Cloud-to-Cloud Integration Framework Sources
The Cloud-to-Cloud Integration Framework is a fully-managed collection system that collects logs and events directly from SaaS and Cloud platforms. This data often includes custom events and user data critical for operations monitoring, security, and compliance use cases. As a fully managed collection system, integrations running within the Cloud-to-Cloud Integration Framework provide a secure endpoint to receive event data in your account. Integration authentication, scheduling, and state tracking are all managed by the framework
Currently, only selected Cloud-to-Cloud Sources are available in the Fed deployment.
Limitations
- The number of Cloud-to-Cloud Sources is limited to 20 for free accounts, and 50 for all other accounts.
- You are warned when you reach 80% of the limit (16 Sources for free accounts, and 40 Sources for other accounts).
- You are notified when you have reached the Source limit.
Static IP addresses
The following table provides the static IP addresses used for Cloud-to-Cloud Integration Sources by deployment. These are provided in case you want to explicitly allow the IP addresses on your third-party target SaaS or Cloud platform.
| Deployment | Static IP addresses |
|---|---|
| AU | 13.210.38.180, 54.253.14.8, 52.63.30.49 |
| CA | 3.96.85.212, 3.97.51.58, 3.96.95.249 |
| DE | 52.28.151.126, 18.193.176.46, 18.192.147.254 |
| EU | 54.74.133.34, 18.200.219.230, 54.216.109.182 |
| IN | 65.0.114.18, 3.7.177.71, 3.6.131.26 |
| JP | 52.69.8.121, 54.248.157.127, 18.182.95.102 |
| US1 | 54.209.19.175, 23.22.90.93, 23.22.11.54, 34.228.131.3, 34.237.107.105, 3.88.82.220 |
| US2 | 54.149.79.97, 54.218.43.134, 44.239.32.230, 35.161.2.93 |
For the Federal environments, a different set of Static IPs is available for each C2C deployment.
| Deployment | Static IP addresses |
|---|---|
| Fed C2C 1A | 50.19.6.130 |
| Fed C2C 1B | 171.129.156.86 |
| Fed C2C 1C | 52.202.74.197 |
| Fed C2C 1D | 100.25.65.170 |
| Fed C2C 1E | 3.226.78.211 |
| Fed C2C 1F | 23.22.209.147 |
Integrations
The topics below are the available integrations. In Sumo Logic these are called Sources. Check out the Sources we have available in beta. You are invited to request new Sources for the Cloud-to-Cloud Integration Framework from our Ideas Portal.
Versions
Sources in the Cloud-to-Cloud Integration Framework need updates over time to maintain data collection. Updates can vary in severity and may not require any input from you. See Cloud-to-Cloud Source Versions for details on how to upgrade and how versions are structured.
Guide contents
In this section, we'll introduce the following concepts:
📄️ 1Password
1Password source
📄️ Akamai SIEM API
The Akamai SIEM API Source provides a secure endpoint to receive security events generated on the Akamai platform by leveraging the V1 SIEM API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Azure Event Hubs
If you're using our new Cloud-to-Cloud source collection, please see Migration from Azure function-based collection to Event Hub Cloud-to-Cloud Source.
📄️ Azure Event Hubs C2C Source Migration
As Cloud-to-Cloud Event Hub source supports logs, you can migrate your ARM-based Azure Monitor Logs Collection (functions prefixed with SUMOAzureLogs). This source is available in all deployments, including FedRAMP.
📄️ Box
The Box API integration ingests events from the Get Events API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Carbon Black Cloud
The Carbon Black Cloud Source provides a secure endpoint to receive data from the Carbon Black Cloud, Enriched Event Search, and Alerts APIs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Carbon Black Inventory
The Carbon Black Inventory Source provides a secure endpoint to receive data from the CB Devices API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Cisco AMP
The Cisco AMP Source provides a secure endpoint to receive data from the Cisco Amp System Log API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Cloud-to-Cloud Versions
Sources in the Cloud-to-Cloud Integration Framework need updates over time to maintain data collection. Updates can vary in severity and may not require any input from you.
