I’m using XSIAM and I’ve run into a bit of a snag with the Automation and Feed integrations. When I set up an instance there, it automatically creates one in the Data sources section too. The thing is, I don’t really want Teams logs in XSIAM, so I’d rather not have that Data sources instance.
Is there a way to turn off just the logs part? I’ve noticed the same thing happens with the JIRA integration. Can anyone tell me if it’s possible to pick and choose which parts of the integration to use? I’d love to keep the automation stuff but skip the log collection.
Thanks in advance for any help you can give me on this!
As someone who’s worked extensively with XSIAM, I can relate to your frustration. The coupling of automation and log collection can be a pain when you’re trying to fine-tune your setup.
In my experience, there’s no built-in way to completely disable log collection for specific integrations while keeping the automation features. However, I’ve found a workaround that might help.
You can try creating a custom log forwarding rule in XSIAM that essentially discards the logs you don’t want. It’s not perfect, but it can significantly reduce the unwanted data ingestion. Here’s what I did:
1. In XSIAM, navigate to the Log Forwarding section.
2. Create a new rule targeting the specific integration (e.g., Teams or JIRA).
3. Set the condition to match all logs from that source.
4. Instead of forwarding, set the action to discard or send to a null destination.
This approach has worked well for me in managing unwanted logs without losing the automation benefits. Just remember to revisit these rules periodically, especially after updates, to ensure they’re still effective.
I’ve encountered a similar situation with XSIAM integrations. Unfortunately, there isn’t a straightforward way to disable log collection while keeping other features active. The integrations are designed to work as a package, coupling automation with data ingestion.
One workaround I’ve found is to set up strict filtering rules in the Data Sources section. You can configure these to severely limit or essentially block log ingestion from specific sources like Teams or JIRA. This approach allows you to maintain the automation capabilities while minimizing unwanted data collection.
Keep in mind that this method isn’t perfect and may require ongoing maintenance as integration updates roll out. It’s worth reaching out to XSIAM support to see if they have plans to implement more granular control over integration features in future releases.
hey there! i’ve dealt with this too. sadly, there’s no easy way to turn off just the log part. but here’s a trick: use the data management settings to set super short retention for those logs. like, 1 day. it won’t stop collection, but at least you won’t store much. hope that helps!