Log Source Integrations
Armor works with you to ingest the logs and event data from sources throughout your environments so that those events can be analyzed and correlated in the chosen SIEM platform. This event data is first ingested, then parsed and normalized before being passed through the platform’s various analytics capabilities.
During the onboarding process, we’ll work with you to identify the log sources you wish to ingest. Sources on our list of supported log sources can be ingested, parsed, and queried out-of-the-box. For log sources that are not currently supported, we can build the required parsers and rules. Logs can be ingested using any of the methods described below and are stored in the locations, and for the retention period, that you configure.
Ingestion Methods and Flows
Logs and event data will be ingested in one of several ways for each log source. Depending on the SIEM platform in use, Armor will configure either a native (out-of-the-box) connector or a custom (typically API-based) connector. Below are links to the native connectors and ingestion formats:
Data Sovereignty and Security
All log data is ingested into your cloud environment in a location of your choosing. All processing performed by Armor will be conducted within this environment, and the raw data will never leave this environment. Representations of the data (such as summarizations of the raw data) may be exported outside of this environment in, for example and without limitation, the following scenarios:
- Armor SOC personnel who are not physically located in the same jurisdiction as the customer’s environment may be required to execute queries against the data in the course of performing their duties. While the raw data will not leave the customer’s environment, the results of the query will be displayed on the SOC agent’s machine for analysis.
- Summarizations of the raw log data may be exported to the Armor platform for further analysis or reporting requirements. The raw log information is never exported to Armor directly.
All data centers in which Armor maintains infrastructure are SOC 2 Type II and ISO/IEC 27001 certified.
Log Retention
By default, logs are retained on the platform for a duration of 3 months. This can be adjusted based on your requirements, if necessary, up to a maximum of 24 months. However, we recommend that customers opt for a cold storage solution for retention periods of more than 6 months. Cold storage is the more cost-efficient alternative, since keeping logs in hot storage for that long incurs higher costs.