
It Must Go Somewhere

TL;DR

Destinations are the places where you put your data. Stream also integrates with a LOT of Destinations. This lets you do as much as you want with your data, because you can send it to multiple places regardless of where it's coming from.

After you connect to your Sources, a good next step is to configure where the data will end up: Destinations.

important

Select the Data submenu below the top nav and click Destinations
NOTE: If the capture window is still open from the Data > Sources page, you must close it before you can navigate to Data > Destinations.

Just as with Sources, Stream leaves you spoiled for choice; there is a cornucopia of Destination types available.

Sources and Destinations are also separate from each other. Said a different way, they aren't tied to each other. This means you aren't locked into a vendor or stuck in an echo chamber. If you already have one vendor in place as a Source but need to send to another vendor's Destination, you can.

As an example, note that we have Elasticsearch, Syslog, and Amazon S3 all configured. In the next section we’ll see that they are all receiving data from our main source (syslog:paloalto).

important

Click Elastic Elasticsearch

Even within one Destination type, we can have multiple entries that receive data concurrently. In our example, Elastic Elasticsearch has two entries: one for the IT team and one for the SecOps team. The teams need data from our firewall for different reasons, and each has its own SIEM solution. Therefore, we configured two Destinations in Stream, and once the data is enriched it will be sent to each team's respective SIEM.

Let’s actually go look at how we are Routing this data.