advanced Malware Protection logs | Cisco AMP for Endpoints Cloud Connector | |
| Cisco Duo | Administrator Logs, Authentication Logs, and Telephony Logs | Cisco Duo Cloud Collector | |
| Cisco Meraki | Security events | Cisco Meraki Cloud Connector | |
| Cisco Umbrella | Security activity | Cisco Umbrella Cloud Connector | |
| Citrix ShareFile | SharedSend; SharedRequest; Activity; AccessChange | Citrix ShareFile Cloud Collector | |
| Cloudflare | Account audit logs; CDN logs; Firewall events | Cloudflare Cloud Connector | |
| Code42 Incydr | File events | Code42 Incydr Cloud Connector | |
| Cribl | Events from your Cribl Stream pipeline | Cribl Cloud Collector | |
| CrowdStrike Falcon | Audit events and alerts from the Falcon streaming API | CrowdStrike Falcon (via API) Cloud Collector | |
| CrowdStrike Falcon | Raw threat graph events replicated from S3 storage | CrowdStrike Falcon (via FDR) Cloud Collector | |
| Cybereason | Malops | Cybereason Cloud Connector | |
| CylanceProtect | Threats; Memory protection; Devices | CylanceProtect Cloud Connector | |
| Dropbox | Events | Dropbox Business Cloud Connector | |
| Duo Security | Administrator logs; Authentication logs; Telephony logs | Duo Security Cloud Connector | |
| Egnyte | Login audit report; Files audit report; Permissions audit report; Users audit report; Groups audit report | Egnyte Cloud Collector | |
| Fidelis | Network activity | Fidelis Cloud Connector | |
| GitHub | Repository events | GitHub Cloud Connector | |
| Google Cloud Platform | StackDriver admin activities; StackDriver data access logs | GCP Cloud Connector | |
| Google Workspace | Google application events: Login, Admin, Drive, Token, Mobile, Calendar, Groups, GPlus, Rules, SAML, Gmail Logs | Google Workspace Cloud Connector | |
| GCP Pub/Sub | Events from GCP Pub/Sub | GCP Pub/Sub Cloud Collector | |
| LastPass Enterprise | Report events | LastPass Enterprise Cloud Connector | |
| Mimecast Email Security | Email data feed logs | Mimecast Email Security Cloud Connector | |
| Microsoft 365 | Active Directory; Exchange; SharePoint; DLP; General audit events | MS 365 Management Activity Cloud Collector | |
| Microsoft Defender for Cloud | Security alerts | Office 365 Cloud Connector | |
| Microsoft Defender XDR | Microsoft Cloud App Security (MCAS) events | Microsoft Defender XDR Cloud Collector | |
| Microsoft Exchange Admin Reports | SpoofMailReport; MailDetailDlpPolicy; MailDetailATP; Message Trace | Microsoft 365 Exchange Admin Reports Cloud Collector | |
| Microsoft Entra ID Context | User context data from your Microsoft Entra ID service | Microsoft Entra ID Context Cloud Collector | |
| Microsoft Entra ID Logs | Audit Logs, Sign-in Logs, and Identity Protection | Microsoft Entra ID Logs Cloud Collector | |
| Microsoft 365 Management Activity | Active Directory, General, SharePoint, Exchange, and DLP | Microsoft 365 Management Activity Cloud Collector | |
| Microsoft Security Alerts | Security logs | Microsoft Security Alerts Cloud Collector | |
| Microsoft Sentinel | | Microsoft Sentinel Cloud Collector | |
| Netskope Alerts | Alerts from REST API V2 endpoints | Netskope Alerts Cloud Collector | |
| Netskope Events | Events from REST API V2 endpoints | Netskope Events Cloud Collector | |
| Okta | Okta system logs | Okta Logs Cloud Collector | |
| Okta | Okta user data | Okta Context Cloud Collector | |
| OneLogin | Events | OneLogin Cloud Connector | |
| Palo Alto Networks Cortex Data Lake | Security log events | Palo Alto Networks Cortex Data Lake Cloud Collector | |
| Palo Alto Networks SaaS Security Cloud | Security log events | PAN SaaS Security Cloud Connector | |
