Connectors and Integrations Summary

The table below summarizes Stellar Cyber connectors and third party alert integrations and correlates them to assets.

Definitions

The definitions in the table are as follows:

  • Connector—A method of collecting information and compiling it into Interflow records that are indexed and stored in the Data Lake. Stellar Cyber develops connectors based on the access methods provided for each external data source, typically an API. These processes run on the Data Processor (DP) to fetch information actively on a scheduled basis. Connectors collect data from external sources and can also respond to actions such as blocking on a firewall or disabling users. The connection to a data source can be configured in Stellar Cyber. For all connectors, see Connector Types & Functions.

  • Collect—A function of a connector that collects data from external data sources and adds it to the Data Lake.

  • Respond—A function of a connector that takes actions on external data sources in response to detected security events.

  • Third party alert integration—The process of ingesting, normalizing, and enriching alerts that are natively created by third party services. These alerts are then mapped to the Stellar Cyber XDR Kill Chain and added to the Alert index. The integration allows for the correlation of third-party native alerts with Stellar Cyber's built-in alerts, leveraging Machine Learning (ML) and Security Analytics (SA) to enhance the alert data. This process includes deduplication to reduce noise. For all third party alert integrations, see Integration of Third Party Native Alerts.

  • Detections—The identification of potential threats or risky behavior using various techniques such as Machine Learning (ML) and Security Analytics (SA), as well as rules, and third party alert integration. Detections can be based on known bad behaviors, anomalies, or suspicious activities identified through different methods. These detections generate alerts which are then correlated into cases for further investigation.

  • Asset Discovery—The process of identifying assets and tracking assets within a network from observed data using a passive discovery service. This service can discover assets via data collected from various sources such as endpoint data sources (for example, EDR or Directory Services), cloud audit logs, traffic-related sources (for example, firewalls), Stellar Cyber server sensors (Linux and Windows), Stellar Cyber modular sensors, and other log sources or connectors. The discovered assets can include both IP and MAC addresses, which are associated with hosts. This process happens in real time as new data comes into the system, and the unique assets are counted daily. The discovered data is then used to analyze the behavior of these assets to detect security events.

Legend

The columns in the table are as follows:

  • Connector Name—The name of the connector, in alphabetical order, and a link to its document

  • Connector Category—The category to which the connector belongs

  • Integration Function—The function of the integration:

    • Collect—only collect

    • Respond—only respond

    • Collect, Respond—both collect and respond

    • Third party—third party alert integration

  • Third Party Alert Integration Name—The name of the third party alert integration and a link to the document

  • Third Party Based On—What the third party alert integration is based on:

    • connector, and if there is a specific content type that needs to be configured, as well as the msg_class

    • parser, and if there is a specific format, such as CEF

    • Windows agent

  • Detections—What to enter in the Stellar Cyber Detections & Response page (https://detections.stellarcyber.ai/v/6.1.0) in the Select Applications field to produce a list of built-in detections and third party alert integrations supported for a data source

