Connectors and Integrations Summary
The table below summarizes Stellar Cyber connectors and third party alert integrations and correlates them to assets.
Definitions
The definitions in the table are as follows:
- Connector—A method of collecting information and compiling it into Interflow records that are indexed and stored in the Data Lake. Stellar Cyber develops connectors based on the access methods provided for each external data source, typically an API. These processes run on the Data Processor (DP) to fetch information actively on a scheduled basis. Connectors collect data from external sources and can also respond with actions such as blocking on a firewall or disabling users. The connection to a data source is configured in Stellar Cyber. For all connectors, see Connector Types & Functions.
- Collect—A function of a connector that collects data from external data sources and adds it to the Data Lake.
- Respond—A function of a connector that takes actions on external data sources in response to detected security events.
- Third party alert integration—The process of ingesting, normalizing, and enriching alerts that are natively created by third party services. These alerts are then mapped to the Stellar Cyber XDR Kill Chain and added to the Alert index. The integration allows third-party native alerts to be correlated with Stellar Cyber's built-in alerts, using Machine Learning (ML) and Security Analytics (SA) to enrich the alert data. This process includes deduplication to reduce noise. For all third party alert integrations, see Integration of Third Party Native Alerts.
- Detections—The identification of potential threats or risky behavior using techniques such as Machine Learning (ML) and Security Analytics (SA), rules, and third party alert integration. Detections can be based on known bad behaviors, anomalies, or suspicious activities identified through different methods. These detections generate alerts, which are then correlated into cases for further investigation.
- Asset Discovery—The process of identifying and tracking assets within a network from observed data using a passive discovery service. This service can discover assets via data collected from various sources such as endpoint data sources (for example, EDR or Directory Services), cloud audit logs, traffic-related sources (for example, firewalls), Stellar Cyber server sensors (Linux and Windows), Stellar Cyber modular sensors, and other log sources or connectors. The discovered assets can include both IP and MAC addresses, which are associated with hosts. This process happens in real time as new data comes into the system, and the unique assets are counted daily. The discovered data is then used to analyze the behavior of these assets to detect security events.
Legend
The columns in the table are as follows:
- Connector Name—The name of the connector, in alphabetic order, with a link to its document
- Connector Category—The category to which the connector belongs
- Integration Function—The function of the integration:
  - Collect—only collect
  - Respond—only respond
  - Collect, Respond—both collect and respond
  - Third party—third party alert integration
- Third Party Alert Integration Name—The name of the third party alert integration, with a link to its document
- Third Party Based On—What the third party alert integration is based on:
  - connector, and if there is a specific content type that needs to be configured, as well as the msg_class
  - parser, and if there is a specific format, such as CEF
  - Windows agent
- Detections—What to enter in the Stellar Cyber Detections & Response page (https://detections.stellarcyber.ai/v5.3.0/) in the Select Applications field to produce a list of built-in detections and third party alert integrations supported for a data source
- Asset Discovery—Whether the data source sends assets to the Assets index
Connectors and Integrations Table
| Connector Name | Connector Category | Integration Function | Third Party Alert Integration Name | Third Party Based On | Detections (Select Applications) | Asset Discovery |
|---|---|---|---|---|---|---|
| 1Password | Password Management | Collect | | | 1Password | |
| Acronis Cyber Protect Cloud | Endpoint Security | Collect, Third party | | Connector, Content Type: Alerts, msg_class: | Acronis Cyber Protect | Yes, Content Type: Agents |
