AWS AppFabric quickly connects software as a service (SaaS) applications across your organization. IT and security teams can then easily manage and secure applications using a standard schema. Use AWS AppFabric security features to automatically normalize application data for administrators and security analysts to monitor common security policies and user access.
AppFabric connects SaaS applications including Asana, the Atlassian Jira suite, Dropbox, Miro, Okta, Slack, ServiceNow, Smartsheet, Webex by Cisco, Zendesk, Zoom, GitHub, Google Workspace, and Microsoft 365, with more coming soon. To learn more about each supported applications, see AWS AppFabric Supported Applications.
Application data from AppFabric is compatible with security tools like Logz.io, Netskope, NetWitness, Rapid7, and Splunk, or your proprietary security solution. To learn more about supported security tools or how to connect to a proprietary security solution, see AWS AppFabric Supported Applications.
SaaS application audit logs (for example, event type, workspace name, actor identifier, or device details) are automatically normalized into the Open Cybersecurity Schema Framework (OCSF), or raw data is made available in two data formats—JSON or Apache Parquet. AppFabric only normalizes usage data for applications authorized in the AWS Management Console. Once authorized, AppFabric automatically ingests and normalizes application data. Data is sent to Amazon Simple Storage Service (Amazon S3) or through Amazon Kinesis Data Firehose. Using Amazon Kinesis, you can also deliver this data to Amazon Security Lake. From Amazon S3, Kinesis, or Security Lake, audit log data is sent to the security tool of your choice.
AppFabric automatically enriches each application’s audit log data with a user email address when applicable (when user identity [UID] is matched to the employee email address). By enriching each audit log event with a user identifier (email address), security teams can reduce security incident response time. With this feature, security analysts will more easily know which user an anomalous event is related to, enabling a faster incidence response. For example, if there is a large volume of logins from the same user across SaaS applications, a common user email address will help security analysts determine the source user faster. Previously, they would see only app-specific UIDs and would have to look up those UIDs in SaaS applications to determine the user.
Quickly manage employee access to the applications that they need. Security and IT admin teams can use AppFabric to quickly see who has access to what application(s) by running a simple search using the employee’s corporate email address. AppFabric will then verify application access or deprovisioning status across all connected applications.
AppFabric is at the forefront of creating baselines for SaaS applications. AppFabric closely works with the open-source OCSF community to create new event categories and classes. Together, we have introduced Application Activity as an OCSF event category and introduced activities (like export) specific to SaaS applications in the OCSF.