  • Asset Discovery—Whether the data source sends assets to the Assets index

Connectors and Integrations Table

| Connector Name | Connector Category | Integration Function | Third Party Alert Integration Name | Third Party Based On | Detections (Select Applications) | Asset Discovery |
|---|---|---|---|---|---|---|
| 1Password | Password Management | Collect | | | 1Password | |
| Abnormal Security Email Security | Email | Collect, Third party | Abnormal Security Email Security: Integration of Third Party Native Alerts | Connector, Content Type: Threats, msg_class: abnormal_security_email_security_threat | Abnormal Security | |
| Acronis Cyber Protect Cloud | Endpoint Security | Collect, Third party | Acronis: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: acronis_cyber_protect_alert | Acronis Cyber Protect | Yes, Content Type: Agents |
| Active Directory | IdP | Collect, Respond | | | Active Directory | Yes, Content Type: Computers |
| Akamai | Endpoint Security | Collect | | | | Yes, Content Type: Connectors |
| Amazon Security Lake | Web Security | Collect | | | Amazon Security Lake | |
| Armis | Endpoint Security | Collect, Third party | Armis: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: armis_alerts | Armis | Yes, Content Type: Devices |
| Aruba Central | Network Management | Collect | | | | |
| Automox | IT Management | Collect | | | | Yes, Content Type: Devices |
| Avanan | | Third party | Avanan: Integration of Third Party Native Alerts | Parser (HTTP JSON format), Content Type: N/A, msg_class: avanan | Avanan | |
| AWS CloudTrail | PaaS | Collect | | | AWS Cloudtrail | |
| AWS CloudWatch | PaaS | Collect | | | AWS Cloudwatch | |
| AWS Firewall | Firewall | Respond | | | | |
| AWS GuardDuty | PaaS | Collect, Third party | AWS GuardDuty: Integration of Third Party Native Alerts | Connector, Content Type: N/A, msg_class: aws_guardduty_finding | AWS GuardDuty | |
| AWS Inspector | Vulnerability Scanner | Collect | | | | |
| Azure Event Hub | PaaS | Collect, Third party | Microsoft Defender for Cloud: Integration of Third Party Native Alerts and Microsoft Sentinel: Integration of Third Party Native Alerts | Connector, Content Type: Microsoft Defender for Cloud, msg_class: microsoft_defender_cloud and Content Type: Microsoft Sentinel, msg_class: microsoft_sentinel | Azure Event Hub, Microsoft Defender for Cloud Apps, Microsoft Sentinel | |
| Azure NSG | Firewall | Respond | | | | |
| Barracuda Email | Email | Respond | | | Barracuda Email | |
| Barracuda Firewall | Firewall | Respond | | | Barracuda Firewall Logs | |
| Barracuda WAF | Web Security | Collect | | | Barracuda WAF | |
| BeyondTrust | Privileged Access Management | Collect | | | | |
| Bitdefender | Endpoint Security | Respond, Third party | Bitdefender: Integration of Third Party Native Alerts | Parser (Syslog JSON format), Content Type: N/A, msg_class: several | BitDefender | |
| Blackberry Cylance | Endpoint Security | Respond (templates in Universal Webhook Responder), Third party | Blackberry CylancePROTECT and CylanceOPTICS: Integration of Third Party Native Alerts | Cylance logs, Content Type: N/A, msg_class: cylance_protect_alert | Cylance Optics, Cylance Protect | |
| Box | SaaS | Collect | | | | |
| Broadcom Symantec Endpoint Security (SES) | Endpoint Security | Collect, Third party | Broadcom SES: Integration of Third Party Native Alerts | Connector, Content Type: Incidents, msg_class: broadcom_ses_incidents | | Yes, Content Type: Devices |
| Broadcom (Symantec) Cloud Workload Protection | Cloud Security | Collect | | | | |
| Broadcom (Symantec) Email Security.cloud | Email | Collect | | | | |
| Broadcom (Blue Coat / Symantec) WSS | Web Security | Collect | | | Symantec Web Security | |
| Cato Networks | SASE | Collect | | | Cato Networks | |
| Check Point | Firewall | Respond | | | Checkpoint Firewall | |
| Cisco AMP | Endpoint Security | Collect | | | | Yes, Content Type: Computers |
| Cisco FMC | Firewall | Respond | | | Cisco Firepower (FW class) | |
| Cisco Meraki Firewall | Firewall | Respond | | | Meraki | |
| Cisco Umbrella | DNS Security | Collect | | | Cisco Umbrella | |
