It Must Go Somewhere

TL;DR

Destinations are places where you put your data. Stream also integrates with a LOT of destinations. This allows you to do as much as you want with your data because you can put it multiple places regardless of where it's coming from.

After you connect to your Sources, a good next step is to configure where the data will end up: Destinations.

important

Select the Data submenu below the top nav and click Destinations

• NOTE: If the capture window is still open from the Data > Sources page, you must close it before you can navigate to Data > Destinations.*

Just as with Sources, Stream leaves you spoiled for choice; there are a cornucopia of Destination types available.

Also, the Sources and Destinations are separated from each other, said a different way – they aren't tied to each other. This means you aren't locked into a vendor, stuck in an echo chamber. If you already have one vendor in place as a source but you need to send to another vendor's Destination, you can.

As an example, note that we have Splunk Single Instance, Syslog, and Amazon S3 all configured. In the next section we’ll see that they are all receiving data from our main source (syslog:paloalto).

important

Click Splunk Single Instance

Even within one Destination, we can have multiple entries that are both receiving concurrent data. In our example, the Splunk Single Instance has two entries: the IT team and the SecOps team. The teams need data from our firewall for different reasons and each has their own SIEM solution. Therefore, we configured two Destinations in Stream and once the data is enriched it will be sent to their respective SIEM.

Let’s actually go look at how we are Routing this data.