I’d love to see an event source for DNSFilter added to the available list of integrations. It’s a solid alternative to Cisco Umbrella, especially when it pertains to Mac devices (which there is already a short list of supported services for when it comes to DNS).
TwinGate is a VPN/Zero Trust Connector that serves to replace the traditional VPN architecture. It would seem there aren’t any Zero Trust event sources (others being things like Perimeter81, Zscaler, etc.). I think getting these added in would give a lot of organizations greatly improved visibility.
So we do actually have an event source for Zscaler LSS which is exactly like you described, a VPN alternative. So if we were to create a default integration for TwinGate, that is exactly where it would go, under the Ingress Authentication type.
There’s currently a decent amount of work on the plate for the IDR team, so new integrations aren’t being prioritized among other items at the moment, but I do suggest creating a support case as an IDEA or RFE. A lot of the integrations we build are essentially customer driven. So if there is heavy overlap between our customers and the customers’ use of TwinGate, for example, that would certainly upgrade the priority of the project.
I am dropping here a Vector (vector.dev) .toml configuration showing how to extract, remap, correlate and send Twingate connection logs to InsightIDR as Universal Ingress Authentication.
Tested and worked for me, can see the field in the Ingress Authentication logs tab.