| Cloudflare | Web Security | Collect | | | | |
| CODA Footprint | Vulnerability Scanner | Collect | | | | Yes, Content Type: Device |
| Coro | Endpoint Security | Collect | | | | |
| CrowdStrike FDR | Endpoint Security | Collect | | | | |
| CrowdStrike Streaming | Endpoint Security | Collect, Respond, Third party | CrowdStrike (Hosts/Events): Integration of Third Party Native Alerts | Connector, Content Type: Detection Summary Event, msg_class: crowdstrike_detection_summary | Crowdstrike (Endpoint) | Yes, Content Type: Host |
| CyberArk EPM | Endpoint Security | Collect | | | | |
| CyberCNS | Vulnerability Scanner | Collect | | | CyberCNS | |
| Cybereason | Endpoint Security | Collect, Respond, Third party | Cybereason: Integration of Third Party Native Alerts | Connector, Content Type: MalOp, msg_class: cybereason_malops_all_types | Cybereason (EDR) | Yes, Content Type: Sensor |
| Cynet | Endpoint Security | Collect, Respond, Third party | Cynet: Integration of Third Party Native Alerts | Parser (CEF format), Content Type: N/A, msg_class: cynet_alert | Cynet | Yes, Content Type: Hosts |
| CYRISMA | Vulnerability Scanner | Collect | | | | Yes, Content Type: Host |
| Deep Instinct | Endpoint Security | Collect, Respond, Third party | Deep Instinct: Integration of Third Party Native Alerts | Connector, Content Type: Events, msg_class: deep_instinct_maliciousevent | Deep Instinct | Yes, Content Type: Devices |
| Duo Security | IdP | Collect | | | | |
| ESET | Webhook | Respond (templates in Universal Webhook Responder), Third party | ESET Protect: Integration of Third Party Native Alerts | Parser (Syslog JSON format), Content Type: N/A, msg_class: eset_protect | ESET PROTECT | |
| ESET Cloud Office Security (ECOS) | | Third party | ESET Cloud Office Security: Integration of Third Party Native Alerts | Parser (Syslog format), Content Type: N/A, msg_class: eset_cos_googledrive, eset_cos_gmail, eset_cos_team, eset_cos_exchange, eset_cos_sharepoint, or eset_cos_onedrive | | |
| ExtraHop Reveal(x) 360 | NDR | Collect | | | ExtraHop Reveal(x) 360 | Yes, Content Type: Devices |
| F5 BIG-IP ASM | Firewall | Respond | | | | |
| F5 BIG-IP Firewall | Firewall | Respond | | | F5 Big IP | |
| F5 Silverline | Firewall | Respond | | | F5 Silverline | |
| Forescout | Endpoint Security | Respond | | | ForeScout | |
| FortiEDR | Endpoint Security | Collect | | | Fortinet FortiEDR | |
| Fortigate | Firewall | Respond | | | Fortinet FortiGate (FW class) | |
| Fortinet Lacework via Generic S3 | cloudsec | Third party | Fortinet Lacework: Integration of Third Party Native Alerts | Generic S3 Connector, Content Type: Alert, msg_class: generic_s3_fortinet_lacework_alert_details | Generic S3 | |
| Fortra Frontline | Vulnerability Scanner | Collect | | | | |
| Generic S3 | PaaS | Collect | | | Generic S3 | |
| Google Cloud Audit Logging | PaaS | Collect | | | Google Cloud Audit Logging | |
| Google Cloud Security Command Center | SaaS | Collect | | | | |
| Google Workspace | SaaS | Collect, Third party | Google Workspace: Integration of Third Party Native Alerts | Connector, Content Type: Alert, msg_class: gsuite_alert | G-Suite | |
| Group-IB | Endpoint Security | Collect | | | | Yes, Content Type: Assets |
| HanDreamNet (HDN) | Security Switch | Respond | | | | |
| HIBUN | Endpoint Security | Collect | | | Hibun | |
| Hillstone | Firewall | Respond | | | Hillstone (FW class) | |
| Hoxhunt | Email | Collect | | | | |
| Huntress | Endpoint Security | Collect, Third party | Huntress: Integration of Third Party Native Alerts | Connector, Content Type: Incident Reports, msg_class: huntress_incident_report | Huntress | Yes, Content Type: Agents |
| HYAS Protect | DNS Security | Collect, Third party | HYAS Protect: Integration of Third Party Native Alerts | Connector, Content Type: DNS Log Reports, msg_class: hyas_protect_dns_log_report | HYAS Protect | Yes, Content Type: Agents |
| Imperva Incapsula | Web Security | Collect | | | Imperva Incapsula | Yes, Content Type: Logs |
| Indusface | Web Security | Collect | | | Indusface | |
