Integration Catalog
Administrator | Analyst | 15 min
What it's for
Each log source you connect expands what your team can see, detect, and investigate. This page is a reference of the available integrations and the value each brings to SOC and IR work.
Tips
- Start with CloudTrail + Login (Google) + GuardDuty and expand as your SOC matures.
- See Create Integration for the step-by-step wizard.
Domain summary
- AWS — Cloud infrastructure core: who did what, network traffic, GuardDuty findings.
- Google Workspace — Identity, collaboration, SaaS data: account compromise, exfiltration.
- GitHub — Software supply chain: exposed secrets, unauthorized code access.
- Azure — Microsoft cloud workloads: database and resource audit in hybrid environments.
Integration table
| Wizard name | Mode | Domain |
|---|---|---|
| CloudTrail | S3 | AWS |
| VPC Flow | S3 | AWS |
| WAF | S3 | AWS |
| ALB | S3 | AWS |
| MongoDB audit | S3 | AWS |
| GuardDuty (S3 export) | S3 | AWS |
| Workspace Alert Center | S3 | Google |
| Custom S3 source | S3 | Any |
| GuardDuty | API | AWS |
| RDS audit (CloudWatch API) | API | AWS |
| Organization audit logs | API | GitHub |
| Enterprise audit logs | API | GitHub |
| Admin, Drive, Token, Alerts, Login | API | Google |
| Log Analytics query | API | Azure |
Correlation scenarios
- Compromised Google account — `Login` + `Drive` + `Token` + `Admin`: when did the attacker get in, what data was taken, and was OAuth persistence established?
- Compromised AWS instance — `GuardDuty` + `CloudTrail` + `VPC Flow`: finding, API calls, outbound traffic.
- Web attack — `WAF` + `ALB` + `CloudTrail`: attempts, backend impact, infra changes.
- Code leak — GitHub `Organization audit logs` or `Enterprise audit logs` + `CloudTrail`: repository access, then use of leaked credentials in AWS.
- Database exfiltration — `RDS audit` or `MongoDB audit` + `VPC Flow`: queries and network transfer.