With the proliferation of security SaaS platforms, such as Cloudflare, Proofpoint, and PingOne, enterprises must figure out how to integrate third-party data shipped over the internet into their analytics and SIEM platforms. This requirement to integrate third-party data raises a host of security, infrastructure, and data quality questions. Enterprises can lower risk, and complete projects faster, by using Cribl Stream Cloud to solve their challenges in managing third-party SaaS platform data.

Key Challenges

1. Enterprises have a standard set of questions and concerns about SaaS logging integration:
2. How do we securely exchange data with SaaS platforms over the Internet?
3. How do we support protocols such as syslog that do not support authentication?
4. How do we manage allowed lists when SaaS platforms’ source IP addresses constantly change?
5. How do we support several data delivery options with no clear standards, where more formats mean more overhead?

Made Easier in the Cloud

These challenges get easier with the release of Stream Cloud. Use Stream Cloud to handle connections from all of your SaaS data sources. Then transform the data to your preferred format and ship it to your logging platform.

Basic Cloudflare Integration

Cloudflare is a very popular SaaS platform that provides several services, including managed DNS, CDN, WAF, and DDOS mitigation. It has an enormous scale and provides detailed data that any enterprise would want in its analytics and SIEM platforms.

If your enterprise requires Cloudflare logging, it only needs to do the following to integrate Cloudflare into Stream Cloud:

• Create an allow list for Stream Cloud data sources to reach your logging platform, either in the Cloud or on-prem. Platform docs can supply a list and/or a block of IP addresses.
• Create a Stream Cloud account
• Review Cloudflare documentation
• You have two options for ingesting Cloudflare logs with plus/minus for either approach:
  • AWS S3 bucket – Cloudflare writes data to your S3 bucket, and Stream Cloud consumes the data and pushes it to your destination.
  • Splunk HTTP Event Collection (HEC) – you create an HEC source in Stream Cloud. Splunk HEC is a secure, high-volume alternative if AWS S3 is not an option.

If you choose the AWS S3 bucket option, then create a Stream S3 Source.

If you choose Splunk HEC, then create a Splunk HEC Source.

Use the Cloudflare console to configure logging per your data-source decisions.

Once you make your ingest decision, then you determine your format:

• The data is in JSON by default.
• Most platforms fully support JSON, but with Stream, you have transformation options.

Finally, ship the data securely – using the method of your choice – back to your analytics platform.

Bottom Line

Adopting Stream Cloud to integrate SaaS logging reduces risk and increases speed to the solution, giving enterprises easier, faster access to SaaS platform data while maintaining a strong security posture. Want more information? Join the Community Slack and sign up for Cribl.Cloud, free up to 1 TB/day, at https://cribl.cloud/