Connector Types & Functions
Stellar Cyber parses log data forwarded to its sensors, but you can also use API connectors to pull data from SaaS and cloud-based applications. API connectors are also used to push changes to other systems, such as blocking an IP on a firewall or disabling a user. API connectors are developed on request and are released with new versions of Stellar Cyber.
For guidance on creating or managing connectors, refer to: Working with the Connectors Table.
All Connectors
Following are the available connectors in Stellar Cyber. Click a connector name to learn how to add and configure that type of connector. Additional details are available on the connectors indicated to support Third Party Native Alert Integration.
Cloud Security

Connector | Indices | Runs On | Interval*
---|---|---|---
Prisma Cloud | Linux, Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable

Database

Connector | Indices | Runs On | Interval*
---|---|---|---
Microsoft SQL Server (Klassify) | Syslog | Sensor | Configurable
MySQL | Syslog | DP | Configurable

(category name missing)

Connector | Indices | Runs On | Interval*
---|---|---|---
Barracuda Email Security | Syslog | DP | N/A
Mimecast | Syslog | DP | 5 minutes
Proofpoint on Demand | Syslog | DP | Every hour
Proofpoint Targeted Attack Protection (TAP) | Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable

Endpoint Security

Connector | Indices | Runs On | Interval*
---|---|---|---
Acronis Cyber Protect Cloud | Syslog | DP | Configurable
Akamai | Syslog | DP | Configurable
Bitdefender | Syslog | DP | N/A
BlackBerry Cylance | Syslog | DP | N/A
(name missing) | Syslog, Assets | DP | Configurable
Cisco AMP | Syslog | DP | Configurable
(name missing; 4.3.0-4.3.4, 4.3.5+) | Syslog, Assets | DP | Configurable
Cybereason | Syslog | DP | Configurable
Cynet | Syslog | DP | N/A
(name missing) | Syslog | DP | Configurable
Forescout | Syslog | DP or Sensor | N/A
HIBUN | Syslog | DP | Configurable
Jamf Protect | Syslog | DP | Configurable
Microsoft Defender for Endpoint | Syslog | DP | Configurable
SentinelOne | Syslog, Assets, Linux | DP | Configurable
SonicWall Capture Client | Syslog, Scans, Assets, Linux | DP | Configurable
Sophos Central | Syslog | DP | Configurable
(name missing) | Syslog, Assets, Alert | DP | Configurable
Trend Micro Apex Central | Syslog | DP | Configurable
Trend Micro Cloud One | Syslog | DP | Configurable
Trend Micro Vision One | Syslog | DP | Configurable
VMware Carbon Black Cloud | Syslog | DP | Configurable
VMware Workspace ONE | Syslog | DP | Configurable
Webroot | Syslog | DP | Configurable

Firewall

Connector | Indices | Runs On | Interval*
---|---|---|---
(name missing) | N/A | DP | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP | N/A
(name missing) | N/A | DP | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP or Sensor | N/A
(name missing) | N/A | DP or Sensor | N/A

Honeypot

Connector | Indices | Runs On | Interval*
---|---|---|---
(name missing) | Syslog | DP | Configurable

IdP

Connector | Indices | Runs On | Interval*
---|---|---|---
Active Directory | Windows | DP (respond) | Configurable
Duo Security | Syslog | DP | Configurable
JumpCloud | Syslog | DP | Configurable
Okta | Syslog | DP | Configurable
(name missing) | Syslog, Traffic | DP | Configurable

PaaS

Connector | Indices | Runs On | Interval*
---|---|---|---
AWS CloudTrail | AWS, Traffic | DP | 5 minutes
(name missing) | Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable
(name missing) | Syslog | DP | (missing)
(name missing) | Syslog | DP | Configurable
Oracle Cloud Infrastructure (OCI) | Syslog | DP | Configurable

Remote Host

Connector | Indices | Runs On | Interval*
---|---|---|---
SSH Host | N/A | N/A | N/A

SaaS

Connector | Indices | Runs On | Interval*
---|---|---|---
Azure Active Directory | Windows | DP | Configurable
Box | Syslog | DP | Configurable
Google Workspace | Linux, Cloudtrail | DP | Configurable
Office 365 | Windows | DP | Configurable
Salesforce | Syslog | DP | Configurable

SASE

Connector | Indices | Runs On | Interval*
---|---|---|---
Cato Networks | (missing) | DP | Configurable

Security Switch

Connector | Indices | Runs On | Interval*
---|---|---|---
(name missing) | Syslog | DP or Sensor | 5 minutes

Vulnerability Scanner

Connector | Indices | Runs On | Interval*
---|---|---|---
CYRISMA | Scans, Assets | DP | Configurable (hours)
Nessus Scanner | Scans | Sensor | Configurable
Qualys | Syslog, Scans | DP | Configurable
Rapid7 | Scans | Sensor | Configurable
Tenable.io | Scans | DP | Configurable
Tenable.sc | Scans | Sensor | Configurable

Web Security

Connector | Indices | Runs On | Interval*
---|---|---|---
(name missing) | (missing) | (missing) | Configurable
Broadcom (Blue Coat / Symantec) WSS | Syslog | DP | 5 minutes
Cisco Umbrella | Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable
NetSkope | Syslog | DP | Configurable
(name missing) | Syslog | DP | Configurable

Webhook

Connector | Indices | Runs On | Interval*
---|---|---|---
(name missing) | (missing) | (missing) | Configurable
Universal Webhook Responder | N/A | DP or Sensor | N/A
* Interval is applicable only to connectors configured to Collect.
Connectors by Response Actions
The information below summarizes the available connector response actions and their requirements. These actions can be performed from Event Details or by configuring Automated Threat Hunting.
The following table lists, for each external action, the connectors that can perform it and the requirements for enabling it: the indicated connector must be configured, and the indicated fields in the Interflow record must contain non-null, valid data.
External Action | Connector and Data Requirement* | Applicable Connectors
---|---|---
Block IP / Block on Firewall | At least one firewall or security switch connector is configured and (remainder of requirement missing) | AWS, Barracuda Firewall, Check Point, Cisco (Firepower) FMC, Cisco Meraki, F5 BIG-IP ASM, F5 BIG-IP Firewall, F5 Silverline, Fortigate, HanDreamnet Security Switch, Hillstone, Palo Alto Networks, SonicWall Firewall, Sophos XG Firewall
Disable User | Active Directory or Azure AD connector | (missing)
Confirm Compromised | Azure AD connector | (missing)
Dismiss Risk | Azure AD connector | (missing)
Run a Script | Always available | SSH Host
Contain Host (Isolate Endpoint) | One of the following connectors is configured; the required data varies by the connector used for the response | Bitdefender, CrowdStrike, Cybereason, Deep Instinct, BlackBerry Cylance, Cynet, Microsoft Defender for Endpoint, SentinelOne, Sophos Central
Hide Host | CrowdStrike | CrowdStrike
(action missing) | Forescout | (missing)
Initiate Scan | (missing) | (missing)
(action missing) | SentinelOne | (missing)
(action missing) | SentinelOne | (missing)
Remediate Threat | SentinelOne | (missing)
Disconnect Host | SonicWall Capture Client | SonicWall Capture Client
(action missing) | SonicWall Capture Client | (missing)
(action missing) | SonicWall Capture Client, Cynet | (missing)
(action missing) | Barracuda Email Security Service | (missing)