Overview
Exaforce supports ingestion from custom log sources, enabling security teams to extend detection and investigation coverage to any telemetry that isn't covered by a native integration. By mapping custom data to Exaforce's unified schema, teams gain immediate access to AI-driven triage, correlation with other systems, and the full investigation experience without building custom pipelines or parsers.
How it works
Teams configure a custom log source by defining how raw events map to Exaforce's normalized schema fields. Once mapped, logs flow continuously into the platform and are treated like any other telemetry source: they are enriched with identity context, correlated across systems, and analyzed for threats. Exaforce provides a set of baseline detections that work immediately on the mapped data, while teams can author additional custom detections tailored to their specific use cases and threat models.
Core capabilities
Schema mapping for any data format
Exaforce's schema mapping interface allows teams to define how fields in their custom logs correspond to standard Exaforce entities. This normalization ensures custom logs integrate seamlessly with existing detections and investigation workflows.
Out-of-the-box detections
Once mapped, custom log sources benefit from a library of baseline detections that identify common threats such as unusual access patterns, failed authentication attempts, unusual ARNs, and suspicious network activity. These detections work across all data sources using the unified schema, providing immediate security value.
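To make the mapping-then-detect flow from the two sections above concrete, here is an added example that is not Exaforce code and does not use Exaforce's real schema, configuration syntax, or API. It assumes a small hypothetical unified schema (timestamp, actor, source_ip, action, outcome), two constructed custom log formats with different field names and outcome vocabularies, a per-source mapping that resolves dotted paths and translates values, and one baseline detection (repeated failed logins by the same actor within a time window) that runs over the normalized events regardless of which source produced them. The sample log lines are constructed for this example.

```python
"""Hypothetical field mapping plus a baseline detection over normalized events.

The schema, mapping format and sample logs below are assumptions for this
example; they are not Exaforce's real schema or configuration syntax.
"""
import json
from collections import defaultdict
from datetime import datetime

# One mapping per custom log source: normalized field -> source field path.
# A tuple (path, translation) handles sources whose outcome vocabulary differs.
MAPPINGS = {
    "vpn-gateway": {
        "timestamp": "ts",
        "actor": "user",
        "source_ip": "src",
        "action": "event",
        "outcome": ("status", {"OK": "success", "DENIED": "failure"}),
    },
    "hr-portal": {
        "timestamp": "@timestamp",
        "actor": "principal.name",
        "source_ip": "client.ip",
        "action": "type",
        "outcome": ("ok", {True: "success", False: "failure"}),
    },
}

# Constructed sample input: three failed logins by one actor across two sources.
SAMPLE_LOGS = [
    ("vpn-gateway", '{"ts": "2024-05-01T10:00:00Z", "user": "alice", "src": "203.0.113.7", "event": "login", "status": "DENIED"}'),
    ("vpn-gateway", '{"ts": "2024-05-01T10:01:00Z", "user": "alice", "src": "203.0.113.7", "event": "login", "status": "DENIED"}'),
    ("hr-portal", '{"@timestamp": "2024-05-01T10:02:30Z", "principal": {"name": "alice"}, "client": {"ip": "203.0.113.7"}, "type": "login", "ok": false}'),
    ("hr-portal", '{"@timestamp": "2024-05-01T10:03:00Z", "principal": {"name": "bob"}, "client": {"ip": "198.51.100.2"}, "type": "login", "ok": true}'),
]


def _lookup(event, path):
    """Resolve a dotted path such as 'principal.name' inside a nested dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize(source, raw):
    """Map one raw JSON event from `source` onto the unified schema."""
    event = json.loads(raw)
    out = {"source": source}
    for field, spec in MAPPINGS[source].items():
        if isinstance(spec, tuple):
            path, translate = spec
            out[field] = translate.get(_lookup(event, path), "unknown")
        else:
            out[field] = _lookup(event, spec)
    # Parse the timestamp once so detections can reason about time windows.
    out["timestamp"] = datetime.fromisoformat(out["timestamp"].replace("Z", "+00:00"))
    return out


def detect_failed_auth(events, threshold=3, window_seconds=300):
    """Baseline detection: `threshold` or more failed logins by the same actor
    within `window_seconds`, counted across all sources in the unified schema."""
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and ev["outcome"] == "failure":
            failures[ev["actor"]].append(ev["timestamp"])
    alerts = []
    for actor, times in failures.items():
        times.sort()
        start = 0
        # Sliding window over the sorted failure timestamps.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"actor": actor, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break
    return alerts


def run_pipeline(logs=SAMPLE_LOGS):
    """Normalize every raw log line, then run the baseline detection."""
    events = [normalize(src, raw) for src, raw in logs]
    return events, detect_failed_auth(events)


if __name__ == "__main__":
    normalized, found = run_pipeline()
    for ev in normalized:
        print(ev)
    print("alerts:", found)
```

The point the example shows is that the detection never looks at the raw field names: once both sources are mapped, the three failures for the same actor are counted together even though they came from two differently shaped logs. Value translation in the mapping (DENIED vs. a boolean `ok`) is what keeps a single `outcome == "failure"` check valid for every source, which is the property a baseline detection library depends on.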
Custom detection authoring
Teams can create tailored detections specific to their custom log source using Exaforce's Query Builder. Define conditions, thresholds, and correlations that match your environment's unique risks and operational patterns, ensuring high-fidelity alerts with minimal noise.
Unified triage and investigation
Custom log data flows into the same AI-driven triage and investigation workflows as native integrations. Alerts are automatically enriched with identity context, correlated with activity from other systems, and presented in a unified timeline that accelerates root cause analysis and response.
Benefits
Custom log source support eliminates blind spots by extending Exaforce coverage to any security-relevant telemetry, regardless of vendor or format. It reduces integration complexity since teams map fields once and immediately gain detection, triage, and investigation capabilities without building custom pipelines. The combination of out-of-the-box and custom detections ensures teams can balance speed to value with precision tuning for their specific environment.
