Connector Types & Functions

Stellar Cyber supports parsing of log data forwarded to sensors; you can also use API connections to pull data from SaaS and cloud-based applications. API connectors are also used to push changes, such as blocking on a firewall or disabling users. API connectors are developed per request and are released with new versions of Stellar Cyber.

For guidance creating or managing the connectors, refer to: Working with the Connectors Table.

All Connectors

Following are the available connectors in Stellar Cyber. Click a connector name to learn how to add and configure that type of connector. Additional details are available on the connectors indicated to support Third Party Native Alert Integration.

The Collect, Respond, Alert Integration and HTTP Proxy supported columns are icon-only on the original page; only the HTTP Proxy notes that appear as text are reproduced here.

| Category | Connector | Indices | Runs On | Interval* | External Actions | HTTP Proxy supported |
|---|---|---|---|---|---|---|
| Cloud Security | Prisma Cloud | Linux, Syslog | DP | Configurable | | |
| Cloud Security | Symantec Cloud Workload Protection | Syslog | DP | Configurable | | |
| Database | Microsoft SQL Server (Klassify) | Syslog | Sensor | Configurable | | |
| Database | MySQL | Syslog | DP | Configurable | | |
| DNS Security | HYAS Protect | Syslog | DP | Configurable | | |
| Email | Barracuda Email Security | Syslog | DP | N/A | Remediate Email | |
| Email | Mimecast | Syslog | DP | 5 minutes | | |
| Email | Proofpoint on Demand | Syslog | DP | Every hour | | |
| Email | Proofpoint Targeted Attack Protection | Syslog | DP | Configurable | | |
| Email | Symantec Email Security.cloud | Syslog | DP | Configurable | | |
| Endpoint Security | Acronis Cyber Protect Cloud | Syslog | DP | Configurable | | |
| Endpoint Security | Akamai | Syslog | DP | Configurable | | |
| Endpoint Security | Bitdefender | Syslog | DP | N/A | Contain Host | |
| Endpoint Security | BlackBerry Cylance | Syslog | DP | N/A | Contain Host; available on request via Universal Webhook Responder: Run Script, Add Hash to Global Quarantine, Add Hash to Global Safelist | |
| Endpoint Security | Broadcom Symantec Endpoint Security (SES) | Syslog, Assets | DP | Configurable | | |
| Endpoint Security | Cisco AMP | Syslog, Assets, Linux | DP | Configurable | | |
| Endpoint Security | CrowdStrike (4.3.0-4.3.4: CrowdStrike (Hosts) and CrowdStrike (Events); 4.3.5+: CrowdStrike (Hosts/Events)) | Syslog, Assets | DP | Configurable | Contain Host, Hide Host | |
| Endpoint Security | Cybereason | Syslog, Assets, Sensor Monitoring | DP | Configurable | Contain Host | |
| Endpoint Security | Cynet | Syslog | DP | N/A | Contain Host, Shutdown Host | |
| Endpoint Security | Deep Instinct | Syslog | DP | Configurable | Contain Host | |
| Endpoint Security | Forescout | Syslog | DP or Sensor | N/A | Update Device | |
| Endpoint Security | HIBUN | Syslog | DP | Configurable | | |
| Endpoint Security | Huntress | Syslog | DP | Configurable | | |
| Endpoint Security | Jamf Protect | Syslog | DP | Configurable | | |
| Endpoint Security | LimaCharlie | Syslog | DP | Configurable | | |
| Endpoint Security | Malwarebytes | Syslog | DP | Configurable | | |
| Endpoint Security | Microsoft Defender for Endpoint | Syslog | DP | Configurable | Contain Host | |
| Endpoint Security | Palo Alto Networks CORTEX XDR | Syslog | DP | N/A | | |
| Endpoint Security | SentinelOne | Syslog, Assets, Linux | DP | Configurable | Initiate Scan, Kill Threat, Quarantine Threat, Remediate Threat, Contain Host (Isolate Endpoint) | For collect and respond |
| Endpoint Security | SonicWall Capture Client | Syslog, Scans, Assets, Linux | DP | Configurable | Initiate Scan, Disconnect Host, Restart Machine, Shut Down | For collect and respond |
| Endpoint Security | Sophos Central | Syslog | DP | Configurable | Contain Host (Isolate Endpoint) | |
| Endpoint Security | Trellix (FireEye) Endpoint Security HX | Syslog, Assets, Alert | DP | Configurable | | |
| Endpoint Security | Trellix MVISION Endpoint Security | Syslog | DP | Configurable | | |
| Endpoint Security | Trend Micro Apex Central | Syslog | DP | Configurable | | |
| Endpoint Security | Trend Micro Cloud One Workload Security | Syslog | DP | Configurable | | |
| Endpoint Security | Trend Micro Vision One | Syslog | DP | Configurable | | |
| Endpoint Security | VMware Carbon Black Cloud | Syslog | DP | Configurable | | |
| Endpoint Security | VMware Workspace ONE | Syslog | DP | Configurable | | |
| Endpoint Security | Webroot | Syslog | DP | Configurable | | |
| Firewall | AWS | N/A | DP | N/A | Block IP Address | |
| Firewall | Barracuda Firewall | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | Check Point | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | Cisco FMC | N/A | DP | N/A | Block IP Address | |
| Firewall | Cisco Meraki Firewall | N/A | DP | N/A | Block IP Address | |
| Firewall | F5 BIG-IP ASM | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | F5 BIG-IP Firewall | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | F5 Silverline | N/A | DP | N/A | Block IP Address | |
| Firewall | Fortigate | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | Hillstone | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | Palo Alto Networks Firewall | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | SonicWall Firewall | N/A | DP or Sensor | N/A | Block IP Address | |
| Firewall | Sophos XG Firewall | N/A | DP or Sensor | N/A | Block IP Address | |
| Honeypot | Thinkst Canary | Syslog, Assets | DP | Configurable | | |
| IdP | Active Directory | Windows | DP (respond) or Sensor (collect) | Configurable | Disable User | |
| IdP | Duo Security | Syslog | DP | Configurable | | |
| IdP | JumpCloud | Syslog | DP | Configurable | | |
| IdP | OKTA | Syslog | DP | Configurable | | |
| IdP | OneLogin | Syslog, Traffic | DP | Configurable | | |
| PaaS | AWS CloudTrail | AWS, Traffic | DP | 5 minutes | | |
| PaaS | AWS CloudWatch | Syslog | DP | Configurable | | |
| PaaS | AWS GuardDuty | Syslog | DP | Configurable | | |
| PaaS | Azure Event Hub | Syslog | DP | | | |
| PaaS | Generic S3 | Syslog | DP | 5 minutes | | |
| PaaS | Google Cloud Audit Logging | Syslog | DP | Configurable | | |
| PaaS | Oracle Cloud Infrastructure (OCI) | Syslog | DP | Configurable | | |
| Remote Host | SSH Host | N/A | N/A | N/A | Run a script | |
| SaaS | Box | Syslog | DP | Configurable | | |
| SaaS | Google Workspace | Linux, Cloudtrail | DP | Configurable | | |
| SaaS | Microsoft Defender for Cloud Apps | Windows | DP | Configurable | | |
| SaaS | Microsoft Entra ID (formerly Azure Active Directory) | Windows | DP | Configurable | Disable User, Confirm Compromised, Dismiss Risk | |
| SaaS | Office 365 | Windows | DP | Configurable | | |
| SaaS | Salesforce | Syslog | DP | Configurable | | |
| SASE | Cato Networks | | DP | Configurable | | |
| Security Switch | HanDreamnet Security Switch | Syslog | DP or Sensor | 5 minutes | Block IP Address | |
| Vulnerability Scanner | CyberCNS | Scans | DP | Configurable | | |
| Vulnerability Scanner | CYRISMA | Scans, Assets | DP | Configurable (hours) | | |
| Vulnerability Scanner | Nessus Scanner | Scans | Sensor | Configurable | | |
| Vulnerability Scanner | Qualys | Syslog, Scans | DP | Configurable | | |
| Vulnerability Scanner | Rapid7 | Scans | Sensor | Configurable | | |
| Vulnerability Scanner | Tenable.io | Scans | DP | Configurable | | |
| Vulnerability Scanner | Tenable.sc | Scans | Sensor | Configurable | | |
| Web Security | Amazon Security Lake | Syslog | DP | N/A | | |
| Web Security | Broadcom (Blue Coat / Symantec) WSS | Syslog | DP | 5 minutes | | |
| Web Security | Cisco Umbrella | Syslog | DP | Configurable | | |
| Web Security | Cloudflare | Syslog | DP | Configurable | | |
| Web Security | Imperva Incapsula | Syslog | DP | Configurable | | |
| Web Security | Indusface | Syslog | DP | Configurable | | |
| Web Security | LastPass | Syslog | DP | Configurable | | |
| Web Security | Netskope | Syslog | DP | Configurable | | |
| Webhook | ESET Responders | N/A | DP | N/A | Isolate computer from network, End computer isolation from network, On-Demand Scan, Run command | |
| Webhook | Custom (Universal Webhook Responder) | N/A | DP or Sensor | N/A | Webhook actions | |

* Interval is applicable only to connectors configured to Collect.

Connectors by Response Actions

The information below summarizes possible connector response actions and requirements. These actions can be performed from Event Details or by configuring Automated Threat Hunting.

The following table indicates which connector respond actions are applicable for each external action, along with the requirements to enable that action. Specifically, certain connectors must be configured and the indicated fields in the Interflow must contain non-null, valid data.

Each entry below gives the external action, the connector and data requirement* for action availability, and the applicable connectors.

Block IP / Block on Firewall
  Requirement: At least one firewall or security switch connector is configured and the required fields are populated: dstip or srcip.
  Applicable connectors: AWS, Barracuda Firewall, Check Point, Cisco FMC, Cisco Meraki, F5 BIG-IP ASM, F5 BIG-IP Firewall, F5 Silverline, Fortigate, HanDreamnet Security Switch, Hillstone, Palo Alto Networks Firewall, Palo Alto Networks Panorama, SonicWall Firewall, Sophos XG Firewall

Disable User
  Requirement: Active Directory or Microsoft Entra ID (formerly Azure AD) connector; required field: userPrincipalName.
  Applicable connectors: Active Directory, Microsoft Entra ID (formerly Azure Active Directory)

Confirm Compromised
  Requirement: Microsoft Entra ID (formerly Azure AD) connector; the required field (the user ID on which to perform the action) depends on the msg_class of the content type:
    • azure_ad_audit: initiatedBy.user.id
    • azure_ad_signin: userId
    • azure_ad_risk_detection: userId
    • azure_ad_risky_user: azure_ad.id
    • user_profile: user_profile.id
  Applicable connectors: Microsoft Entra ID (formerly Azure Active Directory)

Dismiss Risk
  Requirement: Microsoft Entra ID (formerly Azure AD) connector; the required field (the user ID on which to perform the action) depends on the msg_class of the content type:
    • azure_ad_audit: initiatedBy.user.id
    • azure_ad_signin: userId
    • azure_ad_risk_detection: userId
    • azure_ad_risky_user: azure_ad.id
    • user_profile: user_profile.id
  Applicable connectors: Microsoft Entra ID (formerly Azure Active Directory)

Run a Script
  Requirement: Always available.
  Applicable connectors: SSH Host

Contain Host (Isolate Endpoint)
  Requirement: One of the following connectors is configured. The required data varies based on the connector used for the response.
    • Bitdefender required fields: one of bitdefender.computer_id or bitdefender.endpointId
    • CrowdStrike required fields: dstip or srcip or hostip
    • Cybereason required fields: cybereason.plyumId
    • Cylance required fields: device and device.deviceID, or cylance and one of cylance.device_id, srcmac, dstmac or (host and host.mac)
    • Cynet required fields: any value other than an IP address in at least one of hostip_host, srcip_host, computer_name or host.name
    • Deep Instinct required fields: deep_instinct_asset and deep_instinct.id, or deep_instinct_suspiciousevent and deep_instinct.device_id, or deep_instinct_maliciousevent and deep_instinct.device_id
    • Microsoft Defender for Endpoint required fields: microsoft_defender.id and microsoft_defender.machineId
    • SentinelOne required fields: agentRealtimeInfo and AgentRealtimeInfo.agentId
    • Sophos Central required fields: sophos.hostip_assetid
  Applicable connectors: Bitdefender, CrowdStrike, Cybereason, Deep Instinct, BlackBerry Cylance, Cynet, Microsoft Defender for Endpoint, SentinelOne, Sophos Central, VMware Carbon Black

Hide Host
  Requirement: CrowdStrike required fields: dstip or srcip or hostip.
  Applicable connectors: CrowdStrike

Update Device
  Requirement: Forescout required fields: srcip, dstip, srcmac, dstmac.
  Applicable connectors: Forescout

Initiate Scan
  Requirement:
    • SentinelOne required fields: agentRealtimeInfo and AgentRealtimeInfo.agentId
    • SonicWall Capture Client required fields: device.deviceId and device.InstallToken
  Applicable connectors: SentinelOne, SonicWall Capture Client

Kill Threat
  Requirement: SentinelOne required fields: msg_origin.source is SentinelOne_endpoint or msg_origin.source is SentinelOne, and the following fields are present and valid: threatInfo and threatInfo.threatId.
  Applicable connectors: SentinelOne

Quarantine Threat
  Requirement: SentinelOne required fields: msg_origin.source is SentinelOne_endpoint or msg_origin.source is SentinelOne, and threatInfo and threatInfo.threatId are present and valid.
  Applicable connectors: SentinelOne

Remediate Threat
  Requirement: SentinelOne required fields: msg_origin.source is SentinelOne_endpoint or msg_origin.source is SentinelOne, and the following fields are present and valid: threatInfo, threatInfo.detectionType and threatInfo.threatId, with threatInfo.detectionType equal to dynamic. The endpoint must also be either a Mac OS or Windows host; if it is not, a Quarantine is performed instead.
  Applicable connectors: SentinelOne

Disconnect Host
  Requirement: SonicWall Capture Client required fields: device.deviceId and device.InstallToken.
  Applicable connectors: SonicWall Capture Client

Restart Machine
  Requirement: SonicWall Capture Client required fields: device.deviceId and device.InstallToken.
  Applicable connectors: SonicWall Capture Client

Shut Down (Shutdown Host)
  Requirement:
    • SonicWall Capture Client required fields: device.deviceId and device.InstallToken
    • Cynet required fields: any value other than an IP address in at least one of hostip_host, srcip_host, computer_name or host.name
  Applicable connectors: SonicWall Capture Client, Cynet

Remediate Email
  Requirement: Barracuda Email Security Service required fields: barracuda.account_id, barracuda.subject, barracuda.env_from and barracuda.hdr_from.
  Applicable connectors: Barracuda Email Security

Webhook
  Requirement: N/A
  Applicable connectors: Universal Webhook Responder, ESET Responders
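The requirements above are preconditions on Interflow fields, and it is worth checking them before relying on a record in an Automated Threat Hunting playbook. The following Python is an added example, not Stellar Cyber's own code: it evaluates the Block IP, Disable User, Contain Host and SentinelOne threat-action rules against a constructed record. The dotted field names are the ones the page lists; the nested-dict record layout, the set of configured connectors passed in, the function names, and the host_os parameter (the page names the OS condition but not a field for it) are assumptions of this example.

```python
"""Check which response actions the requirements table would allow for an
Interflow record.  Added example, not Stellar Cyber code; record layout,
configured-connector set and host_os parameter are assumptions."""
import ipaddress
from typing import Any, Iterable, Optional

# Connectors the "Block IP / Block on Firewall" entry lists as applicable.
FIREWALL_CONNECTORS = {
    "AWS", "Barracuda Firewall", "Check Point", "Cisco FMC", "Cisco Meraki",
    "F5 BIG-IP ASM", "F5 BIG-IP Firewall", "F5 Silverline", "Fortigate",
    "HanDreamnet Security Switch", "Hillstone", "Palo Alto Networks Firewall",
    "Palo Alto Networks Panorama", "SonicWall Firewall", "Sophos XG Firewall",
}
SENTINELONE_SOURCES = {"SentinelOne_endpoint", "SentinelOne"}


def field(record: dict, path: str) -> Any:
    """Resolve a dotted Interflow path; None if any segment is missing or null."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or cur.get(key) in (None, ""):
            return None
        cur = cur[key]
    return cur


def present(record: dict, *paths: str) -> bool:
    """True when every listed field is present and non-null."""
    return all(field(record, p) is not None for p in paths)


def any_present(record: dict, *paths: str) -> bool:
    """True when at least one listed field is present and non-null."""
    return any(field(record, p) is not None for p in paths)


def is_ip(value: Any) -> bool:
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def block_ip_available(record: dict, configured: Iterable[str]) -> bool:
    """Block IP: a firewall/security-switch connector plus dstip or srcip."""
    return bool(FIREWALL_CONNECTORS & set(configured)) and any_present(record, "dstip", "srcip")


def disable_user_available(record: dict, configured: Iterable[str]) -> bool:
    """Disable User: Active Directory or Entra ID connector plus userPrincipalName."""
    idp = {"Active Directory", "Microsoft Entra ID"} & set(configured)
    return bool(idp) and present(record, "userPrincipalName")


# Contain Host (Isolate Endpoint): required data differs per connector.
CONTAIN_HOST_RULES = {
    "Bitdefender": lambda r: any_present(r, "bitdefender.computer_id", "bitdefender.endpointId"),
    "CrowdStrike": lambda r: any_present(r, "dstip", "srcip", "hostip"),
    "Cybereason": lambda r: present(r, "cybereason.plyumId"),  # field name as printed on the page
    "BlackBerry Cylance": lambda r: present(r, "device.deviceID")
        or (present(r, "cylance") and any_present(r, "cylance.device_id", "srcmac", "dstmac", "host.mac")),
    # Cynet: at least one host-name field holding something other than an IP address.
    "Cynet": lambda r: any(
        field(r, p) is not None and not is_ip(field(r, p))
        for p in ("hostip_host", "srcip_host", "computer_name", "host.name")),
    "Microsoft Defender for Endpoint": lambda r: present(r, "microsoft_defender.id", "microsoft_defender.machineId"),
    "SentinelOne": lambda r: present(r, "agentRealtimeInfo.agentId"),  # page prints the prefix in two capitalisations
    "Sophos Central": lambda r: present(r, "sophos.hostip_assetid"),
}


def contain_host_connectors(record: dict, configured: Iterable[str]) -> list:
    """Configured connectors whose Contain Host data requirement this record meets."""
    active = set(configured)
    return sorted(c for c, rule in CONTAIN_HOST_RULES.items() if c in active and rule(record))


def sentinelone_threat_actions(record: dict, host_os: Optional[str] = None) -> set:
    """Kill/Quarantine Threat need a SentinelOne msg_origin.source and threatInfo.threatId;
    Remediate Threat also needs detectionType == dynamic on a Mac OS or Windows host
    (otherwise the page says a Quarantine is performed instead)."""
    if field(record, "msg_origin.source") not in SENTINELONE_SOURCES:
        return set()
    if not present(record, "threatInfo.threatId"):
        return set()
    actions = {"Kill Threat", "Quarantine Threat"}
    if field(record, "threatInfo.detectionType") == "dynamic" and host_os in ("Mac OS", "Windows"):
        actions.add("Remediate Threat")
    return actions


if __name__ == "__main__":
    # Constructed sample record and connector set, not data from the page.
    rec = {"srcip": "10.0.0.5", "hostip_host": "10.0.0.5", "computer_name": "wks-01",
           "userPrincipalName": "alice@example.com",
           "msg_origin": {"source": "SentinelOne"},
           "threatInfo": {"threatId": "t-1", "detectionType": "dynamic"}}
    cfg = {"CrowdStrike", "Fortigate", "Active Directory", "Cynet", "SentinelOne"}
    print("Block IP:", block_ip_available(rec, cfg))
    print("Contain Host via:", contain_host_connectors(rec, cfg))
    print("SentinelOne actions:", sorted(sentinelone_threat_actions(rec, "Windows")))
```

A record that only carries an IP address in hostip_host fails the Cynet rule, which is the edge the page calls out: Cynet needs a non-IP host name in one of its four fields.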