Overview

Imagine you're the owner of a beautiful estate, and you've invited some dinner guests over. You want to make sure everyone is safe and comfortable, and that no one is misbehaving or, heaven forbid, stealing the silverware. 

To do this, you'd probably keep an eye on your guests' activities, watch out for any strange behavior, and make sure everyone follows the house rules.

Tracking, monitoring, and exposing user activity in your application is pretty much the same thing. Except, when it comes to your application, the benefits are two-fold:

1. Tracking is actually crucial for maintaining robust security measures.
2. By providing your customers' Security Information and Event Management (SIEM) providers with full visibility into your application's audit data, you can strengthen their trust in your product's security and improve your chances of closing larger deals.

Why expose audit logs to customers' SIEM providers?

The primary goal of exposing audit logs is to offer your customers' IT admins and security teams a comprehensive view of their application's activity. Audit logs provide a paper trail of important events, such as user logins, access to sensitive information, and data sharing. 

By integrating with SIEM tools like Datadog, Splunk, and Sumologic, you enable your customers to consolidate and analyze audit logs across all their applications, empowering them to detect potential security threats and unauthorized activities effectively.

But, of course, there are challenges to building these SIEM integrations.

While providing audit logs to customers' SIEM systems is expected from enterprise SaaS vendors, implementing a reliable and timely integration can be complex and resource-intensive. SIEM integrations can be categorized into pull-based and push-based approaches. Pull-based integrations require customers to develop connectors that periodically poll your application's API for new audit logs. 

On the other hand, push-based integrations involve the SaaS Vendor forwarding events directly from the product to the SIEM Vendor's APIs. Regardless of the integration method, building a robust SIEM integration involves hosting resources, handling errors, retrying failed processes, ensuring data integrity, and monitoring the delivery of logs. This process can consume several weeks of engineering effort.

Now, there's a better way. You can use Census to simplify the process of exposing audit logs to your customers' SIEM providers.

Use Case

Census offers a simplified solution to streamline SIEM integrations without significant engineering effort. By connecting your data warehouse to Census, you can effortlessly sync audit data to any customer in need, eliminating the need for custom integrations. Census supports various destination options, including Webhooks, S3, and custom API destinations published by SIEM providers. 

Plus, Census provides built-in exception handling, alerting, retries, and state tracking, ensuring reliable delivery of audit logs to the designated destinations. Now, you can focus on your core product work while easily meeting your customers' SIEM integration requirements.

Here's a high-level data pipeline to demonstrate how Census simplifies the process of forwarding audit logs to customers' SIEM providers:

Let's walk through this step-by-step:

1. Collect and transform your audit data into your data warehouse, which may include data from your product's database and authentication provider. Leveraging tools like Fivetran can help consolidate audit events from multiple sources into your warehouse.
2. Connect your data source to Census, allowing you to leverage Census's powerful features for data synchronization.
3. Use Census segments to create a segment of audit data specific to each customer that requests an audit
4. Create a Destination connection to send your customer's logs to. This could be a Webhook, or an S3 bucket location for their SIEM provider to ingest from.
5. Sync the data from your customer' segment to your customer's destination service. You'l want to configure an Append sync to ensure each audit log is only sent to the destination a single time. 
6. Bonus: Set up alerts on SIEM syncs to ensure that logs are being delivered reliably.
7. Another bonus: Enable logs in your data source so you can keep track of every record sent to every destination.

👀  For an even more in-depth breakdown of how we at Census used Census to forward audit logs to our customers' SIEM tools, stay tuned for a deep dive article on our engineering blog!