| Ping Identity | Administrator login; Administrator activity; Ping ID administrative activity; Directory; Provisioning; SSO; Ping ID | Ping Identity Cloud Connector | |
| Proofpoint | ATP - SIEM; Proofpoint on Demand | Proofpoint Cloud Connector | |
| Proofpoint Targeted Attack Protection | clicksPermitted; clicksBlocked; messagesDelivered; messagesBlocked | Proofpoint Targeted Attack Protection Cloud Collector | |
| Proofpoint On-Demand | Proofpoint Endpoints Message and Maillog | Proofpoint On-Demand Cloud Collector | |
| Rapid7 InsightVM | Reports | Rapid7 InsightVM Cloud Connector | |
| Salesforce | Login history; Setup audit trail; Content version; Content version history; Content distribution view; Content distribution; Content workspace; Event monitoring | Salesforce Cloud Connector | |
| SentinelOne | Management API | SentinelOne Cloud Connector | |
| SentinelOne | Deep Visibility | SentinelOne Cloud Funnel Cloud Collector | |
| SentinelOne Alerts | Security alert logs from resources monitored by SentinelOne | SentinelOne Alerts Cloud Collector | |
| SentinelOne Threats | Security threat logs from resources monitored by SentinelOne | SentinelOne Threats Cloud Collector | |
| ServiceNow | Event logs; System audit; System audit delete; User; Roles; Transaction logs; Report view; System attachment | ServiceNow Cloud Connector | |
| Slack | Slack Enterprise Grid apps | Slack App Cloud Connector | |
| Slack | Slack Classic apps | Slack Classic App Cloud Connector | |
| Snowflake | Audit logs; Data warehouse | Snowflake Cloud Connector | |
| Sophos Central | Events; Alerts | Sophos Central Cloud Connector | |
| Splunk | Any events in Splunk Cloud | Splunk Cloud Collector | |
| Symantec CloudSOC | Management API | Symantec CloudSOC Cloud Connector | |
| Symantec Email Security.cloud | Advanced Threat Protection events | Symantec Email Security.cloud Cloud Connector | |
| Symantec Endpoint Protection Mobile | Security events | Symantec Endpoint Protection Mobile Cloud Connector | |
| Symantec Endpoint Detection and Response (EDR) | Security events | Symantec Endpoint Security Cloud Collector | |
| Symantec Web Security Service | Sync API logs | Symantec WSS Cloud Connector | |
| Tenable.io | Tenable scan results | Tenable.io Cloud Connector | |
| Trend Vision One | Observed Attack Techniques events and Workbench Alerts | Trend Vision One Cloud Collector | |
| Workday | Web services events | Workday Cloud Connector | |
| Zoom | Operations logs report; Sign-in/Sign-out activities report | Zoom Cloud Connector | |
| Wiz | Audit logs from Wiz | Wiz API Cloud Collector | |
| Wiz | Issues from Wiz | Wiz Issues Cloud Collector | |
| Zscaler ZIA | Web, Firewall | Zscaler ZIA Cloud Collector | |

Generic Collectors

If the data source you're looking to onboard does not have a dedicated collector, you may still be able to ingest the data using one of the generic collectors, as long as your data source supports one of the generic event transport methods.

| Vendor/Product | Data Source | Collector to Use | New Scale? |
|---|---|---|---|
| AWS SQS | Any events stored in an SQS queue | AWS SQS Cloud Collector | |
| AWS S3 | Any events stored in an AWS S3 bucket | AWS S3 Cloud Collector | |
| Azure Event Hub | Event monitoring logs: Resources, Subscriptions, ISS, SQL DB, WAF | Azure Event Hub Cloud Collector | |
| Azure Storage | Any events stored in an Azure Storage account | Custom Cloud Connector | |
| Google Cloud Platform Pub/Sub | Events from any GCP service that can be forwarded to GCP Pub/Sub | GCP Pub/Sub Cloud Collector | |
| Generic Webhook | Events from any product that supports forwarding to a webhook and fulfills Exabeam requirements | Generic Webhook Cloud Collector | |

Recommended Collector: Cribl Cloud Collector