| Data source | Security purpose | Collector service name | Devo table |
|---|---|---|---|
| Any | The collector can be customized to process any data. Use a custom service only if there is no prebuilt service for the source. | custom_service | All |
| AWS CONFIGURATION LOGS | Cloud Resource Audit | aws_sqs_config | cloud.aws.configlogs.events |
| AWS ELB | Load Balancer | aws_sqs_elb | web.aws.elb.access |
| AWS ALB | Load Balancer | aws_sqs_alb | web.aws.alb.access |
| CISCO UMBRELLA | DNS | aws_sqs_cisco_umbrella | sig.cisco.umbrella.dns |
| CLOUDFLARE LOGPUSH | Content Distribution | aws_sqs_cloudflare_logpush | cloud.cloudflare.logpush.http |
| CLOUDFLARE AUDIT | Content Distribution | aws_sqs_cloudflare_audit | cloud.aws.cloudflare.audit |
| CLOUDTRAIL | AWS Audit | aws_sqs_cloudtrail | cloud.aws.cloudtrail.* |
| CLOUDTRAIL VIA KINESIS FIREHOSE | AWS Audit | aws_sqs_cloudtrail_kinesis | cloud.aws.cloudtrail.* |
| CLOUDWATCH | Instance Metrics | aws_sqs_cloudwatch | cloud.aws.cloudwatch.logs |
| CLOUDWATCH VPC | Private Cloud Metrics | aws_sqs_cloudwatch_vpc | cloud.aws.vpc.flow |
| CONTROL TOWER | VPC Flow Logs, CloudTrail, CloudFront, and/or AWS Config logs. In most cases, use the CloudTrail service instead. | aws_sqs_control_tower | |
| CROWDSTRIKE FALCON DATA REPLICATOR (deprecated) | | aws_sqs_fdr | edr.crowdstrike.cannon |
| CROWDSTRIKE FALCON DATA REPLICATOR | Antivirus | aws_sqs_fdr_large | edr.crowdstrike.cannon |
| GUARD DUTY | Threat Detection | aws_sqs_guard_duty | cloud.aws.guardduty.findings |
| GUARD DUTY VIA KINESIS FIREHOSE | Threat Detection | aws_sqs_guard_duty_kinesis | cloud.aws.guardduty.findings |
| IMPERVA FLEXPROTECT | Content Delivery | aws_sqs_incapsula | cef0.imperva.incapsula |
| LACEWORK | Container and Cloud | aws_sqs_lacework | monitor.lacework.[agent].* |
| PALO ALTO | Firewall | aws_sqs_palo_alto | firewall.paloalto.[file-log_type] |
| ROUTE 53 | Domain Name Service | aws_sqs_route53 | dns.aws.route53 |
| OPERATING SYSTEM | Windows and Unix events | aws_sqs_os | box.unix_cloudwatch, box.win_cloudwatch |
| SENTINEL ONE FUNNEL | Endpoint Detections | aws_sqs_s1_funnel | edr.sentinelone.dv |
| S3 ACCESS | S3 Bucket Audit | aws_sqs_s3_access | web.aws.s3.access |
| VPC LOGS (deprecated in favor of CloudWatch VPC logs) | Private Cloud Metrics (published without CloudWatch) | aws_sqs_vpc | cloud.aws.vpc.flow |
| WAF LOGS | Firewall | aws_sqs_waf | cloud.aws.waf.logs |