It Must Go Somewhere
Destinations are the places where you send your data. Stream integrates with a large number of them, which means you can deliver the same data to multiple places regardless of where it came from.
After you connect your Sources, the natural next step is to configure where the data will end up: Destinations.
Select the Data submenu below the top nav and click Destinations.
NOTE: If the capture window is still open from the Data > Sources page, you must close it before you can navigate to Data > Destinations.
Just as with Sources, Stream leaves you spoiled for choice; there is a cornucopia of Destination types available.
Sources and Destinations are also independent of each other: a Destination is not tied to the Source that produced the data. This means you aren't locked into a vendor or stuck in an echo chamber. If you already have one vendor in place as a Source but need to send to another vendor's Destination, you can.
As an example, we could have Elasticsearch, Syslog, and Amazon S3 all configured and receiving data from a single Source (like the palo_traffic Source we just made).
Even within one Destination type, we can have multiple Destination configurations receiving data concurrently. For example, Elasticsearch can have two (or more) entries: one for the IT team and one for the SecOps team. The teams need data from our firewall for different reasons, and each has its own SIEM. We can therefore configure two Destinations in Stream and, once the data is enriched the way each team needs, send it to their respective SIEMs.
Here we'll configure a generic_siem Destination so that we can route data to it later on.
- Click into the Webhook Destination.
- Click Add Destination.
- For Output ID, enter generic_siem.
- Disable Load Balancing.
- For Webhook URL, enter http://webhook.cribl.io/genericsiem.
- Click Save.
- Commit & Deploy.
Note that this example URL is plain http, so anything routed to it crosses the network unencrypted. For a real SIEM endpoint, use an https URL and configure authentication on the Webhook Destination so that only your Stream workers can post to it.
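Before routing production data at a Webhook Destination, it is worth confirming what actually arrives at the receiving end. The following is an added example, not code from the original page or from Cribl: a minimal stand-in for the generic_siem endpoint that accepts the Webhook Destination's default output (HTTP POST, body as newline-delimited JSON, one event per line), rejects malformed batches, and tallies events per Source so you can check the routing later. The listening port, the /genericsiem path, and the sample events are constructed for illustration.

```python
"""Stand-in receiver for the generic_siem Webhook Destination.

Added example (not part of the page or of Cribl Stream). Assumes the Webhook
Destination is left at its defaults: POST with an NDJSON body. The path
/genericsiem, the port, and SAMPLE_BATCH below are constructed assumptions.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List


def parse_ndjson(body: bytes) -> List[dict]:
    """Split an NDJSON POST body into event dicts, skipping blank lines.

    A single malformed line raises ValueError so the whole batch is rejected
    with a 400 rather than silently dropping part of it.
    """
    events = []
    for lineno, raw in enumerate(body.decode("utf-8").splitlines(), start=1):
        if not raw.strip():
            continue  # tolerate a trailing newline or empty line
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc.msg}") from None
    return events


def summarize(events: List[dict]) -> Dict[str, int]:
    """Count events per Stream 'source' field; useful to verify routing."""
    counts: Dict[str, int] = {}
    for event in events:
        src = event.get("source", "<none>")
        counts[src] = counts.get(src, 0) + 1
    return counts


class SiemHandler(BaseHTTPRequestHandler):
    """Accepts POSTs on /genericsiem and stores parsed events in memory."""

    received: List[dict] = []  # class-level store; fine for a test stand-in

    def do_POST(self) -> None:
        if self.path != "/genericsiem":
            self.send_error(404, "unknown webhook path")
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            events = parse_ndjson(body)
        except ValueError as exc:
            self.send_error(400, f"bad NDJSON batch: {exc}")
            return
        SiemHandler.received.extend(events)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")


# Constructed sample batch shaped like firewall events from the palo_traffic
# and (hypothetical) palo_threat Sources; includes a blank line on purpose.
SAMPLE_BATCH = b"\n".join([
    b'{"source": "palo_traffic", "action": "allow", "src_ip": "10.0.0.5"}',
    b'{"source": "palo_traffic", "action": "deny", "src_ip": "10.0.0.9"}',
    b"",
    b'{"source": "palo_threat", "severity": "high"}',
]) + b"\n"


if __name__ == "__main__":
    # Point the Webhook URL at http://<this host>:8080/genericsiem to try it.
    print(summarize(parse_ndjson(SAMPLE_BATCH)))
    HTTPServer(("127.0.0.1", 8080), SiemHandler).serve_forever()
```

Run it on a host the Stream workers can reach, temporarily set the Webhook URL to that host, and watch the counts: if the SecOps and IT Destinations are meant to receive different enrichments, the per-source tallies and the event fields make the difference visible before you commit the real URL.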
Let’s actually go look at how we are Routing this data.