Cloud-to-Cloud Integration Framework Sources
The Cloud-to-Cloud Integration Framework is a fully managed collection system that collects logs and events directly from SaaS and Cloud platforms. This data often includes custom events and user data critical for operations monitoring, security, and compliance use cases. As a fully managed collection system, integrations running within the Cloud-to-Cloud Integration Framework provide a secure endpoint to receive event data in your account. Integration authentication, scheduling, and state tracking are all managed by the framework.
Currently, only selected Cloud-to-Cloud Sources are available in the Fed deployment.
Limitations
- The number of Cloud-to-Cloud Sources is limited to 20 for free accounts, and 50 for all other accounts.
- You are warned when you reach 80% of the limit (16 Sources for free accounts, and 40 Sources for other accounts).
- You are notified when you have reached the Source limit.
Static IP addresses
The following table provides the static IP addresses used for Cloud-to-Cloud Integration Sources by deployment. These are provided in case you want to explicitly allow the IP addresses on your third-party target SaaS or Cloud platform.
| Deployment | Static IP addresses |
|---|---|
| AU | 13.210.38.180, 54.253.14.8, 52.63.30.49 |
| CA | 3.96.85.212, 3.97.51.58, 3.96.95.249 |
| DE | 52.28.151.126, 18.193.176.46, 18.192.147.254 |
| EU | 54.74.133.34, 18.200.219.230, 54.216.109.182 |
| IN | 65.0.114.18, 3.7.177.71, 3.6.131.26 |
| JP | 52.69.8.121, 54.248.157.127, 18.182.95.102 |
| US1 | 54.209.19.175, 23.22.90.93, 23.22.11.54, 34.228.131.3, 34.237.107.105, 3.88.82.220 |
| US2 | 54.149.79.97, 54.218.43.134, 44.239.32.230, 35.161.2.93 |
For the Federal environments, a different set of Static IPs is available for each C2C deployment.
| Deployment | Static IP addresses |
|---|---|
| Fed C2C 1A | 50.19.6.130 |
| Fed C2C 1B | 171.129.156.86 |
| Fed C2C 1C | 52.202.74.197 |
| Fed C2C 1D | 100.25.65.170 |
| Fed C2C 1E | 3.226.78.211 |
| Fed C2C 1F | 23.22.209.147 |
Integrations
The topics below are the available integrations. In Sumo Logic these are called Sources. Check out the Sources we have available in beta. You are invited to request new Sources for the Cloud-to-Cloud Integration Framework from our Ideas Portal.
Versions
Sources in the Cloud-to-Cloud Integration Framework need updates over time to maintain data collection. Updates can vary in severity and may not require any input from you. See Cloud-to-Cloud Source Versions for details on how to upgrade and how versions are structured.
Guide contents
In this section, we'll introduce the following concepts:
📄️ 1Password
The 1Password Source provides a secure endpoint to receive Sign-in Attempts and Item Usage from the 1Password Event API.
📄️ Airtable Source
This document explains how to retrieve Airtable audit logs into the Sumo Logic environment.
📄️ Akamai SIEM API
The Akamai SIEM API Source provides a secure endpoint to receive security events generated on the Akamai platform by leveraging the V1 SIEM API.
📄️ Armis API Source
This document explains how to fetch device and alert logs from the Armis platform and send them to Sumo Logic.
📄️ Azure Event Hubs
If you're using our new Cloud-to-Cloud source collection, please see Migration from Azure function-based collection to Event Hub Cloud-to-Cloud Source.
📄️ Azure Event Hubs C2C Source Migration
As the Cloud-to-Cloud Event Hub Source supports logs, you can migrate your ARM-based Azure Monitor Logs Collection (functions prefixed with SUMOAzureLogs). This source is available in all deployments, including FedRAMP.
📄️ Box
The Box API integration ingests events from the Get Events API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Carbon Black Cloud
The Carbon Black Cloud Source provides a secure endpoint to receive data from the Carbon Black Cloud, Enriched Event Search, and Alerts APIs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Carbon Black Inventory
The Carbon Black Inventory Source provides a secure endpoint to receive data from the CB Devices API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Cisco AMP
The Cisco AMP Source provides a secure endpoint to receive data from the Cisco AMP System Log API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Citrix Cloud Source
This document explains how to collect System Log data from Citrix Cloud and send it to Sumo Logic.
📄️ Cloud-to-Cloud Versions
Sources in the Cloud-to-Cloud Integration Framework need updates over time to maintain data collection. Updates can vary in severity and may not require any input from you.
