Connector Types & Functions
Stellar Cyber supports parsing of log data forwarded to sensors, however you can also use API connections to pull data from SaaS and cloud-based applications. API connectors are also used to push changes such as blocking on a firewall or disabling users. API connectors are developed per request and are released with new versions of Stellar Cyber.
For guidance creating or managing the connectors, refer to: Working with the Connectors Table.
All Connectors
Following are the available connectors in Stellar Cyber. Click a connector name to learn how to add and configure that type of connector. Additional details are available on the connectors indicated to support Third Party Native Alert Integration.
Connector |
|
Collect |
Respond |
Indices |
Runs On |
Interval* |
External Actions |
HTTP Proxy supported |
|
---|---|---|---|---|---|---|---|---|---|
Cloud Security |
|
|
|
|
|
|
|
|
|
Prisma Cloud |
|
|
Linux Syslog |
DP |
Configurable |
|
|
||
Symantec Cloud Workload Protection
|
|
|
|
|
Syslog |
DP |
Configurable |
|
|
Database |
|
|
|
|
|
|
|
|
|
Microsoft SQL Server (Klassify) |
|
|
Syslog | Sensor |
Configurable |
|
|
||
|
|
|
Syslog | DP |
Configurable |
|
|
||
|
|
|
|
|
|
|
|
|
|
Barracuda Email Security |
|
|
Syslog | DP |
N/A |
|
|
||
Mimecast |
|
|
Syslog | DP |
5 minutes |
|
|
||
Proofpoint on Demand |
|
|
Syslog | DP |
Every hour |
|
|
||
Proofpoint Targeted Attack Protection |
|
|
Syslog | DP |
Configurable |
|
|
||
|
|
|
|
|
Syslog |
DP |
Configurable |
|
|
Endpoint Security |
|
|
|
|
|
|
|
|
|
Acronis Cyber Protect Cloud |
|
|
Syslog | DP |
Configurable |
|
|
||
Akamai |
|
|
Syslog | DP |
Configurable |
|
|||
Bitdefender |
|
|
Syslog | DP |
N/A |
|
|
||
BlackBerry Cylance |
|
|
Syslog | DP |
N/A |
Available on request via Universal Webhook Responder:
|
|
||
|
|
|
|
Syslog Assets |
DP |
Configurable |
|
|
|
Cisco AMP |
|
|
Syslog |
DP |
Configurable |
|
|||
4.3.0-4.3.4 CrowdStrike (Hosts) CrowdStrike (Events)4.3.5+ CrowdStrike (Hosts/Events) |
|
|
Syslog Assets |
DP |
Configurable |
|
|
||
Cybereason |
|
|
Syslog |
DP |
Configurable |
|
|
||
Cynet |
|
|
Syslog |
DP | N/A |
|
|
||
Deep Instinct |
|
|
|
|
Syslog |
DP |
Configurable |
|
|
Forescout |
|
|
Syslog | DP or Sensor | N/A |
|
|
||
HIBUN |
|
|
Syslog | DP | Configurable |
|
|
||
Huntress |
|
|
Syslog | DP | Configurable |
|
|
||
Jamf Protect |
|
|
Syslog | DP |
Configurable |
|
|
||
LimaCharlie |
|
|
Syslog | DP | Configurable |
|
|
||
Microsoft Defender for Endpoint |
|
|
|
Syslog | DP |
Configurable |
|
|
|
Palo Alto Networks CORTEX XDR |
|
|
Syslog | DP | N/A |
|
|
||
SentinelOne |
|
|
Syslog Assets Linux |
DP |
Configurable |
|
|
||
SonicWall Capture Client |
|
|
Syslog Scans Assets Linux |
DP |
Configurable |
|
|
||
Sophos Central |
|
|
Syslog | DP | Configurable |
|
|
||
Trellix (FireEye) Endpoint Security HX |
|
|
|
|
Syslog Assets Alert |
DP |
Configurable |
|
|
Trellix MVISION Endpoint Security |
|
|
Syslog | DP | Configurable |
|
|||
Trend Micro Apex Central |
|
|
Syslog | DP | Configurable |
|
|||
Trend Micro Cloud One Workload Security |
|
|
Syslog | DP | Configurable | ||||
Trend Micro Vision One |
|
|
Syslog | DP | Configurable | ||||
VMware Carbon Black Cloud |
|
|
|
Syslog | DP | Configurable | |||
VMware Workspace ONE |
|
|
Syslog | DP | Configurable | ||||
|
|
|
Syslog | DP | Configurable | ||||
Firewall |
|
|
|
|
|
|
|
|
|
AWS |
|
|
|
N/A |
DP | N/A |
|
|
|
Barracuda Firewall |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
Check Point |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
Cisco FMC |
|
|
|
N/A | DP | N/A |
|
|
|
Cisco Meraki Firewall |
|
|
|
N/A | DP | N/A |
|
|
|
F5 BIG-IP ASM |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
F5 BIG-IP Firewall |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
F5 Silverline |
|
|
|
N/A | DP | N/A |
|
|
|
Fortigate |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
Hillstone |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
Palo Alto Networks Firewall |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
SonicWall Firewall |
|
|
|
N/A | DP or Sensor | N/A |
|
|
|
|
|
N/A | DP or Sensor | N/A |
|
|
|||
Honeypot |
|
|
|
|
|
|
|
|
|
|
|
|
Syslog |
DP | Configurable |
|
|||
IdP |
|
|
|
|
|
|
|
|
|
Active Directory |
|
|
Windows |
DP (respond) |
Configurable |
|
|
||
Duo Security |
|
|
Syslog | DP | Configurable |
|
|
||
JumpCloud |
|
|