| Jamf Protect | Endpoint Security | Collect | | | Jamf Protect | Yes, Content Types: Alerts and Computers |
| JumpCloud | IdP | Collect | | | | |
| Juniper Mist | NDR | Collect | | | | |
| LastPass | Password Management | Collect | | | LastPass | |
| LimaCharlie | Endpoint Security | Collect, Third party | LimaCharlie: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: limacharlie_alert | LimaCharlie | Yes, Content Type: Sensors |
| Mailprotector | Email | Collect | | | | |
| Microsoft Defender for Cloud Apps | SaaS | Collect, Third party | Microsoft Defender for Cloud Apps: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: microsoft_defender_for_cloud_apps_alerts | Microsoft Defender for Cloud Apps | |
| Microsoft Defender for Endpoint | Endpoint Security | Collect, Respond, Third party | Microsoft Defender for Endpoint: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: microsoft_defender_alerts | Microsoft Defender | Yes, Content Type: Host |
| Microsoft Entra ID | SaaS | Collect, Respond, Third party | Microsoft Entra ID: Integration of Third Party Native Alerts | Connector, Content Type: Risk Detection Collection, msg_class: azure_ad_risk_detection | Azure AD | |
| Microsoft Graph Intune | Endpoint Security | Collect | | | | |
| Microsoft Graph Security API | Extended Detection & Response | Collect, Third party | Microsoft Defender XDR: Integration of Third Party Native Alerts | Connector, Content Type: Alert, msg_class: microsoft_graph_defender_xdr_alert | | |
| Microsoft SQL Server | Database | Collect | | | | Yes, Content Type: Client agent status Logs (Klassify) |
| Mimecast API 1.0 | Email | Collect, Third party | Mimecast: Integration of Third Party Native Alerts | Connector, Content Type: MTA Log, msg_class: several | Mimecast | |
| Mimecast API 2.0 | Email | Collect, Third party | Mimecast: Integration of Third Party Native Alerts | Connector, Content Type: MTA Log, msg_class: several | Mimecast | |
| MySQL | Database | Collect | | | | |
| NetFoundry | SASE | Collect | | | | |
| Nessus | Vulnerability Scanner | Collect | | | | Yes |
| Netskope | Web Security | Collect, Third party | Netskope: Integration of Third Party Native Alerts | Connector, Content Type: Alert, msg_class: netskopewsg_alert | Netskope WSG | |
| NodeZero | Penetration Testing | Collect | | | | Yes, Content Type: Hosts |
| Office 365 | SaaS | Collect, Third party | Office 365: Integration of Third Party Native Alerts | Connector, Content Type: Audit General, msg_class: office365_audit_general | Office365 | |
| Office 365 Reporting Web Service | SaaS | Collect | | | | |
| Okta | IdP | Collect | | | Okta | |
| OneLogin | IdP | Collect | | | OneLogin | |
| Oracle Cloud Infrastructure (OCI) Streaming | PaaS | Collect, Third party | Oracle Cloud Infrastructure (OCI) CloudGuard: Integration of Third Party Native Alerts | Connector, Content Type: N/A, msg_class: oracle_cloud_guard | OCI Logs | |
| Palo Alto Networks CORTEX XDR | Endpoint Security | Collect, Respond, Third party | Palo Alto Networks CORTEX XDR: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: palo_alto_networks_cortex_xdr_alerts | Palo Alto Networks CORTEX | Yes, Content Type: Endpoints |
| Palo Alto Networks Firewall | Firewall | Respond | | | Palo Alto Networks Firewall | |
| Palo Alto Networks Panorama | Firewall | Respond | | | Palo Alto Panorama (FW class) | |
| Prisma Cloud | Cloud Security | Collect | | | Palo Alto Networks Prisma Cloud (Compute Edition) | |
| Proofpoint on Demand | Email | Collect | | | Proofpoint | |
| Proofpoint TAP | Email | Collect, Third party | Proofpoint Targeted Attack Protection (TAP): Integration of Native Third Party Alerts | Connector, Content Type: Events, msg_class: proofpoint_tap_event | Proofpoint Targeted Attack Protection | |
| Qualys | Vulnerability Scanner | Collect | | | | Yes, Content Type: Hosts |
| Qualys FIM | Vulnerability Scanner | Collect | | | | Yes, Content Type: Asset |
| Rapid7 | Vulnerability Scanner | Collect | | | Rapid7 | Yes |
| Recorded Future | Cloud Security | Collect, Third party | Recorded Future: Integration of Third Party Native Alerts | Connector, Content Type: Alert and Playbook Alert, msg_class: recorded_future_alert and recorded_future_playbook_alert | | |