📄️ Crowdstrike FDR
The CrowdStrike Falcon Data Replicator (FDR) Source provides a secure endpoint to ingest Falcon Data Replicator events using the S3 ingestion capability by consuming SQS notifications of new S3 objects. It securely stores the required authentication, scheduling, and state tracking information.
📄️ CrowdStrike
The CrowdStrike Source provides a secure endpoint to receive event data from the CrowdStrike Streams API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ CSE AWS EC2 Inventory
The CSE AWS EC2 Inventory Source provides a secure endpoint to receive event data from the EC2 describe instances API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ CyberArk EPM
This integration accesses the CyberArk EPM API to retrieve administrative audit events from every Set in the environment.
📄️ Cybereason
The Cybereason Source provides a secure endpoint to receive authentication logs from the Cybereason Malops API.
📄️ Dropbox
The Dropbox Source provides a secure endpoint to receive team events from the Get Events API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Duo
The Duo Source provides a secure endpoint to receive authentication logs from the Duo Authentication Logs API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Gmail Trace Logs Source
Gmail Trace Logs Integration
📄️ Google Workspace AlertCenter
Configure Google Workspace AlertCenter Cloud-to-Cloud connector.
📄️ Google Workspace
The Google Workspace Source collects a list of users from the Google Workspace Users API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ KnowBe4 API Source
This document explains how to configure the KnowBe4 Cloud-to-Cloud source setup using the Sumo Logic environment.
📄️ Microsoft Azure AD Inventory
The Microsoft Azure AD Inventory Source collects user and device data from the Microsoft Graph API Security endpoint. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Microsoft Exchange Trace Logs
The Microsoft Exchange Trace Logs Source collects email trace logs from the Office 365 reporting web service via the MessageTrace report under “Exchange reports”. Specific API reference information can be found here.
📄️ Microsoft Graph Security API
The Microsoft Graph Security API Source provides a secure endpoint to receive alerts from the Microsoft Graph Security API endpoint. It securely stores the required authentication, scheduling, and state tracking information. One threat event is reported for each
📄️ Mimecast
The Mimecast Source supports collecting SIEM, DLP, Audit, and Hold Message List data from the Mimecast API. It securely stores the required authentication, scheduling, and state
📄️ Miro
Configure Miro Source Cloud-to-Cloud connector
📄️ MS Graph Azure AD Reporting
The Microsoft Graph Azure AD Reporting Source collects Directory Audit, Sign-in, and Provisioning data from the Microsoft Graph API Security endpoint.
📄️ MS Graph Identity Protection
The Microsoft Graph Identity Protection Source collects Risk Detection and Risky User data from the Microsoft Graph Identity Protection API.
📄️ Netskope
The Netskope Source provides a secure endpoint to receive event data from the Netskope API.
📄️ Netskope WebTx
The Netskope WebTx API integration ingests Web Transaction logs from Netskope Event Stream.
📄️ Okta
The Okta Source provides a secure endpoint to receive event data from the Okta System Log API.
📄️ Palo Alto Cortex XDR
The Cortex Cloud-to-Cloud Source Integration allows you to ingest alerts and incidents from your Cortex XDR application.
📄️ Proofpoint On Demand
The Proofpoint On Demand (PoD) Source collects data from the Proofpoint On Demand (PoD) Log Service and uses the secure WebSocket (WSS) protocol to stream logs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Proofpoint TAP
The Proofpoint TAP Source provides a secure endpoint to receive data from the Proofpoint TAP SIEM API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Qualys VMDR
The Qualys VMDR Source tracks errors and reports its health and start-up progress.
📄️ SailPoint
The SailPoint Source provides a secure endpoint to receive Events and User Inventory data from the IdentityNow V3 API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Salesforce
The Salesforce Source provides a secure endpoint to receive event data from Salesforce through its REST API. The source securely stores the required authentication, scheduling, and state tracking information.
📄️ SentinelOne Mgmt API
The SentinelOne Mgmt API Source collects data from the SentinelOne Management Console. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Slack
Install the Slack Source
📄️ Sophos Central
The Sophos Central Source provides a secure endpoint to receive authentication logs from the Sophos Central APIs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Symantec Web Security Service
The Symantec Web Security Service Source provides a secure endpoint to receive WSS Access logs from the Symantec WSS API. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Tenable
The Tenable Source provides a secure endpoint to ingest audit-log events, vulnerability, and asset data from the Tenable.io APIs. It securely stores the required authentication, scheduling, and state tracking information.
📄️ Workday
When you create a Workday Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.