| Active Directory | IdP | Collect, Respond | | | Active Directory | Yes, Content Type: Computers |
| Akamai | Endpoint Security | Collect | | | | Yes, Content Type: Connectors |
| Amazon Security Lake | Web Security | Collect | | | Amazon Security Lake | |
| Armis | Endpoint Security | Collect | | | Armis | Yes, Content Type: Devices |
| Avanan | | Third party | | Parser (HTTP JSON format), Content Type: N/A, msg_class: | Avanan | |
| | PaaS | Collect | | | AWS Cloudtrail | |
| | PaaS | Collect | | | AWS Cloudwatch | |
| | Firewall | Respond | | | | |
| | PaaS | Collect, | AWS GuardDuty: Integration of Third Party Native Alerts | Connector, Content Type: N/A, msg_class: | AWS GuardDuty | |
| | PaaS | Collect, | Microsoft Defender for Cloud: Integration of Third Party Native Alerts and Microsoft Sentinel: Integration of Third Party Native Alerts | Connector, Content Type: Microsoft Defender for Cloud, msg_class: | Azure Event Hub | |
| | | Respond | | | Barracuda Email | |
| | Firewall | Respond | | | Barracuda Firewall Logs | |
| | Endpoint Security | Respond, | Bitdefender: Integration of Third Party Native Alerts | Parser (Syslog JSON format), Content Type: N/A, msg_class: several | BitDefender | |
| | Endpoint Security | Respond, | Blackberry CylancePROTECT and CylanceOPTICS: Integration of Third Party Native Alerts | Cylance logs, Content Type: N/A, msg_class: | Cylance Optics, Cylance Protect | |
| | SaaS | Collect | | | | |
| | Endpoint Security | Collect | | | | Yes, Content Type: Devices |
| | Cloud Security | Collect | | | | |
| | | Collect | | | | |
| | Web Security | Collect | | | | |
| | SASE | Collect | | | Cato Networks | |
| | Firewall | Respond | | | Checkpoint Firewall | |
| | Endpoint Security | Collect | | | | Yes, Content Type: Computers |
| | Firewall | Respond | | | Cisco Firepower (FW class) | |
| | Firewall | Respond | | | Meraki | |
| | DNS Security | Collect | | | Cisco Umbrella | |
| | Web Security | Collect | | | | |
| | Endpoint Security | Collect, | CrowdStrike (Hosts/Events): Integration of Third Party Native Alerts | Connector, Content Type: Detection Summary Event, msg_class: | Crowdstrike (Endpoint) | Yes, Content Type: Host |
| | Vulnerability Scanner | Collect | | | CyberCNS | |
| | Endpoint Security | Collect, | Cybereason: Integration of Third Party Native Alerts | Connector, Content Type: MalOp, msg_class: | Cybereason (EDR) | Yes, Content Type: Sensor |
| | Endpoint Security | Collect, | | Parser (CEF format), Content Type: N/A, msg_class: | Cynet | Yes, Content Type: Hosts |
| | Vulnerability Scanner | Collect | | | | Yes, Content Type: Host |
| | Endpoint Security | Collect, | Deep Instinct: Integration of Third Party Native Alerts | Connector, Content Type: Events, msg_class: | Deep Instinct | Yes, Content Type: Devices |
| | IdP | Collect | | | | |
| | Webhook | Respond, | ESET Protect: Integration of Third Party Native Alerts | Parser (Syslog JSON format), Content Type: N/A, msg_class: | ESET PROTECT | |
| | NDR | Collect | | | ExtraHop Reveal(x) 360 | Yes, Content Type: Devices |
| | Firewall | Respond | | | | |
| | Firewall | Respond | | | F5 Big IP | |
| | Firewall | Respond | | | F5 Silverline | |
| | Endpoint Security | Respond | | | ForeScout | |
| | Firewall | Respond | | | Fortinet FortiGate (FW class) | |
| | PaaS | Collect | | | Generic S3 | |
| | PaaS | Collect | | | Google Cloud Audit Logging | |
| | SaaS | Collect, | Google Workspace: Integration of Third Party Native Alerts | Connector, Content Type: Alert, msg_class: | G-Suite | |
| | Security Switch | Respond | | | | |
| | Endpoint Security | Collect | | | Hibun | |
| | Firewall | Respond | | | Hillstone (FW class) | |
| | Endpoint Security | Collect, | Huntress: Integration of Third Party Native Alerts | Connector, Content Type: Incident Reports, msg_class: | Huntress | Yes, Content Type: Agents |
| | DNS Security | Collect, | HYAS Protect: Integration of Third Party Native Alerts | Connector, Content Type: DNS Log Reports, msg_class: | HYAS Protect | Yes, Content Type: Agents |
| | Web Security | Collect | | | Imperva Incapsula | Yes, Content Type: Logs |
| | Web Security | Collect | | | Indusface | |
| | Endpoint Security | Collect | | | Jamf Protect | Yes, Content Types: Alerts and Computers |
| | IdP | Collect | | | | |
| | Web Security | Collect | | | LastPass | |
