

# What is AWS AppFabric for security?
<a name="what-is-appfabric-security"></a>

AWS AppFabric for security quickly connects software as a service (SaaS) applications across your organization, so IT and security teams can easily manage and secure applications using a standard schema.

**Topics**
+ [Benefits](#benefits)
+ [Use cases](#use-cases)
+ [Accessing AppFabric for security](#acessing-appfabric)
+ [Related services](#related-services)
+ [Open Cybersecurity Schema Framework for AWS AppFabric](ocsf-schema.md)
+ [Prerequisites and recommendations to use AWS AppFabric](prerequisites.md)
+ [Get started with AWS AppFabric for security](getting-started-security.md)
+ [Supported applications in AppFabric for security](supported-applications.md)
+ [Compatible security tools and services in AppFabric for security](security-tools.md)
+ [Delete AWS AppFabric for security resources](delete-resources.md)

## Benefits
<a name="benefits"></a>

You can use AppFabric for security to do the following:
+ Connect your applications in minutes, and reduce operational costs.
+ Increase visibility across SaaS application data to elevate your security posture.

## Use cases
<a name="use-cases"></a>

You can use AppFabric for security to:
+ Connect your SaaS applications quickly
  + AppFabric for security natively connects top SaaS productivity and security applications to each other, providing a fully managed SaaS interoperability solution.
+ Elevate your security posture
  + Application data is automatically normalized, enabling administrators to set common policies, standardize security alerts, and easily manage user access across multiple applications.

## Accessing AppFabric for security
<a name="acessing-appfabric"></a>

AppFabric for security is available in the US East (N. Virginia), Europe (Ireland), and Asia Pacific (Tokyo) AWS Regions. For more information about AWS Regions, see [AWS AppFabric endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/appfabric.html) in the *AWS General Reference*.

In each Region, you can access AppFabric for security in any of the following ways:

**AWS Management Console**

The AWS Management Console is a browser-based interface that you can use to create and manage AWS resources. The AppFabric console provides access to your AppFabric resources. You can use the AppFabric console to create and manage all AppFabric resources.

**AppFabric API**

To access AppFabric programmatically, use the AppFabric API, and issue HTTPS requests directly to the service. For more information, see the [AWS AppFabric API Reference](https://docs.aws.amazon.com/appfabric/latest/api/Welcome.html).

**AWS Command Line Interface (AWS CLI)**

With the AWS CLI, you can issue commands at your system's command line to interact with AppFabric and other AWS services. If you want to build scripts that perform tasks, the command line tools are also useful. For information about installing and using the AWS CLI, see the [AWS Command Line Interface User Guide for Version 2](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html). For information about the AWS CLI commands for AppFabric, see the [AppFabric section of the AWS CLI Reference](https://docs.aws.amazon.com/cli/latest/reference/appfabric/).

## Related services
<a name="related-services"></a>

You can use the following AWS services with AppFabric for security:

**Amazon Data Firehose**

Amazon Data Firehose is an extract, transform, and load (ETL) service that reliably captures, transforms, and delivers streaming data to data lakes, data stores, and analytics services. When you use AppFabric, you can choose to output your Open Cybersecurity Schema Framework (OCSF) normalized or raw audit logs in JSON format to a Firehose stream as your destination. For more information, see [Create an output location in Firehose](prerequisites.md#output-location-firehose).

**Amazon Security Lake**

Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, on premises and cloud sources into a purpose-built data lake stored in your account. You can integrate AppFabric audit log data with Security Lake by selecting Amazon Data Firehose as a destination and configuring Firehose to deliver data in the correct format and path in Security Lake. For more information, see [Collecting data from custom sources](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html) in the *Amazon Security Lake User Guide*.

**Amazon Simple Storage Service**

Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance. When you use AppFabric, you can choose to output your OCSF normalized (JSON or Apache Parquet) or raw (JSON) audit logs to a new or existing Amazon S3 bucket as your destination. For more information, see [Create an output location in Amazon S3](prerequisites.md#output-location-s3).

**Amazon Quick**

Quick powers data-driven organizations with unified business intelligence (BI) at hyperscale. With Quick, all users can meet varying analytic needs from the same source of truth through modern interactive dashboards, paginated reports, embedded analytics, and natural language queries. You can analyze AppFabric audit log data in Quick, by choosing the Amazon S3 bucket where your AppFabric logs are stored as your source. For more information, see [Creating a dataset using Amazon S3 files](https://docs.aws.amazon.com/quicksight/latest/user/create-a-data-set-s3.html) in the *Quick User Guide*. You can also import AppFabric data in Amazon S3 to Amazon Athena and select Amazon Athena as the data source in Quick. For more information, see [Creating a dataset using Amazon Athena data](https://docs.aws.amazon.com/quicksight/latest/user/create-a-data-set-athena.html) in the *Quick User Guide*.

**AWS Key Management Service**

With AWS Key Management Service (AWS KMS), you can create, manage, and control cryptographic keys across your applications and AWS services. When you create an app bundle in AppFabric, you set up an encryption key to securely protect your authorized application data. This key encrypts your data within the AppFabric service. AppFabric can use an AWS owned key created and managed by AppFabric on your behalf, or a customer managed key that you create and manage in AWS KMS. For more information, see [Create an AWS KMS key](prerequisites.md#create-kms-keys).

# Open Cybersecurity Schema Framework for AWS AppFabric
<a name="ocsf-schema"></a>

The [Open Cybersecurity Schema Framework](https://schema.ocsf.io/) (OCSF) is a collaborative, open-source effort by AWS and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. The public source code for OCSF is hosted on [GitHub](https://github.com/ocsf/ocsf-schema).

## OCSF-based schema in AppFabric
<a name="appfabric-ocsf-schema"></a>

The AWS AppFabric for security [OCSF 1.1](https://schema.ocsf.io/1.1.0/) based schema is tailored specifically to address your needs for normalized, consistent, low-effort observability of your software as a service (SaaS) portfolio. AppFabric determines the right mapping for each field and event. AppFabric, in collaboration with the OCSF open source community, introduced new OCSF event categories, event classes, activities, and objects so that OCSF is applicable to SaaS application events. AppFabric automatically normalizes audit events that it receives from SaaS applications and delivers this data to the Amazon Simple Storage Service (Amazon S3) or Amazon Data Firehose services in your AWS account. For an Amazon S3 destination, you can choose between two normalization options (OCSF or Raw) and two data format options (JSON or Parquet). When delivering to Firehose, you can also choose between two normalization options (OCSF or Raw) but the data format is limited to JSON.

# Prerequisites and recommendations to use AWS AppFabric
<a name="prerequisites"></a>

If you're a new AWS customer, complete the setup prerequisites that are listed on this page before you start using AWS AppFabric for security. For these setup procedures, you use the AWS Identity and Access Management (IAM) service. For complete information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)
+ [(Required) Complete application prerequisites](#application-prerequisites)
+ [(Optional) Create an output location](#create-output-location)
+ [(Optional) Create an AWS KMS key](#create-kms-keys)

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## (Required) Complete application prerequisites
<a name="application-prerequisites"></a>

To use AppFabric for security to receive user information and audit logs from applications, many applications require that you have specific role and plan types. Ensure that you have reviewed the prerequisites for each application that you want to authorize with AppFabric for security, and that you have the proper plans and roles. For more information about the application-specific prerequisites, see [Supported Applications](supported-applications.md), or choose one of the following application-specific topics.
+ [Configure 1Password for AppFabric](1password.md)
+ [Configure Asana for AppFabric](asana.md)
+ [Configure Azure Monitor for AppFabric](azure-monitor.md)
+ [Configure Atlassian Confluence for AppFabric](confluence.md)
+ [Configure Atlassian Jira suite for AppFabric](jira.md)
+ [Configure Box for AppFabric](box.md)
+ [Configure Cisco Duo for AppFabric](cisco-duo.md)
+ [Configure Dropbox for AppFabric](dropbox.md)
+ [Configure Genesys Cloud for AppFabric](genesys.md)
+ [Configure GitHub for AppFabric](github.md)
+ [Configure Google Analytics for AppFabric](google-analytics.md)
+ [Configure Google Workspace for AppFabric](google-workspace.md)
+ [Configure HubSpot for AppFabric](hubspot.md)
+ [Configure IBM Security® Verify for AppFabric](ibm-security.md)
+ [Configure JumpCloud for AppFabric](jumpcloud.md)
+ [Configure Microsoft 365 for AppFabric](microsoft-365.md)
+ [Configure Miro for AppFabric](miro.md)
+ [Configure Okta for AppFabric](okta.md)
+ [Configure OneLogin by One Identity for AppFabric](onelogin.md)
+ [Configure PagerDuty for AppFabric](pagerduty.md)
+ [Configure Ping Identity for AppFabric](pingidentity.md)
+ [Configure Salesforce for AppFabric](salesforce.md)
+ [Configure ServiceNow for AppFabric](servicenow.md)
+ [Configure Singularity Cloud for AppFabric](singularity-cloud.md)
+ [Configure Slack for AppFabric](slack.md)
+ [Configure Smartsheet for AppFabric](smartsheet.md)
+ [Configure Terraform Cloud for AppFabric](terraform.md)
+ [Configure Webex by Cisco for AppFabric](webex.md)
+ [Configure Zendesk for AppFabric](zendesk.md)
+ [Configure Zoom for AppFabric](zoom.md)

## (Optional) Create an output location
<a name="create-output-location"></a>

AppFabric for security supports Amazon Simple Storage Service (Amazon S3) and Amazon Data Firehose as audit log ingestion destinations.

### Amazon S3
<a name="output-location-s3"></a>

You can create a new Amazon S3 bucket using the AppFabric console when you create an ingestion destination. You can also create a bucket using the Amazon S3 service. If you choose to create your bucket using the Amazon S3 service, you must create the bucket before creating the AppFabric ingestion destination, and then select the bucket when you create the ingestion destination. You can choose to use an existing Amazon S3 bucket in your AWS account, as long as it meets the following requirements for existing buckets:
+ AppFabric for security requires that your Amazon S3 bucket be in the same AWS Region as your Amazon S3 resources.
+ You can encrypt your bucket using one of the following:
  + Server-side encryption with Amazon S3 managed keys (SSE-S3)
  + Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) using the default AWS managed key (`aws/s3`).
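
The existing-bucket requirements above can be checked before you create the ingestion destination. The following is an added example, not AWS code: it evaluates the dictionaries returned by the S3 `GetBucketLocation` and `GetBucketEncryption` operations. The function names, the `required_region` parameter, and all sample responses are assumptions constructed for illustration.

```python
"""Check an existing S3 bucket against the requirements listed above.

Added example, not AWS code. Inputs mirror the S3 GetBucketLocation and
GetBucketEncryption responses; every sample response below is constructed.
"""


def bucket_region(location_response):
    """Normalize GetBucketLocation output to a Region code."""
    constraint = location_response.get("LocationConstraint")
    if not constraint:
        return "us-east-1"  # S3 reports a null constraint for us-east-1
    if constraint == "EU":
        return "eu-west-1"  # legacy constraint value for Europe (Ireland)
    return constraint


def encryption_findings(encryption_response):
    """Return reasons the default encryption is neither SSE-S3 nor SSE-KMS with aws/s3."""
    config = encryption_response.get("ServerSideEncryptionConfiguration", {})
    rules = config.get("Rules", [])
    if not rules:
        return ["no default encryption rule returned"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID")
        if algorithm == "AES256":
            continue  # SSE-S3
        if algorithm != "aws:kms":
            findings.append(f"default encryption {algorithm!r} is not SSE-S3 or SSE-KMS")
        elif key_id is None or key_id == "alias/aws/s3" or key_id.endswith(":alias/aws/s3"):
            continue  # SSE-KMS with no key named falls back to aws/s3
        else:
            # A bare key ID or key ARN cannot be classified offline.
            findings.append(f"SSE-KMS names key {key_id!r}; confirm it resolves to aws/s3")
    return findings


def bucket_findings(location_response, encryption_response, required_region):
    """Return every requirement the bucket fails; an empty list means it passes."""
    findings = []
    region = bucket_region(location_response)
    if region != required_region:
        findings.append(f"bucket is in {region}, expected {required_region}")
    findings.extend(encryption_findings(encryption_response))
    return findings


def sample_encryption(algorithm, key_id=None):
    """Build a constructed GetBucketEncryption response."""
    default = {"SSEAlgorithm": algorithm}
    if key_id is not None:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}


# Constructed samples: (bucket label, GetBucketLocation, GetBucketEncryption).
SAMPLES = [
    ("sse-s3-in-virginia", {"LocationConstraint": None}, sample_encryption("AES256")),
    ("legacy-eu-default-kms", {"LocationConstraint": "EU"}, sample_encryption("aws:kms")),
    ("tokyo-custom-key", {"LocationConstraint": "ap-northeast-1"},
     sample_encryption("aws:kms", "1234abcd-12ab-34cd-56ef-1234567890ab")),
]

if __name__ == "__main__":
    for label, location, encryption in SAMPLES:
        result = bucket_findings(location, encryption, required_region="us-east-1")
        print(label, "->", result or "meets the listed requirements")
```

A bucket whose rule names a key ID or key ARN is reported rather than passed, because only resolving that key shows whether it is the AWS managed key `aws/s3`.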

### Amazon Data Firehose
<a name="output-location-firehose"></a>

You can choose to use Amazon Data Firehose as your ingestion destination for AppFabric for security data. To use Firehose, you can create the Firehose delivery stream in your AWS account before creating an ingestion or while you're creating an ingestion destination in AppFabric. You can create a Firehose delivery stream using the AWS Management Console, AWS CLI, or the AWS APIs or SDKs. For stream configuration instructions, see the following topics:
+ AWS Management Console instructions – [Creating an Amazon Data Firehose Delivery Stream](https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html) in the *Amazon Data Firehose Developer Guide*
+ AWS CLI instructions – [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/) in the *AWS CLI Command Reference* 
+ AWS APIs and SDKs instructions – [https://docs.aws.amazon.com/firehose/latest/APIReference/API_CreateDeliveryStream.html](https://docs.aws.amazon.com/firehose/latest/APIReference/API_CreateDeliveryStream.html) in the *Amazon Data Firehose API Reference* 

The requirements when using Amazon Data Firehose as the AppFabric for security output destination are as follows:
+ You must create the stream in the same AWS Region as your AppFabric for security resources.
+ You must select **Direct PUT** as the source.
+ Attach the **AmazonKinesisFirehoseFullAccess** AWS managed policy to your user, or attach the following permissions to your user:

  ```
  {
      "Sid": "TagFirehoseDeliveryStream",
      "Effect": "Allow",
      "Action": ["firehose:TagDeliveryStream"],
      "Condition": {
          "ForAllValues:StringEquals": {"aws:TagKeys": "AWSAppFabricManaged"}
      },
      "Resource": "arn:aws:firehose:*:*:deliverystream/*"
  }
  ```
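
The stream requirements and the scoped tagging statement above can be verified before you select the stream in AppFabric. The following is an added example, not AWS code: `stream_findings` reads a Firehose `DescribeDeliveryStream` response, and `tagging_allowed` is a simplified model of how the statement's `ForAllValues:StringEquals` condition treats a `TagDeliveryStream` request. The function names, account ID, and stream name are assumptions constructed for illustration.

```python
"""Firehose destination preflight for AppFabric (added example, not AWS code).

Inputs mirror the Firehose DescribeDeliveryStream response and the IAM
statement shown above; the sample stream is constructed.
"""
import re

# Statement copied from the page.
TAG_STATEMENT = {
    "Sid": "TagFirehoseDeliveryStream",
    "Effect": "Allow",
    "Action": ["firehose:TagDeliveryStream"],
    "Condition": {
        "ForAllValues:StringEquals": {"aws:TagKeys": "AWSAppFabricManaged"}
    },
    "Resource": "arn:aws:firehose:*:*:deliverystream/*",
}

SAMPLE_STREAM = {  # constructed DescribeDeliveryStream response, trimmed
    "DeliveryStreamDescription": {
        "DeliveryStreamName": "appfabric-audit-logs",
        "DeliveryStreamARN": ("arn:aws:firehose:eu-west-1:111122223333:"
                              "deliverystream/appfabric-audit-logs"),
        "DeliveryStreamType": "KinesisStreamAsSource",
        "DeliveryStreamStatus": "ACTIVE",
    }
}


def stream_findings(describe_response, required_region):
    """Return reasons the stream fails the Region and Direct PUT requirements."""
    desc = describe_response["DeliveryStreamDescription"]
    findings = []
    region = desc["DeliveryStreamARN"].split(":", 5)[3]  # arn:aws:firehose:<region>:...
    if region != required_region:
        findings.append(f"stream is in {region}, expected {required_region}")
    if desc["DeliveryStreamType"] != "DirectPut":
        findings.append(f"source is {desc['DeliveryStreamType']}, expected DirectPut")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, text, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, text, flags) is not None


def tagging_allowed(statement, action, resource_arn, tag_keys):
    """Model how this single Allow statement treats a tagging request.

    Simplified: only the ForAllValues:StringEquals / aws:TagKeys condition
    is evaluated; other statements, denies, and operators are out of scope.
    """
    if statement.get("Effect") != "Allow":
        return False
    if not any(_wildcard_match(a, action, ignore_case=True)
               for a in _as_list(statement["Action"])):
        return False
    if not any(_wildcard_match(r, resource_arn)
               for r in _as_list(statement["Resource"])):
        return False
    condition = statement.get("Condition", {}).get("ForAllValues:StringEquals", {})
    if "aws:TagKeys" not in condition:
        return True
    allowed_keys = set(_as_list(condition["aws:TagKeys"]))
    # ForAllValues: every tag key in the request must be in the allowed set.
    # A request with no tag keys also satisfies the operator.
    return all(key in allowed_keys for key in tag_keys)


if __name__ == "__main__":
    for finding in stream_findings(SAMPLE_STREAM, "us-east-1"):
        print("FAIL:", finding)
    arn = SAMPLE_STREAM["DeliveryStreamDescription"]["DeliveryStreamARN"]
    for keys in (["AWSAppFabricManaged"], ["AWSAppFabricManaged", "Owner"]):
        verdict = tagging_allowed(TAG_STATEMENT, "firehose:TagDeliveryStream", arn, keys)
        print(keys, "->", "allowed" if verdict else "not allowed by this statement")
```

The second tagging request is not allowed because the statement permits only the `AWSAppFabricManaged` tag key, which is what makes it narrower than the full-access managed policy.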

Firehose supports integration with a variety of third-party security tools, such as Splunk and Logz.io. For information about how to properly configure Amazon Kinesis so that it outputs data to these tools, see [Destination Settings](https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html) in the *Amazon Data Firehose Developer Guide*.

## (Optional) Create an AWS KMS key
<a name="create-kms-keys"></a>

In the process of creating an AppFabric for security app bundle, you will select or set up an encryption key to securely protect your data from all authorized applications. This key will be used to encrypt your data within the AppFabric service.

AppFabric for security encrypts data by default. AppFabric for security can use an AWS owned key created and managed by AppFabric on your behalf or a customer managed key that you create and manage in AWS Key Management Service (AWS KMS). AWS owned keys are a collection of AWS KMS keys that an AWS service owns and manages for use in multiple AWS accounts. Customer managed keys are AWS KMS keys in your AWS account that you create, own, and manage. For more information about AWS owned keys and customer managed keys, see [Customer keys and AWS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) in the *AWS Key Management Service Developer Guide*.

If you want to use a customer managed key to encrypt your data, such as authorization tokens, within AppFabric for security, you can create one with [AWS KMS](https://aws.amazon.com/kms/). For more information about the permissions policy that grants access to your customer managed key in AWS KMS, see the [Key policy](data-protection.md#key-policy) section of this guide.

# Get started with AWS AppFabric for security
<a name="getting-started-security"></a>

To get started with AWS AppFabric for security, you must first create an app bundle and then authorize and connect applications to your app bundle. After app authorizations are connected to applications, you can use AppFabric for security features such as audit log ingestions and user access.

This section explains how to start using AppFabric in the AWS Management Console.

**Topics**
+ [Prerequisites](#getting-started-prerequisites)
+ [Step 1: Create app bundle](#getting-started-1-create-app-bundle)
+ [Step 2: Authorize applications](#getting-started-2-authorize-application)
+ [Step 3: Set up audit log ingestions](#getting-started-3-set-up-ingestion)
+ [Step 4: Use the user access tool](#getting-started-4-user-access-tool)
+ [Step 5: Connect AppFabric for security data in security tools and other destinations](#getting-started-5-connect-appfabric-to-security-tools)

## Prerequisites
<a name="getting-started-prerequisites"></a>

Before you get started, you must first create an AWS account and an administrative user. For more information, see [Sign up for an AWS account](prerequisites.md#sign-up-for-aws) and [Create a user with administrative access](prerequisites.md#create-an-admin).

## Step 1: Create app bundle
<a name="getting-started-1-create-app-bundle"></a>

An app bundle stores all of your AppFabric for security app authorizations and ingestions. To create an app bundle, set up an encryption key to securely protect your authorized application data.

1. Open the AppFabric console at [https://console.aws.amazon.com/appfabric/](https://console.aws.amazon.com/appfabric/).

1. In the **Select a Region** selector in the upper-right corner of the page, select an AWS Region. AppFabric is available in the US East (N. Virginia), Europe (Ireland), and Asia Pacific (Tokyo) Regions only.

1. Choose **Getting started**.

1. On the **Getting started** page, for **Step 1. Create app bundle**, choose **Create app bundle**.

1. In the **Encryption** section, set up an encryption key to securely protect your data from all authorized applications. This key is used to encrypt your data within the AppFabric for security service.

   AppFabric for security encrypts data by default. AppFabric can use an AWS owned key created and managed by AppFabric on your behalf or a customer managed key that you create and manage in AWS Key Management Service (AWS KMS).

1. For **AWS KMS Key**, choose either **Use AWS owned key** or **Customer managed key**.

   If you choose to use a customer managed key, enter either the Amazon Resource Name (ARN) or the key ID of the existing key that you want to use, or choose **Create an AWS KMS key**.

   Consider the following when choosing an AWS owned key or a customer managed key:
   + **AWS owned keys** are a collection of AWS Key Management Service (AWS KMS) keys that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned keys are not in your AWS account, an AWS service can use an AWS owned key to protect the resources in your account. AWS owned keys don't count against the AWS KMS quotas for your account. You don't need to create or maintain the key or its key policy. The rotation of AWS owned keys varies across services. For information about the rotation of an AWS owned key for AppFabric, see [Encryption at rest](data-protection.md#encryption-rest).
   + **Customer managed keys** are KMS keys in your AWS account that you create, own, and manage. You have full control over these AWS KMS keys. You can establish and maintain their key policies, AWS Identity and Access Management (IAM) policies, and grants. You can enable and disable them, rotate their cryptographic material, add tags, create aliases that refer to the AWS KMS keys, and schedule the AWS KMS keys for deletion. Customer managed keys appear on the **Customer managed keys** page of the AWS Management Console for AWS KMS.

     To definitively identify a customer managed key, use the `DescribeKey` operation. For customer managed keys, the value of the `KeyManager` field of the `DescribeKey` response is `CUSTOMER`. You can use your customer managed key in cryptographic operations and audit usage in AWS CloudTrail logs. With many AWS services that integrate with AWS KMS, you can specify a customer managed key to protect the data stored and managed for you. Customer managed keys incur a monthly fee and a fee for use in excess of the AWS Free Tier. Customer managed keys count against the AWS KMS quotas for your account.

   For more information about AWS owned keys and customer managed keys, see [Customer keys and AWS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) in the *AWS Key Management Service Developer Guide*.

   **Note**  
   When an app bundle is created, AppFabric for security also creates a special IAM role in your AWS account called a service-linked role (SLR) for AppFabric. It allows the service to send metrics to Amazon CloudWatch. After you add an audit log destination, the SLR allows the AppFabric for security service access to your AWS resources (Amazon S3 buckets, Amazon Data Firehose delivery streams). For more information, see [Using service-linked roles for AppFabric](using-service-linked-roles.md).

1. (Optional) For **Tags**, you have the option to add tags to your app bundle. Tags are key-value pairs that assign metadata to resources that you create. For more information, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *AWS Tag Editor User Guide*.

1. To create your app bundle, choose **Create app bundle**.

## Step 2: Authorize applications
<a name="getting-started-2-authorize-application"></a>

After your app bundle is created successfully, you can now authorize AppFabric for security to connect and interact with each of your applications. Authorized applications are encrypted and stored in your app bundle. To set up multiple app authorizations per app bundle, repeat the app authorization step as needed for each application.

Before you begin the steps to authorize applications, review and verify prerequisites for each application, such as the plan type needed, in [Supported applications in AppFabric for security](supported-applications.md).

1. On the **Getting started** page, for **Step 2. Authorize applications**, choose **Create app authorization**.

1. In the **App authorization** section, select the application that you want to grant permission for AppFabric for security to connect to from the **Application** dropdown. The applications shown are those that are currently supported by AppFabric for security.

1. When you select an application, required fields of information appear. These fields include tenant ID and tenant name and might also include client ID, client secret, or personal access token. The input values for these fields vary by application. For detailed application-specific instructions on how to find these values, see [Supported applications in AppFabric for security](supported-applications.md).

1. (Optional) For **Tags**, you have the option to add tags to your app authorization. Tags are key-value pairs that assign metadata to resources that you create. For more information, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *AWS Tag Editor User Guide*.

1. Choose **Create app authorization**.

1. If a pop-up window appears (dependent upon the application that is being connected), select **Allow** to authorize AppFabric for security to connect with your application.

   If your app authorization was successful, you will see a success message of **App authorization connected** on the **Getting Started** page.

1. You can check the status of your app authorization at any time on the **App authorizations** page listed in the navigation pane, under status for each application. A **Connected** status means that your app authorization has been granted for AppFabric for security to connect to the application and is complete.

1. Possible app authorization statuses are shown in the following table, including troubleshooting steps that you can take to fix related errors.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appfabric/latest/adminguide/getting-started-security.html)

1. To authorize additional applications, repeat steps 1 through 8 as needed.

## Step 3: Set up audit log ingestions
<a name="getting-started-3-set-up-ingestion"></a>

After you have at least one app authorization created in your app bundle, you can now set up an audit log ingestion. An audit log ingestion consumes audit logs from an authorized application and normalizes them into the Open Cybersecurity Schema Framework (OCSF). It then delivers them to one or more destinations within AWS. You can also choose to deliver raw JSON files to your destinations.

1. On the **Getting started** page, for the **Step 3. Set up audit log ingestions** section, select **Ingestions quick setup**.

   **Note**  
   For faster setup, use the **Ingestions quick setup** page, accessible from the **Getting started** page only, to create ingestions for multiple app authorizations at a time with the same ingestion destination, for example, the same Amazon S3 bucket or Amazon Data Firehose data stream.  
   You can also create ingestions from the **Ingestions** page, accessible from the navigation pane. On the **Ingestions** page, you can set up one ingestion at a time to distinct destinations. On the **Ingestions** page, you can also create a tag for an ingestion. The following instructions are for the **Ingestions quick setup** page.

1. For **Select app authorizations**, select the app authorizations that you want to create audit log ingestions for. The tenant names that appear in the **App authorizations** dropdown are the tenant names of applications that you have previously created an app authorization for with AppFabric for security.

1. For **Add destination**, select a destination for the audit log ingestions of the applications that you selected. Destination options include **Amazon S3 - Existing Bucket**, **Amazon S3 - New Bucket**, or **Amazon Data Firehose**. If you select multiple tenant names, the destination you choose is applied to each ingestion of an app authorization.

1. When you choose a destination, additional required fields appear.

   1. If you choose **Amazon S3 — New bucket** as your destination, you must enter the name of the S3 bucket that you want to create. For more instructions on how to create an Amazon S3 bucket, see [Create an output destination](prerequisites.md#create-output-location).

   1. If you choose **Amazon S3 — Existing bucket** as your destination, select the name of the Amazon S3 bucket that you want to use.

   1. If you choose **Amazon Data Firehose** as your destination, select the name of the delivery stream from the Firehose delivery stream name dropdown list. For more instructions on how to create an Amazon Data Firehose delivery stream, see [Create an output destination](prerequisites.md#create-output-location), and note the permissions policy required for AppFabric for security.

1. For **Schema & Format**, you can choose to store your audit logs in **Raw - JSON**, **OCSF - JSON**, **OCSF - Parquet for Amazon S3 buckets**, or **Raw - JSON or OCSF-JSON for Firehose**.

   The Raw data format provides your audit log data converted to JSON from a string of data. The OCSF data format normalizes your audit log data to the AppFabric for security Open Cybersecurity Schema Framework (OCSF) schema. For more information about how AppFabric uses OCSF, see [Open Cybersecurity Schema Framework for AWS AppFabric](ocsf-schema.md). You can select only one schema and format data type at a time for an ingestion. If you want to add an additional schema and format data type, you can set up an additional ingestion destination by repeating the ingestion creation process.

1. (Optional) If you want to add a tag to an ingestion, go to the **Ingestions** page from the navigation pane. To go to the ingestion details page, select the tenant name. For **Tags**, you have the option to add tags to your ingestion. Tags are key-value pairs that assign metadata to resources that you create. For more information, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *AWS Tag Editor User Guide*.

1. Choose **Set up ingestions**.

   When you successfully set up an ingestion, you will see a success message of **Ingestion created** on the **Getting Started** page.

1. You can also check the state of your ingestions and the status of your ingestion destinations at any time on the **Ingestions** page from the navigation pane. On this page, you can see the tenant name that was created with the app authorization, the destination, and the state of your ingestions. A state of **Enabled** means that the ingestion is enabled. If you choose the tenant name of an app authorization on this page, you can see a detail page for that app authorization, including destination details and status. A status of **Active** for your ingestion destination means that the destination is set up properly and active. If the app authorization has the **Connected** status and the ingestion destination status is **Active**, then the audit log should be processed and delivered. If the app authorization status or the ingestion destination status is in any of the failed states, the audit log will not be processed or delivered even if the ingestion state is **Enabled**. To fix an app authorization failure, see [Step 2. Authorize applications](#getting-started-2-authorize-application).

1. Possible ingestion and ingestion destination statuses are shown in the following table, with troubleshooting steps that you can take to fix any error status.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appfabric/latest/adminguide/getting-started-security.html)
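The delivery rule from this step can be checked across many tenants at once. The following is an added example, not AWS code: the record types, tenant and destination names, and the `Failed` value are constructed for illustration, and only the **Connected**, **Enabled**, and **Active** values come from this page.

```python
from __future__ import annotations

from dataclasses import dataclass


def _is(value: str, expected: str) -> bool:
    # Case-insensitive, so console text and exported values compare equal.
    return value.strip().lower() == expected


@dataclass(frozen=True)
class Destination:
    name: str    # bucket or delivery stream name (constructed below)
    status: str  # "Active" when the destination is set up properly


@dataclass(frozen=True)
class TenantIngestion:
    tenant_name: str
    app_authorization_status: str  # "Connected" when healthy
    ingestion_state: str           # "Enabled" when healthy
    destinations: tuple[Destination, ...]


def blockers(t: TenantIngestion) -> list[str]:
    """Every reason audit logs for this tenant are not fully delivered."""
    found = []
    if not _is(t.app_authorization_status, "connected"):
        found.append(
            f"app authorization is {t.app_authorization_status!r}, not "
            "'Connected': repeat Step 2 (authorize applications)")
    if not _is(t.ingestion_state, "enabled"):
        found.append(f"ingestion state is {t.ingestion_state!r}, not 'Enabled'")
    if not t.destinations:
        found.append("no ingestion destination is configured")
    for d in t.destinations:
        if not _is(d.status, "active"):
            found.append(f"destination {d.name!r} is {d.status!r}, not 'Active'")
    return found


def delivering_destinations(t: TenantIngestion) -> list[str]:
    """Destinations that should currently be receiving audit logs."""
    # An enabled ingestion alone is not enough: the authorization must be
    # connected as well, otherwise nothing is processed or delivered.
    if not (_is(t.app_authorization_status, "connected")
            and _is(t.ingestion_state, "enabled")):
        return []
    return [d.name for d in t.destinations if _is(d.status, "active")]


def triage(tenants) -> dict[str, list[str]]:
    """Map each tenant that has a delivery problem to its list of blockers."""
    report = {}
    for t in tenants:
        problems = blockers(t)
        if problems:
            report[t.tenant_name] = problems
    return report


# Constructed sample data; "Failed" stands in for any failed state.
SAMPLE = (
    TenantIngestion("1password-prod", "Connected", "Enabled",
                    (Destination("audit-logs-bucket", "Active"),)),
    # Ingestion is enabled but the authorization failed: a silent log gap.
    TenantIngestion("asana-corp", "Failed", "Enabled",
                    (Destination("audit-logs-bucket", "Active"),)),
    # One of two destinations failed: delivery is partial.
    TenantIngestion("confluence-eng", "Connected", "enabled",
                    (Destination("audit-logs-bucket", "Active"),
                     Destination("siem-stream", "Failed"))),
)

if __name__ == "__main__":
    for tenant, problems in triage(SAMPLE).items():
        print(tenant)
        for problem in problems:
            print("  -", problem)
```
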

## Step 4: Use the user access tool
<a name="getting-started-4-user-access-tool"></a>

Using the AppFabric for security user access tool, security and IT Admin teams can quickly see who has access to specific applications by running a simple search using the employee’s corporate email address. This approach can be helpful in reducing time spent on tasks like user deprovisioning that might require manually checking or auditing a user’s access across SaaS applications. If a user is found, AppFabric for security provides the user’s name in the application and their in-app user status (for example, Active) if provided by the application. AppFabric for security searches all authorized applications in an app bundle to return a list of applications that the user has access to.

1. On the **Getting Started** page, for **Step 4. Use the user access tool**, choose **Look up user**.

1. In the **Email address** field, type a user’s email address, and choose **Search**.

1. In the **Search results** section, you see a list of all authorized applications that the user has access to. To show the user’s name in the application and their status (if available), select a search result.

1. A message of **User found** in the search results column means that the user can access the app listed. The following table shows the possible search results, errors, and the actions that you can take to address the errors.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appfabric/latest/adminguide/getting-started-security.html)

## Step 5: Connect AppFabric for security data in security tools and other destinations
<a name="getting-started-5-connect-appfabric-to-security-tools"></a>

Normalized (or raw) application data from AppFabric is compatible with any tool that supports data ingestion from Amazon S3 and integration with Firehose, including security tools like Barracuda XDR, Dynatrace, Logz.io, Netskope, NetWitness, Rapid7, and Splunk, or your proprietary security solution. To get normalized (or raw) application data from AppFabric, follow the previous steps 1 through 3. For more details on how to set up specific security tools and services, see [Compatible security tools and services](security-tools.md).

# Supported applications in AppFabric for security
<a name="supported-applications"></a>

AWS AppFabric for security supports integration with the following applications. Choose the name of an application for more information about how to set up AppFabric for security to connect to it.

**Topics**
+ [Configure 1Password for AppFabric](1password.md)
+ [Configure Asana for AppFabric](asana.md)
+ [Configure Azure Monitor for AppFabric](azure-monitor.md)
+ [Configure Atlassian Confluence for AppFabric](confluence.md)
+ [Configure Atlassian Jira suite for AppFabric](jira.md)
+ [Configure Box for AppFabric](box.md)
+ [Configure Cisco Duo for AppFabric](cisco-duo.md)
+ [Configure Dropbox for AppFabric](dropbox.md)
+ [Configure Genesys Cloud for AppFabric](genesys.md)
+ [Configure GitHub for AppFabric](github.md)
+ [Configure Google Analytics for AppFabric](google-analytics.md)
+ [Configure Google Workspace for AppFabric](google-workspace.md)
+ [Configure HubSpot for AppFabric](hubspot.md)
+ [Configure IBM Security® Verify for AppFabric](ibm-security.md)
+ [Configure JumpCloud for AppFabric](jumpcloud.md)
+ [Configure Microsoft 365 for AppFabric](microsoft-365.md)
+ [Configure Miro for AppFabric](miro.md)
+ [Configure Okta for AppFabric](okta.md)
+ [Configure OneLogin by One Identity for AppFabric](onelogin.md)
+ [Configure PagerDuty for AppFabric](pagerduty.md)
+ [Configure Ping Identity for AppFabric](pingidentity.md)
+ [Configure Salesforce for AppFabric](salesforce.md)
+ [Configure ServiceNow for AppFabric](servicenow.md)
+ [Configure Singularity Cloud for AppFabric](singularity-cloud.md)
+ [Configure Slack for AppFabric](slack.md)
+ [Configure Smartsheet for AppFabric](smartsheet.md)
+ [Configure Terraform Cloud for AppFabric](terraform.md)
+ [Configure Webex by Cisco for AppFabric](webex.md)
+ [Configure Zendesk for AppFabric](zendesk.md)
+ [Configure Zoom for AppFabric](zoom.md)

# Configure 1Password for AppFabric
<a name="1password"></a>

1Password is a password manager that helps you create, store, and use strong passwords for all your online accounts. It also protects your data with encryption, alerts you about breaches, and lets you share passwords.

You can use AWS AppFabric for security to receive audit logs and user data from 1Password, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for 1Password](#1password-appfabric-support)
+ [Connecting AppFabric to your 1Password account](#1password-appfabric-connecting)

## AppFabric support for 1Password
<a name="1password-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from 1Password.

### Prerequisites
<a name="1password-prerequisites"></a>

To use AppFabric to transfer audit logs from 1Password to supported destinations, you must meet the following requirements:
+ You must have an active paid 1Password Business or Enterprise subscription plan. For more information, see [1Password Enterprise](https://1password.com/business-pricing) on the 1Password website.
+ You must have an administrator or team owner role in the 1Password account. For more information, see [Groups](https://support.1password.com/groups/) on the 1Password support website.

### Rate limit considerations
<a name="1password-rate-limits"></a>

The 1Password AuditLog Events API limits requests to 600 per minute and up to 30,000 per hour. Exceeding these limits returns an error. For more information, see [1Password API Rate limits](https://developer.1password.com/docs/events-api/reference/#rate-limits) in the *1Password Events API reference*.

### Data delay considerations
<a name="1password-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, as well as precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your 1Password account
<a name="1password-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with 1Password. To find the information required to authorize 1Password with AppFabric, use the following steps.

### Create a personal 1Password access token
<a name="1password-appfabric-access-token"></a>

1Password supports personal access tokens for public clients. Complete the following steps to generate a personal access token.

1. Sign in to your 1Password account.

1. Choose **Integrations** in the navigation pane.

1. If existing integrations are present, choose **Directory**. Otherwise, continue to the next step.

1. Choose **Other** under **Events Reporting Integration**.

1. On the **Add integration** page, enter your security information and event management (SIEM) system name (for example, AppFabric Secure).

1. Choose **Add Integration**, then complete the following steps in the **Set up token** page.

   1. Provide the token name to be used in the AppFabric secure environment.

   1. We recommend that you choose **Never** in the **Expires After** drop-down list. If you select any other value, 1Password revokes the token after the expiration time elapses.

   1. In the **Events to Report** section, choose **Sign-in attempts**, **Item usage events**, and **Audit events**.

1. Choose **Issue Token** to create the token.

1. Choose **Save in 1Password** and complete the following steps.

   1. The title will be auto-populated based on your system and token names.

   1. Choose **Private** under **Select A Vault**.

   1. Choose **Save**.

For more information, see [Get started with 1Password Events Reporting](https://support.1password.com/events-reporting/) on the 1Password website.

### App authorizations
<a name="1password-app-authorizations"></a>

#### Tenant ID
<a name="1password-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric will be your 1Password sign-in address. Complete the following steps to find your tenant ID.

1. Sign in to your 1Password account.

1. Choose **Settings** in the navigation pane.

1. Your 1Password sign-in address is listed on the page. For example, **example-account.1password.com**.

#### Tenant name
<a name="1password-tenant-name"></a>

Enter a name that identifies this unique 1Password organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Service account token
<a name="1password-service-account-token"></a>

You must have a service account token from a 1Password service account to enter into the AppFabric 1Password app authorization. If you don't have a service account token, use the following instructions:

AppFabric will request a service account token. The service account token in AppFabric is the personal access token you created. Complete the following steps in the **1Password** portal to find the personal access token.

1. Choose **Dashboard**.

1. Choose **People**.

1. Choose **Account Owner Name**.

1. Choose **Private**.

1. Choose **View Vault**.

1. Choose **Token Name**.

#### Client Authorization
<a name="1password-client-authorization"></a>

Create an app authorization in AppFabric using the tenant ID, tenant name and service account token. Then choose **Connect** to activate the authorization.

# Configure Asana for AppFabric
<a name="asana"></a>

Asana is a work management platform that helps individuals, teams, and organizations orchestrate work, from daily tasks to cross-functional strategic initiatives. It provides a living system of clarity where everyone can communicate, collaborate, and coordinate work. With Asana, teams integrate critical business tools into one place so work moves forward no matter where it happens.

You can use AWS AppFabric for security to receive audit logs and user data from Asana, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Asana](#asana-appfabric-support)
+ [Connecting AppFabric to your Asana account](#asana-appfabric-connecting)

## AppFabric support for Asana
<a name="asana-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Asana.

### Prerequisites
<a name="asana-prerequisites"></a>

To use AppFabric to transfer audit logs from Asana to supported destinations, you must meet the following requirements:
+ You must have an **Enterprise account** with Asana. For more information about creating or upgrading to an Asana Enterprise account, see [Asana Enterprise](https://asana.com/enterprise) on the Asana website.
+ You must have a user with the **Super Admin** role in your Asana account. For more information about roles, see [Admin and super admin roles in Asana](https://help.asana.com/hc/en-us/articles/14141552580635-Admin-and-super-admin-roles-in-Asana) on the Asana website.

### Rate limit considerations
<a name="asana-rate-limits"></a>

Asana imposes rate limits on the Asana API. For more information about the Asana API rate limits, see [Rate limits](https://developers.asana.com/docs/rate-limits) on the *Asana Developers Guide* website. If the combination of AppFabric and your existing Asana applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="asana-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, as well as precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Asana account
<a name="asana-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Asana. To find the information required to authorize Asana with AppFabric, use the following steps.

### App authorizations
<a name="asana-app-authorizations"></a>

#### Tenant ID
<a name="asana-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is called the domain ID in Asana. To find the domain ID, use the following instructions from the Asana home screen:

1. Choose your account profile picture and select **Admin Console**.

1. Then select **Settings**.

1. Scroll to **Domain Settings**.

1. Enter the domain ID from this section into the AppFabric Tenant ID configuration.

#### Tenant name
<a name="asana-tenant-name"></a>

Enter a name that identifies this unique Asana organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Service account token
<a name="asana-service-account-token"></a>

You must have a service account token from an Asana service account to enter into the AppFabric Asana app authorization. If you don't have a service account token, use the following instructions:

1. To create a service account, follow the instructions in [Service Accounts](https://help.asana.com/hc/en-us/articles/14217496838427-Service-Accounts) on the *Asana Guide* website.

1. Copy and save the token from the bottom of the **Add service account** page the first time you view the **Add service account** page.

1. If you close the **Add service account** page before saving the token, you must edit your service account, generate a new token, and save it.

# Configure Azure Monitor for AppFabric
<a name="azure-monitor"></a>

Azure Monitor is a comprehensive monitoring solution for collecting, analyzing, and responding to monitoring data from your cloud and on-premises environments. You can use Azure Monitor to maximize the availability and performance of your applications and services. It helps you understand how your applications are performing and allows you to manually and programmatically respond to system events.

Azure Monitor collects and aggregates the data from every layer and component of your system across multiple Azure and non-Azure subscriptions and tenants. It stores it in a common data platform for consumption by a common set of tools that can correlate, analyze, visualize, and/or respond to the data. You can also integrate other Microsoft and non-Microsoft tools. The Azure Monitor activity log is a platform log that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started. 

You can use AWS AppFabric for security to receive audit logs and user data from Azure Monitor, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Azure Monitor](#azure-monitor-appfabric-support)
+ [Connecting AppFabric to your Azure Monitor account](#azure-monitor-appfabric-connecting)

## AppFabric support for Azure Monitor
<a name="azure-monitor-appfabric-support"></a>

AppFabric is capable of receiving user information and audit logs from the following Azure Monitor services:
+ Azure Monitor
+ API Management
+ Microsoft Sentinel
+ Security Center

### Prerequisites
<a name="azure-monitor-prerequisites"></a>

To use AppFabric to transfer audit logs from Azure Monitor to supported destinations, you must meet the following requirements:
+ You need to have a Microsoft Azure account with either a free trial or pay-as-you-go subscription.
+ At least one subscription is required to fetch the events within that subscription.

### Rate limit considerations
<a name="azure-monitor-rate-limits"></a>

Azure Monitor imposes rate limits on the security principal (user or application) making the requests and on the subscription ID or tenant ID. For more information about the Azure Monitor API rate limits, see [Understand how Azure Resource Manager throttles requests](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/request-limits-and-throttling) on the *Azure Monitor Developer website*.

### Data delay considerations
<a name="azure-monitor-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, as well as precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Azure Monitor account
<a name="azure-monitor-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Azure Monitor. To find the information required to authorize Azure Monitor with AppFabric, use the following steps.

### Create an OAuth application
<a name="azure-monitor-create-oauth-application"></a>

AppFabric integrates with Azure Monitor using OAuth2. Complete the following steps to create an OAuth2 application in Azure Monitor:

1. Navigate to the [Microsoft Azure Portal](https://portal.azure.com) and sign in.

1. Navigate to **Microsoft Entra ID**.

1. Choose **App Registrations**.

1. Choose **New Registration**.

1. Enter a name for the client such as Azure Monitor OAuth Client. This will be the name of the registered application.

1. Verify the **Supported account types** is set to **Single Tenant**.

1. For the **Redirect URI**, select **Web** as the platform and add a redirect URI. Use the following format for the redirect URI:

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In that address, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

   The authentication response will be sent to the provided URI after successfully authenticating the user. Providing this now is optional and it can be changed later, but a value is required for most authentication scenarios.

1. Choose **Register**.

1. In the registered app, choose **Certificates & secrets** and then **New client secret**.

1. Add a description for the secret.

1. Select the secret expiration duration. You can select any preset duration from the drop-down or set a custom duration.

1. Choose **Add**. Client secret values can only be viewed immediately after creation. Be sure to save the secret somewhere safe before leaving the page.

### Required permissions
<a name="azure-monitor-required-permissions"></a>

You must add the following permissions to your OAuth application. To add permissions, follow the instructions in the [Add permissions to access your web API](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis#add-permissions-to-access-your-web-api) section of the *Microsoft Entra Developer Guide*.
+ Microsoft Graph User Access API > User.Read.All (Select Delegated Type)
+ Microsoft Graph User Access API > offline\_access (Select Delegated Type)
+ Azure Service Management Audit Log API > user\_impersonation (Select Delegated Type)

After you’ve added the permissions, to grant admin consent for the permissions, follow the instructions in the [Admin consent button](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis#admin-consent-button) section of the *Microsoft Entra Developer Guide*.

### App authorizations
<a name="azure-monitor-app-authorizations"></a>

AppFabric supports receiving user information and audit logs from your Azure Monitor account. To receive both audit logs and user data from Azure Monitor, you must create two app authorizations, one that is named **Azure Monitor** in the app authorization drop-down list, and another that is named **Azure Monitor Audit Logs** in the app authorization drop-down list. You can use the same tenant ID, client ID and client secret for both app authorizations. To receive audit logs from Azure Monitor you need both the **Azure Monitor** and **Azure Monitor Audit Logs** app authorizations. To use the user access tool alone, only the **Azure Monitor** app authorization is required.

#### Tenant ID
<a name="azure-monitor-tenant-id"></a>

AppFabric will request your tenant ID. Complete the following steps to find your tenant ID in **Azure Monitor**:

1. Navigate to the [Microsoft Azure Portal](https://portal.azure.com/).

1. Navigate to **Azure Active Directory**.

1. In the **App Registrations** section, choose the app that was previously created.

1. In the **Overview** section, copy the tenant ID from the **Directory (tenant) ID** field.

#### Tenant name
<a name="azure-monitor-tenant-name"></a>

Enter a name that identifies this unique Azure Monitor subscription. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

**Note**  
The tenant name can be a maximum of 2,048 characters, consisting of numbers, lowercase and uppercase letters, and the following special characters: period (.), underscore (\_), dash (-), and empty space.

#### Client ID
<a name="azure-monitor-client-id"></a>

AppFabric will request a client ID. Complete the following procedure to find your client ID in Azure Monitor:

1. Navigate to the [Microsoft Azure Portal](https://portal.azure.com/).

1. Navigate to **Azure Active Directory**.

1. In the **App Registrations** section, choose the app that was previously created.

1. In the **Overview** section, copy the client ID from the **Application (client) ID** field.

#### Client secret
<a name="azure-monitor-client-secret"></a>

AppFabric will request a client secret. The client secret for the registered OAuth app is the one that you generated in step 11 of the OAuth app creation section. If you misplace the client secret generated during the OAuth app creation, repeat steps 8-11 in the OAuth app creation section to generate a new one.

#### App authorization
<a name="azure-monitor-app-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Microsoft Azure to approve the authorization. Sign in to your account from the window and approve the AppFabric authorization by choosing **Allow**.

# Configure Atlassian Confluence for AppFabric
<a name="confluence"></a>

Create, collaborate, and organize all your work in one place. Confluence is a team workspace where knowledge and collaboration meet. Dynamic pages give your team a place to create, capture, and collaborate on any project or idea. Spaces help your team structure, organize, and share work, so every team member has visibility into institutional knowledge and access to the information they need to do their best work.

You can use AWS AppFabric for security to receive audit logs and user data from Confluence, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Atlassian Confluence](#confluence-appfabric-support)
+ [Connecting AppFabric to your Atlassian Confluence account](#confluence-appfabric-connecting)

## AppFabric support for Atlassian Confluence
<a name="confluence-appfabric-support"></a>

AppFabric supports receiving audit logs from Atlassian Confluence.

### Prerequisites
<a name="confluence-prerequisites"></a>

To use AppFabric to transfer audit logs from Atlassian Confluence to supported destinations, you must meet the following requirements:
+ To access the audit logs, you need to have a standard, premium, or enterprise account. For more information about creating or upgrading to the applicable Confluence plan type, see [Confluence Pricing](https://www.atlassian.com/software/confluence/pricing.html) on the Atlassian website.
+ To access the Audit logs, you need to have Administrator permissions for your account. For more information about roles, see [Give users admin permissions](https://support.atlassian.com/user-management/docs/give-users-admin-permissions/) on the Atlassian Support website.

### Rate limit considerations
<a name="confluence-rate-limit"></a>

Confluence imposes rate limits on the Atlassian Confluence API. If the combination of AppFabric and your existing Atlassian Confluence API applications exceeds Atlassian Confluence's limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="confluence-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, as well as precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Atlassian Confluence account
<a name="confluence-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Atlassian Confluence. To find the information required to authorize Atlassian Confluence with AppFabric, use the following steps.

### Create an OAuth application
<a name="confluence-create-oauth-application"></a>

AppFabric integrates with Atlassian Confluence using OAuth. To create an OAuth application in Atlassian Confluence, use the following steps.

1. Navigate to the [Atlassian Developer Console](https://developer.atlassian.com/console/).

1. Choose your profile icon in the top-right and choose **Developer console**.

1. Next to **My apps**, choose **Create**, **OAuth 2.0 integration**.

1. Choose **Permissions** in the left navigation pane and choose **Add** next to Confluence API.

1. Under **Classic scopes**, select **Read user** (`read:confluence-user`).

1. Under **Granular scopes**, select **View audit records** (`read:audit-log:confluence`).

1. Choose **Authorization** in the left navigation pane and choose **Add** next to **OAuth 2.0 (3LO)**.

1. Use a redirect URL with the following format in the **Callback URL** text box and choose **Save changes**.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.
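The redirect URI format used in the Azure Monitor and Atlassian Confluence OAuth setup can be checked before you register it. This is an added example, not AWS code: the function names are hypothetical, the Region list is the three Regions this guide names for AppFabric for security, and it assumes the identity provider compares redirect URIs exactly.

```python
from urllib.parse import urlsplit

# Regions this guide lists for AppFabric for security.
SUPPORTED_REGIONS = {
    "us-east-1": "US East (N. Virginia)",
    "eu-west-1": "Europe (Ireland)",
    "ap-northeast-1": "Asia Pacific (Tokyo)",
}
HOST_SUFFIX = ".console.aws.amazon.com"
CALLBACK_PATH = "/appfabric/oauth2"


def expected_redirect_uri(bundle_region: str) -> str:
    """Redirect URI for an app bundle configured in bundle_region."""
    if bundle_region not in SUPPORTED_REGIONS:
        raise ValueError(f"{bundle_region!r} is not a listed AppFabric Region")
    return f"https://{bundle_region}{HOST_SUFFIX}{CALLBACK_PATH}"


def redirect_uri_problems(registered: str, bundle_region: str) -> list[str]:
    """Explain why a registered redirect URI would not match; [] if it does."""
    expected = expected_redirect_uri(bundle_region)
    if registered == expected:
        return []
    if "<region>" in registered:
        return ["placeholder <region> was not replaced with a Region code"]

    problems = []
    stripped = registered.strip()
    if stripped != registered:
        problems.append("leading or trailing whitespace")

    parts = urlsplit(stripped)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")

    netloc = parts.netloc.lower()
    if not netloc.endswith(HOST_SUFFIX):
        problems.append(f"host {netloc!r} is not <region>{HOST_SUFFIX}")
    else:
        region = netloc[: -len(HOST_SUFFIX)]
        if region != bundle_region:
            problems.append(
                f"URI Region is {region!r} but the app bundle is in "
                f"{bundle_region!r}")

    if parts.path != CALLBACK_PATH:
        problems.append(f"path is {parts.path!r}, expected {CALLBACK_PATH!r}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment must not be present")

    if not problems:
        # Same URL after normalization, so only letter case can differ.
        problems.append("differs from the expected URI in letter case")
    return problems


if __name__ == "__main__":
    # Constructed inputs: one correct URI and two common mistakes.
    for uri in (
        "https://us-east-1.console.aws.amazon.com/appfabric/oauth2",
        "https://eu-west-1.console.aws.amazon.com/appfabric/oauth2",
        "http://us-east-1.console.aws.amazon.com/appfabric/oauth2/",
    ):
        print(uri, "->", redirect_uri_problems(uri, "us-east-1") or "ok")
```
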

### Required scopes
<a name="confluence-required-scopes"></a>

You must add one of the following scopes to your Atlassian Confluence OAuth application. For more information about scopes, see [Scopes for OAuth 2.0 (3LO) and Forge apps](https://developer.atlassian.com/cloud/confluence/scopes-for-oauth-2-3LO-and-forge-apps/) on the Atlassian Developer website. Use the classic scope where available.
+ Classic Scopes:
  + `read:confluence-user`
+ Granular Scopes:
  + `read:audit-log:confluence`

### App authorizations
<a name="confluence-app-authorizations"></a>

#### Tenant ID
<a name="confluence-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your **Atlassian Confluence instance subdomain**. You can find your **Atlassian Confluence instance subdomain** in your browser’s address bar between **https://** and **.atlassian.net**.

#### Tenant name
<a name="confluence-tenant-name"></a>

Enter a name that identifies this unique Atlassian Confluence organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="confluence-client-id"></a>

AppFabric will request a client ID. To find your client ID in Atlassian Confluence, use the following steps:

1. Navigate to the [Atlassian Developer Console](https://developer.atlassian.com/console/).

1. Choose your profile icon in the top-right and choose **Developer console**, **My Apps**.

1. Select the OAuth application that you use to connect AppFabric.

1. Enter the client ID from the **Settings** page into the client ID field in AppFabric.

#### Client secret
<a name="confluence-client-secret"></a>

AppFabric will request a client secret. To find your client secret in Atlassian Confluence, use the following steps:

1. Navigate to the [Atlassian Developer Console](https://developer.atlassian.com/console/).

1. Choose your profile icon in the top-right and choose **Developer console**, **My Apps**.

1. Select the OAuth application that you use to connect AppFabric.

1. Enter the secret from the **Settings** page into the **Client Secret** field in AppFabric.

#### Approve authorization
<a name="confluence-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Atlassian Confluence to approve the authorization. To approve the AppFabric authorization, choose **allow**.

# Configure Atlassian Jira suite for AppFabric
<a name="jira"></a>

Atlassian unleashes the potential of every team. Their agile and DevOps, IT service management and work management software helps teams organize, discuss, and complete shared work. The majority of the Fortune 500 and over 240,000 companies of all sizes worldwide - including NASA, Kiva, Deutsche Bank, and Salesforce - rely on Atlassian solutions to help their teams work better together and deliver quality results on time. Learn more about Atlassian products, including Jira Software, Confluence, Jira Service Management, Trello, Bitbucket, and Jira Align at [https://www.atlassian.com/](https://www.atlassian.com/). 

You can use AWS AppFabric for security to receive audit logs and user data from the Jira suite (other than Jira Align), normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for the Jira suite](#jira-appfabric-support)
+ [Connecting AppFabric to your Jira account](#jira-appfabric-connecting)

## AppFabric support for the Jira suite
<a name="jira-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from the Jira suite, with the exception of Jira Align.

### Prerequisites
<a name="jira-prerequisites"></a>

To use AppFabric to transfer audit logs from the Jira suite to supported destinations, you must meet the following requirements:
+ You must have a Jira Standard Plan or higher. For more information about the capabilities of the Jira plans, see [Jira Software](https://www.atlassian.com/software/jira/pricing), [Jira Service Management](https://www.atlassian.com/software/jira/service-management/pricing), [Jira Work Management](https://www.atlassian.com/software/jira/work-management/pricing), and [Jira Product Discovery](https://www.atlassian.com/software/jira/product-discovery/pricing) pricing pages.
+ You must have a user with the **Organization admin** role in your Jira account. For more information about roles, see [Give users admin permissions](https://support.atlassian.com/user-management/docs/give-users-admin-permissions/) on the Atlassian Support website. 

### Rate limit considerations
<a name="jira-rate-limits"></a>

The Jira suite imposes rate limits on the Jira API. For more information about the Jira suite API rate limits, see [Rate limiting](https://developer.atlassian.com/cloud/jira/platform/rate-limiting/) on the *Atlassian Developers Guide* website. If the combination of AppFabric and your existing Jira API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="jira-data-delay"></a>

You might see up to a 30-minute delay before an audit event is delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Jira account
<a name="jira-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Jira. To find the information required to authorize Jira with AppFabric, use the following steps.

### Create an OAuth application
<a name="jira-create-oauth-application"></a>

AppFabric integrates with the Jira suite using OAuth. To create an OAuth application in Jira, use the following steps:

1. Navigate to the [Atlassian Developer Console](https://developer.atlassian.com/console/).

1. Next to **My apps**, choose **Create**, **OAuth 2.0 integration**.

1. Give your app a name and choose **Create**.

1. Navigate to the **Authorization** section and choose **Add** next to OAuth 2.0.

1. Use a URL with the following format in the **Callback URL** field and choose **Save changes**.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Navigate to the **Settings** section, copy your client ID and client secret, and save them to use for the AppFabric app authorization.

### Required scopes
<a name="jira-required-scopes"></a>

You must add the following scopes to your Jira OAuth application’s **Permissions** page:
+ Under Classic Scopes:
  + Jira API > `read:jira-user`
+ Under Granular Scopes:
  + Jira API > `read:audit-log:jira`
  + Jira API > `read:user:jira`

### App authorizations
<a name="jira-app-authorizations"></a>

#### Tenant ID
<a name="jira-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your **Jira instance subdomain**. You can find your **Jira instance subdomain** in your browser’s address bar between **https://** and **.atlassian.net**.

#### Tenant name
<a name="jira-tenant-name"></a>

Enter a name that identifies this unique Jira server. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="jira-client-id"></a>

AppFabric will request your client ID. To find your client ID in Jira, use the following steps:

1. Navigate to the [Atlassian Developer Console](https://developer.atlassian.com/console/).

1. Select the OAuth application that you use to connect AppFabric.

1. Enter the client ID from the **Settings** page into the client ID field in AppFabric.

#### Client secret
<a name="jira-client-secret"></a>

AppFabric will request your client secret. The **Client secret** in AppFabric is the **Secret** in Jira. To find your **Secret** in Jira, use the following steps:

1. Navigate to the [Atlassian Developer Console](https://developer.atlassian.com/console/).

1. Select the OAuth application that you use to connect AppFabric.

1. Enter the secret from the **Settings** page into the **Client Secret** field in AppFabric.

#### Approve authorization
<a name="jira-approve-authorization"></a>

After creating the app authorization in AppFabric you will receive a pop-up window from Jira to approve the authorization. To approve the AppFabric authorization, choose **Allow**.

# Configure Box for AppFabric
<a name="box"></a>

Box is the leading Content Cloud, a single platform that empowers organizations to manage the entire content lifecycle, work securely from anywhere, and integrate across best-of-breed apps.

You can use AWS AppFabric to receive audit logs and user data from Box, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Box](#box-appfabric-support)
+ [Connecting AppFabric to your Box account](#box-appfabric-connecting)

## AppFabric support for Box
<a name="box-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Box.

### Prerequisites
<a name="box-prerequisites"></a>

To use AppFabric to transfer audit logs from Box to supported destinations, you must meet the following requirements:
+ To access the audit logs, you need to have an active paid subscription to a [Business, Business Plus, Enterprise, or Enterprise Plus](https://www.box.com/pricing) plan.
+ You must have a user with [Admin Privileges](https://developer.box.com/guides/events/enterprise-events/for-enterprise/).
+ You must have [2-factor authentication](https://support.box.com/hc/en-us/articles/360043697154-Two-Factor-Authentication-Set-Up-for-Your-Account) enabled on your Box account for viewing and copying the application's client secret from the configuration tab.

### Rate limit considerations
<a name="box-rate-limits"></a>

Box imposes rate limits on the Box API. For more information about the Box API rate limits, see [Rate limits](https://developer.box.com/guides/api-calls/permissions-and-errors/rate-limits/#per-api-rate-limits) on the *Box Developers Guide* website. If the combination of AppFabric and your existing Box applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="box-data-delay"></a>

You might see up to a 30-minute delay before an audit event is delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Box account
<a name="box-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you need to authorize AppFabric with Box. To find the information required to authorize Box with AppFabric, use the following steps.

### Create an OAuth application
<a name="box-create-oauth-application"></a>

AppFabric integrates with Box using OAuth. Use the following steps to create an OAuth application in Box. For more information, see [Creating an OAuth App](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/) on the Box website.

1. Log in to Box and go to the [Developer Console](https://app.box.com/developers/console).

1. Choose **Create New App**.

1. Choose **Custom App** from the list of application types. A modal will appear to prompt a selection for the next step.

1. Enter an app name and description.

1. Choose **Integration** from the **Purpose** dropdown list.

   1. Choose **Security & Compliance** from the **Categories** dropdown list.

   1. Enter **AWS AppFabric Secure** in the **Which external system are you integrating with?** text box.

1. Choose **Server Authentication (Client Credentials Grant)** if you would like to verify application identity with a client ID and client secret.

1. Choose **Create App**.

1. Choose the **Configuration** tab.

1. In the **App Access Level** section of the page, choose **App + Enterprise Access**.

1. In the **Application Scopes** section of the page, choose **Manage users** and **Manage enterprise properties**.

1. Choose **Save Changes**.

   A Box Admin needs to authorize the application within the Box Admin Console before the application can be used. Complete the following steps to request an authorization.

   1. Choose the **Authorization** tab for your application within the [Developer Console](https://app.box.com/developers/console).

   1. Choose **Review and Submit** to send an email to your Box enterprise Admin for approval. For more information, see [Authorization](https://developer.box.com/guides/authorization/) in the *Box guide*.
**Note**  
You must re-submit your app if any changes are made after submission.

### Required scopes
<a name="box-required-scopes"></a>

The following application scopes are required. For more information about scopes, see [Scopes](https://developer.box.com/guides/api-calls/permissions-and-errors/scopes/) on the *Box documentation website*.
+ Manage enterprise properties (`manage_enterprise_properties`)
+ Manage users (`manage_managed_users`)

### App authorizations
<a name="box-app-authorizations"></a>

#### Tenant ID
<a name="box-tenant-id"></a>

AppFabric will request a tenant ID. The tenant ID in AppFabric is the Box Enterprise ID. The Box Enterprise ID can be found in the admin console under **Account & Billing** > **Account Information** > **Enterprise ID**. For more information, see [Enterprise ID](https://developer.box.com/platform/appendix/locating-values/#as-an-admin) on the *Box documentation website*.

#### Tenant name
<a name="box-tenant-name"></a>

Enter a name that identifies this unique Box organization. AppFabric uses the tenant name to label the app authorizations and any ingestion created from the app authorization.

#### Client ID and client secret
<a name="box-client-id-client-secret"></a>

1. Log in to Box and go to the [Developer Console](https://app.box.com/developers/console).

1. Choose **My Apps** in the navigation menu.

1. Choose the OAuth application that you use to connect AppFabric.

1. Choose the **Configuration** tab.

1. Scroll to the **OAuth 2.0 Credentials** section of the page.

1. Enter the client ID from your OAuth **Client Id** into the **Client ID** field in AppFabric.

1. Choose **Fetch Client Secret**.

1. Enter the client secret from your OAuth Client Secret into the **Client Secret** field in AppFabric.

# Configure Cisco Duo for AppFabric
<a name="cisco-duo"></a>

Cisco Duo protects against breaches with a leading access management suite that provides strong multi-layered defenses and innovative capabilities that allow legitimate users in and keep bad actors out. For any organization that is concerned about being breached and needs a solution fast, Cisco Duo quickly enables strong security while also improving user productivity.

You can use AWS AppFabric for security to receive audit logs and user data from Cisco Duo, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Cisco Duo](#cisco-duo-appfabric-support)
+ [Connect AppFabric to your Cisco Duo account](#cisco-duo-appfabric-connecting)

## AppFabric support for Cisco Duo
<a name="cisco-duo-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Cisco Duo.

### Prerequisites
<a name="cisco-duo-prerequisites"></a>

To use AppFabric to transfer audit logs from Cisco Duo to supported destinations, you must meet the following requirements:
+ To access the audit logs, you need to have an active subscription to a Duo Essentials, Duo Advantage, or Duo Premier edition. Alternatively, new customers with an Advantage or Premier trial can also access the audit logs. For more information about Cisco Duo editions, see [Editions & Pricing](https://duo.com/editions-and-pricing).
+ You need to be an Administrator with the Owner role to create or modify the Admin API application.
+ You need to add “Grant read log resource” permissions to access audit logs in the Admin API.

### Rate limit considerations
<a name="cisco-duo-rate-limit"></a>

Cisco Duo imposes rate limits on the Cisco Duo API. For more information about the Cisco Duo API rate limits, see the rate limits under [Authentication Logs](https://duo.com/docs/adminapi#authentication-logs). If the combination of AppFabric and your existing Cisco Duo API applications exceeds Cisco Duo's limits, audit logs appearing in AppFabric might be delayed. Contact Cisco Duo if you need a rate limit increase.

### Data delay considerations
<a name="cisco-duo-data-delay"></a>

You might see up to a 30-minute delay before an audit event is delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connect AppFabric to your Cisco Duo account
<a name="cisco-duo-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Cisco Duo. To find the information required to authorize Cisco Duo with AppFabric, use the following steps.

### Create a Cisco Duo Admin API application
<a name="cisco-duo-create-application"></a>

AppFabric integrates with Cisco Duo using an API service token. To create an application in Cisco Duo, use the following steps.
+ To create a Cisco Duo Admin API application, follow the instructions in [First steps](https://duo.com/docs/adminapi#first-steps) in the *Cisco Duo Admin API*.

### Required permissions
<a name="cisco-duo-required-scopes"></a>

You must add the following scopes to your Cisco Duo application:
+ Grant read log
+ Grant read resource

### App authorizations
<a name="cisco-duo-app-authorizations"></a>

#### Tenant ID
<a name="cisco-duo-tenant-id"></a>

AppFabric will request a tenant ID. You can find the tenant ID in the Cisco Duo hostname. To find the hostname in Cisco Duo, follow these steps.

1. Navigate to the [Cisco Duo Admin Login](https://admin.duosecurity.com/login?next=%2F) page and sign in.

1. Navigate to **Applications** and then choose **Protect an Application**.

1. Locate the entry for **Admin API** in the applications list, and then choose **Protect** to the far-right to configure your application and get your API hostname.

1. The API hostname is formatted as `api-<tenant-id>.duosecurity.com`, in which `<tenant-id>` is the Tenant ID.

#### Tenant name
<a name="cisco-duo-tenant-name"></a>

Enter a name that identifies this unique Cisco Duo organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Service token
<a name="cisco-duo-service-token"></a>

AppFabric will request a service token. The service token is a colon-separated integration key and secret key with the following format.

```
integrationkey:secretkey
```

To find your integration key and secret key in Cisco Duo, use the following steps.

1. Navigate to the [Cisco Duo Admin Login](https://admin.duosecurity.com/login?next=%2F) page and sign in.

1. Navigate to **Applications** and then choose **Protect an Application**.

1. Click **Protect an Application** and locate the entry for **Admin API** in the applications list. Click **Protect** at the far-right to configure the application. Scroll down to the scopes section and add **Grant read log** and **Grant read resource**.

# Configure Dropbox for AppFabric
<a name="dropbox"></a>

Dropbox helps your organization get better work done faster by bringing your people together - no matter what they’re working on, where they’re working, or what kind of tools they happen to be using. It enables users to accelerate innovation and efficiency by providing a simple, secure way to share content. Dropbox is one place to keep life organized and keep work moving. With more than 700 million registered users across 180 countries, Dropbox is on a mission to design a more enlightened way of working.

You can use AWS AppFabric for security to receive audit logs and user data from Dropbox, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Dropbox](#dropbox-appfabric-support)
+ [Connecting AppFabric to your Dropbox account](#dropbox-appfabric-connecting)

## AppFabric support for Dropbox
<a name="dropbox-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Dropbox.

### Prerequisites
<a name="dropbox-prerequisites"></a>

To use AppFabric to transfer audit logs from Dropbox to supported destinations, you must meet the following requirements:
+ You must have a Dropbox Business account. For more information about creating or upgrading to a Dropbox Business account, see [Dropbox Business](https://www.dropbox.com/business) on the Dropbox website.
+ You must have a user with the Team Admin role in your Dropbox account. For more information about roles, see [How to change admin rights for your Dropbox team](https://help.dropbox.com/security/change-admin-rights) on the *Dropbox Help Center* website.

### Rate limit considerations
<a name="dropbox-rate-limits"></a>

Dropbox imposes rate limits on the Dropbox API. For more information about the Dropbox API rate limits, see [Rate limits](https://developers.dropbox.com/dbx-performance-guide#api-rate-limits) on the *Dropbox Performance Guide* website. If the combination of AppFabric and your existing Dropbox API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="dropbox-data-delay"></a>

You might see up to a 30-minute delay before an audit event is delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Dropbox account
<a name="dropbox-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Dropbox. To find the information required to authorize Dropbox with AppFabric, use the following steps.

### Create an OAuth application
<a name="dropbox-create-oauth-application"></a>

AppFabric integrates with Dropbox using OAuth. To create an OAuth application in Dropbox, use the following steps:

1. Choose **Create app** in the Dropbox App Console at [https://www.dropbox.com/developers/apps](https://www.dropbox.com/developers/apps).

1. On the new application configuration page, choose **Scoped access** for the API. 

1. Next, select **Full Dropbox** for the type of access.

1. Name your OAuth application, and then choose **Create app** to complete the initial OAuth application setup.

1. On the application info page, add a redirect URL with the following format in the OAuth2 redirect URIs field.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Choose **Add**.

1. Copy and save your app key and app secret for use in the AppFabric app authorization.

1. You can leave all other fields on the **Settings** tab with their default values.

### Required scopes
<a name="dropbox-required-scopes"></a>

You must add the following scopes to your Dropbox app using the **Permissions** tab on the app info screen:
+ `account_info.read`
+ `team_data.member`
+ `events.read`
+ `members.read`
+ `team_info.read`

Choose **Submit** after you are done.

### App authorizations
<a name="dropbox-app-authorizations"></a>

#### Tenant ID
<a name="dropbox-tenant-id"></a>

AppFabric will request your tenant ID. Enter any value that uniquely identifies your Dropbox account, such as team name.

#### Tenant name
<a name="dropbox-tenant-name"></a>

Enter a name that identifies this unique Dropbox account. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="dropbox-client-id"></a>

AppFabric will request a client ID. The client ID in AppFabric is your Dropbox app key. To find your Dropbox app key, use the following steps:

1. Navigate to the Dropbox App Console at [https://www.dropbox.com/developers/apps](https://www.dropbox.com/developers/apps).

1. Find the app that you use to connect AppFabric.

1. Find the app key in the **Status** section of the app’s info page.

1. Enter the app key for your Dropbox app into the **Client ID** field in AppFabric.

#### Client secret
<a name="dropbox-client-secret"></a>

AppFabric will request a client secret. The client secret in AppFabric is your Dropbox app secret. To find your Dropbox app secret, use the following steps:

1. Navigate to the Dropbox App Console at [https://www.dropbox.com/developers/apps](https://www.dropbox.com/developers/apps).

1. Find the app that you use to connect AppFabric.

1. Find the app secret in the **Status** section of the app’s info page.

1. Enter the app secret for your Dropbox app into the **Client Secret** field in AppFabric.

#### Approve authorization
<a name="dropbox-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Dropbox to approve the authorization. To approve the AppFabric authorization, choose **Allow**.

# Configure Genesys Cloud for AppFabric
<a name="genesys"></a>

Genesys Cloud creates fluid conversations across digital and voice channels in an easy, all-in-one interface. This positions companies to provide exceptional experiences for employees and customers and reap the benefits of speedy deployments, reduced complexity and simple administration.

You can use AWS AppFabric for security to receive audit logs and user data from Genesys Cloud, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Genesys Cloud](#genesys-appfabric-support)
+ [Connecting AppFabric to your Genesys Cloud account](#genesys-appfabric-connecting)

## AppFabric support for Genesys Cloud
<a name="genesys-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Genesys Cloud.

### Prerequisites
<a name="genesys-prerequisites"></a>

To use AppFabric to transfer audit logs from Genesys Cloud to supported destinations, you must meet the following requirements:
+ You must have a Genesys Cloud account.
+ You must have a user with the Administrator role in your Genesys Cloud account.

### Rate limit considerations
<a name="genesys-rate-limit"></a>

Genesys Cloud imposes rate limits on the Genesys Cloud API. For more information about the Genesys Cloud API rate limits, see [Rate limits](https://developer.genesys.cloud/platform/api/rate-limits) on the Genesys Cloud Developer website.

### Data delay considerations
<a name="genesys-data-delay"></a>

You might see up to a 30-minute delay before an audit event is delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Genesys Cloud account
<a name="genesys-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Genesys Cloud. To find the information required to authorize Genesys Cloud with AppFabric, use the following steps.

### Create an OAuth application
<a name="genesys-create-oauth-application"></a>

AppFabric integrates with Genesys Cloud using OAuth. To create an OAuth application in Genesys Cloud, use the following steps:

1. Follow the instructions in [Create an OAuth Client](https://help.mypurecloud.com/articles/create-an-oauth-client/) on the *Genesys Cloud Resource Center* website.

   For **Grant types**, choose **Code Authorization**.

1. Use a redirect URL with the following format as the **Authorized redirect URIs**.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Select the **Scope** box to display a list of scopes available to your app. Select the `audits:readonly` and `users:readonly` scopes. For information about scopes, see [OAuth Scopes](https://developer.genesys.cloud/api/rest/authorization/scopes.html) in the Genesys Cloud Developer Center.

1. Choose **Save**. Genesys Cloud creates a Client ID and a Client Secret (token).

### Required scopes
<a name="genesys-required-scopes"></a>

You must add the following scopes to your Genesys Cloud OAuth application:
+ `audits:readonly`
+ `users:readonly`

### App authorizations
<a name="genesys-app-authorizations"></a>

#### Tenant ID
<a name="genesys-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Genesys Cloud instance name. You can find your tenant ID in the address bar of your browser. For example, `usw2.pure.cloud` is the tenant ID in the following URL `https://login.usw2.pure.cloud`.

#### Tenant name
<a name="genesys-tenant-name"></a>

Enter a name that identifies this unique Genesys Cloud organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="genesys-client-id"></a>

AppFabric will request a client ID. To find your client ID in Genesys Cloud, use the following steps:

1. Choose **Admin**.

1. Under **Integrations**, choose **OAuth**.

1. Choose the OAuth client to get the Client ID.

#### Client secret
<a name="genesys-client-secret"></a>

AppFabric will request a client secret. To find your client secret in Genesys Cloud, use the following steps:

1. Choose **Admin**.

1. Under **Integrations**, choose **OAuth**.

1. Choose the OAuth client to get the Client Secret.

# Configure GitHub for AppFabric
<a name="github"></a>

GitHub is a platform and cloud-based service for software development and version control using Git, allowing developers to store and manage their code. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous integration, and wikis for every project.

You can use AWS AppFabric for security to receive audit logs and user data from GitHub, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for GitHub](#github-appfabric-support)
+ [Connecting AppFabric to your GitHub account](#github-appfabric-connecting)

## AppFabric support for GitHub
<a name="github-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from GitHub.

### Prerequisites
<a name="github-prerequisites"></a>

To use AppFabric to transfer audit logs from GitHub to supported destinations, you must meet the following requirements:
+ To access the audit logs, you need to have an enterprise account.
+ To access the enterprise audit logs, you need to have the Administrator role for your enterprise account.
+ To get audit logs from an organization, you need to be an organization owner.

### Rate limit considerations
<a name="github-rate-limits"></a>

GitHub imposes rate limits on the GitHub API. For more information about the GitHub API rate limits, see [API Request Limits and Allocations](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/rate-limits-for-github-apps) on the *GitHub website*. If the combination of AppFabric and your existing GitHub API applications exceeds GitHub’s limits, audit logs appearing in AppFabric may be delayed.

### Data delay considerations
<a name="github-data-delay"></a>

You might see up to a 30-minute delay before an audit event is delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your GitHub account
<a name="github-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with GitHub. To find the information required to authorize GitHub with AppFabric, use the following steps.

### Create an OAuth application
<a name="github-create-oauth"></a>

AppFabric integrates with GitHub using OAuth. Use the following steps to create an OAuth application in GitHub. For more information, see [Creating GitHub Apps](https://docs.github.com/en/apps/creating-github-apps) on the *GitHub website*.

1. Choose your profile photo located in the top-right corner of the page, and then choose **Settings**.

1. Choose **Developer settings** in the left navigation pane.

1. Choose **OAuth apps** in the left navigation pane.

1. Choose **New OAuth App**.
**Note**  
This button will be labeled **Register a new application** if you haven't previously created an OAuth app.

1. Enter the name of your app in the **Application name** text box.

1. Enter the full application instance URL in the **Homepage URL** text box.

1. (Optional) Enter a description for your app in the **Application description** text box. Users will see this description.

1. Enter a URL with the following format in the **Authorization callback URL** text box.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Choose **Enable Device Flow** if your OAuth app will use device flow to identify and authorize users. For more information about device flow, see [Authorizing OAuth apps](https://docs.github.com/en/enterprise-cloud@latest/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow) on the *GitHub website*.

1. Choose **Register application**.

### App authorizations
<a name="github-app-authorizations"></a>

#### Tenant ID
<a name="github-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID should be provided in either of the following formats:

**Enterprise audit log:**

Use the enterprise's audit log if you want to know aggregated actions from all of the organizations owned by your enterprise account.

To use the enterprise audit log, the tenant ID is your account's enterprise ID. You can find your enterprise ID in the address bar of your browser. For example, `examplenterprise` is the enterprise ID in the following URL: `https://github.com/settings/enterprises/examplenterprise`.

When you specify the tenant ID for enterprise audit log, you must prefix it with `enterprise:`. Therefore, specify the previous example as `enterprise:examplenterprise`.

**Organization audit log:**

Use the organization’s audit log as an organization admin if you want to know the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.

To use the organization audit log, the tenant ID is your organization ID. You can find your organization ID in the address bar of your browser. For example, `exampleorganization` is the organization ID in the following URL: `https://github.com/settings/organizations/exampleorganization`.

When you specify the tenant ID for organization audit log, you must prefix it with `organization:`. Therefore, specify the previous example as `organization:exampleorganization`.

#### Tenant name
<a name="github-tenant-name"></a>

Enter a name that identifies this unique GitHub enterprise or organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="github-client-id"></a>

AppFabric will request a client ID. Use the following steps to find your client ID in GitHub:

1. Choose your profile photo located in the top-right corner of the page, and then choose **Settings**.

1. Choose **Developer settings** in the left navigation pane.

1. Choose **OAuth apps** in the left navigation pane.

1. Choose the specific OAuth app, and then look for the **Client ID** value.

#### Client secret
<a name="github-client-secret"></a>

AppFabric will request a client secret. Use the following steps to find your client secret in GitHub.

1. Choose your profile photo located in the top-right corner of the page, and then choose **Settings**.

1. Choose **Developer settings** in the left navigation pane.

1. Choose **OAuth apps** in the left navigation pane.

1. Choose the specific OAuth app, and then look for the **Client Secret** value. If you are unable to find an existing client secret, then you might need to generate a new one.

#### Approve authorization
<a name="github-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from GitHub to approve the authorization. To approve the AppFabric authorization, choose **Allow**.

Make sure that your organizations have [granted access](https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization) to the OAuth app, if [OAuth App access restrictions](https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions) are enabled.
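
The tenant ID and callback URL formats described above, as an added Python example (not AWS or GitHub code): it derives the prefixed tenant ID from a GitHub settings URL and flags values that do not follow the documented format before you enter them in AppFabric. The function names, the slug pattern, and the restriction to `github.com` are assumptions of this example; the Region codes other than `us-east-1` are the standard AWS codes for the Regions this guide lists.

```python
"""Pre-flight checks for the GitHub values entered into AppFabric (added example)."""
import re
from urllib.parse import urlsplit

# Regions this guide lists for AppFabric. Only us-east-1 is spelled out in the
# guide; the other two are the standard AWS codes for Europe (Ireland) and
# Asia Pacific (Tokyo).
APPFABRIC_REGIONS = frozenset({"us-east-1", "eu-west-1", "ap-northeast-1"})

# GitHub settings-URL path segment -> tenant ID prefix described in the guide.
KIND_BY_SEGMENT = {"enterprises": "enterprise", "organizations": "organization"}

# Assumption of this example: a slug is made of alphanumerics and hyphens and
# does not start or end with a hyphen.
SLUG_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def callback_url(region):
    """Build the Authorization callback URL for the app bundle's Region."""
    if region not in APPFABRIC_REGIONS:
        raise ValueError(f"{region!r} is not a Region listed for AppFabric")
    return f"https://{region}.console.aws.amazon.com/appfabric/oauth2"


def tenant_id_from_settings_url(url):
    """Turn a GitHub enterprise or organization settings URL into a tenant ID."""
    parts = urlsplit(url.strip())
    # Assumption: only github.com over HTTPS, as in the guide's example URLs.
    if parts.scheme != "https" or parts.hostname != "github.com":
        raise ValueError("expected an https://github.com/... settings URL")
    segments = [s for s in parts.path.split("/") if s]
    # Expected path: /settings/<enterprises|organizations>/<slug>[/...]
    if len(segments) < 3 or segments[0] != "settings":
        raise ValueError("URL is not a GitHub settings page")
    kind = KIND_BY_SEGMENT.get(segments[1])
    if kind is None:
        raise ValueError("URL is neither an enterprise nor an organization page")
    slug = segments[2]
    if not SLUG_RE.fullmatch(slug):
        raise ValueError(f"unexpected characters in ID {slug!r}")
    return f"{kind}:{slug}"


def tenant_id_problems(tenant_id):
    """Return a list of format problems; an empty list means the value is well formed."""
    problems = []
    if tenant_id != tenant_id.strip():
        problems.append("leading or trailing whitespace")
    kind, sep, slug = tenant_id.strip().partition(":")
    if not sep:
        # A bare ID copied from the address bar is the easiest mistake to make.
        problems.append("missing 'enterprise:' or 'organization:' prefix")
        slug = kind
    elif kind not in KIND_BY_SEGMENT.values():
        problems.append(f"unknown prefix {kind!r}")
    if not SLUG_RE.fullmatch(slug):
        problems.append(f"ID part {slug!r} is empty or has unexpected characters")
    return problems


if __name__ == "__main__":
    # Example URLs taken from this guide.
    for url in (
        "https://github.com/settings/enterprises/examplenterprise",
        "https://github.com/settings/organizations/exampleorganization",
    ):
        print(tenant_id_from_settings_url(url))
    print(callback_url("us-east-1"))
    print(tenant_id_problems("exampleorganization"))
```
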

# Configure Google Analytics for AppFabric
<a name="google-analytics"></a>

Google Analytics is a web analytics service that provides statistics and basic analytical tools for search engine optimization (SEO) and marketing purposes. Google Analytics is used to track website performance and collect visitor insights. It can help organizations determine top sources of user traffic, gauge the success of their marketing activities and campaigns, track goal completions (such as purchases, adding products to carts), discover patterns and trends in user engagement and obtain other visitor information such as demographics. Small and medium-sized retail websites often use Google Analytics to obtain and analyze various customer behavior analytics, which can be used to improve marketing campaigns, drive website traffic and better retain visitors.

You can use AWS AppFabric for security to receive audit logs and user data from Google Analytics, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Google Analytics](#google-analytics-appfabric-support)
+ [Connecting AppFabric to your Google Analytics account](#google-analytics-appfabric-connecting)

## AppFabric support for Google Analytics
<a name="google-analytics-appfabric-support"></a>

AppFabric supports receiving audit logs from Google Analytics.

### Prerequisites
<a name="google-analytics-prerequisites"></a>

To use AppFabric to transfer audit logs from Google Analytics to supported destinations, you must meet the following requirements:
+ You must be an Administrator of the Google Analytics account.
+ For AppFabric to deliver logs, you need to enable the [Google Analytics Admin API](https://console.cloud.google.com/flows/enableapi?apiid=analyticsadmin.googleapis.com) on your Google Cloud project. Be sure to use a new project when setting up the Google Analytics OAuth application.

### Rate limit considerations
<a name="google-analytics-rate-limits"></a>

Google Analytics imposes rate limits on the Google Analytics API. For more information about Google Analytics API rate limits, see [Limits and Quotas](https://developers.google.com/analytics/devguides/config/admin/v1/quotas) on the *Google Analytics website*. If the combination of AppFabric and your existing Google Analytics API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="google-analytics-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delay in audit events made available by the application as well as due to precautions taken to reduce data loss. However, this might be customizable at an account-level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Google Analytics account
<a name="google-analytics-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Google Analytics. Use the following steps to find the information required to authorize Google Analytics with AppFabric.

### Create an OAuth application
<a name="google-analytics-create-oauth-application"></a>

AppFabric integrates with Google Analytics using OAuth. Complete the following steps to create an OAuth application in Google Analytics:

1. To configure your OAuth consent screen, follow the instructions in *Configure the OAuth consent screen* in the *Google Developer Guide* on the Google website.

1. Choose **External** for the **User type**.

1. To configure OAuth credentials for AppFabric, follow the instructions in the *OAuth client ID credentials* section of the *Create access credentials* page in the *Google Developer Guide*.

1. Use a redirect URL with the following format.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In that address, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

### Required scopes
<a name="google-analytics-required-scopes"></a>

You must add the following scope to your Google Analytics OAuth application:

```
https://www.googleapis.com/auth/analytics.edit
```

### App authorizations
<a name="google-analytics-app-authorizations"></a>

#### Tenant ID
<a name="google-analytics-tenant-id"></a>

AppFabric will request a tenant ID. The tenant ID in AppFabric is your Google Analytics account ID.

1. Go to the [Google Analytics home page](https://analytics.google.com/analytics/web/).

1. Choose **Admin** in the navigation pane.

1. You will find your account ID under **Account** > **Account Settings** > **Account details** > **Account ID**.

#### Tenant name
<a name="google-analytics-tenant-name"></a>

Enter a name that identifies this unique Google Analytics organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="google-analytics-client-id"></a>

AppFabric will request a client ID. Use the following steps to find your client ID in Google Analytics:

1. Go to the [Credentials page](https://console.developers.google.com/apis/credentials).

1. In the **OAuth 2.0 Client IDs** section, choose the client ID you created.

1. The client ID is listed in the **Additional information** section of the page.

#### Client secret
<a name="google-analytics-client-secret"></a>

AppFabric will request a client secret. Use the following steps to find your client secret in Google Analytics:

1. Go to the [Credentials page](https://console.developers.google.com/apis/credentials).

1. In the **OAuth 2.0 Client IDs** section, choose the client name.

1. The client secret is listed in the **Client secrets** section of the page.

#### App authorization
<a name="google-analytics-app-authorizing"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Google Analytics to approve the authorization. To approve the AppFabric authorization, choose **Allow**.

# Configure Google Workspace for AppFabric
<a name="google-workspace"></a>

Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.

You can use AWS AppFabric for security to receive audit logs and user data from Google Workspace, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Google Workspace](#google-workspace-appfabric-support)
+ [Connecting AppFabric to your Google Workspace account](#google-workspace-appfabric-connecting)

## AppFabric support for Google Workspace
<a name="google-workspace-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Google Workspace.

### Prerequisites
<a name="google-workspace-prerequisites"></a>

To use AppFabric to transfer audit logs from Google Workspace to supported destinations, you must meet the following requirements:
+ You must subscribe to the Google Workspace Enterprise Standard plan. For more information about creating or upgrading to the Google Workspace Enterprise Standard plan, see the [Google Workspace Plans](https://workspace.google.com/pricing.html) website.
+ You must have a user with the **Administrator** role in your Google Workspace.
+ For AppFabric to deliver logs, you need to enable [Google Admin SDK API](https://console.cloud.google.com/flows/enableapi?apiid=admin.googleapis.com) on your Google Cloud project. For more information, see [Enable Google Workspace APIs](https://developers.google.com/workspace/guides/enable-apis) in the *Google Workspace Developer Guide*.

### Rate limit considerations
<a name="google-workspace-rate-limits"></a>

Google Workspace imposes rate limits on the Google Workspace API. For more information about Google Workspace API rate limits, see [Limits and Quotas](https://developers.google.com/admin-sdk/reports/v1/limits) in the *Google Workspace Admin Guide* on the Google Workspace website. If the combination of AppFabric and your existing Google Workspace API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="google-workspace-data-delay"></a>

You might see up to a 30-minute delay for most audit events and up to a 4-hour delay for certain audit events to be delivered to your destination. This is due to delay in audit events made available by the application as well as due to precautions taken to reduce data loss. For more information, see [Data retention and lag times](https://support.google.com/a/answer/7061566?hl=en) on the *Google Workspace Admin Help website*. However, this might be customizable at an account-level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Google Workspace account
<a name="google-workspace-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Google Workspace. To find the information required to authorize Google Workspace with AppFabric, use the following steps.

### Create an OAuth application
<a name="google-workspace-create-oauth-application"></a>

AppFabric integrates with Google Workspace using OAuth. To create an OAuth application in Google Workspace, use the following steps:

1. To configure your OAuth consent screen, follow the instructions in [Configure the OAuth consent screen](https://developers.google.com/workspace/guides/configure-oauth-consent) in the *Google Workspace Developer Guide* on the Google Workspace website.

   Choose **Internal** for the **User type**.

1. To configure OAuth credentials for AppFabric, follow the instructions in the [OAuth client ID credentials](https://developers.google.com/workspace/guides/create-credentials#oauth-client-id) section of the *Create access credentials* page in the *Google Workspace Developer Guide*.

1. Use a redirect URL with the following format.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

### Required scopes
<a name="google-workspace-required-scopes"></a>

You must add the following scopes to your Google Workspace OAuth application:
+ `https://www.googleapis.com/auth/admin.reports.audit.readonly`
+ `https://www.googleapis.com/auth/admin.directory.user`

If you don't see these scopes, add the **Admin SDK API** to your Google Cloud API library.

### App authorizations
<a name="google-workspace-app-authorizations"></a>

#### Tenant ID
<a name="google-workspace-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Google Workspace project ID. To find your project ID, see [Locate the project ID](https://support.google.com/googleapi/answer/7014113?hl=en) on the Google API Console Help website.

#### Tenant name
<a name="google-workspace-tenant-name"></a>

Enter a name that identifies this unique Google Workspace. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="google-workspace-client-id"></a>

AppFabric will request your client ID. To find your client ID, use the following steps:

1. Find your client ID using the information in the [View Credentials](https://developers.google.com/workspace/guides/manage-credentials#view_credentials) section of the *Manage Credentials* page in the *Google Workspace Developer Guide*.

1. Enter the client ID for your OAuth client into the **Client ID** field in AppFabric.

#### Client secret
<a name="google-workspace-client-secret"></a>

AppFabric will request your client secret. To find your client secret, use the following steps:

1. Find your client secret using the information in the [View Credentials](https://developers.google.com/workspace/guides/manage-credentials#view_credentials) section of the *Manage Credentials* page on the *Google Workspace Developer Guide*.

1. If you need to reset your client secret, use the instructions in the [Reset Client Secret](https://developers.google.com/workspace/guides/manage-credentials#reset_client_secret) section of the *Manage Credentials* page on the *Google Workspace Developer Guide*.

1. Enter your client secret into the **Client secret** field in AppFabric.

#### Approve authorization
<a name="google-workspace-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Google Workspace to approve the authorization. To approve the AppFabric authorization, choose **allow**.

# Configure HubSpot for AppFabric
<a name="hubspot"></a>

HubSpot is a customer platform with all the software, integrations, and resources you need to connect your marketing, sales, content management, and customer service. HubSpot's connected platform enables you to grow your business faster by focusing on what matters most: your customers.

You can use AWS AppFabric for security to receive audit logs and user data from HubSpot, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for HubSpot](#hubspot-appfabric-support)
+ [Connecting AppFabric to your HubSpot account](#hubspot-appfabric-connecting)

## AppFabric support for HubSpot
<a name="hubspot-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from HubSpot.

### Prerequisites
<a name="hubspot-prerequisites"></a>

To use AppFabric to transfer audit logs from HubSpot to supported destinations, you must meet the following requirements:
+ You must have an account with the Enterprise subscription in HubSpot to access audit logs. For more information about HubSpot subscriptions, see [Manage your HubSpot subscription](https://knowledge.hubspot.com/account/manage-your-hubspot-subscription) on the HubSpot Knowledge Base.
+ You must have a developer account and an app associated with the account.
+ You should be a **super admin** to install apps in your HubSpot account, or have App Marketplace Access permission plus the user permissions to accept the scopes the app is requesting.

### Rate limit considerations
<a name="hubspot-rate-limit"></a>

HubSpot imposes rate limits on the HubSpot API. For more information about the HubSpot API rate limits, including limits for apps using OAuth, see [Rate Limits](https://developers.hubspot.com/docs/api/usage-details#rate-limits) on the HubSpot website. If the combination of AppFabric and your existing HubSpot API applications exceeds HubSpot's limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="hubspot-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delay in audit events made available by the application as well as due to precautions taken to reduce data loss. However, this might be customizable at an account-level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your HubSpot account
<a name="hubspot-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with HubSpot. To find the information required to authorize HubSpot with AppFabric, use the following steps.

### Create an OAuth application
<a name="hubspot-create-oauth-application"></a>

AppFabric integrates with HubSpot using OAuth. To create an OAuth application in HubSpot, use the following steps:

1. Follow the instructions in the [Create a public app](https://developers.hubspot.com/docs/api/creating-an-app) section in the HubSpot guide on the HubSpot website.

1. From the **Auth** tab, add the three scopes listed in [Required scopes](#hubspot-required-scopes).

1. Use a redirect URL with the following format in **Redirect URL**.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, *<region>* is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Choose **Create app**.

### Required scopes
<a name="hubspot-required-scopes"></a>

You must add the following scopes to your HubSpot OAuth application:
+ `settings.users.read`
+ `crm.objects.owners.read`
+ `account-info.security.read`

### App authorizations
<a name="hubspot-app-authorizations"></a>

#### Tenant ID
<a name="hubspot-tenant-id"></a>

Enter an ID that identifies this unique HubSpot organization. For example, enter your HubSpot account ID.

#### Tenant name
<a name="hubspot-tenant-name"></a>

Enter a name that identifies this unique HubSpot organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="hubspot-client-id"></a>

AppFabric will request a client ID. To find your client ID in HubSpot, use the following steps:

1. Navigate to the [HubSpot log-in page](https://app.hubspot.com/login) and sign in using your developer account credentials.

1. From the **Apps** menu, choose your app.

1. From the **Auth** tab, look for the **Client ID** value.

#### Client secret
<a name="hubspot-client-secret"></a>

AppFabric will request a client secret. To find your client secret in HubSpot, use the following steps:

1. Navigate to the [HubSpot log-in page](https://app.hubspot.com/login) and sign in using your developer account credentials.

1. From the **Apps** menu, choose your app.

1. From the **Auth** tab, look for the **Client secret** value.

#### Approve authorization
<a name="hubspot-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from HubSpot to approve the authorization. Sign in to your account using your enterprise account credentials (not your developer account) to approve the AppFabric authorization. Choose **allow**.

# Configure IBM Security® Verify for AppFabric
<a name="ibm-security"></a>

The IBM Security® Verify family provides automated, cloud-based and on-premises capabilities for administering identity governance, managing workforce and consumer identity and access, and controlling privileged accounts. Whether you need to deploy a cloud or on-premises solution, IBM Security® Verify helps you establish trust and protect against insider threats to both your [workforce](https://www.ibm.com/products/verify-identity/workforce-iam) and [consumers](https://www.ibm.com/products/verify-identity/ciam).

You can use AWS AppFabric for security to receive audit logs and user data from IBM Security® Verify, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for IBM Security® Verify](#ibm-security-appfabric-support)
+ [Connecting AppFabric to your IBM Security® Verify account](#ibm-security-appfabric-connecting)

## AppFabric support for IBM Security® Verify
<a name="ibm-security-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from IBM Security® Verify.

### Prerequisites
<a name="ibm-security-prerequisites"></a>

To use AppFabric to transfer audit logs from IBM Security® Verify to supported destinations, you must meet the following requirements:
+ To access the audit logs, you need to have an [IBM Security® Verify SaaS account](https://www.ibm.com/products/verify-identity).
+ To access the audit logs, you need to have an administrator role in your IBM Security® Verify SaaS account.

### Rate limit considerations
<a name="ibm-security-rate-limits"></a>

IBM Security® Verify imposes rate limits on the IBM Security® Verify API. For more information about the IBM Security® Verify API rate limits, see [IBM Terms](https://www.ibm.com/support/customer/csol/terms/?id=i126-7765&lc=en). If the combination of AppFabric and your existing IBM Security® Verify API applications exceeds IBM Security® Verify limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="ibm-security-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delay in audit events made available by the application as well as due to precautions taken to reduce data loss. However, this might be customizable at an account-level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your IBM Security® Verify account
<a name="ibm-security-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with IBM Security® Verify. To find the information required to authorize IBM Security® Verify with AppFabric, use the following steps.

### Create an OAuth application
<a name="ibm-security-create-oauth-application"></a>

AppFabric integrates with IBM Security® Verify using OAuth. To create an OAuth application in IBM Security® Verify, see [Create an API client](https://docs.verify.ibm.com/verify/docs/support-developers-create-api-client) on the *IBM documentation website*.

1. For first-time login, use the login URL and credentials that were sent to your registered email address.

1. Access the administration console at `https://<hostname>.verify.ibm.com/ui/admin/`. For more information, see [Accessing IBM Security® Verify](https://www.ibm.com/docs/en/security-verify?topic=overview-accessing-security-verify#taskt_login_admin_ui__steps__1).

1. In the administration console, under **Security** > **API Access** > **API Client**, choose **Add**.

1. Select the following options. These are required for reading audit log and user details.
   + Read reports
   + Read users and groups

1. Keep the **Default** option in the **Client Authentication method**.

   Don't edit the **Custom scopes** field.

1. Choose **Next**.

1. Don't edit the **IP filter** field.

1. Choose **Next**.

1. Don't edit the **Additional properties** field.

1. Choose **Next**.

1. Specify a **Name** and **Description**. The description is optional.

1. Choose **Create API client**.

### App authorizations
<a name="ibm-security-app-authorizations"></a>

#### Tenant ID
<a name="ibm-security-tenant-id"></a>

AppFabric will request your tenant ID. You can locate the tenant ID in the IBM Security® Verify standard URL. For instance, in the `https://hostname.verify.ibm.com/` URL, the tenant ID is the *hostname* that can be found before `.verify.ibm.com` (or before `ice.ibmcloud.com` if you are using a former hostname). If you are using a vanity URL, contact your IBM Security® Verify support team to obtain your standard URL.

#### Tenant name
<a name="ibm-security-tenant-name"></a>

Enter a name that identifies this unique IBM Security® Verify tenant. AppFabric uses the tenant name to label the app authorizations and any ingestion created from the app authorization.

#### Client ID
<a name="ibm-security-client-id"></a>

AppFabric will request a client ID. To find your client ID in IBM Security® Verify, use the following steps:

1. For first-time login, use the login URL and credentials that were sent to your registered email address.

1. Access the administration console at `https://<hostname>.verify.ibm.com/ui/admin/`. For more information, see [Accessing IBM Security® Verify](https://www.ibm.com/docs/en/security-verify?topic=overview-accessing-security-verify#taskt_login_admin_ui__steps__1).

1. In the administration console, under **Security** > **API Access** > **API Client**, choose the ellipsis (⋮) next to the specific OAuth app.

1. Choose **Connection details**.

1. Locate **Client ID** under **API credentials**.

#### Client secret
<a name="ibm-security-client-secret"></a>

AppFabric will request a client secret. To find your client secret in IBM Security® Verify, use the following steps:

1. For first-time login, use the login URL and credentials that were sent to your registered email address.

1. Access the administration console at `https://<hostname>.verify.ibm.com/ui/admin/`. For more information, see [Accessing IBM Security® Verify](https://www.ibm.com/docs/en/security-verify?topic=overview-accessing-security-verify#taskt_login_admin_ui__steps__1).

1. In the administration console, under **Security** > **API Access** > **API Client**, choose the ellipsis (⋮) next to the specific OAuth app.

1. Choose **Connection details**.

1. Locate **Client secret** under **API credentials**.

# Configure JumpCloud for AppFabric
<a name="jumpcloud"></a>

JumpCloud Inc. is an American enterprise software company that provides a cloud-based directory platform for identity management. It centralizes and simplifies identity management, allowing users to securely access their systems, apps, networks, and file servers with a single set of credentials, regardless of platform, protocol, provider, or location.

You can use AWS AppFabric to receive audit logs and user data from JumpCloud, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for JumpCloud](#jumpcloud-appfabric-support)
+ [Connecting AppFabric to your JumpCloud account](#jumpcloud-appfabric-connecting)

## AppFabric support for JumpCloud
<a name="jumpcloud-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from JumpCloud.

### Prerequisites
<a name="jumpcloud-prerequisites"></a>

To use AppFabric to transfer audit logs from JumpCloud to supported destinations, you must meet the following requirements:
+ You must have an active paid JumpCloud subscription plan. For more information, see [https://jumpcloud.com/pricing](https://jumpcloud.com/pricing) on the JumpCloud website.
+ You must have the "Admins with Billing" role.

### Rate limit considerations
<a name="jumpcloud-rate-limits"></a>

JumpCloud doesn't publish rate limits. You must create a support case or reach out to your JumpCloud Customer team. If the combination of AppFabric and your existing JumpCloud API applications exceeds JumpCloud's limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="jumpcloud-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in audit events made available by the application, and due to precautions taken to reduce data loss. However, this might be customizable at an account-level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your JumpCloud account
<a name="jumpcloud-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with JumpCloud. To find the information required to authorize JumpCloud with AppFabric, follow the steps in the next section.

### Create an Organization token from the JumpCloud account
<a name="jumpcloud-appfabric-access-token"></a>

AppFabric uses an API key to integrate with JumpCloud. To create an API key in JumpCloud, follow these steps:

1. [Sign in to your JumpCloud](https://console.jumpcloud.com/login/admin) account as an administrator.

1. In the Admin Portal, choose your account initials, located in the top-right, and choose **My API Key** from the menu.

1. Choose **Generate New API Key**, or select an existing key.

**Note**  
JumpCloud allows only one active API key. Generating a new API key revokes the current API key, so all calls that use the previous key will stop working. You must update any existing integrations that use the previous API key with the new key value.

### App authorizations
<a name="jumpcloud-app-authorizations"></a>

#### Tenant ID
<a name="jumpcloud-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your JumpCloud Organization ID. To find your Organization ID, follow these steps:

1. Sign in to your JumpCloud account.

1. In the navigation pane, choose **Settings**, then **Organization Profile**, then **General**.

1. Choose the "eye" icon to remove the obscured view.

1. Choose the "double-page" icon to copy the ID.

#### Tenant name
<a name="jumpcloud-tenant-name"></a>

Enter a name that identifies this unique JumpCloud organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Service account token
<a name="jumpcloud-service-account-token"></a>

AppFabric will request your service account token. In AppFabric, this is the organization API token that you created in [Create an Organization token from the JumpCloud account](#jumpcloud-appfabric-access-token), earlier in this topic.

# Configure Microsoft 365 for AppFabric
<a name="microsoft-365"></a>

Microsoft 365 is a product family of productivity software, collaboration, and cloud-based services owned by Microsoft.

You can use AWS AppFabric for security to receive audit logs and user data from Microsoft 365, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Microsoft 365](#microsoft-365-appfabric-support)
+ [Connecting AppFabric to your Microsoft 365 account](#microsoft-365-appfabric-connecting)

## AppFabric support for Microsoft 365
<a name="microsoft-365-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Microsoft 365.

### Prerequisites
<a name="microsoft-365-prerequisites"></a>

To use AppFabric to transfer audit logs from Microsoft 365 to supported destinations, you must meet the following requirements:
+ You must subscribe to a Microsoft 365 Enterprise plan. For more information about creating or upgrading to a Microsoft 365 Enterprise plan, see [Microsoft 365 Enterprise Plans](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) on the Microsoft website.
+ You must have a user with **Administrator** permissions in your Microsoft 365 account.
+ You must turn on audit logging for your organization. For more information, see [Turn auditing on or off](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide) on the Microsoft website.

### Rate limit considerations
<a name="microsoft-365-rate-limits"></a>

Microsoft 365 imposes rate limits on the Microsoft 365 API. For more information about Microsoft 365 API rate limits, see [Microsoft Graph service-specific throttling limits](https://learn.microsoft.com/en-us/graph/throttling-limits) in the Microsoft Graph documentation on the Microsoft website. If the combination of AppFabric and your existing Microsoft 365 API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="microsoft-365-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Microsoft 365 account
<a name="microsoft-365-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Microsoft 365. To find the information required to authorize Microsoft 365 with AppFabric, use the following steps.

### Create an OAuth application
<a name="microsoft-365-create-oauth-application"></a>

AppFabric integrates with Microsoft 365 using OAuth. To create an OAuth application in Microsoft 365, use the following steps:

1. Follow the instructions in the [Register an application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) section in the *Azure Active Directory Developer Guide* on the Microsoft website.

   Choose **Accounts in this organizational directory only** in the **Supported Account Types** configuration.

1. Follow the instructions in the [Add a redirect URI](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-redirect-uri) section in the *Azure Active Directory Developer Guide*.

   Choose the **Web platform**, and then enter a redirect URL with the following format.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

   You can skip the other input fields for the Web platform.

1. Follow the instructions in the [Add a client secret](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) section of the *Azure Active Directory Developer Guide*.

### Required permissions
<a name="microsoft-365-required-permissions"></a>

You must add the following permissions to your OAuth application. To add permissions, follow the instructions in the [Add permissions to access your web API](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-your-web-api) section of the *Azure Active Directory Developer Guide*.
+ `Microsoft Graph API` > `User.Read` (automatically added)
+ `Office 365 Management APIs` > `ActivityFeed.Read` (Select Delegated Type)
+ `Office 365 Management APIs` > `ActivityFeed.ReadDlp` (Select Delegated Type)
+ `Office 365 Management APIs` > `ServiceHealth.Read` (Select Delegated Type)

After you’ve added the permissions, to grant admin consent for the permissions, follow the instructions in the [Admin consent button](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#admin-consent-button) section of the *Azure Active Directory Developer Guide*.

### App authorizations
<a name="microsoft-365-app-authorizations"></a>

AppFabric supports receiving user information and audit logs from your Microsoft 365 account. To receive both audit logs and user data from Microsoft 365, you must create two app authorizations, one that is named **Microsoft 365** in the app authorization drop-down list, and another that is named **Microsoft 365 Audit Log** in the app authorization drop-down list. You can use the same tenant ID, client ID and client secret for both app authorizations. To receive audit logs from Microsoft 365, you need both the **Microsoft 365** and **Microsoft 365 Audit Log** app authorizations. To use the user access tool alone, only the **Microsoft 365** app authorization is required.

#### Tenant ID
<a name="microsoft-365-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Azure Active Directory tenant ID. To find your Azure Active Directory tenant ID, see [How to find your Azure Active Directory tenant ID](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-find-tenant) in the *Azure Product Documentation* on the Microsoft website.

#### Tenant name
<a name="microsoft-365-tenant-name"></a>

Enter a name that identifies this unique Microsoft 365 account. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="microsoft-365-client-id"></a>

AppFabric will request your client ID. The client ID in AppFabric is the Microsoft 365 application (client) ID. To find your Microsoft 365 application (client) ID, use the following steps:

1. Open the overview page for the OAuth application that you use with AppFabric.

1. The application (client) ID appears under **Essentials**.

1. Enter the application (client) ID for your OAuth client into the **Client ID** field in AppFabric.

#### Client secret
<a name="microsoft-365-client-secret"></a>

AppFabric will request your client secret. Microsoft 365 provides this value only when you initially create the client secret for your OAuth application. To generate a new client secret if you don't have one, use the following steps:

1. To create a client secret, follow the instructions in the [Add a client secret](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) section of the *Azure Active Directory Developer Guide*.

1. Enter the contents of the **Value** field into the **Client secret** field in AppFabric.

#### Approve authorization
<a name="microsoft-365-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Microsoft 365 to approve the authorization. To approve the AppFabric authorization, choose **allow**.

# Configure Miro for AppFabric
<a name="miro"></a>

Miro is an online workspace for innovation that enables distributed teams of any size to build the next big thing. The platform’s infinite canvas enables teams to lead engaging workshops and meetings, design products, brainstorm ideas, and more. Miro, co-headquartered in San Francisco and Amsterdam, serves more than 50M users worldwide, including 99% of the Fortune 100. Miro was founded in 2011 and currently has more than 1,500 employees in 12 hubs around the world. To learn more, visit [https://miro.com](https://miro.com).

Miro includes a full suite of collaborative capabilities designed for innovation including diagramming, wireframing, real-time data visualization, workshop facilitation, and built-in support for agile practices, workshops, and interactive presentations. Miro recently announced Miro AI which extends Miro’s capabilities, with AI-driven mapping and diagramming, clustering and summarization, and content generation. Miro enables organizations to reduce the number of standalone tools, reducing information fragmentation and cost.

You can use AWS AppFabric for security to receive audit logs and user data from Miro, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Miro](#miro-appfabric-support)
+ [Connecting AppFabric to your Miro account](#miro-appfabric-connecting)

## AppFabric support for Miro
<a name="miro-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Miro.

### Prerequisites
<a name="miro-prerequisites"></a>

To use AppFabric to transfer audit logs from Miro to supported destinations, you must meet the following requirements:
+ You must have a Miro Enterprise Plan. For more information about the Miro plan types, see the [Miro pricing](https://miro.com/pricing/) page on the Miro website.
+ You must have a user with the Company Admin role in your Miro account. For more information about roles, see the *Company level* section of [Roles in Miro](https://help.miro.com/hc/en-us/articles/360017571194-Roles-in-Miro#Company_level) on the Miro Help Center website.
+ You must have an Enterprise Developer team in your Miro account. For information about creating developer teams, see [Enterprise Developer teams](https://help.miro.com/hc/en-us/articles/4766759572114) on the Miro Help Center website.

### Rate limit considerations
<a name="miro-rate-limit"></a>

Miro imposes rate limits on the Miro API. For more information about the Miro API rate limits, see [Rate Limiting](https://developers.miro.com/docs/rate-limiting) in the *Miro Developers Guide* on the Miro website. If the combination of AppFabric and your existing Miro API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="miro-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Miro account
<a name="miro-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Miro. To find the information required to authorize Miro with AppFabric, use the following steps.

### Create an OAuth application
<a name="miro-create-oauth-application"></a>

AppFabric integrates with Miro using OAuth. To create an OAuth application in Miro, use the following steps:

1. To create an OAuth application, follow the instructions in the [Creating and installing apps](https://help.miro.com/hc/en-us/articles/4766759572114#Creating_and_installing_apps) section of the *Enterprise Developer teams* article on the Miro Help Center website.

1. On the app creation dialog, select the **Expire user authorization token** check box after you select a developer team on the enterprise organization.

   **Note**  
   You must do this *before* creating the app because you can't change this option after you create the app.

1. On the app page, enter a URL with the following format in the **Redirect URI for OAuth 2.0** section.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Copy and save your client ID and client secret to use in the AppFabric app authorization.

### Required scopes
<a name="miro-required-scopes"></a>

You must add the following scopes in the `Permissions` section of your Miro OAuth app page:
+ `auditlogs:read`
+ `organizations:read`

### App authorizations
<a name="miro-app-authorizations"></a>

#### Tenant ID
<a name="miro-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Miro Team ID. For information about how to find your Miro Team ID, see the *Frequently Asked Questions* section of [I am a new Miro Admin. Where to start?](https://help.miro.com/hc/en-us/articles/360021841280-I-am-a-new-Miro-Admin-Where-to-start-) on the *Miro Help Center* website.

#### Tenant name
<a name="miro-tenant-name"></a>

Enter a name that identifies this unique Miro organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="miro-client-id"></a>

AppFabric will request your client ID. To find your client ID, use the following steps:

1. Navigate to your Miro profile settings.

1. Select the **Your apps** tab.

1. Select the app that you use to connect with AppFabric.

1. Enter the client ID from the **App Credentials** section into the **Client ID** field in AppFabric.

#### Client secret
<a name="miro-client-secret"></a>

AppFabric will request your client secret. To find your client secret, use the following steps:

1. Navigate to your Miro profile settings.

1. Select the **Your apps** tab.

1. Select the app that you use to connect with AppFabric.

1. Enter the client secret from the **App Credentials** section into the **Client secret** field in AppFabric.

#### Approve authorization
<a name="miro-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Miro to approve the authorization. To approve the AppFabric authorization, choose **Allow**.

# Configure Okta for AppFabric
<a name="okta"></a>

Okta is the World’s Identity Company. As the leading independent Identity partner, Okta frees everyone to safely use any technology—anywhere, on any device or app. The most trusted brands trust Okta to enable secure access, authentication, and automation. With flexibility and neutrality at the core of the Okta Workforce Identity and Customer Identity Clouds, business leaders and developers can focus on innovation and accelerate digital transformation, thanks to customizable solutions and more than 7,000 pre-built integrations. Okta is building a world where Identity belongs to you. Learn more at okta.com.

You can use AWS AppFabric for security to receive audit logs and user data from Okta, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Okta](#okta-appfabric-support)
+ [Connecting AppFabric to your Okta account](#okta-appfabric-connecting)

## AppFabric support for Okta
<a name="okta-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Okta.

### Prerequisites
<a name="okta-prerequisites"></a>

To use AppFabric to transfer audit logs from Okta to supported destinations, you must meet the following requirements:
+ You can use AppFabric with any Okta plan type.
+ You must have a user with the **Super Admin** role in your Okta account.
+ The user approving the app authorization in AppFabric must also have the **Super Admin** role in your Okta account.

### Rate limit considerations
<a name="okta-rate-limit"></a>

Okta imposes rate limits on the Okta API. For more information about the Okta API rate limits, see [Rate limits](https://developer.okta.com/docs/reference/rate-limits/) in the *Okta Developer Guide* on the Okta website. If the combination of AppFabric and your existing Okta API applications exceeds Okta's limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="okta-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Okta account
<a name="okta-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Okta. To find the information required to authorize Okta with AppFabric, use the following steps.

### Create an OAuth application
<a name="okta-create-oauth-application"></a>

AppFabric integrates with Okta using OAuth. To create an OAuth application to connect with AppFabric, follow the instructions in [Create OIDC app integrations](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm) on the *Okta Help Center* website. Following are configuration considerations for AppFabric:

1. For **Application Type**, choose **Web application**.

1. For **Grant type**, choose **Authorization Code** and **Refresh Token**.

1. Use a redirect URL with the following format as the **Sign-in redirect URI** and **Sign-out redirect URI**.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. You can skip the **Trusted Origins** configuration.

1. Grant access to everyone in your Okta organization in the **Controlled access** configuration.

   **Note**  
   If you skip this step during initial OAuth application creation, you can assign everyone in your organization as a group using the **Assignments** tab on the application configuration page.

1. You can leave all other options with their default values.

### Required scopes
<a name="okta-required-scopes"></a>

You must add the following scopes to your Okta OAuth application:
+ `okta.logs.read`
+ `okta.users.read`
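
The redirect URL format and the required scopes given in the Miro and Okta sections can be checked before you create the app authorization. The following added example, which is not AWS or vendor code, compares an OAuth application's settings with the values this guide gives; the configuration dictionary, its field names, and the sample values are constructed, and it assumes the OAuth application is dedicated to AppFabric.

```python
from urllib.parse import urlsplit

# Regions this guide lists for AppFabric for security.
APPFABRIC_REGIONS = {"us-east-1", "eu-west-1", "ap-northeast-1"}

# Scopes this guide lists as required for each OAuth application.
REQUIRED_SCOPES = {
    "okta": {"okta.logs.read", "okta.users.read"},
    "miro": {"auditlogs:read", "organizations:read"},
}


def expected_redirect_uri(region):
    """Build the redirect URL in the format this guide documents."""
    if region not in APPFABRIC_REGIONS:
        raise ValueError(f"AppFabric for security is not listed for {region!r}")
    return f"https://{region}.console.aws.amazon.com/appfabric/oauth2"


def check_redirect_uri(uri, region):
    """Return the ways `uri` differs from the documented redirect URL."""
    expected = urlsplit(expected_redirect_uri(region))
    actual = urlsplit(uri)
    problems = []
    if actual.scheme != "https":
        problems.append(f"scheme is {actual.scheme!r}, expected 'https'")
    if actual.username or actual.password:
        problems.append("URI carries userinfo")
    try:
        port = actual.port
    except ValueError:          # non-numeric or out-of-range port
        port = "invalid"
    if port is not None:
        problems.append(f"explicit port {port}")
    if actual.hostname != expected.hostname:
        problems.append(f"host is {actual.hostname!r}, expected {expected.hostname!r}")
    if actual.path != expected.path:
        problems.append(f"path is {actual.path!r}, expected {expected.path!r}")
    if actual.query or actual.fragment:
        problems.append("query string or fragment present")
    return problems


def check_scopes(app, configured):
    """Return (missing, excess) scopes relative to this guide's list."""
    required = REQUIRED_SCOPES[app]
    configured = set(configured)
    return sorted(required - configured), sorted(configured - required)


def preflight(config):
    """Collect every finding for one OAuth application's settings."""
    findings = []
    expected = expected_redirect_uri(config["region"])
    if expected not in config["redirect_uris"]:
        findings.append(f"missing redirect URI {expected}")
    for uri in config["redirect_uris"]:
        for problem in check_redirect_uri(uri, config["region"]):
            findings.append(f"redirect URI {uri}: {problem}")
    missing, excess = check_scopes(config["app"], config["scopes"])
    findings += [f"missing required scope {s}" for s in missing]
    findings += [f"scope {s} is not in this guide's required list" for s in excess]
    return findings


# Constructed sample: an Okta OAuth application with one extra redirect URI,
# one required scope missing, and one scope beyond what this guide lists.
OKTA_SAMPLE = {
    "app": "okta",
    "region": "us-east-1",
    "redirect_uris": [
        "https://us-east-1.console.aws.amazon.com/appfabric/oauth2",
        "http://us-east-1.console.aws.amazon.com/appfabric/oauth2/",
    ],
    "scopes": ["okta.logs.read", "okta.apps.manage"],
}

if __name__ == "__main__":
    for finding in preflight(OKTA_SAMPLE):
        print(finding)
```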

### App authorizations
<a name="okta-app-authorizations"></a>

#### Tenant ID
<a name="okta-tenant-id"></a>

AppFabric will request a tenant ID. The tenant ID in AppFabric is your Okta domain. For more information about finding your Okta domain, see [Find your Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/) in the *Okta Developer Guide* on the Okta website.

#### Tenant name
<a name="okta-tenant-name"></a>

Enter a name that identifies this unique Okta organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="okta-client-id"></a>

AppFabric will request a client ID. To find your client ID in Okta, use the following steps:

1. Navigate to the Okta developer console.

1. Choose the **Applications** tab.

1. Choose your application and then choose the **General** tab.

1. Scroll to the **Client Credentials** section.

1. Enter the client ID from your OAuth client into the **Client ID** field in AppFabric.

#### Client secret
<a name="okta-client-secret"></a>

AppFabric will request a client secret. To find your client secret in Okta, use the following steps:

1. Navigate to the Okta developer console.

1. Choose the **Applications** tab.

1. Choose your application and then choose the **General** tab.

1. Scroll to the **Client Credentials** section.

1. Enter the client secret from your OAuth application into the **Client Secret** field in AppFabric.

#### Approve authorization
<a name="okta-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Okta to approve the authorization. To approve the AppFabric authorization, choose **allow**. The user approving the Okta authorization must have **Super Admin** permission in Okta.

# Configure OneLogin by One Identity for AppFabric
<a name="onelogin"></a>

OneLogin by One Identity is a modern, cloud-based access management solution that seamlessly manages all digital identities for your workforce, customers and partners. OneLogin provides secure single sign-on (SSO), multi-factor authentication (MFA), adaptive authentication, desktop-level MFA, directory integration with AD, LDAP, G Suite and other external directories, identity lifecycle management and much more. With OneLogin, you can protect your organization from the most common attacks, resulting in increased security, frictionless user experiences, and compliance with regulatory requirements.

You can use AWS AppFabric for security to receive audit logs and user data from OneLogin, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for OneLogin by One Identity](#onelogin-appfabric-support)
+ [Connecting AppFabric to your OneLogin by One Identity account](#onelogin-appfabric-connecting)

## AppFabric support for OneLogin by One Identity
<a name="onelogin-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from OneLogin by One Identity.

### Prerequisites
<a name="onelogin-prerequisites"></a>

To use AppFabric to transfer audit logs from OneLogin by One Identity to supported destinations, you must meet the following requirements:
+ You must have a OneLogin Advanced or Professional account.
+ You must have a user with Admin/Delegated Admin privileges.

### Rate limit considerations
<a name="onelogin-rate-limit"></a>

OneLogin by One Identity imposes rate limits on the OneLogin API. For more information about the OneLogin API rate limits, see [Get Rate Limit](https://developers.onelogin.com/api-docs/1/oauth20-tokens/get-rate-limit) in the *OneLogin API Reference*. If the combination of AppFabric and your existing OneLogin API applications exceeds OneLogin's limits, audit logs appearing in AppFabric might be delayed. However, the OneLogin rate limit can be increased. For assistance, contact your OneLogin by One Identity Account Manager or contact [https://partners.amazonaws.com/contactpartner?partnerId=001E000000UfZycIAF&partnerName=One%20Identity](https://partners.amazonaws.com/contactpartner?partnerId=001E000000UfZycIAF&partnerName=One%20Identity).

### Data delay considerations
<a name="onelogin-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your OneLogin by One Identity account
<a name="onelogin-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with OneLogin by One Identity. To find the information required to authorize OneLogin with AppFabric, use the following steps.

### Create an OAuth application
<a name="onelogin-create-oauth-application"></a>

AppFabric integrates with OneLogin by One Identity using OAuth. To create an OAuth application in OneLogin, use the following steps:

1. Navigate to the [OneLogin log-in page](https://app.onelogin.com/login) and sign in.

1. From the **Developers** menu, choose **API Credentials**.

1. Choose **New Credentials**, enter a name for your new credential, and then choose **Read all**.

1. Choose **Save**. OneLogin creates a client ID and a client secret.

### Required scopes
<a name="onelogin-required-scopes"></a>

You must add the following scopes to your OneLogin by One Identity OAuth application:
+ Read all. For more information about scopes and client credentials, see [Working with API Credentials](https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials) in the *OneLogin API Reference*.

### App authorizations
<a name="onelogin-app-authorizations"></a>

#### Tenant ID
<a name="onelogin-tenant-id"></a>

AppFabric will request a tenant ID. The tenant ID in AppFabric is your instance subdomain. You can find your tenant ID in the address bar of your browser. For example, `subdomain` is the tenant ID in the following URL: `https://subdomain.onelogin.com`.

#### Tenant name
<a name="onelogin-tenant-name"></a>

Enter a name that identifies this unique OneLogin by One Identity organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="onelogin-client-id"></a>

AppFabric will request a client ID. To find your client ID in OneLogin by One Identity, use the following steps:

1. Navigate to the [OneLogin log-in page](https://app.onelogin.com/login) and sign in.

1. From the **Developers** menu, choose **API Credentials**.

1. Choose the API credential to get the Client ID.

#### Client secret
<a name="onelogin-client-secret"></a>

AppFabric will request a client secret. To find your client secret in OneLogin by One Identity, use the following steps:

1. Navigate to the [OneLogin log-in page](https://app.onelogin.com/login) and sign in.

1. From the **Developers** menu, choose **API Credentials**.

1. Choose the API credential to get the Client Secret.

#### Client app authorization
<a name="onelogin-approve-authorization"></a>

In AppFabric, create an app authorization using your tenant ID and name, and your client ID and name. Choose connect to activate the authorization.

# Configure PagerDuty for AppFabric
<a name="pagerduty"></a>

PagerDuty is a Digital Operations Management Platform that helps teams mitigate customer-impacting issues by turning any signal into action so you can resolve issues faster and operate more efficiently. PagerDuty integrates with CloudWatch, GuardDuty, CloudTrail, and Personal Health Dashboard.

You can use AWS AppFabric for security to receive audit logs and user data from PagerDuty, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for PagerDuty](#pagerduty-appfabric-support)
+ [Connecting AppFabric to your PagerDuty account](#pagerduty-appfabric-connecting)

## AppFabric support for PagerDuty
<a name="pagerduty-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from PagerDuty.

### Prerequisites
<a name="pagerduty-prerequisites"></a>

To use AppFabric to transfer audit logs from PagerDuty to supported destinations, you must meet the following requirements:
+ To access the audit logs, you must have a PagerDuty **Business** or **Digital Operations** plan.
+ You should be a Global Admin or account owner of the PagerDuty account.

### Rate limit considerations
<a name="pagerduty-rate-limit"></a>

PagerDuty imposes rate limits on the PagerDuty API. For more information about the PagerDuty API rate limits, see [REST API Rate Limits](https://developer.pagerduty.com/docs/72d3b724589e3-rest-api-rate-limits) on the PagerDuty Developer Platform. If the combination of AppFabric and your existing PagerDuty API applications exceeds PagerDuty's limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="pagerduty-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available, and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).
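
The delivery delay described in the data delay considerations for each application in this guide affects any scheduled detection that reads the delivered OCSF events. The following added example, which is not AWS code, replays constructed events through a detection job that runs every 10 minutes and compares a window that ends at the run time with one held back by the 30-minute bound. The `delivered_at` field, the schedule, and the event values are assumptions; `time` (epoch milliseconds) and `metadata.uid` are OCSF attributes.

```python
from datetime import datetime, timedelta, timezone

MAX_DELIVERY_DELAY = timedelta(minutes=30)  # upper bound stated in this guide
RUN_INTERVAL = timedelta(minutes=10)        # assumed detection schedule


def ts(hhmm):
    """HH:MM on an arbitrary sample day, as an aware UTC datetime."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


def make_event(uid, occurred, delivered):
    """Constructed event: OCSF `time` and `metadata.uid`, plus a hypothetical
    `delivered_at` arrival timestamp recorded at the destination."""
    return {
        "time": int(ts(occurred).timestamp() * 1000),
        "metadata": {"uid": uid},
        "delivered_at": ts(delivered),
    }


# Constructed sample: two events arrive quickly, two arrive late but
# still inside the 30-minute bound.
SAMPLE_EVENTS = [
    make_event("evt-1", "10:02", "10:04"),  # delivered after 2 minutes
    make_event("evt-2", "10:07", "10:31"),  # delivered after 24 minutes
    make_event("evt-3", "10:18", "10:47"),  # delivered after 29 minutes
    make_event("evt-4", "10:25", "10:27"),  # delivered after 2 minutes
]


def event_time(event):
    return datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc)


def window_naive(run_at):
    """Evaluate the interval that has just ended."""
    return run_at - RUN_INTERVAL, run_at


def window_held_back(run_at):
    """Evaluate the interval that ended MAX_DELIVERY_DELAY ago, so every
    event in it has had time to arrive."""
    end = run_at - MAX_DELIVERY_DELAY
    return end - RUN_INTERVAL, end


def run_detection(events, run_at, window_fn):
    """Return the uids a run at `run_at` can evaluate: events that have been
    delivered by then and whose event time falls in the run's window."""
    start, end = window_fn(run_at)
    return {
        e["metadata"]["uid"]
        for e in events
        if e["delivered_at"] <= run_at and start <= event_time(e) < end
    }


def simulate(events, first_run, last_run, window_fn):
    """Run the job on its schedule; map each uid to the run that evaluated it."""
    evaluated = {}
    run_at = first_run
    while run_at <= last_run:
        for uid in run_detection(events, run_at, window_fn):
            evaluated.setdefault(uid, run_at)
        run_at += RUN_INTERVAL
    return evaluated


if __name__ == "__main__":
    first, last = ts("10:10"), ts("11:30")
    all_uids = {e["metadata"]["uid"] for e in SAMPLE_EVENTS}
    for name, fn in (("naive", window_naive), ("held back", window_held_back)):
        evaluated = simulate(SAMPLE_EVENTS, first, last, fn)
        print(name, "missed:", sorted(all_uids - set(evaluated)))
```

Holding the window back trades latency for coverage: in the sample, `evt-1` is evaluated 38 minutes after it occurred.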

## Connecting AppFabric to your PagerDuty account
<a name="pagerduty-appfabric-connecting"></a>

The PagerDuty platform supports API access keys. To generate an API access key, use the following steps.

### Create an API Access Key
<a name="pagerduty-create-api-key"></a>

AppFabric integrates with PagerDuty using an API Access key for public clients. To create an API access key in PagerDuty, use the following steps:

1. Navigate to the [PagerDuty log-in page](https://identity.pagerduty.com/global/authn/authentication/PagerDutyGlobalLogin/enter_email) and sign in.

1. Choose **Integrations**, **API Access Keys**.

1. Choose **Create New API Key**.

1. Enter a description and then select **Read-only API Key**.

1. Choose **Create Key**.

1. Copy and save the API key. You'll need this later in AppFabric. If you close the page before saving the API key, you must generate a new API key and save it. This key should be dedicated to AppFabric to avoid sharing the PagerDuty API rate limit with your other integrations.

### App authorizations
<a name="pagerduty-app-authorizations"></a>

#### Tenant ID
<a name="pagerduty-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID for your PagerDuty account is the base URL of your account. You can find this by logging in to PagerDuty and copying from the address bar of your web browser. The tenant ID should follow one of the following formats:
+ For US accounts, `subdomain.pagerduty.com`
+ For EU accounts, `subdomain.eu.pagerduty.com`

#### Tenant name
<a name="pagerduty-tenant-name"></a>

Enter a name that identifies this unique PagerDuty organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Service account token
<a name="pagerduty-service-token"></a>

AppFabric will request your service account token. The service account token in AppFabric is the API access key you created in [Create an API Access Key](#pagerduty-create-api-key).

# Configure Ping Identity for AppFabric
<a name="pingidentity"></a>

At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That's why more than half of the Fortune 100 choose Ping Identity to protect digital interactions for their users while making experiences frictionless. On August 23, 2023, Ping Identity and ForgeRock joined together to deliver more choice, deeper expertise, and a more complete identity solution for customers and partners.

You can use AWS AppFabric for security to receive audit logs and user data from Ping Identity, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Ping Identity](#pingidentity-appfabric-support)
+ [Connecting AppFabric to your Ping Identity account](#pingidentity-appfabric-connecting)

## AppFabric support for Ping Identity
<a name="pingidentity-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Ping Identity.

### Prerequisites
<a name="pingidentity-prerequisites"></a>

To use AppFabric to transfer audit logs from Ping Identity to supported destinations, you must meet the following requirements:
+ You must have an Essential, Plus, or Premium Ping Identity account. For more information about creating or upgrading to the applicable Ping Identity plan type, see [Ping Identity pricing for all features](https://www.pingidentity.com/en/platform/pricing.html) on the Ping Identity website.
+ You must have the **Identity Data Read Only** role in your Ping Identity account. You can add roles to your account by granting roles for your application. For more information about roles, see [Roles](https://docs.pingidentity.com/r/en-us/pingone/p1_c_roles) on the Ping Identity Support website.

### Rate limit considerations
<a name="pingidentity-rate-limit"></a>

Ping Identity doesn't publish rate limits. To learn the rate limits, you must create a support case or reach out to your Ping Identity Customer Success team. If the combination of AppFabric and your existing Ping Identity API applications exceeds Ping Identity's limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="pingidentity-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Ping Identity account
<a name="pingidentity-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Ping Identity. To find the information required to authorize Ping Identity with AppFabric, use the following steps.

### Create an OAuth application
<a name="pingidentity-create-oauth-application"></a>

AppFabric integrates with Ping Identity using OAuth. To create an OAuth application in Ping Identity, use the following steps:

1. Follow the instructions in the [Create an application connection](https://apidocs.pingidentity.com/pingone/main/v1/api/#create-an-application-connection) section in the *PingOne for Developers* guide on the Ping Identity website.

1. After you create the application, customize the grant types.

   1. When signed in to the application, choose the **Configuration** tab and click the pencil icon to make changes in the existing configuration.

   1. Under **Grant Type**, select **Authorization Code**. Keep **PKCE Enforcement** as **OPTIONAL**.

   1. Select **Refresh Token** and choose your refresh durations.

1. Use a redirect URL with the following format in **Redirect URL/callback URL**.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, *<region>* is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

### App authorizations
<a name="pingidentity-app-authorizations"></a>

#### Tenant ID
<a name="pingidentity-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Ping Identity instance name. You can find your tenant ID in the address bar of your browser. For example, `API_PATH/v1/environments/environmentID`, where `API_PATH` represents the regional domain for the PingOne server, such as `api.pingone.com`, and `environmentID` represents your environment ID indicated in your application environment properties. For more information about environment properties, see [Environment Properties](https://docs.pingidentity.com/r/en-us/pingone/p1_c_environments) on the Ping Identity website.

#### Tenant name
<a name="pingidentity-tenant-name"></a>

Enter a name that identifies this unique Ping Identity organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="pingidentity-client-id"></a>

AppFabric will request a client ID. To find your client ID in Ping Identity, use the following steps:

1. Sign in to PingOne admin console and choose **Applications**.

1. Choose the application from the list.

1. Choose the **Overview** tab, and then look for the **Client ID** value.

#### Client secret
<a name="pingidentity-client-secret"></a>

AppFabric will request a client secret. To find your client secret in Ping Identity, use the following steps:

1. Sign in to PingOne admin console and choose **Applications**.

1. Choose the application from the list.

1. Choose the **Overview** tab, and then look for the **Client Secret** value.

#### Approve authorization
<a name="pingidentity-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Ping Identity to approve the authorization. To approve the AppFabric authorization, choose **allow**.

# Configure Salesforce for AppFabric
<a name="salesforce"></a>

Salesforce makes cloud-based software designed to help businesses find more prospects, close more deals, and wow customers with amazing service. Salesforce’s Customer 360 offers a complete suite of products, unites sales, service, marketing, commerce, and IT teams with a single, shared view of customer information, helping organizations grow relationships with customers and employees alike.

You can use AWS AppFabric to receive audit logs and user data from Salesforce, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Salesforce](#salesforce-appfabric-support)
+ [Connecting AppFabric to your Salesforce account](#salesforce-appfabric-connecting)

## AppFabric support for Salesforce
<a name="salesforce-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Salesforce.

### Prerequisites
<a name="salesforce-prerequisites"></a>

To use AppFabric to transfer audit logs from Salesforce to supported destinations, you must meet the following requirements:
+ You must have a [Performance, Enterprise, or Unlimited edition](https://help.salesforce.com/s/articleView?id=sf.overview_edition.htm&type=5) of Salesforce. Contact Salesforce to upgrade to one of these editions.
+ If you want AppFabric to transfer hourly event log files with the [full set of log events](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_supportedeventtypes.htm) from Salesforce, you must subscribe to Event Monitoring as part of the [Shield Features](https://www.salesforce.com/editions-pricing/platform/shield/) of Salesforce. Otherwise, AppFabric will transfer limited events (that is, the Login, Logout, InsecureExternalAssets, API Total Usage, CORS Violation, and HostnameRedirects ELF events) from Salesforce’s standard daily log file. You can check if your Salesforce account is already subscribed to Shield Features by going to **Setup** > **Event Manager**. If you see 19 or more events listed, your account is subscribed to Event Monitoring. If you do not have Event Monitoring, you can purchase a subscription to this add-on by contacting Salesforce.
+ You need to [opt-in for Event Log File generation](https://help.salesforce.com/s/articleView?id=release-notes.rn_security_em_generate_event_log_files.htm&release=244&type=5) in the Salesforce settings.
+ You should use the System Administrator Profile to create an OAuth application and log in with the same credentials for AppFabric.

**Note**  
The API Total Usage, CORS Violation Record, Hostname Redirects, Insecure External Assets, Login, and Logout events are available at no additional cost in supported editions of Salesforce. Contact Salesforce to purchase the remaining event types. For more information about Salesforce event types, see [EventLogFile Supported Event Types](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_supportedeventtypes.htm) on the Salesforce website.  
AppFabric can support up to 100,000 events per event type per log file instance (daily or hourly, depending on Event Monitoring add-on subscription). A log file exceeding the threshold might cause the entire log file to be excluded from ingestion.

### Rate limit considerations
<a name="salesforce-rate-limits"></a>

Salesforce imposes rate limits on the Salesforce API. For more information about the Salesforce API rate limits, see [API Request Limits and Allocations](https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm) on the Salesforce website. If the combination of AppFabric and your existing Salesforce API applications exceeds Salesforce’s limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="salesforce-data-delay"></a>

You might see up to a 6-hour delay on the daily log file or up to a 29-hour delay on the hourly log file for an audit event to be delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Salesforce account
<a name="salesforce-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Salesforce. To find the information required to authorize Salesforce with AppFabric, use the following steps.

### Create an OAuth application
<a name="salesforce-create-oauth"></a>

AppFabric integrates with Salesforce using OAuth. To create an OAuth application in Salesforce, use the following steps:

1. [Log in to your Salesforce account](https://login.salesforce.com).

1. Go to the **Setup page** as described in the [Salesforce documentation](https://help.salesforce.com/s/articleView?id=sf.basics_nav_setup.htm&type=5).

1. Search for **App Manager** in the quick find.

1. Choose **New Connected App**.

1. Enter the required information into the form fields.

1. Choose **Enable OAuth settings**.

1. Be sure to **turn off** the following options:
   + Require Proof Key for Code Exchange (PKCE) Extension For Supported Authorization Flows
   + Require secret for Web Server Flow
   + Require secret for Refresh Token Flow
   + Enable Refresh Token Rotation

1. Enter a URL with the following format in the **Callback URL** text box, and choose **Save** changes.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, *<region>* is the code for the AWS Region in which you configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Fill in the scopes as needed (described in the following [Required scopes](#salesforce-required-scopes) section). All other fields can be left with their default values.

1. Choose **Save**.

1. Complete the following steps to verify the refresh token policy for the new OAuth app:

   1. On the **Setup page**, enter **Connected Apps** into the Quick Find text box, and then choose **Manage Connected Apps**.

   1. Choose **Edit** next to the newly created app.

   1. Make sure that the **Refresh token is valid until revoked** option is selected.

   1. Save your changes.

1. Complete the following steps to verify that audit logs are being generated:

   1. On the **Setup page**, enter **Event Log File** into the Quick Find text box, and then choose **Event Log File Browser**.

   1. Confirm that event logs are listed in the **Event Log File Browser**.

1. Navigate to the created app, and choose **View** from the drop-down.

1. Choose **Manage Consumer Details**.

   You will be redirected to a new tab where you will need to verify your identity. On that tab, make a note of the **Consumer Key** and **Consumer Secret** values. You will need these later to sign in.

### Required scopes
<a name="salesforce-required-scopes"></a>

You must add the following scopes to your Salesforce OAuth application:
+ Manage user data via APIs (`API`).
+ Perform requests at any time (`refresh_token` and `offline_access`).

### App authorizations
<a name="salesforce-app-authorizations"></a>

#### Tenant ID
<a name="salesforce-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is the subdomain of your Salesforce **My Domain**. You can find your **My Domain** subdomain in your browser's address bar between `https://` and `.my.salesforce.com`.

To find your Salesforce **My Domain**, use the following instructions from the Salesforce home screen.

1. Go to the **Setup page** as described in the [Salesforce documentation](https://help.salesforce.com/s/articleView?id=sf.basics_nav_setup.htm&type=5).

1. Search for **Company Settings** in the quick find, and choose **My Domain** in the results.

#### Tenant name
<a name="salesforce-tenant-name"></a>

Enter a name that identifies this unique Salesforce organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="salesforce-client-id"></a>

AppFabric will request a client ID. To find your client ID in Salesforce, use the following steps:

1. Navigate to the **Setup** page.

1. Choose **Setup**, and then choose **App Manager**.

1. Choose the created app, and choose **View** from the drop-down menu.

1. Choose **Manage Consumer Details**. You will be redirected to a new tab.

1. Verify your identity, and then look for the **Consumer Key** value.

1. Enter the **Consumer Key** into the client ID field in AppFabric.

#### Client secret
<a name="salesforce-client-secret"></a>

AppFabric will request your client secret. The **Client secret** in AppFabric is the **Consumer Secret** in Salesforce. To find your consumer secret in Salesforce, use the following steps:

1. Navigate to the **Setup** page.

1. Choose **Setup**, and then choose **App Manager**.

1. Choose the created app, and choose **View** from the drop-down menu.

1. Choose **Manage Consumer Details**. You will be redirected to a new tab.

1. Verify your identity, and then look for the **Consumer Secret** value.

1. Enter the **Consumer Secret** into the client secret field in AppFabric.

#### Approve authorization
<a name="salesforce-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Salesforce to approve the authorization. At the approval page, make sure to use the Salesforce System Administrator Role or a Salesforce user that has the View Event Log Files and API Enabled user permissions while authorizing. Choose **Allow** to approve the AppFabric authorization.

# Configure ServiceNow for AppFabric
<a name="servicenow"></a>

ServiceNow is a leading provider of cloud-based services that automate enterprise IT operations. ServiceNow’s ITOM gives enterprises complete visibility and control of their entire IT environment – including virtualized and cloud infrastructure. It simplifies service mapping, delivery and assurance, consolidating IT service and infrastructure data into a single system of record. It also automates and streamlines key processes — including event, incident, problem, configuration and change management.

You can use AWS AppFabric for security to receive audit logs and user data from ServiceNow, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for ServiceNow](#servicenow-appfabric-support)
+ [Data delay considerations](#servicenow-data-delay)
+ [Connecting AppFabric to your ServiceNow account](#servicenow-appfabric-connecting)

## AppFabric support for ServiceNow
<a name="servicenow-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from ServiceNow.

### Prerequisites
<a name="servicenow-prerequisites"></a>

To use AppFabric to transfer audit logs from ServiceNow to supported destinations, you must meet the following requirements:
+ You can use AppFabric with any ServiceNow plan type.
+ You must have a user with the Administrator role in your ServiceNow account.
+ You must have a ServiceNow instance.

### Rate limit considerations
<a name="servicenow-rate-limits"></a>

ServiceNow imposes rate limits on the ServiceNow API. For more information about the ServiceNow API rate limits, see [Inbound REST API rate limiting](https://docs.servicenow.com/bundle/tokyo-api-reference/page/integrate/inbound-rest/concept/inbound-REST-API-rate-limiting.html) on the ServiceNow website. If the combination of AppFabric and your existing ServiceNow API applications exceeds the limits, audit logs appearing in AppFabric may be delayed.

## Data delay considerations
<a name="servicenow-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your ServiceNow account
<a name="servicenow-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with ServiceNow. Use the following steps to find the information required to authorize ServiceNow with AppFabric.

### Create an OAuth application
<a name="servicenow-create-oauth"></a>

The Now Platform supports OAuth 2.0 - Authorization Grant type for public clients to generate an access token.

1. Register your OAuth application. This requires the following three steps. For more information on completing these steps, see [Register your application with ServiceNow](https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0725643) on the ServiceNow website.

   1. Register the app and make sure the **Auth Scope** has access to the **Table API**, with a **REST API PATH** of **now/table**, and an **HTTP Method** of **GET** as shown in the following example.  
![\[OAuth app configuration in ServiceNow.\]](http://docs.aws.amazon.com/appfabric/latest/adminguide/images/servicenow-oauth-config.png)

   1. Generate an authorization code.

   1. Generate a bearer token using the authorization code.

1. Use a redirect URL with the following format.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, *<region>* is the code for the AWS Region in which you configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

### App authorizations
<a name="servicenow-app-authorizations"></a>

#### Tenant ID
<a name="servicenow-tenant-id"></a>

AppFabric will request a tenant ID. The tenant ID in AppFabric is your instance name. You can find your tenant ID in the address bar of your browser. For example, `example` is the tenant ID in the following URL `https://example.service-now.com`.

#### Tenant name
<a name="servicenow-tenant-name"></a>

Enter a name that identifies this unique ServiceNow organization. AppFabric uses the tenant’s name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="servicenow-client-id"></a>

AppFabric will request a client ID. Use the following steps to find your client ID in ServiceNow.

1. Navigate to the ServiceNow console.

1. Choose **System OAuth**, and then choose the **Application Registry** tab.

1. Choose your application.

1. Enter the client ID from your OAuth client into the **Client ID** field in AppFabric.

#### Client secret
<a name="servicenow-client-secret"></a>

AppFabric will request a client secret. Use the following steps to find your client secret in ServiceNow.

1. Navigate to the ServiceNow console.

1. Choose **System OAuth**, and then choose the **Application Registry** tab.

1. Choose your application.

1. Enter the client secret from your OAuth application into the **Client Secret** field in AppFabric.

#### Approve authorization
<a name="servicenow-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from ServiceNow to approve the authorization. Choose **Allow** to approve the AppFabric authorization.

# Configure Singularity Cloud for AppFabric
<a name="singularity-cloud"></a>

The Singularity Cloud platform protects your enterprise from threats of all categories, at all stages. Its patented artificial intelligence extends security from known signatures and patterns to the most sophisticated attacks, such as zero-day and ransomware.

You can use AWS AppFabric to receive audit logs and user data from Singularity Cloud, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Note**  
Singularity Cloud documentation can be accessed only after you sign in to your Singularity Cloud account. Therefore, we cannot link directly to the Singularity Cloud documentation from this document.

**Topics**
+ [AppFabric support for Singularity Cloud](#singularity-cloud-appfabric-support)
+ [Connecting AppFabric to your Singularity Cloud account](#singularity-cloud-appfabric-connecting)

## AppFabric support for Singularity Cloud
<a name="singularity-cloud-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Singularity Cloud.

### Prerequisites
<a name="singularity-cloud-prerequisites"></a>

To use AppFabric to transfer audit logs from Singularity Cloud to supported destinations, you must have an administrator role in your Singularity Cloud account. For more information about Singularity Cloud roles, sign in to your Singularity Cloud account, browse the documentation section, and search for **roles**.

### Rate limit considerations
<a name="singularity-cloud-rate-limits"></a>

Singularity Cloud imposes rate limits on the Singularity Cloud API. For more information about the Singularity Cloud API rate limits, sign in to your Singularity Cloud account, browse the documentation section, and search for **API rate limits**.

### Data delay considerations
<a name="singularity-cloud-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Singularity Cloud account
<a name="singularity-cloud-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Singularity Cloud. To find the information required to authorize Singularity Cloud with AppFabric, use the following steps.

### Create an API token for Singularity Cloud
<a name="singularity-cloud-api-token"></a>

Complete the following procedure to create an API token that is associated with a service user. The API token will not be linked to a specific console user or email address.

**Note**  
Create a new user or copy the service user to get a new API token before or after a service user API token expires.

1. Sign in to your Singularity Cloud account.

1. In the **Settings** toolbar, choose **Users**, and then choose **Service Users**.

1. Choose **Actions**, and then select **Create New Service User**.

1. On the **Create New Service User** page, enter a name, description, and expiration date for the service user.

1. Choose **Next**.

1. In the **Select Scope of Access** section, select the scope.
   + Select **Account** for the access level.
   + Select the account for which you want to get audit logs.

1. Choose **Create User**.

   The API token is generated. A window opens and shows the token string with a message indicating this is the last time you can view the token.

1. (Optional) Choose **Copy API Token** and store it in a safe location.

1. Choose **Close**.

### App authorizations
<a name="singularity-cloud-app-authorizations"></a>

#### Tenant ID
<a name="singularity-cloud-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is the subdomain of the SentinelOne website address where you sign in to the service. For example, if you sign in to your Singularity Cloud account at the `example-company-1.sentinelone.net` address, your tenant ID is `example-company-1`.
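The tenant ID rules given in the PagerDuty, Salesforce, ServiceNow, and Singularity Cloud sections can be applied to an address pasted from the browser before it is entered in AppFabric. The following is an added example, not AWS code: the application keys, the function name, and the restriction to a single-label subdomain are assumptions of this example.

```python
"""Derive an AppFabric tenant ID from an address copied out of the browser."""
import re
from urllib.parse import urlsplit

LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"  # one DNS label

# (host pattern, keep_whole_host) per application, from the tenant ID
# descriptions on this page. The keys are names chosen for this example.
# Assumption: the subdomain is a single DNS label.
RULES = {
    # PagerDuty: the tenant ID is the whole base URL host, US or EU.
    "pagerduty": (rf"({LABEL})\.(?:eu\.)?pagerduty\.com", True),
    # Salesforce: the part between https:// and .my.salesforce.com.
    "salesforce": (rf"({LABEL})\.my\.salesforce\.com", False),
    # ServiceNow: the instance name in front of .service-now.com.
    "servicenow": (rf"({LABEL})\.service-now\.com", False),
    # Singularity Cloud: the subdomain in front of .sentinelone.net.
    "singularity-cloud": (rf"({LABEL})\.sentinelone\.net", False),
}


class TenantIdError(ValueError):
    """The pasted address does not belong to the expected application."""


def tenant_id(app, pasted):
    """Return the tenant ID for `app`, or raise TenantIdError."""
    if app not in RULES:
        raise TenantIdError(f"no rule for application {app!r}")
    pattern, keep_whole_host = RULES[app]

    text = pasted.strip()
    if "://" not in text:
        text = "https://" + text  # urlsplit needs a scheme to find the host
    parts = urlsplit(text)
    if parts.scheme != "https":
        raise TenantIdError("expected an https address")
    # Anything before '@' is user information, never part of a tenant address.
    if parts.username is not None or parts.password is not None:
        raise TenantIdError("address must not contain user information")

    # hostname drops the port and path; compare case-insensitively and
    # require the whole host to match so a look-alike suffix is rejected.
    host = (parts.hostname or "").lower().rstrip(".")
    match = re.fullmatch(pattern, host)
    if match is None:
        raise TenantIdError(f"{host!r} is not a {app} address")
    return host if keep_whole_host else match.group(1)


if __name__ == "__main__":
    # Constructed sample addresses.
    for app, address in [
        ("servicenow", "https://example.service-now.com"),
        ("singularity-cloud", "example-company-1.sentinelone.net"),
        ("pagerduty", "https://subdomain.eu.pagerduty.com/incidents"),
        ("salesforce", "https://acme.my.salesforce.com/lightning/setup"),
    ]:
        print(app, "->", tenant_id(app, address))
```
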

#### Tenant name
<a name="singularity-cloud-tenant-name"></a>

Enter a name that identifies this unique Singularity Cloud organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Service account token
<a name="singularity-cloud-service-account-token"></a>

Use the token that you generated using the steps in the [Create an API token for Singularity Cloud](#singularity-cloud-api-token) section of this guide. If you misplace or are unable to locate the token, you can generate a new one by following the same steps again.

**Note**  
If a new API token is generated in the **Singularity Cloud** console while AppFabric is ingesting the audit logs, the ingestions will stop. If this happens, you will need to update the app authorization with a new API token to resume audit log ingestion.

# Configure Slack for AppFabric
<a name="slack"></a>

Slack is on a mission to make people’s working lives simpler, more pleasant, and more productive. It is the productivity platform for customer companies that improves performance by empowering everyone with no-code automation, making search and knowledge sharing seamless, and keeping teams connected and engaged as they move work forward together. As part of Salesforce, Slack is deeply integrated into the Salesforce Customer 360, supercharging productivity across sales, service and marketing teams. To learn more and get started with Slack for free, visit [slack.com](https://www.slack.com).

You can use AWS AppFabric for security to receive audit logs and user data from Slack, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Slack](#slack-appfabric-support)
+ [Connecting AppFabric to your Slack account](#slack-appfabric-connecting)

## AppFabric support for Slack
<a name="slack-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Slack.

### Prerequisites
<a name="slack-prerequisites"></a>

To use AppFabric to transfer audit logs from Slack to supported destinations, you must meet the following requirements:
+ You must have an Enterprise Grid plan with Slack. For more information, see [An introduction to Slack Enterprise Grid](https://slack.com/resources/why-use-slack/slack-enterprise-grid) on the Slack website.
+ You must have a user with the **Org Owner** role in your Slack account. For more information about roles, see [Types of roles in Slack](https://slack.com/help/articles/360018112273-Types-of-roles-in-Slack) in the *Slack Help Center* on the Slack website.

### Rate limit considerations
<a name="slack-rate-limits"></a>

Slack imposes rate limits on the Slack API. For more information about Slack API rate limits, see [Rate limits](https://api.slack.com/docs/rate-limits) in the *Slack API Usage Guide* on the Slack website. If the combination of AppFabric and your existing Slack API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="slack-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This is due to delays in the application making audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Slack account
<a name="slack-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Slack. To find the information required to authorize Slack with AppFabric, use the following steps.

### Create an OAuth application
<a name="slack-create-oauth-application"></a>

AppFabric integrates with Slack using OAuth. There are two ways to create an OAuth app: **Using an app manifest** or **From scratch**. To create an OAuth application in Slack, use the following steps.

------
#### [ Using an app manifest ]

1. Navigate to the [Slack App Management UI](https://api.slack.com/apps) in your browser.

1. Choose **Create New App**.

1. Choose **From an app manifest**.

1. Choose the workspace for which you want to authorize AppFabric.

1. In the **Enter app manifest below** box, choose **JSON** and replace the existing JSON with the following. Replace *<region>* with the appropriate AWS Region (for example, *`us-east-1`*).

   ```
   {
       "display_information": {
           "name": "AppFabric"
       },
       "oauth_config": {
           "redirect_urls": [
               "https://<region>.console.aws.amazon.com/appfabric/oauth2"
           ],
           "scopes": {
               "user": [
                   "auditlogs:read",
                   "users:read.email",
                   "users:read"
               ]
           }
       },
       "settings": {
           "org_deploy_enabled": false,
           "socket_mode_enabled": false,
           "token_rotation_enabled": true
       }
   }
   ```

1. Copy and save the client ID and client secret from the **Basic Information** page.

1. For the `auditlogs:read` scope, you must enable public distribution of your app. For more information, see [Enabling public distribution](https://api.slack.com/start/distributing/public#enabling) on the Slack website.

------
#### [ From scratch ]

1. Choose **From scratch** on the **Create an app** screen.

1. Name your app and choose a workspace.

1. Copy and save the client ID and client secret from the **Basic Information** page.

1. On the **OAuth & Permissions** page, opt in to the **Advanced token security via token rotation** option.

1. Add a URL with the following format in the **Redirect URLs** section of the **OAuth & Permissions** page.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. For the `auditlogs:read` scope, you must enable public distribution of your app. For more information, see [Enabling public distribution](https://api.slack.com/start/distributing/public#enabling) on the Slack website.

------

### Required scopes
<a name="slack-required-scopes"></a>

**Note**  
This section applies only if you created the OAuth app from scratch. Skip this section if you used an app manifest to create the OAuth app.

You must add the following user token scopes on the **OAuth & Permissions** page of your Slack OAuth application:
+ `auditlogs:read`
+ `users:read.email`
+ `users:read`
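
A pre-flight check for the manifest and scopes above, as an added example (not AWS or Slack code): it compares a Slack app manifest with the redirect URL format, user token scopes, and settings that this page specifies, and reports anything missing or extra. The Region codes for Europe (Ireland) and Asia Pacific (Tokyo), the function names, and both sample manifests are assumptions constructed for illustration.

```python
import copy
import json
import re

# From the page: redirect URL format, user token scopes, manifest settings.
REDIRECT_RE = re.compile(
    r"^https://([a-z0-9-]+)\.console\.aws\.amazon\.com/appfabric/oauth2$")
REQUIRED_USER_SCOPES = {"auditlogs:read", "users:read.email", "users:read"}
PAGE_SETTINGS = {"org_deploy_enabled": False, "socket_mode_enabled": False,
                 "token_rotation_enabled": True}
# Assumption: Region codes for the three Regions the page names.
APPFABRIC_REGIONS = {"us-east-1", "eu-west-1", "ap-northeast-1"}


def _dict(value):
    """Treat a missing or wrongly typed JSON object as empty."""
    return value if isinstance(value, dict) else {}


def _strings(value):
    """Keep only string members of a JSON array; anything else is ignored."""
    return [v for v in value if isinstance(v, str)] if isinstance(value, list) else []


def lint_manifest(manifest_text, bundle_region):
    """Return findings for a Slack app manifest; an empty list means it matches the page."""
    findings = []
    if bundle_region not in APPFABRIC_REGIONS:
        findings.append(f"{bundle_region} is not an AppFabric Region")
    try:
        manifest = _dict(json.loads(manifest_text))
    except json.JSONDecodeError as exc:
        return findings + [f"manifest is not valid JSON: {exc.msg}"]

    # Redirect URLs: exactly the console URL for the app bundle's Region.
    oauth = _dict(manifest.get("oauth_config"))
    expected = f"https://{bundle_region}.console.aws.amazon.com/appfabric/oauth2"
    urls = _strings(oauth.get("redirect_urls"))
    if expected not in urls:
        findings.append(f"missing redirect URL {expected}")
    for url in urls:
        if url == expected:
            continue
        match = REDIRECT_RE.match(url)
        if "<region>" in url:
            findings.append(f"placeholder not replaced in {url}")
        elif match:
            findings.append(f"redirect URL is for {match.group(1)}, "
                            f"app bundle is in {bundle_region}")
        else:
            findings.append(f"redirect URL outside AppFabric: {url}")

    # Scopes: the three user token scopes and nothing else (least privilege).
    scopes = _dict(oauth.get("scopes"))
    granted = set(_strings(scopes.get("user")))
    for scope in sorted(REQUIRED_USER_SCOPES - granted):
        findings.append(f"missing user scope {scope}")
    for scope in sorted(granted - REQUIRED_USER_SCOPES):
        note = (" (differs from a required scope only in case)"
                if scope.lower() in REQUIRED_USER_SCOPES else "")
        findings.append(f"extra user scope {scope}{note}")
    if _strings(scopes.get("bot")):
        findings.append("bot scopes present; the page lists user scopes only")

    # Settings: token rotation on, the other two flags off, as in the page's manifest.
    settings = _dict(manifest.get("settings"))
    for key, want in PAGE_SETTINGS.items():
        if settings.get(key) is not want:
            findings.append(f"settings.{key} is {settings.get(key)!r}, "
                            f"page manifest sets {want!r}")
    return findings


# Constructed sample 1: the page's manifest with <region> set to us-east-1.
_PAGE = {
    "display_information": {"name": "AppFabric"},
    "oauth_config": {
        "redirect_urls": ["https://us-east-1.console.aws.amazon.com/appfabric/oauth2"],
        "scopes": {"user": ["auditlogs:read", "users:read.email", "users:read"]},
    },
    "settings": dict(PAGE_SETTINGS),
}
PAGE_MANIFEST = json.dumps(_PAGE)

# Constructed sample 2: a manifest that has drifted from the page.
_drift = copy.deepcopy(_PAGE)
_drift["oauth_config"]["redirect_urls"] = [
    "https://<region>.console.aws.amazon.com/appfabric/oauth2",
    "https://eu-west-1.console.aws.amazon.com/appfabric/oauth2",
]
_drift["oauth_config"]["scopes"]["user"] = [
    "auditLogs:read", "users:read", "users:read.email", "channels:history"]
_drift["settings"]["token_rotation_enabled"] = False
DRIFTED_MANIFEST = json.dumps(_drift)

if __name__ == "__main__":
    for finding in lint_manifest(DRIFTED_MANIFEST, "us-east-1"):
        print("FINDING:", finding)
```
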

### App authorizations
<a name="slack-app-authorizations"></a>

#### Tenant ID
<a name="slack-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Slack workspace ID. To get your tenant ID, follow the instructions in [Locate your Slack URL](https://slack.com/help/articles/221769328-Locate-your-Slack-URL) in the *Slack Help Center* on the Slack website. Your Slack workspace URL has a format similar to `examplecorp.slack.com` or `examplecorp.enterprise.slack.com`. The tenant ID you need is `examplecorp` without `.slack.com` or `.enterprise.slack.com`.

#### Tenant name
<a name="slack-tenant-name"></a>

Enter a name that identifies your Slack workspace ID. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="slack-client-id"></a>

AppFabric will request the client ID from your Slack OAuth application. To find the client ID, use the following steps:

1. Navigate to the [Slack App Management UI](https://api.slack.com/apps) in your browser.

1. Choose the OAuth application that you use with AppFabric.

1. Enter the client ID from the **Basic Information** page into the **Client ID** field in AppFabric.

#### Client secret
<a name="slack-client-secret"></a>

AppFabric will request the client secret from your Slack OAuth application. To find the client secret, use the following steps:

1. Navigate to the [Slack App Management UI](https://api.slack.com/apps) in your browser.

1. Choose the OAuth application that you use with AppFabric.

1. Enter the client secret from the **Basic Information** page into the **Client secret** field in AppFabric.

#### Approve authorization
<a name="slack-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Slack to approve the authorization. To approve the AppFabric authorization, choose **allow**.

# Configure Smartsheet for AppFabric
<a name="smartsheet"></a>

Smartsheet is a work management platform that helps you align work, people, and technology across your enterprise. Smartsheet offers a robust set of enterprise-grade capabilities to empower everyone to manage projects, automate workflows, and rapidly build solutions at scale, creating an environment for innovation while maintaining security and compliance.

You can use AWS AppFabric for security to receive audit logs and user data from Smartsheet, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Smartsheet](#smartsheet-appfabric-support)
+ [Connecting AppFabric to your Smartsheet account](#smartsheet-appfabric-connecting)

## AppFabric support for Smartsheet
<a name="smartsheet-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Smartsheet.

### Prerequisites
<a name="smartsheet-prerequisites"></a>

To use AppFabric to transfer audit logs from Smartsheet to supported destinations, you must meet the following requirements:
+ You must have a Smartsheet Business, Enterprise, or Advance account. For more information about creating or upgrading your Smartsheet account, see either [Smartsheet pricing](https://www.smartsheet.com/pricing) or [Smartsheet Advance](https://www.smartsheet.com/pricing/smartsheet-advance) on the Smartsheet website.
+ You must complete the [Smartsheet developer registration](https://developers.smartsheet.com/register/) process.

### Rate limit considerations
<a name="smartsheet-rate-limits"></a>

Smartsheet imposes rate limits on the Smartsheet API. For more information about the Smartsheet API rate limits, see [Rate limiting](https://smartsheet.redoc.ly/#section/Work-at-Scale/Rate-Limiting) in the *Smartsheet API Reference* on the Smartsheet website.

### Data delay considerations
<a name="smartsheet-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This delay is due to the time the application takes to make audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Smartsheet account
<a name="smartsheet-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Smartsheet. To find the information required to authorize Smartsheet with AppFabric, use the following steps.

### Create an OAuth application
<a name="smartsheet-create-oauth-application"></a>

AppFabric integrates with Smartsheet using OAuth. To create an OAuth application in Smartsheet, use the following steps:

1. Navigate to the developer tools in your Smartsheet account.

1. Choose **Create New App** from the developer tools screen.

1. Complete all of the input fields on the **Create New App** screen.

1. Use any unique value for **App URL** and **App Contact/support**.

1. Use a redirect URL with the following format as the App redirect URL.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

1. Choose **Save**.

1. Copy and save the app client ID and app secret.

### Required scopes
<a name="smartsheet-required-scopes"></a>

Smartsheet does not require you to explicitly add scopes to your OAuth configuration. AppFabric will request the following scopes in the authorization request to your Smartsheet account:
+ `READ_EVENTS`
+ `READ_USERS`

### App authorizations
<a name="smartsheet-app-authorizations"></a>

#### Tenant ID
<a name="smartsheet-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Smartsheet account ID.

#### Tenant name
<a name="smartsheet-tenant-name"></a>

AppFabric will request your tenant name. Enter any value that uniquely identifies your Smartsheet account.

#### Client ID
<a name="smartsheet-client-id"></a>

AppFabric will request your client ID. The client ID in AppFabric is your Smartsheet app client ID. To find your app client ID in Smartsheet, use the following steps:

1. Navigate to the developer tools in your Smartsheet account.

1. Select the OAuth application that you use to connect with AppFabric.

1. Enter the app client ID from the **App Profile** screen into the **Client ID** field in AppFabric.

#### Client secret
<a name="smartsheet-client-secret"></a>

AppFabric will request your client secret. The client secret in AppFabric is your Smartsheet app secret. To find your app secret in Smartsheet, use the following steps:

1. Navigate to the developer tools in your Smartsheet account.

1. Select the OAuth application that you use to connect with AppFabric.

1. Enter the app secret from the **App Profile** screen into the **Client Secret** field in AppFabric.

#### Approve authorization
<a name="smartsheet-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Smartsheet to approve the authorization. To approve the AppFabric authorization, choose **Allow**.

# Configure Terraform Cloud for AppFabric
<a name="terraform"></a>

HashiCorp Terraform Cloud is the world’s most widely used multi-cloud provisioning product. The Terraform ecosystem has more than 3,000 providers, 14,000 modules, and 250 million downloads. Terraform Cloud is the fastest way to adopt Terraform, providing everything practitioners, teams, and global businesses need to create and collaborate on infrastructure and manage risks for security, compliance, and operational constraints.

You can use AWS AppFabric for security to receive audit logs and user data from Terraform Cloud, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Terraform Cloud](#terraform-appfabric-support)
+ [Connecting AppFabric to your Terraform Cloud account](#terraform-appfabric-connecting)

## AppFabric support for Terraform Cloud
<a name="terraform-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Terraform Cloud.

### Prerequisites
<a name="terraform-prerequisites"></a>

To use AppFabric to transfer audit logs from Terraform Cloud to supported destinations, you must meet the following requirements:
+ To access the audit logs, you must have a Terraform Cloud Plus Edition plan and be the owner of the organization. For more information about Terraform Cloud plans, see [Terraform pricing](https://www.hashicorp.com/products/terraform/pricing?ajs_aid=33c212cb-664b-45d6-aee8-d3791e90a893&product_intent=terraform) on the HashiCorp Terraform website.
+ Audit logs are available for organizations that can be created from the Terraform Cloud account.

### Rate limit considerations
<a name="terraform-rate-limit"></a>

Terraform Cloud imposes rate limits on the Terraform Cloud API. For more information about the Terraform Cloud API rate limits, see [API Rate Limiting](https://developer.hashicorp.com/terraform/enterprise/application-administration/general#api-rate-limiting) in the Terraform Cloud Developer administration general settings on the Terraform Cloud website. If the combination of AppFabric and your existing Terraform Cloud API applications exceeds Terraform Cloud's limits, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="terraform-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This delay is due to the time the application takes to make audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Terraform Cloud account
<a name="terraform-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Terraform Cloud. To find the information required to authorize Terraform Cloud with AppFabric, use the following steps.

### Create an organization API token
<a name="terraform-create-org-token"></a>

AppFabric integrates with Terraform Cloud using an organization API token. For more information about the Terraform Cloud organization API tokens, see [Organization API Tokens](https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/api-tokens). To create an organization, follow the instructions in [Creating Organizations](https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/organizations#creating-organizations). To create an organization API token in Terraform Cloud, use the following steps.

1. Navigate to the [Terraform Cloud sign in](https://app.terraform.io/session) page and sign in.

1. Choose **Organization**, **Settings** on the left-side panel, and then choose **API tokens**.

1. Under **Organization Tokens**, choose **Create an organization token** and then choose **Generate token**.

1. (Optional) Enter the token's expiration date or time, or create a token that never expires.

1. Copy and save the token. You'll need this later in AppFabric. If you close the page before saving the token, you must revoke the old token and create a new one.

### App authorizations
<a name="terraform-app-authorizations"></a>

#### Tenant ID
<a name="terraform-tenant-id"></a>

AppFabric will request a tenant ID. The tenant ID for your Terraform Cloud account is the current organization URL of your account. You can find this by logging in to your Terraform Cloud organization and copying the current organization URL. The tenant ID should follow one of the following formats:

```
https://app.terraform.io/app/organization_URL
```

#### Tenant name
<a name="terraform-tenant-name"></a>

Enter a name that identifies this unique Terraform Cloud organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Service account token
<a name="terraform-service-token"></a>

AppFabric will request your service account token. The service account token in AppFabric is the organization API token you created in [Create an organization API token](#terraform-create-org-token).

# Configure Webex by Cisco for AppFabric
<a name="webex"></a>

Cisco is a worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future.

**About Webex by Cisco**

Webex is a leading provider of cloud-based collaboration solutions, which include video meetings, calling, messaging, events, customer experience solutions like contact center, and purpose-built collaboration devices. Webex’s focus on delivering inclusive collaboration experiences fuels innovation, which leverages AI and Machine Learning, to remove the barriers of geography, language, personality, and familiarity with technology. Its solutions are underpinned with security and privacy by design. Webex works with the world’s leading business and productivity apps – delivered through a single application and interface. Learn more at [https://webex.com](https://webex.com).

You can use AWS AppFabric for security to receive audit logs and user data from Webex, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Webex](#webex-appfabric-support)
+ [Connecting AppFabric to your Webex account](#webex-appfabric-connecting)

## AppFabric support for Webex
<a name="webex-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Webex.

### Prerequisites
<a name="webex-prerequisites"></a>

To use AppFabric to transfer audit logs from Webex to supported destinations, you must meet the following requirements:
+ You must have a Collaboration Flex plan, Meet Plan, Call Plan, or higher. For more information about creating or upgrading to the applicable Webex plan type, see [Webex pricing for all features](https://pricing.webex.com/us/en/hybrid-work/meetings/all-features/) on the Webex website.
+ Your account must have the [Pro Pack](https://help.webex.com/en-us/article/np3c1rm/Pro-Pack-For-Control-Hub) license to access Security Audit Events provided by one of the Cisco AuditLog APIs.
+ You must have a user with the **Organizational Administrator** > **Full Administrator** role.
+ The **Administrator Roles** configuration for your **Full Administrator** must have the **Compliance Officer** option enabled.

### Rate limit considerations
<a name="webex-rate-limits"></a>

Webex imposes rate limits on the Webex API. For more information about the Webex API rate limits, see [Rate limits](https://developer.webex.com/docs/basics#upper-limits-for-api-requests) in the *Webex Developers Guide* on the Webex website. If the combination of AppFabric and your existing Webex API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="webex-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This delay is due to the time the application takes to make audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Webex account
<a name="webex-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Webex. To find the information required to authorize Webex with AppFabric, use the following steps.

### Create an OAuth application
<a name="webex-create-oauth-application"></a>

AppFabric integrates with Webex using OAuth. To create an OAuth application in Webex, use the following steps:

1. Follow the instructions in the [Registering your Integration](https://developer.webex.com/docs/integrations#registering-your-integration) section in the **Integrations & Authorization** page of the *Webex Developers Guide*.

1. Use a redirect URL with the following format.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

### Required scopes
<a name="webex-required-scopes"></a>

You must add the following scopes to your Webex OAuth application:
+ `spark-compliance:events_read`
+ `audit:events_read`
+ `spark-admin:people_read`

### App authorizations
<a name="webex-app-authorizations"></a>

#### Tenant ID
<a name="webex-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is your Webex organization ID. For information about how to find your Webex organization ID, see [Look Up Your Organization ID in Cisco Webex Control Hub](https://help.webex.com/en-us/article/k5pal8/Look-Up-Your-Organization-ID-in-Cisco-Webex-Control-Hub) on the Webex Help Center website.

#### Tenant name
<a name="webex-temant-names"></a>

Enter a name that identifies this unique Webex instance. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="webex-client-id"></a>

AppFabric will request your Webex client ID. To find your Webex client ID, use the following steps:

1. Sign in to your Webex account at [https://developer.webex.com](https://developer.webex.com).

1. Choose your avatar at the top right.

1. Choose **My Webex Apps**.

1. Choose the OAuth2 application that you use for AppFabric.

1. Enter the client ID on this page into the **Client ID** field in AppFabric.

#### Client secret
<a name="webex-client-secret"></a>

AppFabric will request your Webex client secret. Webex only presents your client secret once when you initially create your OAuth application. To generate a new client secret if you didn't save the initial client secret, use the following steps:

1. Sign in to your Webex account at [https://developer.webex.com](https://developer.webex.com).

1. Choose your avatar at the top right.

1. Choose **My Webex Apps**.

1. Choose the OAuth2 application that you use for AppFabric.

1. On this page, generate a new client secret.

1. Enter the new client secret into the **Client secret** field in AppFabric.

#### Approve authorization
<a name="webex-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Webex to approve the authorization. To approve the AppFabric authorization, choose **accept**.

# Configure Zendesk for AppFabric
<a name="zendesk"></a>

Zendesk started the customer experience revolution in 2007 by enabling any business around the world to take their customer service online. Today, Zendesk is the champion of great service everywhere for everyone, and powers billions of conversations, connecting more than 100,000 brands with hundreds of millions of customers over telephony, chat, email, messaging, social channels, communities, review sites, and help centers. Zendesk products are built with love to be loved. The company was conceived in Copenhagen, Denmark, built and grown in California, and today employs more than 6,000 people across the world.

You can use AWS AppFabric for security to receive audit logs and user data from Zendesk, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Zendesk](#zendesk-appfabric-support)
+ [Connecting AppFabric to your Zendesk account](#zendesk-appfabric-connecting)

## AppFabric support for Zendesk
<a name="zendesk-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Zendesk.

### Prerequisites
<a name="zendesk-prerequisites"></a>

To use AppFabric to transfer audit logs from Zendesk to supported destinations, you must meet these requirements:
+ You must have a Zendesk Suite Enterprise or Enterprise Plus account or a Zendesk Support Enterprise account. For more information about creating or upgrading to a Zendesk Enterprise account, see [Checking your plan type Zendesk](https://support.zendesk.com/hc/en-us/articles/5411234991258-plan) on the Zendesk website.
+ You must have a user with the **Administrator** role in your Zendesk account. For more information about roles, see [Understanding Zendesk Support user roles](https://support.zendesk.com/hc/en-us/articles/4408883763866-Understanding-Zendesk-Support-user-roles) on the Zendesk website.

### Rate limit considerations
<a name="zendesk-rate-limits"></a>

Zendesk imposes rate limits on the Zendesk API. For more information about the Zendesk API rate limits, see [Rate limits](https://developer.zendesk.com/api-reference/introduction/rate-limits/) in the *Zendesk Developers Guide* on the Zendesk website. If the combination of AppFabric and your existing Zendesk API applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="zendesk-data-delay"></a>

You might see up to a 30-minute delay for an audit event to be delivered to your destination. This delay is due to the time the application takes to make audit events available and to precautions taken to reduce data loss. However, this might be customizable at the account level. For assistance, contact [Support](https://aws.amazon.com/contact-us/).

## Connecting AppFabric to your Zendesk account
<a name="zendesk-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Zendesk. To find the information required to authorize Zendesk with AppFabric, use the following steps.

### Create an OAuth application
<a name="zendesk-create-oauth-application"></a>

AppFabric integrates with Zendesk using OAuth. In Zendesk, you must create an OAuth application with the following settings:

1. Follow the instructions in the [Registering your application with Zendesk](https://support.zendesk.com/hc/en-us/articles/4408845965210#topic_s21_lfs_qk) section of the *Using OAuth authentication with your application* article on the Zendesk Support website.

1. Use a redirect URL with the following format.

   ```
   https://<region>.console.aws.amazon.com/appfabric/oauth2
   ```

   In this URL, `<region>` is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the redirect URL is `https://us-east-1.console.aws.amazon.com/appfabric/oauth2`.

### App authorizations
<a name="zendesk-app-authorizations"></a>

#### Tenant ID
<a name="zendesk-tenant-id"></a>

AppFabric will request your Tenant ID. The Tenant ID in AppFabric is your Zendesk subdomain. For more information about finding your Zendesk subdomain, see [Where can I find my Zendesk subdomain](https://support.zendesk.com/hc/en-us/articles/4409381383578-Where-can-I-find-my-Zendesk-subdomain-) on the Zendesk Support website.

#### Tenant name
<a name="zendesk-tenant-name"></a>

Enter a name that identifies this unique Zendesk organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="zendesk-client-id"></a>

AppFabric will request a client ID. The client ID in AppFabric is your Zendesk API unique identifier. To find your Zendesk unique identifier, use the following steps:

1. Navigate to the [Admin Center](https://support.zendesk.com/hc/en-us/articles/4408838272410) in your Zendesk account.

1. Choose **Apps and integrations**.

1. Choose **APIs**, **Zendesk APIs**.

1. Choose the **OAuth Clients** tab.

1. Choose the OAuth application that you created for AppFabric.

1. Enter the unique identifier for your OAuth client into the **Client ID** field in AppFabric.

#### Client secret
<a name="zendesk-client-secret"></a>

AppFabric will request a client secret. The client secret in AppFabric is your Zendesk secret token. Zendesk presents your secret token only once when you first create your Zendesk OAuth application. To generate a new secret token if you didn't save the initial secret token, use the following steps:

1. Navigate to the [Admin Center](https://support.zendesk.com/hc/en-us/articles/4408838272410) in your Zendesk account.

1. Choose **Apps and integrations**.

1. Choose **APIs**, **Zendesk APIs**.

1. Choose the **OAuth Clients** tab.

1. Choose the OAuth application that you created for AppFabric.

1. Choose the **Regenerate** button next to the **Secret token** field.

1. Enter the new secret token into the **Client secret** field in AppFabric.

#### Approve authorization
<a name="zendesk-approve-authorization"></a>

After creating the app authorization in AppFabric, you will receive a pop-up window from Zendesk to approve the authorization. To approve the AppFabric authorization, choose **Allow**.

# Configure Zoom for AppFabric
<a name="zoom"></a>

Zoom is an all-in-one intelligent collaboration platform that makes connecting easier, more immersive, and more dynamic for businesses and individuals. Zoom technology puts people at the center, enabling meaningful connections, facilitating modern collaboration, and driving human innovation through solutions like team chat, phone, meetings, omnichannel cloud contact center, smart recordings, whiteboard, and more, in one offering.

You can use AWS AppFabric for security to receive audit logs and user data from Zoom, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.

**Topics**
+ [AppFabric support for Zoom](#zoom-appfabric-support)
+ [Connecting AppFabric to your Zoom account](#zoom-appfabric-connecting)

## AppFabric support for Zoom
<a name="zoom-appfabric-support"></a>

AppFabric supports receiving user information and audit logs from Zoom.

### Prerequisites
<a name="zoom-prerequisites"></a>

To use AppFabric to transfer audit logs from Zoom to supported destinations, you must meet the following requirements:
+ You must have a Zoom Pro, Business, Education, or Enterprise plan.
+ Your Zoom **Admin** role must have permission to create server-to-server OAuth applications. For information about enabling server-to-server OAuth applications, see the [Enable permissions](https://developers.zoom.us/docs/internal-apps/s2s-oauth/#enable-permissions) section of the *Server-to-Server OAuth* page in the *Zoom Developers Guide* on the Zoom website.
+ Your Zoom **Admin** role must have permission to view admin activity logs and sign in/sign out audit activity. For more information about enabling permission to view audit activity, see [Using role management](https://support.zoom.us/hc/en-us/articles/115001078646) and [Using Admin Activity Logs](https://support.zoom.us/hc/en-us/articles/360032748331-Using-Admin-Activity-Logs) on the Zoom Support website.

### Rate limit considerations
<a name="zoom-rate-limits"></a>

Zoom imposes rate limits on the Zoom API. For more information about Zoom API rate limits, see [Rate limits](https://developers.zoom.us/docs/api/rest/rate-limits/) in the *Zoom Developers Guide*. If the combination of AppFabric and your existing Zoom applications exceeds the limit, audit logs appearing in AppFabric might be delayed.

### Data delay considerations
<a name="zoom-data-delay"></a>

You might see an approximately 24-hour delay for an audit event to be delivered to your destination. This delay is due to the time the application takes to make audit events available and to precautions taken to reduce data loss.

## Connecting AppFabric to your Zoom account
<a name="zoom-appfabric-connecting"></a>

After you create your app bundle within the AppFabric service, you must authorize AppFabric with Zoom. To find the information required to authorize Zoom with AppFabric, use the following steps.

### Create a server-to-server OAuth application
<a name="zoom-create-oauth-application"></a>

AppFabric uses server-to-server OAuth with app credentials to integrate with Zoom. To create a server-to-server OAuth application in Zoom, follow the instructions in [Create a Server-to-Server OAuth app](https://developers.zoom.us/docs/internal-apps/create/) in the *Zoom Developers Guide*. AppFabric does not support Zoom webhooks, and you can skip the section for adding webhook subscriptions.

### Required scopes
<a name="zoom-required-scopes"></a>

Zoom offers two types of scopes: granular scopes (for newly created applications) and classic scopes (for previously created applications).

You must add the following granular scopes to your Zoom server-to-server OAuth application:
+ `report:read:user_activities:admin`
+ `report:read:operation_logs:admin`
+ `user:read:email:admin`
+ `user:read:user:admin`

If you are using a previously created application, you need to add the following classic scopes:
+ `report:read:admin`
+ `user:read:admin`

### App authorizations
<a name="zoom-app-authorizations"></a>

#### Tenant ID
<a name="zoom-tenant-id"></a>

AppFabric will request your tenant ID. The tenant ID in AppFabric is the Zoom account ID. To find your Zoom account ID, use the following steps:

1. Navigate to the Zoom marketplace.

1. Choose **Manage**.

1. Choose the server-to-server OAuth application that you use for AppFabric.

1. Enter the account ID from the **App Credentials** page into the **Tenant ID** field in AppFabric.

#### Tenant name
<a name="zoom-tenant-name"></a>

Enter a name that identifies this unique Zoom organization. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.

#### Client ID
<a name="zoom-client-id"></a>

AppFabric will request your client ID. To find your Zoom client ID, use the following steps:

1. Navigate to the Zoom marketplace.

1. Choose **Manage**.

1. Choose the server-to-server OAuth application that you use for AppFabric.

1. Enter the client ID from the **App Credentials** page into the **Client ID** field in AppFabric.

#### Client secret
<a name="zoom-client-secret"></a>

AppFabric will request your client secret. To find your Zoom client secret, use the following steps:

1. Navigate to the Zoom marketplace.

1. Choose **Manage**.

1. Choose the server-to-server OAuth application that you use for AppFabric.

1. Enter the client secret from the **App Credentials** page into the **Client secret** field in AppFabric.

#### Audit log delivery
<a name="zoom-audit-log-delivery"></a>

Zoom makes audit logs available by accessing the API every 24 hours. When viewing audit logs with AppFabric, the data that you see for Zoom is for the previous day’s activities.

# Compatible security tools and services in AppFabric for security
<a name="security-tools"></a>

AWS AppFabric for security supports integration with the following security tools and services. Choose the name of a service for more information about how to set up AppFabric for security to connect to it.

**Topics**
+ [Barracuda XDR](barracuda.md)
+ [Dynatrace](dynatrace.md)
+ [Logz.io](logz-io.md)
+ [Netskope](netskope.md)
+ [NetWitness](netwitness.md)
+ [Amazon Quick](quicksight.md)
+ [Rapid7](rapid7.md)
+ [Amazon Security Lake](security-lake.md)
+ [Singularity Cloud](singularity-cloud-security.md)
+ [Splunk](splunk.md)

# Barracuda XDR
<a name="barracuda"></a>

Barracuda Networks is a trusted partner and leading provider of cloud-first security solutions, protecting email, networks, data, and applications with innovative solutions that grow and adapt with businesses’ journey. Barracuda XDR is an open extended detection and response solution that combines sophisticated technologies with a team of security analysts in our security operations center (SOC). The Barracuda XDR platform analyzes billions of raw events daily from 40+ integrated data sources, and together with extensive threat detection rules that map to the MITRE ATT&CK® framework, it can detect threats faster and reduce response time.

## AWS AppFabric audit log ingestion considerations
<a name="barracuda-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with Barracuda XDR.

### Schema and format
<a name="barracuda-schema-format"></a>

Barracuda XDR supports the following AppFabric output schema and formats:
+ OCSF - JSON: AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.

### Output locations
<a name="barracuda-output-locations"></a>

Barracuda XDR supports receiving audit logs from Amazon Security Lake. To send data from AppFabric to Barracuda XDR, follow the instructions below:

1. Send data to Amazon Security Lake: Configure AppFabric to send data to Amazon Security Lake through Amazon Data Firehose. For more information, see [Amazon Security Lake](security-lake.md).

1. Send data to Barracuda XDR: Configure Barracuda XDR to receive audit logs from Amazon Security Lake. For more information, see [Setting Up and Using Amazon Security Lake](https://campus.barracuda.com/product/xdr/doc/104366130/setting-up-and-using-amazon-web-services-security-lake/).

# Dynatrace
<a name="dynatrace"></a>

The Dynatrace® Platform combines broad and deep observability and continuous runtime application security with advanced AIOps to provide answers and intelligent automation from data. This enables innovators to modernize and automate cloud operations, deliver software faster and more securely, and ensure flawless digital experiences.

## AWS AppFabric audit log ingestion considerations
<a name="dynatrace-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with the Dynatrace Platform.

### Schema and format
<a name="dynatrace-schema-format"></a>

The Dynatrace Platform supports the following AppFabric output schema and formats:
+ OCSF - JSON: AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.

### Output locations
<a name="dynatrace-output-locations"></a>

The Dynatrace Platform supports receiving audit logs from the following AppFabric output locations:
+ Amazon Simple Storage Service (Amazon S3)
  + To configure the Dynatrace Platform to receive data from the Amazon S3 bucket that contains your audit logs, follow the instructions in [Dynatrace’s S3 Log Forwarder project](https://github.com/dynatrace-oss/dynatrace-aws-s3-log-forwarder) on GitHub.

# Logz.io
<a name="logz-io"></a>

Logz.io helps cloud native businesses monitor and secure their environments via the [Logz.io](http://logz.io/) Open 360 Platform – transforming observability and security from a high-cost, low-value burden into a high-value, cost-efficient enabler of better business outcomes.

Logz.io Cloud SIEM directly addresses today’s leading security challenges – from data overload to the omnipresent cyber skills gap – via fast querying, multidimensional detection and deep customizable security content to help monitor and investigate across the full-expanse of your cloud environment – with no performance degradation, regardless of data volumes.

The Logz.io solution was purpose-built to deliver advanced threat analysis and investigation with less complexity and cost. Customers are backed by dedicated security analysts, threat content as a service and AI-backed capabilities purpose-built to help reduce noisy data and focus on the information that enables your team to rapidly prioritize real world threats.

## AWS AppFabric audit log ingestion considerations
<a name="logz-io-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with Logz.io.

### Schema and format
<a name="logz-io-schema-format"></a>

Logz.io supports the following AppFabric output schema and formats:
+ Raw - JSON
  + AppFabric outputs data in the original schema used by the source application in the JSON format.
+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.

### Output locations
<a name="logz-io-output-locations"></a>

Logz.io supports the following AppFabric output locations:
+ Amazon Data Firehose
  + To configure your Firehose delivery stream so that it sends data to Logz.io, follow the instructions in [Choose Logz.io for Your Destination](https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html#create-destination-logz) in the *Amazon Data Firehose Developer Guide*.
+ Amazon Simple Storage Service (Amazon S3)
  + To configure Logz.io to receive data from the Amazon S3 bucket that contains your audit logs, follow the instructions in [Configure an Amazon S3 bucket](https://docs.logz.io/shipping/log-sources/s3-bucket.html) on the Logz.io website.

# Netskope
<a name="netskope"></a>

Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and zero trust security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. To learn how Netskope helps customers be ready for anything on their SASE journey, visit [netskope.com](https://www.netskope.com/).

## AWS AppFabric audit log ingestion considerations
<a name="netskope-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with Netskope.

### Schema and format
<a name="netskope-schema-format"></a>

Netskope supports the following AppFabric output schema and formats:
+ Raw - JSON
  + AppFabric outputs data in the original schema used by the source application in the JSON format.
+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.

### Output locations
<a name="netskope-output-locations"></a>

Netskope supports the following AppFabric output location:
+ Amazon Simple Storage Service (Amazon S3)
  + To configure Netskope to receive data from the Amazon S3 bucket that contains your audit logs, follow the instructions in [Data Protection for Amazon Web Services S3](https://docs.netskope.com/en/data-protection-for-amazon-web-services-s3.html) on the Netskope website.

# NetWitness
<a name="netwitness"></a>

NetWitness is a leading developer of extended detection and response (XDR) software. Their global base of highly security-conscious customers relies on NetWitness XDR to defend against sophisticated and aggressive adversaries. With the industry’s most complete, integrated, and mature platform to detect, investigate, and respond to digital attacks, NetWitness XDR is the unifying foundation of a modern and effective SOC.

Due to its highly modular architecture, NetWitness XDR detects threats wherever they occur — in the cloud, on-premises, with mobile and remote workers, or anywhere in between. The NetWitness Platform XDR delivers complete visibility combined with applied threat intelligence and user behavior analytics to detect threats, prioritize activities, investigate, and automate response. All this empowers security analysts with better, faster efficiency to keep security operations well ahead of business-impacting threats.

## AWS AppFabric audit log ingestion considerations
<a name="netwitness-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with NetWitness.

### Schema and format
<a name="netwitness-schema-format"></a>

NetWitness supports the following AppFabric output schema and formats:
+ Raw - JSON
  + AppFabric outputs data in the original schema used by the source application in the JSON format.
+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.

### Output locations
<a name="netwitness-output-locations"></a>

NetWitness supports the following AppFabric output location:
+ Amazon Simple Storage Service (Amazon S3)
  + To configure NetWitness to receive data from the Amazon S3 bucket that contains your audit logs, follow the instructions in [S3 Universal Connector Event Source Log Configuration Guide](https://community.netwitness.com/t5/netwitness-platform-integrations/s3-universal-connector-event-source-log-configuration-guide/ta-p/595235) on the *NetWitness Platform Integrations* page on the NetWitness website.

# Amazon Quick
<a name="quicksight"></a>

Amazon Quick powers data-driven organizations with unified business intelligence (BI) at hyperscale. With Quick, all users can meet varying analytic needs from the same source of truth through modern interactive dashboards, paginated reports, embedded analytics, and natural language queries. You can analyze AWS AppFabric audit log data in Quick by choosing the Amazon Simple Storage Service (Amazon S3) bucket where your AppFabric for security logs are stored as your source.

## AppFabric audit log ingestion considerations
<a name="quicksight-audit-log-ingestion"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with Quick.

### Schema and formats
<a name="quicksight-schema-format"></a>

Quick supports the following AppFabric output schema and formats:
+ Raw - JSON
  + AppFabric outputs data in the original schema used by the source application in the JSON format.
+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format. 

### Output locations
<a name="quicksight-output-locations"></a>

Quick supports the following AppFabric output locations:
+ Amazon S3
  + You can ingest data from Amazon S3 directly into Quick by [Creating a dataset using Amazon S3 files](https://docs.aws.amazon.com/quicksight/latest/user/create-a-data-set-s3.html). To verify that your target file set doesn't exceed Quick data source quotas, see [Data source quotas](https://docs.aws.amazon.com/quicksight/latest/user/data-source-limits.html) in the *Quick User Guide*.
  + If your file set exceeds Quick quotas for an Amazon S3 data source, you can ingest your data in Amazon S3 using Amazon Athena and AWS Glue tables. Using Athena in your Quick dataset will incur additional costs. For more information about Athena pricing, see the [Athena pricing page](https://aws.amazon.com/athena/pricing/).

    To use Athena:

    1. Follow the instructions in [Using AWS Glue to connect to data sources in Amazon S3](https://docs.aws.amazon.com/athena/latest/ug/data-sources-glue.html) in the *Athena User Guide*.

    1. Follow the instructions in [Creating a dataset using Athena data](https://docs.aws.amazon.com/quicksight/latest/user/create-a-data-set-athena.html) in the *Quick User Guide*.

# Rapid7
<a name="rapid7"></a>

Rapid7, Inc. is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. Rapid7 empowers security professionals to manage a modern attack surface through best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 10,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision.

## AWS AppFabric audit log ingestion considerations
<a name="rapid7-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output format, and output destinations to use with Rapid7.

### Schema and format
<a name="rapid7-schema-and-format"></a>

Rapid7 supports the following AppFabric output schema and formats:
+ Raw - JSON
  + AppFabric outputs data in the original schema used by the source application in the JSON format.
+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.

### Output locations
<a name="rapid7-output-locations"></a>

Rapid7 supports the following AppFabric output location:
+ Amazon Simple Storage Service (Amazon S3)
  + To configure Rapid7 to receive data from the Amazon S3 bucket that contains your audit logs, follow the instructions in the [How to Monitor Your Amazon S3 Activity with InsightIDR](https://www.rapid7.com/blog/post/2019/08/07/how-to-monitor-your-aws-s3-activity-with-insightidr/) blog post on the Rapid7 Blog website.

# Amazon Security Lake
<a name="security-lake"></a>

Amazon Security Lake automatically centralizes security data from AWS environments, software as a service (SaaS) providers, on premises and cloud sources into a purpose-built data lake stored in your AWS account. With Security Lake, you can get a more complete understanding of your security data across your entire organization. Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open source security event schema. With OCSF support, the service normalizes and combines security data from AWS and a broad range of enterprise security data sources.

## AppFabric audit log ingestion considerations
<a name="security-lake-audit-log-ingestion"></a>

You can get your SaaS audit logs into Amazon Security Lake in your AWS account by adding a custom source to Security Lake. The following sections describe the AppFabric output schema, output format, and output destinations to use with Security Lake.

### Schema and format
<a name="security-lake-schema-format"></a>

Security Lake supports the following AppFabric output schema and format:
+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in JSON format.

### Output locations
<a name="security-lake-output-locations"></a>

Security Lake supports AppFabric as a custom source using an Amazon Data Firehose delivery stream as the AppFabric ingestion output location. To configure the AWS Glue table and Firehose delivery stream, and to set up a custom source in Security Lake, use the following procedures.

### Create an AWS Glue table
<a name="security-lake-create-glue-table"></a>

1. Navigate to Amazon Simple Storage Service (Amazon S3) and create a bucket with a name of your choice.

1. Navigate to the AWS Glue console.

1. For **Data Catalog**, go to the **Tables** section, and choose **Add Table**.

1. Enter a name of your choice for this table.

1. Select the Amazon S3 bucket that you created in step 1.

1. For the data format, select **JSON**, and choose **Next**.

1. On the **Choose or define schema** page, choose **Edit schema as JSON**.

1. Enter the following schema, and complete the AWS Glue table creation process.

   ```
   [
       {
           "Name": "message",
           "Type": "string"
       },
       {
           "Name": "process",
           "Type": "struct<name:string,pid:int,user:struct<name:string,type:string,domain:string,uid:string,type_id:int,full_name:string,risk_level:string,risk_score:int>,group:struct<name:string,uid:string>,tid:int,cmd_line:string,container:struct<name:string,size:int,tag:string,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,parent_process:struct<name:string,pid:int,file:struct<name:string,owner:struct<name:string,type:string,uid:string,type_id:int,email_addr:string,risk_level:string,risk_level_id:int,risk_score:int>,type:string,version:string,path:string,uid:string,type_id:int,mime_type:string,parent_folder:string,data_classification:struct<confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,is_system:boolean,modified_time:bigint,xattributes:string>,user:struct<name:string,type:string,uid:string,org:struct<uid:string,ou_name:string>,type_id:int,uid_alt:string>,group:struct<name:string,uid:string,privileges:array<string>>,tid:int,uid:string,cmd_line:string,container:struct<name:string,uid:string,image:struct<name:string,path:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string,pod_uuid:string>,created_time:bigint,namespace_pid:int,auid:int,euid:int,egid:int>>"
       },
       {
           "Name": "status",
           "Type": "string"
       },
       {
           "Name": "time",
           "Type": "bigint"
       },
       {
           "Name": "device",
           "Type": "struct<name:string,owner:struct<name:string,type:string,uid:string,type_id:int,risk_level:string,risk_level_id:int>,type:string,ip:string,hostname:string,mac:string,image:struct<name:string,tag:string,uid:string>,type_id:int,container:struct<name:string,runtime:string,size:bigint,tag:string,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,network_interfaces:array<struct<name:string,type:string,hostname:string,mac:string,type_id:int>>,region:string,risk_score:int,modified_time_dt:string>"
       },
       {
           "Name": "metadata",
           "Type": "struct<version:string,product:struct<name:string,version:string,uid:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,url_string:string,vendor_name:string>,data_classification:struct<confidentiality:string,confidentiality_id:int>,event_code:string,log_name:string,log_provider:string,original_time:string,tenant_uid:string,processed_time_dt:string>"
       },
       {
           "Name": "severity",
           "Type": "string"
       },
       {
           "Name": "duration",
           "Type": "int"
       },
       {
           "Name": "type_name",
           "Type": "string"
       },
       {
           "Name": "activity_id",
           "Type": "int"
       },
       {
           "Name": "type_uid",
           "Type": "int"
       },
       {
           "Name": "observables",
           "Type": "array<struct<name:string,type:string,type_id:int,value:string>>"
       },
       {
           "Name": "category_name",
           "Type": "string"
       },
       {
           "Name": "class_uid",
           "Type": "int"
       },
       {
           "Name": "category_uid",
           "Type": "int"
       },
       {
           "Name": "class_name",
           "Type": "string"
       },
       {
           "Name": "timezone_offset",
           "Type": "int"
       },
       {
           "Name": "end_time",
           "Type": "bigint"
       },
       {
           "Name": "activity_name",
           "Type": "string"
       },
       {
           "Name": "cloud",
           "Type": "struct<account:struct<name:string,type:string,uid:string,type_id:int>,project_uid:string,provider:string,region:string>"
       },
       {
           "Name": "query_info",
           "Type": "struct<name:string,uid:string,query_string:string>"
       },
       {
           "Name": "query_result",
           "Type": "string"
       },
       {
           "Name": "query_result_id",
           "Type": "int"
       },
       {
           "Name": "severity_id",
           "Type": "int"
       },
       {
           "Name": "status_code",
           "Type": "string"
       },
       {
           "Name": "status_detail",
           "Type": "string"
       },
       {
           "Name": "status_id",
           "Type": "int"
       },
       {
           "Name": "network_interfaces",
           "Type": "array<struct<name:string,type:string,hostname:string,mac:string,type_id:int,ip:string>>"
       },
       {
           "Name": "file",
           "Type": "struct<attributes:int,name:string,type:string,path:string,type_id:int,accessor:struct<name:string,type:string,uid:string,groups:array<struct<name:string,domain:string,uid:string>>,type_id:int,email_addr:string>,creator:struct<name:string,type:string,uid:string,type_id:int,risk_level:string,risk_level_id:int>,parent_folder:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,accessed_time_dt:string,modified_time_dt:string>"
       },
       {
           "Name": "actor",
           "Type": "struct<process:struct<pid:int,file:struct<name:string,size:bigint,type:string,version:string,path:string,type_id:int,parent_folder:string,accessed_time:bigint,confidentiality:string,data_classification:struct<category:string,category_id:int>,is_system:boolean,xattributes:string,modified_time_dt:string>,user:struct<name:string,type:string,uid:string,type_id:int,risk_score:int>,group:struct<name:string>,loaded_modules:array<string>,cmd_line:string,container:struct<name:string,size:int,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,type:string,version:string,path:string,type_id:int,parent_folder:string,confidentiality:string,confidentiality_id:int,created_time:bigint,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int,policy:struct<name:string,version:string,uid:string>>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>>,user:struct<name:string,type:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,type_id:int,risk_level:string,uid_alt:string>,group:struct<name:string>,uid:string,cmd_line:string,container:struct<name:string,runtime:string,size:int,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string>,created_time:bigint,integrity:string,namespace_pid:int,parent_process:struct<name:string,file:struct<name:string,type:string,desc:string,modifier:struct<name:string,type:string,uid:string,type_id:int,email_addr:string>,type_id:int,created_time:bigint,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,xattributes:string,created_time_dt:string>,group:struct<name:string,uid:string>,uid:string,loaded_modules:array<string>,cmd_line:string,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,sandbox:string,egid:int,created_time_dt:string>,created_time_dt:string>,terminated_time:bigint,auid:int>,user:struct<name:string,type:string,uid:string,type_id:int,credential_uid:string,risk_level:string>,app_name:string,idp:struct<name:string,uid:string>,invoked_by:string>"
       },
       {
           "Name": "dst_endpoint",
           "Type": "struct<owner:struct<name:string,type:string,uid:string,type_id:int,full_name:string,risk_level:string,risk_level_id:int,uid_alt:string>,port:int,type:string,ip:string,location:struct<desc:string,city:string,country:string,coordinates:array<double>,continent:string>,hostname:string,uid:string,type_id:int,autonomous_system:struct<name:string,number:int>,container:struct<name:string,size:int,uid:string,image:struct<name:string,tag:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,orchestrator:string>,hw_info:struct<bios_date:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string>"
       },
       {
           "Name": "src_endpoint",
           "Type": "struct<name:string,owner:struct<name:string,type:string,domain:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,groups:array<struct<uid:string>>,type_id:int,credential_uid:string,email_addr:string,ldap_person:struct<deleted_time:bigint,hire_time:bigint,surname:string,last_login_time_dt:string,hire_time_dt:string,leave_time_dt:string>>,port:int,type:string,ip:string,location:struct<desc:string,city:string,country:string,coordinates:array<double>,continent:string>,hostname:string,uid:string,type_id:int,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,intermediate_ips:array<string>,namespace_pid:int,svc_name:string,vpc_uid:string>"
       },
       {
           "Name": "user",
           "Type": "struct<name:string,type:string,groups:array<struct<name:string,uid:string>>,type_id:int>"
       },
       {
           "Name": "resource",
           "Type": "struct<version:string,uid:string,agent_list:array<struct<name:string,type:string,uid:string,type_id:int,policies:array<struct<name:string,version:string,uid:string>>>>,cloud_partition:string,data_classification:struct<category:string,category_id:int>>"
       },
       {
           "Name": "privileges",
           "Type": "array<string>"
       },
       {
           "Name": "action",
           "Type": "string"
       },
       {
           "Name": "action_id",
           "Type": "int"
       },
       {
           "Name": "protocol_ver",
           "Type": "string"
       },
       {
           "Name": "proxy",
           "Type": "struct<name:string,port:int,type:string,ip:string,hostname:string,uid:string,type_id:int,agent_list:array<struct<name:string,type:string,version:string,uid:string,type_id:int>>,autonomous_system:struct<name:string,number:int>,container:struct<name:string,runtime:string,size:int,uid:string,hash:struct<value:string,algorithm:string,algorithm_id:int>>,instance_uid:string,interface_name:string,interface_uid:string,intermediate_ips:array<string>,namespace_pid:int,proxy_endpoint:struct<name:string,port:int,type:string,ip:string,hostname:string,uid:string,type_id:int,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string,labels:array<string>>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,proxy_endpoint:struct<name:string,port:int,type:string,ip:string,hostname:string,uid:string,type_id:int,autonomous_system:struct<name:string,number:int>,container:struct<name:string,runtime:string,size:bigint,uid:string,image:struct<name:string,tag:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,intermediate_ips:array<string>,namespace_pid:int,svc_name:string>,subnet_uid:string,svc_name:string,zone:string>,svc_name:string>"
       },
       {
           "Name": "client_hassh",
           "Type": "struct<algorithm:string,fingerprint:struct<value:string,algorithm:string,algorithm_id:int>>"
       },
       {
           "Name": "authorizations",
           "Type": "array<string>"
       },
       {
           "Name": "proxy_tls",
           "Type": "struct<version:string,certificate:struct<version:string,uid:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,expiration_time:bigint,serial_number:string>,cipher:string,sni:string,certificate_chain:array<string>,client_ciphers:array<string>,ja3_hash:struct<value:string,algorithm:string,algorithm_id:int>,ja3s_hash:struct<value:string,algorithm:string,algorithm_id:int>>"
       },
       {
           "Name": "load_balancer",
           "Type": "struct<name:string,classification:string,dst_endpoint:struct<owner:struct<type:string,domain:string,uid:string,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,credential_uid:string,ldap_person:struct<manager:struct<name:string,type:string,domain:string,uid:string,org:struct<name:string,uid:string,ou_uid:string>,type_id:int>,given_name:string,ldap_dn:string,leave_time:bigint,modified_time:bigint,surname:string>>,port:int,type:string,os:struct<name:string,type:string,type_id:int,edition:string>,ip:string,hostname:string,uid:string,type_id:int,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string,vlan_uid:string>,endpoint_connections:array<struct<code:int,network_endpoint:struct<name:string,owner:struct<name:string,type:string,uid:string,type_id:int,ldap_person:struct<labels:array<string>,created_time:bigint,hire_time:bigint,ldap_dn:string,surname:string,modified_time_dt:string,deleted_time_dt:string>,groups:array<struct<name:string,desc:string,uid:string,type:string>>,full_name:string,email_addr:string,risk_level:string,risk_level_id:int>,port:int,type:string,ip:string,hostname:string,type_id:int,container:struct<name:string,size:int,tag:string,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string>,instance_uid:string,interface_name:string,namespace_pid:int,proxy_endpoint:struct<name:string,owner:struct<name:string,type:string,uid:string,groups:array<struct<name:string,uid:string>>,type_id:int,full_name:string,email_addr:string,risk_score:int,uid_alt:string>,port:int,type:string,hostname:string,uid:string,type_id:int,autonomous_system:struct<name:string,number:int>,container:struct<name:string,size:bigint,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,orchestrator:string,pod_uuid:string>,hw_info:struct<cpu_count:int,cpu_speed:int,keyboard_info:struct<function_keys:int,keyboard_subtype:int>>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string>,subnet_uid:string,svc_name:string,uid:string,interface_uid:string,intermediate_ips:array<string>>>>,metrics:array<struct<name:string,value:string>>>"
       },
       {
           "Name": "disposition_id",
           "Type": "int"
       },
       {
           "Name": "disposition",
           "Type": "string"
       },
       {
           "Name": "proxy_traffic",
           "Type": "struct<bytes:bigint,packets:int>"
       },
       {
           "Name": "auth_type_id",
           "Type": "int"
       },
       {
           "Name": "proxy_http_response",
           "Type": "struct<code:int,message:string,status:string,length:int>"
       },
       {
           "Name": "server_hassh",
           "Type": "struct<algorithm:string,fingerprint:struct<value:string,algorithm:string,algorithm_id:int>>"
       },
       {
           "Name": "auth_type",
           "Type": "string"
       },
       {
           "Name": "firewall_rule",
           "Type": "struct<version:string,uid:string>"
       },
       {
           "Name": "proxy_connection_info",
           "Type": "struct<direction:string,direction_id:int,protocol_num:int,protocol_ver:string>"
       },
       {
           "Name": "connection_info",
           "Type": "struct<direction:string,direction_id:int>"
       },
       {
           "Name": "api",
           "Type": "struct<request:struct<data:string,uid:string>,response:struct<error:string,code:int,message:string,error_message:string>,operation:string>"
       },
       {
           "Name": "attacks",
           "Type": "array<struct<version:string,tactics:array<struct<name:string,uid:string>>,technique:struct<name:string,uid:string>>>"
       },
       {
           "Name": "raw_data",
           "Type": "string"
       },
       {
           "Name": "email_uid",
           "Type": "string"
       },
       {
           "Name": "malware",
           "Type": "array<struct<name:string,path:string,uid:string,classification_ids:array<int>,cves:array<struct<title:string,uid:string,references:array<string>,created_time:bigint,cvss:array<struct<version:string,base_score:double,metrics:array<struct<name:string,value:string>>,overall_score:double,depth:string>>,modified_time_dt:string,created_time_dt:string,type:string>>,provider:string,classifications:array<string>>>"
       },
       {
           "Name": "start_time_dt",
           "Type": "string"
       },
       {
           "Name": "direction",
           "Type": "string"
       },
       {
           "Name": "smtp_hello",
           "Type": "string"
       },
       {
           "Name": "unmapped",
           "Type": "string"
       },
       {
           "Name": "direction_id",
           "Type": "int"
       },
       {
           "Name": "email_auth",
           "Type": "struct<spf:string,dkim:string,dkim_domain:string,dkim_signature:string,dmarc:string,dmarc_override:string,dmarc_policy:string>"
       },
       {
           "Name": "email",
           "Type": "struct<uid:string,from:string,to:array<string>,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,delivered_to:string,message_uid:string,reply_to:string,smtp_from:string>"
       },
       {
           "Name": "impact_id",
           "Type": "int"
       },
       {
           "Name": "resources",
           "Type": "array<struct<owner:struct<name:string,type:string,uid:string,type_id:int,full_name:string,ldap_person:struct<hire_time:bigint,ldap_cn:string,ldap_dn:string,surname:string,leave_time_dt:string>>,version:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,data:string,labels:array<string>,region:string>>"
       },
       {
           "Name": "finding_info",
           "Type": "struct<title:string,uid:string,attacks:array<struct<version:string,tactics:array<struct<name:string,uid:string>>,technique:struct<name:string,uid:string>>>,analytic:struct<name:string,type:string,version:string,desc:string,uid:string,type_id:int>,last_seen_time:bigint,first_seen_time_dt:string>"
       },
       {
           "Name": "evidences",
           "Type": "array<struct<process:struct<name:string,pid:int,file:struct<name:string,type:string,version:string,path:string,type_id:int,company_name:string,parent_folder:string,confidentiality:string,confidentiality_id:int,created_time:bigint,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,owner:struct<name:string,type:string,uid:string,groups:array<struct<name:string,type:string,domain:string>>,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,credential_uid:string,uid_alt:string>,desc:string,accessor:struct<name:string,type:string,uid:string,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,email_addr:string>,creator:struct<name:string,type:string,domain:string,uid:string,org:struct<name:string,uid:string>,type_id:int,full_name:string>,modified_time:bigint,modified_time_dt:string>,user:struct<name:string,type:string,uid:string,type_id:int,risk_score:int,full_name:string>,group:struct<name:string,type:string,uid:string>,uid:string,loaded_modules:array<string>,cmd_line:string,container:struct<name:string,size:int,tag:string,uid:string,image:struct<name:string,path:string,uid:string,labels:array<string>>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,session:struct<uid:string,issuer:string,created_time:bigint,is_remote:boolean,is_vpn:boolean>,file:struct<attributes:int,name:string,size:int,type:string,path:string,modifier:struct<name:string,type:string,uid:string,type_id:int,full_name:string,credential_uid:string,org:struct<name:string,uid:string,ou_name:string>>,product:struct<name:string,version:string,uid:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,vendor_name:string>,type_id:int,company_name:string,mime_type:string,parent_folder:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,modified_time_dt:string,created_time_dt:string,owner:struct<type:string,domain:string,uid:string,org:struct<name:string,uid:string>,groups:array<struct<name:string,type:string,uid:string,desc:string>>,type_id:int,credential_uid:string,email_addr:string,risk_level:string,risk_level_id:int>,accessed_time:bigint,confidentiality:string,confidentiality_id:int,xattributes:string>,user:struct<name:string,type:string,domain:string,uid:string,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,org:struct<name:string,uid:string,ou_name:string>,risk_score:int>,group:struct<uid:string,privileges:array<string>,name:string,type:string,desc:string>,uid:string,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,tag:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,user:struct<name:string,type:string,uid:string,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,credential_uid:string,domain:string,risk_level:string>,group:struct<name:string,uid:string,type:string,desc:string>,uid:string,cmd_line:string,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string,path:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,size:bigint,type:string,version:string,modifier:struct<name:string,type:string,type_id:int,risk_score:int>,type_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,owner:struct<type:string,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>>,path:string,parent_folder:string,is_system:boolean,security_descriptor:string,accessed_time_dt:string>,user:struct<name:string,org:struct<name:string,uid:string,ou_name:string,ou_uid:string>,type:string,domain:string,uid:string,groups:array<struct<name:string,uid:string>>,type_id:int,account:struct<name:string,type:string,type_id:int>,credential_uid:string,risk_score:int>,uid:string,cmd_line:string,container:struct<name:string,runtime:string,size:bigint,uid:string,image:struct<name:string,tag:string,uid:string,path:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,integrity:string,lineage:array<string>,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,type:string,path:string,uid:string,type_id:int,parent_folder:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,xattributes:string,created_time_dt:string,signature:struct<certificate:struct<version:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,serial_number:string,created_time_dt:string>,algorithm:string,algorithm_id:int>,accessor:struct<name:string,type:string,uid:string,type_id:int,risk_level:string,risk_level_id:int,uid_alt:string>,company_name:string,mime_type:string,accessed_time:bigint,modified_time_dt:string>,user:struct<type:string,uid:string,type_id:int,credential_uid:string,email_addr:string,ldap_person:struct<labels:array<string>,deleted_time:bigint>,groups:array<struct<name:string,uid:string,desc:string>>,account:struct<name:string,type:string,uid:string,type_id:int>,risk_level:string,risk_score:int,uid_alt:string>,group:struct<name:string,uid:string,privileges:array<string>>,uid:string,cmd_line:string,container:struct<name:string,size:int,uid:string,image:struct<name:string,uid:string,labels:array<string>>,hash:struct<value:string,algorithm:string,algorithm_id:int>,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,type:string,path:string,uid:string,type_id:int,mime_type:string,parent_folder:string,confidentiality:string,confidentiality_id:int,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,modified_time_dt:string>,user:struct<name:string,type:string,domain:string,uid:string,org:struct<uid:string,ou_name:string>,groups:array<struct<name:string,uid:string>>,type_id:int,email_addr:string,ldap_person:struct<labels:array<string>,manager:struct<name:string,type:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,groups:array<struct<name:string,privileges:array<string>>>,type_id:int,full_name:string,risk_level:string,risk_level_id:int>,last_login_time_dt:string>,uid_alt:string>,group:struct<domain:string,uid:string,privileges:array<string>>,uid:string,loaded_modules:array<string>,cmd_line:string,container:struct<name:string,runtime:string,size:bigint,tag:string,uid:string,image:struct<uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,orchestrator:string>,created_time:bigint,integrity:string,namespace_pid:int,parent_process:struct<name:string,pid:int,session:struct<count:int,uid:string,uuid:string,issuer:string,created_time:bigint,is_remote:boolean,is_vpn:boolean,uid_alt:string>,file:struct<attributes:int,name:string,owner:struct<name:string,type:string,domain:string,uid:string,type_id:int,credential_uid:string,email_addr:string>,type:string,path:string,desc:string,uid:string,type_id:int,mime_type:string,parent_folder:string,confidentiality:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int,policy:struct<name:string,version:string,group:struct<name:string>,uid:string>>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,is_system:boolean>,user:struct<name:string,type:string,uid:string,type_id:int,credential_uid:string,risk_level:string>,group:struct<name:string,desc:string,uid:string,privileges:array<string>>,loaded_modules:array<string>,cmd_line:string,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,session:struct<uid:string,issuer:string,created_time:bigint,is_mfa:boolean,is_remote:boolean,created_time_dt:string>,file:struct<name:string,size:bigint,type:string,version:string,path:string,signature:struct<certificate:struct<version:string,uid:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,expiration_time:bigint,serial_number:string,expiration_time_dt:string>,algorithm:string,algorithm_id:int>,type_id:int,parent_folder:string,created_time:bigint,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time_dt:string>,user:struct<uid:string,risk_level:string>,group:struct<name:string,domain:string>,uid:string,created_time:bigint,namespace_pid:int,auid:int,euid:int,egid:int>,terminated_time:bigint,xattributes:string,euid:int>>,auid:int,terminated_time_dt:string,created_time_dt:string,lineage:array<string>>,egid:int,group:struct<name:string,uid:string>,tid:int,loaded_modules:array<string>,sandbox:string,terminated_time:bigint,xattributes:string,euid:int>,terminated_time:bigint,xattributes:string,terminated_time_dt:string,created_time_dt:string,pid:int,session:struct<issuer:string,created_time:bigint,expiration_reason:string,is_remote:boolean,expiration_time_dt:string>,file:struct<name:string,type:string,path:string,desc:string,modifier:struct<name:string,type:string,uid:string,type_id:int,email_addr:string>,product:struct<name:string,version:string,uid:string,data_classification:struct<confidentiality:string,confidentiality_id:int>,url_string:string,vendor_name:string>,type_id:int,mime_type:string,parent_folder:string,confidentiality:string,created_time:bigint,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int,policy:struct<name:string,version:string,group:struct<type:string,uid:string>,uid:string>>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,modified_time:bigint,accessed_time_dt:string,modified_time_dt:string>,loaded_modules:array<string>,integrity:string,integrity_id:int,lineage:array<string>,egid:int>,terminated_time:bigint,xattributes:string,pid:int,cmd_line:string,auid:int,created_time_dt:string>,xattributes:string,tid:int,integrity:string,euid:int>,file:struct<name:string,type:string,path:string,desc:string,product:struct<name:string,version:string,uid:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,url_string:string,vendor_name:string>,type_id:int,creator:struct<name:string,type:string,uid:string,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,credential_uid:string,uid_alt:string>,parent_folder:string,confidentiality:string,confidentiality_id:int,created_time:bigint,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,accessor:struct<name:string,type:string,uid:string,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,risk_level:string,risk_level_id:int>,company_name:string,accessed_time_dt:string,created_time_dt:string>,query:struct<type:string,hostname:string,class:string,opcode_id:int,packet_uid:int>,connection_info:struct<direction:string,direction_id:int,protocol_num:int,boundary:string,boundary_id:int,protocol_ver:string,protocol_ver_id:int,tcp_flags:int>,api:struct<request:struct<flags:array<string>,uid:string>,response:struct<error:string,code:int,flags:array<string>,message:string,error_message:string>,operation:string,version:string>,actor:struct<process:struct<name:string,pid:int,file:struct<name:string,type:string,path:string,type_id:int,creator:struct<name:string,type:string,uid:string,type_id:int,email_addr:string>,parent_folder:string,confidentiality:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,modified_time:bigint,xattributes:string,modified_time_dt:string,created_time_dt:string,version:string,desc:string,security_descriptor:string>,uid:string,cmd_line:string,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string,tag:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,pod_uuid:string,runtime:string,network_driver:string>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,owner:struct<name:string,type:string,uid:string,type_id:int,full_name:string,risk_level:string>,type:string,path:string,desc:string,modifier:struct<name:string,type:string,uid:string,type_id:int>,uid:string,type_id:int,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct<confidentiality:string,confidentiality_id:int,policy:struct<name:string,version:string,desc:string,uid:string>>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time_dt:string,signature:struct<certificate:struct<version:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,expiration_time:bigint,serial_number:string>,algorithm:string,algorithm_id:int,created_time:bigint>,product:struct<name:string,uid:string,feature:struct<name:string,version:string,uid:string>,cpe_name:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,vendor_name:string>,accessed_time_dt:string>,user:struct<name:string,type:string,domain:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,type_id:int,account:struct<name:string,uid:string>,ldap_person:struct<labels:array<string>,job_title:string,office_location:string,hire_time_dt:string>,risk_score:int>,group:struct<domain:string,desc:string,uid:string,name:string,type:string>,cmd_line:string,container:struct<name:string,size:int,uid:string,hash:struct<value:string,algorithm:string,algorithm_id:int>,image:struct<tag:string,uid:string>,network_driver:string>,created_time:bigint,integrity:string,integrity_id:int,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<attributes:int,name:string,type:string,path:string,signature:struct<digest:struct<value:string,algorithm:string,algorithm_id:int>,algorithm:string,algorithm_id:int>,product:struct<name:string,version:string,uid:string,data_classification:struct<category:string,category_id:int>,vendor_name:string>,uid:string,type_id:int,accessor:struct<name:string,type:string,uid:string,type_id:int>,parent_folder:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,is_system:boolean,xattributes:string,accessed_time_dt:string,modified_time_dt:string>,user:struct<name:string,type:string,uid:string,type_id:int,uid_alt:string,credential_uid:string>,group:struct<name:string,uid:string,domain:string,desc:string>,uid:string,cmd_line:string,container:struct<name:string,size:int,tag:string,uid:string,hash:struct<value:string,algorithm:string,algorithm_id:int>,image:struct<name:string,path:string,uid:string>,orchestrator:string>,created_time:bigint,namespace_pid:int,auid:int,terminated_time_dt:string,integrity:string,integrity_id:int,parent_process:struct<name:string,pid:int,file:struct<attributes:int,name:string,owner:struct<type:string,uid:string,type_id:int,ldap_person:struct<labels:array<string>,cost_center:string,deleted_time:bigint,email_addrs:array<string>,ldap_dn:string,leave_time_dt:string>,risk_level:string,risk_score:int>,type:string,path:string,type_id:int,accessor:struct<name:string,type:string,uid:string>,mime_type:string,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,modified_time_dt:string,created_time_dt:string>,user:struct<name:string,type:string,domain:string,uid:string,type_id:int,full_name:string>,loaded_modules:array<string>,cmd_line:string,container:struct<name:string,size:int,uid:string,image:struct<name:string,tag:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,user:struct<name:string,type:string,domain:string,uid:string,type_id:int,account:struct<name:string,type:string,uid:string,labels:array<string>,type_id:int>,risk_level:string,risk_level_id:int>,uid:string,loaded_modules:array<string>,cmd_line:string,container:struct<name:string,runtime:string,size:int,uid:string,image:struct<name:string,uid:string>>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,session:struct<count:int,uid:string,issuer:string,created_time:bigint,is_remote:boolean>,file:struct<name:string,type:string,path:string,desc:string,modifier:struct<name:string,type:string,uid:string,type_id:int,email_addr:string>,type_id:int,creator:struct<name:string,type:string,uid:string,type_id:int,email_addr:string,risk_level:string,risk_level_id:int>,mime_type:string,parent_folder:string,accessed_time:bigint,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,accessed_time_dt:string>,group:struct<name:string,type:string,uid:string>,tid:int,uid:string,cmd_line:string,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,size:bigint,type:string,path:string,signature:struct<algorithm:string,algorithm_id:int>,modifier:struct<name:string,type:string,uid:string,type_id:int,account:struct<name:string,uid:string>,uid_alt:string>,type_id:int,mime_type:string,parent_folder:string,accessed_time:bigint,confidentiality:string,confidentiality_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,is_system:boolean,accessed_time_dt:string>,user:struct<name:string,type:string,domain:string,uid:string,type_id:int>,group:struct<name:string,uid:string,privileges:array<string>>,uid:string,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,tag:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string,orchestrator:string>,created_time:bigint,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,size:bigint,type:string,path:string,signature:struct<certificate:struct<version:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,expiration_time:bigint,serial_number:string,created_time_dt:string>,algorithm:string,algorithm_id:int>,uid:string,type_id:int,parent_folder:string,accessed_time:bigint,confidentiality:string,confidentiality_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,accessed_time_dt:string,modified_time_dt:string,created_time_dt:string>,user:struct<name:string,type:string,domain:string,uid:string,type_id:int,ldap_person:struct<created_time:bigint,deleted_time:bigint,given_name:string,last_login_time:bigint,ldap_cn:string,surname:string>>,group:struct<type:string,domain:string,uid:string>,cmd_line:string,container:struct<name:string,runtime:string,size:int,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,integrity:string,integrity_id:int,lineage:array<string>,namespace_pid:int,parent_process:struct<name:string,pid:int,session:struct<uid:string,issuer:string,created_time:bigint,is_remote:boolean>,file:struct<name:string,type:string,path:string,type_id:int,company_name:string,parent_folder:string,accessed_time:bigint,data_classification:struct<category:string,category_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,xattributes:string>,user:struct<name:string,type:string,uid:string,type_id:int>,group:struct<name:string,uid:string>,uid:string,cmd_line:string,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string>,created_time:bigint,lineage:array<string>,namespace_pid:int,parent_process:struct<name:string,pid:int,file:struct<name:string,type:string,path:string,type_id:int,accessor:struct<name:string,type:string,domain:string,uid:string,org:struct<name:string,uid:string>,type_id:int,risk_level:string>,creator:struct<name:string,type:string,domain:string,uid:string,type_id:int,full_name:string,risk_level:string,risk_level_id:int>,parent_folder:string,accessed_time:bigint,confidentiality:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,accessed_time_dt:string>,user:struct<name:string,type:string,uid:string,org:struct<name:string,uid:string,ou_name:string,ou_uid:string>,type_id:int,account:struct<name:string,type:string,uid:string,type_id:int>,credential_uid:string,risk_level:string>,group:struct<name:string,uid:string>,uid:string,cmd_line:string,container:struct<name:string,size:int,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,parent_process:struct<pid:int,file:struct<name:string,type:string,path:string,signature:struct<certificate:struct<version:string,uid:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,expiration_time:bigint,serial_number:string,expiration_time_dt:string>,algorithm:string,algorithm_id:int,created_time_dt:string>,uid:string,type_id:int,accessor:struct<name:string,type:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,type_id:int,credential_uid:string,ldap_person:struct<location:struct<desc:string,city:string,country:string,coordinates:array<double>,continent:string>,deleted_time:bigint,job_title:string,modified_time:bigint,modified_time_dt:string,leave_time_dt:string>,risk_score:int>,parent_folder:string,accessed_time:bigint,data_classification:struct<category:string,confidentiality:string,confidentiality_id:int,policy:struct<name:string,version:string,uid:string>>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,is_system:boolean>,user:struct<name:string,type:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,type_id:int,uid_alt:string>,group:struct<name:string,type:string,desc:string,uid:string,privileges:array<string>>,uid:string,cmd_line:string,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,path:string,uid:string,labels:array<string>>,hash:struct<value:string,algorithm:string,algorithm_id:int>,orchestrator:string,pod_uuid:string>,created_time:bigint,integrity:string,namespace_pid:int,created_time_dt:string>,auid:int>,created_time_dt:string>,sandbox:string>>,terminated_time:bigint,euid:int>,terminated_time:bigint,xattributes:string>>,terminated_time:bigint,egid:int>,auid:int,egid:int,uid:string>,terminated_time_dt:string,user:struct<name:string,uid:string,groups:array<struct<name:string,domain:string,uid:string>>,account:struct<name:string,type:string,uid:string,type_id:int>,email_addr:string,risk_level:string>,group:struct<name:string,uid:string>,integrity:string,integrity_id:int,egid:int>,user:struct<name:string,type:string,uid:string,groups:array<struct<name:string,type:string,privileges:array<string>,desc:string,uid:string>>,type_id:int,risk_level:string,risk_level_id:int,uid_alt:string,full_name:string,credential_uid:string,email_addr:string,ldap_person:struct<last_login_time:bigint,deleted_time_dt:string>>,app_uid:string,authorizations:array<struct<policy:struct<name:string,version:string,uid:string,is_applied:boolean>>>>,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string>,databucket:struct<name:string,type:string,uid:string,type_id:int,created_time:bigint,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,created_time_dt:string>,dst_endpoint:struct<name:string,owner:struct<type:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,type_id:int,full_name:string,account:struct<name:string,type:string,uid:string,labels:array<string>,type_id:int>,credential_uid:string,name:string,groups:array<struct<name:string,type:string,desc:string,uid:string>>,risk_level:string,risk_level_id:int>,port:int,type:string,domain:string,ip:string,hostname:string,uid:string,type_id:int,agent_list:array<struct<name:string,type:string,uid:string,type_id:int,uid_alt:string,version:string,policies:array<struct<name:string,version:string>>>>,autonomous_system:struct<name:string,number:int>,container:struct<name:string,size:bigint,tag:string,uid:string,image:struct<name:string,uid:string,tag:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string,runtime:string,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string,vlan_uid:string,os:struct<name:string,type:string,type_id:int,lang:string,edition:string>,intermediate_ips:array<string>,proxy_endpoint:struct<name:string,owner:struct<name:string,domain:string,uid:string,groups:array<struct<name:string,uid:string,domain:string,privileges:array<string>>>>,port:int,type:string,ip:string,location:struct<desc:string,city:string,country:string,coordinates:array<double>,continent:string>,uid:string,mac:string,type_id:int,container:struct<name:string,uid:string,image:struct<name:string,path:string,uid:string,labels:array<string>>,hash:struct<value:string,algorithm:string,algorithm_id:int>>,instance_uid:string,interface_uid:string,intermediate_ips:array<string>,namespace_pid:int,svc_name:string,zone:string>>,src_endpoint:struct<name:string,owner:struct<type:string,groups:array<struct<name:string,domain:string,desc:string,uid:string,privileges:array<string>>>,type_id:int,full_name:string,email_addr:string,ldap_person:struct<deleted_time:bigint,ldap_dn:string,last_login_time_dt:string,created_time:bigint,modified_time:bigint,office_location:string>,name:string,uid:string,credential_uid:string>,port:int,type:string,os:struct<name:string,type:string,version:string,type_id:int,lang:string,cpu_bits:int>,domain:string,ip:string,hostname:string,type_id:int,agent_list:array<struct<name:string,type:string,version:string,uid:string,type_id:int>>,container:struct<name:string,size:int,uid:string,hash:struct<value:string,algorithm:string,algorithm_id:int>,network_driver:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string,vlan_uid:string,uid:string,autonomous_system:struct<name:string,number:int>>,database:struct<name:string,type:string,uid:string,groups:array<struct<name:string,uid:string,domain:string,privileges:array<string>>>,type_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>>>>"
       },
       {
           "Name": "impact",
           "Type": "string"
       },
       {
           "Name": "count",
           "Type": "int"
       },
       {
           "Name": "confidence_id",
           "Type": "int"
       },
       {
           "Name": "enrichments",
           "Type": "array<struct<data:string,name:string,type:string,value:string,provider:string>>"
       },
       {
           "Name": "rcode",
           "Type": "string"
       },
       {
           "Name": "app_name",
           "Type": "string"
       },
       {
           "Name": "rcode_id",
           "Type": "int"
       },
       {
           "Name": "query",
           "Type": "struct<type:string,hostname:string,class:string,opcode_id:int,packet_uid:int>"
       },
       {
           "Name": "proxy_endpoint",
           "Type": "struct<name:string,owner:struct<name:string,type:string,domain:string,uid:string,groups:array<struct<name:string,desc:string,uid:string,privileges:array<string>>>,type_id:int,credential_uid:string,risk_score:int>,port:int,type:string,ip:string,hostname:string,uid:string,type_id:int,autonomous_system:struct<name:string,number:int>,container:struct<name:string,size:bigint,uid:string,image:struct<name:string,uid:string>,hash:struct<value:string,algorithm:string,algorithm_id:int>,pod_uuid:string>,instance_uid:string,interface_uid:string,namespace_pid:int,subnet_uid:string,svc_name:string>"
       },
       {
           "Name": "response_time",
           "Type": "bigint"
       },
       {
           "Name": "delay",
           "Type": "int"
       },
       {
           "Name": "start_time",
           "Type": "bigint"
       },
       {
           "Name": "proxy_http_request",
           "Type": "struct<version:string,url:struct<port:int,scheme:string,path:string,hostname:string,query_string:string,categories:array<string>,category_ids:array<int>,subdomain:string,url_string:string>,user_agent:string,http_headers:array<struct<name:string,value:string>>,referrer:string>"
       },
       {
           "Name": "version",
           "Type": "string"
       },
       {
           "Name": "stratum",
           "Type": "string"
       },
       {
           "Name": "stratum_id",
           "Type": "int"
       },
       {
           "Name": "dispersion",
           "Type": "int"
       },
       {
           "Name": "traffic",
           "Type": "struct<bytes_out:int,chunks:bigint,bytes:int,packets:int,packets_in:bigint>"
       },
       {
           "Name": "precision",
           "Type": "int"
       },
       {
           "Name": "size",
           "Type": "int"
       },
       {
           "Name": "actual_permissions",
           "Type": "int"
       },
       {
           "Name": "base_address",
           "Type": "string"
       },
       {
           "Name": "requested_permissions",
           "Type": "int"
       },
       {
           "Name": "end_time_dt",
           "Type": "string"
       },
       {
           "Name": "compliance",
           "Type": "struct<control:string,status:string,standards:array<string>,status_id:int>"
       },
       {
           "Name": "remediation",
           "Type": "struct<desc:string>"
       },
       {
           "Name": "kb_article_list",
           "Type": "array<struct<os:struct<name:string,type:string,type_id:int,cpe_name:string,edition:string>,title:string,uid:string,severity:string,classification:string,created_time:bigint,size:int,created_time_dt:string>>"
       },
       {
           "Name": "peripheral_device",
           "Type": "struct<name:string,class:string,uid:string,model:string,serial_number:string,vendor_name:string>"
       },
       {
           "Name": "time_dt",
           "Type": "string"
       },
       {
           "Name": "group",
           "Type": "struct<name:string,type:string,uid:string>"
       },
       {
           "Name": "users",
           "Type": "array<struct<name:string,type:string,uid:string,type_id:int,risk_level:string,risk_level_id:int,groups:array<struct<name:string,uid:string>>,uid_alt:string>>"
       },
       {
           "Name": "confidence_score",
           "Type": "int"
       },
       {
           "Name": "state",
           "Type": "string"
       },
       {
           "Name": "state_id",
           "Type": "int"
       },
       {
           "Name": "evidence",
           "Type": "string"
       },
       {
           "Name": "confidence",
           "Type": "string"
       },
       {
           "Name": "risk_level",
           "Type": "string"
       },
       {
           "Name": "risk_score",
           "Type": "int"
       },
       {
           "Name": "impact_score",
           "Type": "int"
       },
       {
           "Name": "risk_level_id",
           "Type": "int"
       },
       {
           "Name": "finding",
           "Type": "struct<title:string,uid:string,modified_time:bigint,modified_time_dt:string,first_seen_time_dt:string>"
       },
       {
           "Name": "user_result",
           "Type": "struct<name:string,type:string,uid:string,type_id:int,account:struct<name:string,uid:string,labels:array<string>>,risk_level:string>"
       },
       {
           "Name": "codes",
           "Type": "array<int>"
       },
       {
           "Name": "command",
           "Type": "string"
       },
       {
           "Name": "type",
           "Type": "string"
       },
       {
           "Name": "kernel",
           "Type": "struct<name:string,type:string,type_id:int>"
       },
       {
           "Name": "http_response",
           "Type": "struct<code:int,status:string,http_headers:array<struct<name:string,value:string>>>"
       },
       {
           "Name": "http_request",
           "Type": "struct<url:struct<scheme:string,path:string,hostname:string,query_string:string,category_ids:array<int>,resource_type:string,subdomain:string,url_string:string>,user_agent:string,http_headers:array<struct<name:string,value:string>>>"
       },
       {
           "Name": "tls",
           "Type": "struct<version:string,certificate:struct<subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,expiration_time:bigint,serial_number:string>,cipher:string,sni:string,certificate_chain:array<string>,client_ciphers:array<string>,ja3s_hash:struct<value:string,algorithm:string,algorithm_id:int>>"
       },
       {
           "Name": "web_resources",
           "Type": "array<struct<name:string,type:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,url_string:string,data:string>>"
       },
       {
           "Name": "http_cookies",
           "Type": "array<struct<name:string,value:string,is_http_only:boolean,is_secure:boolean,samesite:string,expiration_time_dt:string,path:string>>"
       },
       {
           "Name": "type_id",
           "Type": "int"
       },
       {
           "Name": "databucket",
           "Type": "struct<name:string,type:string,file:struct<attributes:int,name:string,owner:struct<name:string,type:string,uid:string,type_id:int,account:struct<type:string,uid:string,type_id:int>,ldap_person:struct<email_addrs:array<string>,modified_time:bigint,modified_time_dt:string>,risk_score:int>,size:bigint,type:string,path:string,modifier:struct<name:string,type:string,uid:string,groups:array<struct<name:string,domain:string,desc:string,uid:string>>,type_id:int>,type_id:int,parent_folder:string,created_time:bigint,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,accessed_time_dt:string>,uid:string,groups:array<struct<name:string,type:string,uid:string>>,type_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,policy:struct<version:string,uid:string,is_applied:boolean>>,modified_time_dt:string,created_time_dt:string>"
       },
       {
           "Name": "table",
           "Type": "struct<uid:string,created_time_dt:string>"
       },
       {
           "Name": "session",
           "Type": "struct<count:int,uid:string,uuid:string,issuer:string,created_time:bigint,is_remote:boolean,is_vpn:boolean,uid_alt:string>"
       },
       {
           "Name": "certificate",
           "Type": "struct<version:string,uid:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,expiration_time:bigint,serial_number:string>"
       },
       {
           "Name": "is_mfa",
           "Type": "boolean"
       },
       {
           "Name": "logon_type_id",
           "Type": "int"
       },
       {
           "Name": "auth_protocol_id",
           "Type": "int"
       },
       {
           "Name": "logon_type",
           "Type": "string"
       },
       {
           "Name": "is_remote",
           "Type": "boolean"
       },
       {
           "Name": "is_cleartext",
           "Type": "boolean"
       },
       {
           "Name": "auth_protocol",
           "Type": "string"
       },
       {
           "Name": "is_renewal",
           "Type": "boolean"
       },
       {
           "Name": "lease_dur",
           "Type": "int"
       },
       {
           "Name": "relay",
           "Type": "struct<name:string,type:string,ip:string,mac:string,namespace:string,type_id:int>"
       },
       {
           "Name": "transaction_uid",
           "Type": "string"
       },
       {
           "Name": "file_result",
           "Type": "struct<name:string,size:int,type:string,path:string,desc:string,product:struct<name:string,version:string,uid:string,lang:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,vendor_name:string>,type_id:int,creator:struct<name:string,type:string,domain:string,uid:string,org:struct<name:string,uid:string,ou_name:string>,groups:array<struct<name:string,uid:string,desc:string>>,type_id:int,risk_level:string>,parent_folder:string,confidentiality:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,modified_time:bigint>"
       },
       {
           "Name": "file_diff",
           "Type": "string"
       },
       {
           "Name": "create_mask",
           "Type": "string"
       },
       {
           "Name": "web_resources_result",
           "Type": "array<struct<type:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,url_string:string>>"
       },
       {
           "Name": "app",
           "Type": "struct<name:string,version:string,uid:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,url_string:string,vendor_name:string>"
       },
       {
           "Name": "src_url",
           "Type": "string"
       },
       {
           "Name": "priority_id",
           "Type": "int"
       },
       {
           "Name": "verdict",
           "Type": "string"
       },
       {
           "Name": "desc",
           "Type": "string"
       },
       {
           "Name": "verdict_id",
           "Type": "int"
       },
       {
           "Name": "priority",
           "Type": "string"
       },
       {
           "Name": "finding_info_list",
           "Type": "array<struct<title:string,uid:string,attacks:array<struct<version:string,tactics:array<struct<name:string,uid:string>>,technique:struct<name:string,uid:string>>>,analytic:struct<name:string,type:string,uid:string,type_id:int>,created_time:bigint,src_url:string,last_seen_time_dt:string,created_time_dt:string,related_analytics:array<struct<name:string,type:string,uid:string,category:string,type_id:int>>,related_events:array<struct<type:string,uid:string,type_name:string,type_uid:bigint,kill_chain:array<struct<phase:string,phase_id:int>>>>,modified_time_dt:string>>"
       },
       {
           "Name": "expiration_time_dt",
           "Type": "string"
       },
       {
           "Name": "expiration_time",
           "Type": "bigint"
       },
       {
           "Name": "comment",
           "Type": "string"
       },
       {
           "Name": "entity",
           "Type": "struct<data:string,name:string,version:string,uid:string>"
       },
       {
           "Name": "entity_result",
           "Type": "struct<data:string,name:string,type:string,version:string,uid:string>"
       },
       {
           "Name": "module",
           "Type": "struct<type:string,file:struct<name:string,type:string,path:string,desc:string,type_id:int,company_name:string,creator:struct<name:string,type:string,domain:string,groups:array<struct<name:string,uid:string>>,type_id:int,risk_level:string>,parent_folder:string,data_classification:struct<confidentiality:string,confidentiality_id:int>,xattributes:string>,base_address:string,function_name:string,load_type:string,load_type_id:int,start_address:string>"
       },
       {
           "Name": "exit_code",
           "Type": "int"
       },
       {
           "Name": "injection_type",
           "Type": "string"
       },
       {
           "Name": "injection_type_id",
           "Type": "int"
       },
       {
           "Name": "request",
           "Type": "struct<uid:string>"
       },
       {
           "Name": "response",
           "Type": "struct<error:string,code:int,message:string,error_message:string>"
       },
       {
           "Name": "driver",
           "Type": "struct<file:struct<name:string,type:string,version:string,path:string,type_id:int,parent_folder:string,created_time:bigint,data_classification:struct<confidentiality:string,confidentiality_id:int,policy:struct<name:string,version:string,uid:string,is_applied:boolean>>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,created_time_dt:string>>"
       },
       {
           "Name": "prev_security_states",
           "Type": "array<string>"
       },
       {
           "Name": "security_states",
           "Type": "array<string>"
       },
       {
           "Name": "folder",
           "Type": "struct<name:string,type:string,path:string,desc:string,type_id:int,mime_type:string,parent_folder:string,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string,accessed_time_dt:string>"
       },
       {
           "Name": "url",
           "Type": "struct<port:int,scheme:string,path:string,hostname:string,query_string:string,resource_type:string,url_string:string>"
       },
       {
           "Name": "tunnel_type_id",
           "Type": "int"
       },
       {
           "Name": "tunnel_type",
           "Type": "string"
       },
       {
           "Name": "protocol_name",
           "Type": "string"
       },
       {
           "Name": "job",
           "Type": "struct<name:string,file:struct<name:string,type:string,path:string,signature:struct<certificate:struct<version:string,subject:string,issuer:string,fingerprints:array<struct<value:string,algorithm:string,algorithm_id:int>>,created_time:bigint,expiration_time:bigint,serial_number:string>,algorithm:string,algorithm_id:int,developer_uid:string>,type_id:int,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,hashes:array<struct<value:string,algorithm:string,algorithm_id:int>>,security_descriptor:string>,desc:string,cmd_line:string,created_time:bigint,last_run_time:bigint,next_run_time:bigint,run_state:string,run_state_id:int>"
       },
       {
           "Name": "num_trusted_items",
           "Type": "int"
       },
       {
           "Name": "command_uid",
           "Type": "string"
       },
       {
           "Name": "num_registry_items",
           "Type": "int"
       },
       {
           "Name": "num_network_items",
           "Type": "int"
       },
       {
           "Name": "schedule_uid",
           "Type": "string"
       },
       {
           "Name": "num_resolutions",
           "Type": "int"
       },
       {
           "Name": "scan",
           "Type": "struct<name:string,type:string,type_id:int>"
       },
       {
           "Name": "num_detections",
           "Type": "int"
       },
       {
           "Name": "num_processes",
           "Type": "int"
       },
       {
           "Name": "num_files",
           "Type": "int"
       },
       {
           "Name": "total",
           "Type": "int"
       },
       {
           "Name": "num_folders",
           "Type": "int"
       },
       {
           "Name": "dce_rpc",
           "Type": "struct<command:string,flags:array<string>,command_response:string,opnum:int,rpc_interface:struct<version:string,uuid:string,ack_reason:int,ack_result:int>>"
       },
       {
           "Name": "share",
           "Type": "string"
       },
       {
           "Name": "client_dialects",
           "Type": "array<string>"
       },
       {
           "Name": "open_type",
           "Type": "string"
       },
       {
           "Name": "tree_uid",
           "Type": "string"
       },
       {
           "Name": "share_type_id",
           "Type": "int"
       },
       {
           "Name": "share_type",
           "Type": "string"
       },
       {
           "Name": "dialect",
           "Type": "string"
       },
       {
           "Name": "cis_benchmark_result",
           "Type": "struct<name:string>"
       },
       {
           "Name": "vulnerabilities",
           "Type": "array<struct<references:array<string>,severity:string,affected_packages:array<struct<name:string,version:string,architecture:string,path:string,release:string,package_manager:string>>,cve:struct<type:string,uid:string,references:array<string>,created_time:bigint,cvss:array<struct<version:string,depth:string,base_score:double,vector_string:string,severity:string,overall_score:double>>,epss:struct<version:string,created_time:bigint,score:string>,title:string,desc:string,cwe_url:string>,cwe:struct<uid:string,caption:string,src_url:string>,kb_articles:array<string>,kb_article_list:array<struct<os:struct<name:string,type:string,country:string,type_id:int,lang:string,edition:string,sp_name:string,cpe_name:string,build:string,sp_ver:int>,title:string,product:struct<name:string,version:string,feature:struct<name:string,version:string,uid:string>,url_string:string,vendor_name:string>,uid:string,severity:string,created_time:bigint,is_superseded:boolean,classification:string>>,related_vulnerabilities:array<string>,vendor_name:string>>"
       },
       {
           "Name": "service",
           "Type": "struct<name:string,uid:string>"
       },
       {
           "Name": "data_security",
           "Type": "struct<category:string,pattern_match:string,category_id:int,confidentiality:string,confidentiality_id:int,data_lifecycle_state:string,data_lifecycle_state_id:int,detection_system:string,detection_system_id:int,policy:struct<name:string,version:string,group:struct<type:string,uid:string>,desc:string,uid:string>>"
       },
       {
           "Name": "database",
           "Type": "struct<name:string,type:string,uid:string,type_id:int,data_classification:struct<category:string,category_id:int,confidentiality:string,confidentiality_id:int>,modified_time:bigint>"
       }
   ]
   ```

### Create a custom source in Security Lake
<a name="security-lake-create-security-lake-custom-source"></a>

1. Navigate to the Amazon Security Lake console.

1. Select **Custom sources** in the navigation pane.

1. Choose **Create custom source**.

1. Enter a name for your custom source and select an applicable OCSF event class.
**Note**  
AppFabric uses **Account Change**, **Authentication**, **User Access Management**, **Group Management**, **Web Resources Activity**, and **Web Resource Access Activity** event classes.

1. For both **AWS account ID** and **External ID**, enter your AWS account ID. Then, choose **Create**.

1. Save the Amazon S3 location of the custom source. You will use it to set up an Amazon Data Firehose delivery stream.

### Create a delivery stream in Firehose
<a name="security-lake-create-kinesis-data-firehose"></a>

1. Navigate to the Amazon Data Firehose console.

1. Choose **Create a delivery stream**.

1. For **Source**, select **Direct PUT**.

1. For **Destination**, choose **S3**.

1. In the **Transform and convert records** section, choose **Enable record format conversion** and choose **Apache Parquet** as the output format.

1. For **AWS Glue table**, choose the AWS Glue table that you created in the previous procedure, and choose the latest version.

1. For **Destination settings**, choose the Amazon S3 bucket that you created with the Security Lake custom source.

1. For **Dynamic Partitioning**, choose **Enabled**.

1. For **Inline parsing for JSON**, choose **Enabled**.
   + For **Keyname**, enter `eventDayValue`.
   + For **JQ Expression**, enter `(.time/1000)|strftime("%Y%m%d")`.

1. For the **S3 bucket prefix**, enter the following value.

   ```
   ext/<custom source name>/region=<region>/accountId=<account_id>/eventDay=!{partitionKeyFromQuery:eventDayValue}/
   ```

   Replace *<custom source name>*, *<region>*, and *<account\_id>* with your Security Lake custom source name, AWS Region, and AWS account ID.

1. For the **S3 bucket error output prefix**, enter the following value.

   ```
   ext/AppFabric/error/
   ```

1. For the **Retry duration**, select **300**.

1. For the **Buffer size**, select **128 MiB**.

1. For the **Buffer interval**, select **60s**.

1. Complete the creation process for the Firehose delivery stream.
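
The partitioning settings from the procedure above, worked through in Python as an added example (not part of the AWS documentation): it reproduces the UTC day calculation of the JQ expression and the resulting S3 prefix, and shows that an event whose `time` is in seconds rather than milliseconds lands in a 1970 partition. The source name, Region, account ID, and events are constructed placeholders, and filing unparseable records directly under the error prefix is a simplifying assumption.

```python
"""Added example: emulate the Firehose dynamic-partitioning key from the procedure."""
from collections import Counter
from datetime import datetime, timezone

# S3 bucket prefix from the procedure; {event_day} stands in for
# !{partitionKeyFromQuery:eventDayValue}.
PREFIX_TEMPLATE = (
    "ext/{source}/region={region}/accountId={account_id}/eventDay={event_day}/"
)
ERROR_PREFIX = "ext/AppFabric/error/"  # S3 bucket error output prefix from the procedure

# Constructed sample events (only the OCSF `time` field matters here).
SAMPLE_EVENTS = [
    {"time": 1700000000000, "class_name": "Authentication"},   # 2023-11-14 22:13:20 UTC
    {"time": 1700006399999, "class_name": "Authentication"},   # 1 ms before midnight UTC
    {"time": 1700006400000, "class_name": "Account Change"},   # midnight UTC, next day
    {"time": 1700000000, "class_name": "Authentication"},      # seconds, not milliseconds
    {"class_name": "Group Management"},                        # no time field at all
]


def event_day_value(event):
    """Python equivalent of the JQ expression (.time/1000)|strftime("%Y%m%d").

    OCSF `time` is epoch milliseconds, and jq's strftime formats in UTC.
    """
    t = event.get("time")
    if isinstance(t, bool) or not isinstance(t, (int, float)):
        raise ValueError("event has no numeric 'time' field")
    return datetime.fromtimestamp(t / 1000, tz=timezone.utc).strftime("%Y%m%d")


def s3_prefix(event, source, region, account_id):
    """Return the S3 prefix a record would be written under.

    Assumption of this sketch: a record whose partition key cannot be
    evaluated is filed directly under ERROR_PREFIX.
    """
    try:
        day = event_day_value(event)
    except ValueError:
        return ERROR_PREFIX
    return PREFIX_TEMPLATE.format(
        source=source, region=region, account_id=account_id, event_day=day
    )


def partition_report(events, source, region, account_id, earliest_day="20200101"):
    """Count records per prefix and list partitions dated before earliest_day.

    A partition far in the past usually means a producer sent `time` in
    seconds, so the division by 1000 collapsed it towards 1970.
    """
    counts = Counter(s3_prefix(e, source, region, account_id) for e in events)
    stale = sorted(
        p for p in counts
        if p != ERROR_PREFIX
        and p.rsplit("eventDay=", 1)[1].rstrip("/") < earliest_day
    )
    return counts, stale


if __name__ == "__main__":
    # Placeholder custom source name, Region, and account ID.
    counts, stale = partition_report(
        SAMPLE_EVENTS, "appfabric-demo", "us-east-1", "111122223333"
    )
    for prefix, n in sorted(counts.items()):
        print(f"{n:3d}  {prefix}")
    print("suspicious partitions:", stale)
```
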

### Create AppFabric ingestions
<a name="security-lake-create-appfabric-ingestions"></a>

To send data to Amazon Security Lake, you must create an ingestion in the AppFabric console that uses the Firehose delivery stream that you created earlier as the output location. For more information about configuring AppFabric ingestions to use Firehose as an output location, see [Create an output location](prerequisites.md#create-output-location).

# Singularity Cloud
<a name="singularity-cloud-security"></a>

The Singularity Cloud platform protects your enterprise from threats of all categories, at all stages. Its patented AI (Artificial Intelligence) extends security from known signatures and patterns to the most sophisticated attacks, such as zero-day and ransomware.

## AWS AppFabric audit log ingestion considerations
<a name="singularity-cloud-security-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with Singularity Cloud.

### Schema and format
<a name="singularity-cloud-security-schema-format"></a>

Singularity Cloud supports the following AppFabric output schema and formats:

+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.

### Output locations
<a name="singularity-cloud-security-output-locations"></a>

Singularity Cloud supports receiving audit logs from the following AppFabric output locations:
+ Amazon Simple Storage Service (Amazon S3)
  + To configure Singularity Cloud to receive data from the Amazon S3 bucket that contains your audit logs, follow the instructions in Singularity Cloud’s documentation.

# Splunk
<a name="splunk"></a>

Splunk helps make organizations more resilient. Leading organizations use Splunk’s unified security and observability platform to keep their digital systems secure and reliable. Organizations trust Splunk to prevent security, infrastructure, and application issues from becoming major incidents, absorb shocks from digital disruptions and accelerate digital transformation.

## AWS AppFabric audit log ingestion considerations
<a name="splunk-ingestion-considerations"></a>

The following sections describe the AppFabric output schema, output formats, and output destinations to use with Splunk.

### Schema and format
<a name="splunk-schema-format"></a>

Splunk supports the following AppFabric output schema and formats:
+ Raw - JSON
  + AppFabric outputs data in the original schema used by the source application in the JSON format.
+ OCSF - JSON
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the JSON format.
+ OCSF - Parquet
  + AppFabric normalizes the data using the Open Cybersecurity Schema Framework (OCSF) and outputs the data in the Apache Parquet format.

### Output locations
<a name="splunk-output-locations"></a>

Splunk supports the following AppFabric output locations:
+ Amazon Data Firehose
  + To configure Splunk to receive audit logs from the Firehose stream that contains your audit logs, follow the instructions in [Splunk Add-on for Amazon Data Firehose](https://docs.splunk.com/Documentation/AddOns/released/Firehose/ConfigureFirehose) on the Splunk website.
+ Amazon Simple Storage Service (Amazon S3)
  + To configure Splunk to receive data from the Amazon S3 bucket that contains your audit logs, follow the instructions in [Configure SQS-based S3 inputs for the Splunk Add-on for AWS](https://docs.splunk.com/Documentation/AddOns/released/AWS/SQS-basedS3) on the Splunk website.

# Delete AWS AppFabric for security resources
<a name="delete-resources"></a>

If you don't want to continue using AWS AppFabric for security, be sure to delete the data in the output locations you created during setup and your AppFabric for security resources to avoid incurring additional charges. To clean up your AppFabric resources, you must delete the resources in the reverse order in which you created them for each software as a service (SaaS) application: **Ingestion destinations** > **Ingestions** > **App authorization** > **App bundles**.

After you’ve deleted your final app authorization, you can delete the app bundle.

**Topics**
+ [Delete an ingestion destination](#delete-ingestion-destinations)
+ [Delete an ingestion](#delete-ingestions)
+ [Delete an app authorization](#delete-app-authorizations)
+ [Delete an app bundle](#delete-app-bundles)

## Delete an ingestion destination
<a name="delete-ingestion-destinations"></a>

If you select an output location when you create an ingestion, AppFabric for security creates ingestion destinations on your behalf. To delete an ingestion destination, use the following steps:

1. Open the AppFabric console at [https://console.aws.amazon.com/appfabric/](https://console.aws.amazon.com/appfabric/).

1. From the **Getting started** page, expand the menu on the left.

1. Choose **Ingestions**.

1. Choose an app authorization.

1. Select the option button next to the destination that you want to delete and choose **Delete**.

1. Choose **Delete** on the delete destination dialog box to confirm.

1. Repeat the above steps for all of your destinations.

## Delete an ingestion
<a name="delete-ingestions"></a>

To delete an ingestion, use the following steps:

1. From the **Getting started** page, expand the menu on the left.

1. Choose **Ingestions**.

1. Select the option button that is next to your app authorization.

1. Choose the **Actions** dropdown menu.

1. Choose **Delete**.

1. Choose **Delete** on the delete ingestion dialog box to confirm.

## Delete an app authorization
<a name="delete-app-authorizations"></a>

To delete an app authorization, use the following steps:

1. From the **Getting started** page, expand the menu on the left.

1. Choose **App authorizations**.

1. Select the option button next to the app authorization that you want to delete.

1. Choose the **Actions** dropdown menu.

1. Choose **Delete**.

1. Choose **Delete** on the delete ingestion dialog box to confirm.

## Delete an app bundle
<a name="delete-app-bundles"></a>

To delete your app bundle, use the following steps:

1. From the **Getting started** page, expand the menu on the left.

1. Choose **App bundle**.

1. Choose the **Delete** button.

1. Type `delete` to confirm, and then choose **Delete**.