📄️ Crowdstrike FDR
The CrowdStrike Falcon Data Replicator (FDR) Source provides a secure endpoint to ingest Falcon Data Replicator events using the S3 ingestion capability by consumed SQS notifications of new S3 objects. It securely stores the required authentication, scheduling, and state tracking information.
📄️ CrowdStrike
The CrowdStrike Source provides a secure endpoint to receive event data from the CrowdStrike Streams API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ CSE AWS EC2 Inventory
The CSE AWS EC2 Inventory Source provides a secure endpoint to receive event data from the EC2 describe instances API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ CyberArk EPM
This integration accesses CyberArk EPMs API to retrieve administrative audit events from every Set in the environment.
📄️ Cybereason
The Cybereason Source provides a secure endpoint to receive authentication logs from the Cybereason Malops API. It securely stores the required authentication, scheduling, and state
📄️ Dropbox
The Dropbox Source provides a secure endpoint to receive team events from the Get Events API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Duo
The Duo Source provides a secure endpoint to receive authentication logs from the Duo Authentication Logs API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Gmail TraceLogs
Gmail TraceLogs Integration
📄️ Google Workspace AlertCenter
Configure Google Workspace AlertCenter Cloud-to-Cloud connector.
📄️ Google Workspace
The Google Workspace Source collects a list of users from the Google Workspace Users API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Microsoft Azure AD Inventory
The Microsoft Azure AD Inventory Source collects user and device data from the Microsoft Graph API Security endpoint. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Microsoft Graph Security API
The Microsoft Graph Security API Source provides a secure endpoint to receive alerts from the Microsoft Graph Security API endpoint. It securely stores the required authentication, scheduling, and state tracking information. One threat event is reported for each
📄️ Mimecast
The Mimecast Source supports collecting SIEM, DLP, Audit, and Hold Message List data from the Mimecast API. It securely stores the required authentication, scheduling, and state
📄️ MS Graph Azure AD Reporting
The Microsoft Graph Azure AD Reporting Source collects Directory Audit, Sign-in, and Provisioning data from the Microsoft Graph API Azure AD activity reports. It securely stores the required authentication, scheduling, and state tracking information.
📄️ MS Graph Identity Protection
The Microsoft Graph Identity Protection Source collects Risk Detection and Risky User data from the Microsoft Graph Identity Protection API. It
📄️ Netskope
The Netskope Source provides a secure endpoint to receive event data from the Netskope API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Netskope WebTx
The Netskope WebTx API integration ingests Web Transaction logs from Netskope Event Stream.
📄️ Okta
The Okta Source provides a secure endpoint to receive event data from the Okta System Log API and Users API.
📄️ Palo Alto Cortex XDR
The Palo Alto Cortex XDR Source provides a secure endpoint to receive alerts from the Get Alerts Incident Management API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Proofpoint On Demand
The Proofpoint On Demand (PoD) Source collects data from the Proofpoint On Demand (PoD) Log Service and uses the secure WebSocket (WSS) protocol to stream logs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Proofpoint TAP
The Proofpoint TAP Source provides a secure endpoint to receive data from the Proofpoint TAP SIEM API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ SailPoint
The SailPoint Source provides a secure endpoint to receive Events and User Inventory data from the IdentityNow V3 API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Salesforce
The Salesforce Source provides a secure endpoint to receive event data from the Salesforce through its Rest API. The source securely stores the required authentication, scheduling, and state tracking information.
📄️ SentinelOne Mgmt API
The SentinelOne Mgmt API Source collects data from the SentinelOne Management Console. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Slack
Install the Slack Source
📄️ Sophos Central
The Sophos Central Source provides a secure endpoint to receive authentication logs from the Sophos Central APIs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Symantec Web Security Service
The Symantec Web Security Service Source provides a secure endpoint to receive WSS Access logs from the Symantec WSS API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Tenable
The Tenable Source provides a secure endpoint to ingest audit-log events, vulnerability, and asset data from the Tenable.io APIs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Workday
When you create a Workday Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.