| | Endpoint Security | Collect, | LimaCharlie: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: | LimaCharlie | Yes, Content Type: Sensors |
| | Endpoint Security | Collect | | | | Yes, Content Type: Endpoints |
| | SaaS | Collect, | Microsoft Defender for Cloud Apps: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: | Microsoft Defender for Cloud Apps | |
| | Endpoint Security | Collect, | Microsoft Defender for Endpoint: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: | Microsoft Defender | Yes, Content Type: Host |
| | SaaS | Collect, | Microsoft Entra ID: Integration of Third Party Native Alerts | Connector, Content Type: Risk Detection Collection, msg_class: | Azure AD | |
| | Database | Collect | | | | Yes, Content Type: Client agent status Logs (Klassify) |
| | | Collect, | Mimecast: Integration of Third Party Native Alerts | Connector, Content Type: MTA Log, msg_class: several | Mimecast | |
| | Database | Collect | | | | |
| | Vulnerability Scanner | Collect | | | | Yes |
| | Web Security | Collect, | Netskope: Integration of Third Party Native Alerts | Connector, Content Type: Alert, msg_class: | Netskope WSG | |
| | SaaS | Collect, | Office 365: Integration of Third Party Native Alerts | Connector, Content Type: Audit General, msg_class: | Office365 | |
| | IdP | Collect | | | Okta | |
| | IdP | Collect | | | OneLogin | |
| | PaaS | Collect, | Oracle Cloud Infrastructure (OCI) CloudGuard: Integration of Third Party Native Alerts | Connector, Content Type: N/A, msg_class: | OCI Logs | |
| | Endpoint Security | Collect | | | Palo Alto Networks CORTEX | Yes, Content Type: Endpoints |
| | Firewall | Respond | | | | |
| | Firewall | Respond | | | Palo Alto Panorama (FW class) | |
| | Cloud Security | Collect | | | Palo Alto Networks Prisma Cloud (Compute Edition) | |
| | | Collect | | | Proofpoint | |
| | | Collect, | Proofpoint Targeted Attack Protection (TAP): Integration of Native Third Party Alerts | Connector, Content Type: Events, msg_class: | Proofpoint Targeted Attack Protection | |
| | Vulnerability Scanner | Collect | | | | Yes, Content Type: Hosts |
| | Vulnerability Scanner | Collect | | | Rapid7 | Yes |
| | Remote Host | Respond | | | | |
| | SaaS | Collect | | | Salesforce | |
| | Endpoint Security | Collect, | SentinelOne Cloud: Integration of Third Party Native Alerts | Connector, Content Type: Threat, msg_class: | SentinelOne | Yes, Content Type: Host |
| | Endpoint Security | Collect, | | | | Yes, Content Type: Host |
| | Firewall | Respond | | | SonicWall (FW class) | |
| | Endpoint Security | Collect, | Sophos Central: Integration of Third Party Native Alerts | Connector, Content Types: Alerts and Events, msg_class: | Sophos Endpoint | Yes, Content Types: Alerts and Events |
| | Firewall | Respond | | | Sophos XG Firewall | |
| | Vulnerability Scanner | Collect | | | | Yes, Content Type: Vulnerabilities |
| | Vulnerability Scanner | Collect | | | | Yes, Content Type: Vulnerabilities |
| | Honeypot | Collect | | | Thinkst Canary | Yes, Content Type: Devices |
| | Endpoint Security | Collect, | Trellix (FireEye) Endpoint Security: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: | FireEye HX | Yes, Content Type: Hosts |
| | Endpoint Security | Collect | | | Trellix MVISION | Yes, Content Type: Devices |
| | Endpoint Security | Collect | | | Trend Micro - Apex Central | Yes, Content Types: Agents and Servers |
| | Endpoint Security | Collect | | | | Yes, Content Type: Computers |
| | Endpoint Security | Collect, | Trend Micro Vision One: Integration of Third Party Native Alerts | Connector, Content Type: Alerts, msg_class: | Trend Micro Vision One | |
| | Webhook | Respond | | | | |
| Varonis DatAdvantage | | Third party | Varonis DatAdvantage: Integration of Third Party Native Alerts | Parser (CEF format), Content Type: N/A, msg_class: | Varonis-Datadvantage | |
| | Endpoint Security | Collect, | VMware Carbon Black Cloud: Integration of Third Party Native Alerts | Connector, Content Type: Alert, msg_class: | Carbon Black | Yes, Content Type: Alert |
| VMware Workspace ONE | Endpoint Security | Collect | | | VMware Workspace One | |
| | Endpoint Security | Collect | | | Webroot | Yes, Content Type: Endpoints |
| Windows Defender Antivirus | | Third party | Windows Defender Antivirus: Integration of Third Party Native Alerts | Windows agent, Content Type: N/A, msg_class: | | |