| Remote SSH Host | Remote Host | Respond | | | | |
| Salesforce | SaaS | Collect | | | Salesforce | |
| SentinelOne | Endpoint Security | Collect, Respond, Third party | SentinelOne Cloud: Integration of Third Party Native Alerts | Connector, Content Type: Threat, msg_class: sentinelone_threat_detection | SentinelOne | Yes, Content Type: Host |
| SOCRadar | Endpoint Security | Collect | | | | |
| SonicWall Capture Client | Endpoint Security | Collect, Respond | | | | Yes, Content Type: Host |
| SonicWall Firewall | Firewall | Respond | | | SonicWall (FW class) | |
| Sophos Central | Endpoint Security | Collect, Respond, Third party | Sophos Central: Integration of Third Party Native Alerts | Connector, Content Type: Alerts and Events, msg_class: sophos_alerts and sophos_events | Sophos Endpoint | Yes, Content Types: Alerts and Events |
| Sophos XG | Firewall | Respond | | | Sophos XG Firewall | |
| Stormshield Network Security (SNS) Firewall | Firewall | Respond | | | Stormshield Net Security Firewall (FW class) | |
| Sucuri Security | Web Security | Collect | | | | |
| Tenable Cloud Security | Cloud Security | Collect | | | | |
| Tenable.io | Vulnerability Scanner | Collect | | | | Yes, Content Type: Vulnerabilities |
| Tenable.sc | Vulnerability Scanner | Collect | | | | Yes, Content Type: Vulnerabilities |
| Thinkst Canary | Honeypot | Collect | | | Thinkst Canary | Yes, Content Type: Devices |
| ThreatDown OneView (formerly Malwarebytes OneView) | Endpoint Security | Collect | | | | Yes, Content Type: Endpoints |
| Trellix (FireEye) Endpoint Security HX | Endpoint Security | Collect, Third party | Trellix (FireEye) Endpoint Security: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: fireeye_alerts | FireEye HX | Yes, Content Type: Hosts |
| Trellix MVISION | Endpoint Security | Collect, Third party | Trellix MVISION: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: trellix_mvision_edr_alerts | Trellix MVISION | Yes, Content Type: Devices |
| Trend Micro Apex Central | Endpoint Security | Collect | | | Trend Micro - Apex Central | Yes, Content Types: Agents and Servers |
| Trend Micro Cloud App Security | Cloud Security | Collect | | | | |
| Trend Micro Cloud One Workload Security | Endpoint Security | Collect | | | | Yes, Content Type: Computers |
| Trend Micro Email Security | Email | Collect | | | | |
| Trend Micro Vision One | Endpoint Security | Collect, Third party | Trend Micro Vision One: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: trendmicro_visionone_alerts | Trend Micro Vision One | |
| Universal Webhook | Webhook | Respond (Custom) | | | | |
| VadeSecure | Email | Collect | | | | |
| Varonis DatAdvantage | | Third party | Varonis DatAdvantage: Integration of Third Party Native Alerts | Parser (CEF format), Content Type: N/A, msg_class: varonis_datadvantage_file_system_operation or varonis_datadvantage_directory_services_operation | Varonis-Datadvantage | |
| Verkada | Internet of Things Security | Collect | | | | |
| Versa Networks Concerto | SASE | Collect | | | Versa Networks SASE | |
| Versa Networks Firewall | Firewall | Respond | | | Versa Networks Firewall | |
| VMware Carbon Black Cloud | Endpoint Security | Collect, Respond, Third party | VMware Carbon Black Cloud: Integration of Third Party Native Alerts | Connector, Content Type: Alert, msg_class: carbonblack_alert | Carbon Black | Yes, Content Type: Alert |
| VMware Workspace ONE | Endpoint Security | Collect | | | VMware Workspace One | |
| WatchGuard Firebox | Webhook | Respond (templates in Universal Webhook Responder) | | | | |
| Webroot | Endpoint Security | Collect | | | Webroot | Yes, Content Type: Endpoints |
| Windows Defender Antivirus | | Third party | Windows Defender Antivirus: Integration of Third Party Native Alerts | Windows agent, Content Type: N/A, msg_class: Microsoft-Windows-Windows Defender | Windows Agent | |
| WithSecure Elements | Endpoint Security, Webhook | Collect, Respond (templates in Universal Webhook Responder) | | | | Yes, Content Type: Devices |