Syslog | DP | Configurable |
|
|
||
OKTA |
|
|
Syslog | DP | Configurable |
|
|
||
|
|
|
|
|
Syslog Traffic |
DP |
Configurable |
|
|
PaaS |
|
|
|
|
|
|
|
|
|
AWS CloudTrail |
|
|
AWS Traffic |
DP |
5 minutes |
|
|||
AWS CloudWatch |
|
|
|
Syslog |
DP |
Configurable |
|
||
AWS GuardDuty |
|
|
|
Syslog |
DP |
Configurable |
|
|
|
Azure Event Hub |
|
|
Syslog | DP |
|
|
|||
Generic S3 |
|
|
Syslog | DP |
5 minutes |
|
|
||
Google Cloud Audit Logging |
|
|
|
|
Syslog |
DP |
Configurable |
|
|
Oracle Cloud Infrastructure (OCI)
|
|
|
|
|
Syslog |
DP |
Configurable |
|
|
Remote Host |
|
|
|
|
|
|
|
|
|
|
|
|
N/A | N/A |
N/A |
|
|
||
SaaS |
|
|
|
|
|
|
|
|
|
Box |
|
|
Syslog | DP | Configurable |
|
|
||
Google Workspace |
|
|
Linux Cloudtrail |
DP | Configurable |
|
|
||
Microsoft Defender for Cloud Apps |
|
|
Windows | DP | Configurable |
|
|
||
Microsoft Entra ID (formerly Azure Active Directory) |
|
|
Windows | DP | Configurable |
|
|
||
Office 365 |
|
|
Windows | DP | Configurable |
|
|
||
|
|
|
Syslog | DP | Configurable |
|
|
||
SASE |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DP |
Configurable |
|
|
Security Switch |
|
|
|
|
|
|
|
|
|
|
|
|
Syslog | DP or Sensor |
5 minutes |
|
|
||
Vulnerability Scanner |
|
|
|
|
|
|
|
|
|
CyberCNS |
|
|
Scans | DP | Configurable |
|
|
||
Nessus Scanner |
|
|
|
Scans | Sensor | Configurable |
|
|
|
Qualys |
|
|
Syslog
Scans |
DP | Configurable |
|
|
||
Rapid7 |
|
|
|
Scans | Sensor | Configurable |
|
|
|
Tenable.io |
|
|
|
Scans | DP | Configurable |
|
|
|
|
|
|
|
Scans | Sensor | Configurable |
|
|
|
Web Security |
|
|
|
|
|
|
Configurable |
|
|
Amazon Security Lake |
|
|
Syslog |
DP | N/A |
|
|||
Broadcom (Blue Coat / Symantec) WSS |
|
|
|
Syslog | DP |
5 minutes |
|
|
|
Cisco Umbrella |
|
|
|
Syslog | DP | Configurable |
|
|
|
Cloudflare |
|
|
|
|
Syslog |
DP |
Configurable |
|
|
Imperva Incapsula |
|
|
Syslog |
DP | Configurable |
|
|||
Indusface |
|
|
Syslog |
DP | Configurable |
|
|||
LastPass |
|
|
Syslog |
DP | Configurable |
|
|||
|
|
|
Syslog | DP | Configurable |
|
|
||
Webhook |
|
|
|
|
|
|
Configurable |
|
|
Custom (Universal Webhook Responder) |
|
|
N/A | DP or Sensor |
N/A |
|
|
* Interval is applicable only to connectors configured to Collect.
Connectors by Response Actions
The information below summarizes possible connector response actions and requirements. These actions can be performed from Event Details or by configuring Automated Threat Hunting.
The following table indicates which connector respond actions are applicable for each external action, along with the requirements to enable that action. Specifically, certain connectors must be configured and the indicated fields in the Interflow must contain non-null, valid data.
External Action |
Connector and Data Requirement* |
Applicable Connectors |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Block IP / Block on Firewall |
At least one firewall or security switch connector is configured and
|
AWS, Barracuda Firewall, Check Point, Cisco FMC, Cisco Meraki, F5 BIG-IP ASM, F5 BIG-IP Firewall, F5 Silverline, Fortigate, HanDreamnet Security Switch, Hillstone, Palo Alto Networks Firewall, Palo Alto Networks Panorama, SonicWall Firewall, Sophos XG Firewall | ||||||||||||
Disable User |
Active Directory or Microsoft Entra ID (formerly Azure AD) connector |
Active Directory, Microsoft Entra ID (formerly Azure Active Directory) |
||||||||||||
Confirm Compromised |
Microsoft Entra ID (formerly Azure AD) connector
|
|||||||||||||
Dismiss Risk |
Microsoft Entra ID (formerly Azure AD) connector
|
|||||||||||||
Run a Script | Always available | SSH Host | ||||||||||||
Contain Host (Isolate Endpoint) |
One of the following connectors is configured. The required data varies based on connector to be used for response.
|
Bitdefender, CrowdStrike, Cybereason, Deep Instinct, BlackBerry Cylance, Cynet, Microsoft Defender for Endpoint, SentinelOne, Sophos Central, VMware Carbon Black |
||||||||||||
Hide Host |
CrowdStrike |
CrowdStrike | ||||||||||||
Forescout |
||||||||||||||
Initiate Scan |
|
|||||||||||||
SentinelOne |
||||||||||||||
SentinelOne |
||||||||||||||
Remediate Threat |
SentinelOne |
|||||||||||||
Disconnect Host |
SonicWall Capture Client |
SonicWall Capture Client | ||||||||||||
SonicWall Capture Client |
||||||||||||||
SonicWall Capture Client Cynet |
||||||||||||||
Barracuda Email Security Service |
||||||||||||||
N/A |