Connector Types & Functions
Stellar Cyber parses log data forwarded to sensors. You can also use API connectors to pull data from SaaS and cloud-based applications, and to push changes such as blocking on a firewall or disabling users. API connectors are developed per request and are released with new versions of Stellar Cyber.
For guidance on creating or managing connectors, refer to Working with the Connectors Table.
All Connectors
The following connectors are available in Stellar Cyber. Click a connector name to learn how to add and configure that type of connector. Additional details are available for the connectors indicated as supporting Third Party Native Alert Integration.
| Connector | | Collect | Respond | Indices | Runs On | Interval* | External Actions | HTTP Proxy supported |
|---|---|---|---|---|---|---|---|---|
| Cloud Security | | | | | | | | |
| Prisma Cloud | | | | Linux Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| Trend Micro Cloud App Security | | | | Syslog | DP | 5 minutes | | |
| Database | | | | | | | | |
| Microsoft SQL Server | | | | Syslog Assets | Sensor | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| DNS Security | | | | | | | | |
| Cisco Umbrella | | | | Syslog | DP | Configurable | | |
| | | | | Syslog Assets | DP | Configurable | | |
| | | | | | | | | |
| Abnormal Security Email Security | | | | Syslog | DP | Configurable | | |
| Barracuda Email Security | | | | Syslog | DP | N/A | | |
| Hoxhunt | | | | Syslog | DP | Configurable | | |
| Mailprotector | | | | Syslog | DP | Configurable | | |
| Mimecast API 1.0 | | | | Syslog | DP | 5 minutes | | |
| Mimecast API 2.0 | | | | Syslog | DP | 15 minutes | | |
| Proofpoint on Demand | | | | Syslog | DP | Every hour | | |
| Proofpoint Targeted Attack Protection | | | | Syslog Assets | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| Endpoint Security | | | | | | | | |
| Acronis Cyber Protect Cloud | | | | Syslog Assets | DP | Configurable | | |
| Akamai | | | | Syslog Assets | DP | Configurable | | |
| Armis | | | | Syslog Assets | DP | Configurable | | |
| Bitdefender | | | | Syslog | DP | N/A | | |
| BlackBerry Cylance | | | | Syslog | DP | N/A | | |
| | | | | Syslog Assets | DP | Configurable | | |
| Cisco AMP | | | | Syslog Assets Linux | DP | Configurable | | |
| Coro | | | | Syslog | DP | Configurable | | |
| CrowdStrike (Hosts/Events) | | | | Syslog Assets | DP | Configurable | | |
| CrowdStrike FDR | | | | Syslog | DP | Configurable | | |
| CyberArk EPM | | | | Syslog | DP | Configurable | | |
| Cybereason | | | | Syslog Assets Sensor Monitoring | DP | Configurable | | |
| Cynet | | | | Syslog Assets | DP | Configurable | | |
| Deep Instinct | | | | Syslog Assets | DP | Configurable | | |
| Forescout | | | | Syslog | DP or Sensor | N/A | | |
| FortiEDR | | | | Syslog | DP | Configurable | | |
| Group-IB | | | | Syslog Assets | DP | Configurable | | |
| HIBUN | | | | Syslog | DP | Configurable | | |
| Huntress | | | | Syslog Assets | DP | Configurable | | |
| Jamf Protect | | | | Syslog Assets | DP | Configurable | | |
| LimaCharlie | | | | Syslog Assets | DP | Configurable | | |
| Microsoft Defender for Endpoint | | | | Syslog Assets Scans | DP | Configurable | | |
| Microsoft Graph Intune | | | | Syslog | DP | Configurable | | |
| Palo Alto Networks CORTEX XDR | | | | Syslog Assets | DP | N/A | | |
| SentinelOne | | | | Syslog Assets Linux | DP | Configurable | | |
| SOCRadar | | | | Syslog | DP | Configurable | | |
| SonicWall Capture Client | | | | Syslog Scans Assets Linux | DP | Configurable | | |
| Sophos Central | | | | Syslog Assets | DP | Configurable | | |
| ThreatDown OneView (formerly Malwarebytes OneView) | | | | Syslog Assets | DP | Configurable | | |
| Trellix (FireEye) Endpoint Security HX | | | | Syslog Assets Alert | DP | Configurable | | |
| Trellix MVISION Endpoint Security | | | | Syslog Assets | DP | Configurable | | |
| Trend Micro Apex Central | | | | Syslog Assets | DP | Configurable | | |
| Trend Micro Cloud One Workload Security | | | | Syslog Assets | DP | Configurable | | |
| Trend Micro Vision One | | | | Syslog | DP | Configurable | | |
| VMware Carbon Black Cloud | | | | Syslog Assets | DP | Configurable | | |
| VMware Workspace ONE | | | | Syslog | DP | Configurable | | |
| | | | | Syslog Assets | DP | Configurable | | |
| | | | | Syslog Assets | DP | Configurable | See Webhook | |
| Extended Detection & Response | | | | | | | | |
| | | | | Windows Events | DP | Configurable | | |
| Firewall | | | | | | | | |
| AWS | | | | N/A | DP | N/A | | |
| Azure NSG (Network Security Group) | | | | N/A | DP | N/A | | |
| Barracuda Firewall | | | | N/A | DP or Sensor | N/A | | |
| Check Point | | | | N/A | DP or Sensor | N/A | | |
| Cisco FMC | | | | N/A | DP or Sensor | N/A | | |
| Cisco Meraki Firewall | | | | N/A | DP | N/A | | |
| F5 BIG-IP ASM | | | | N/A | DP or Sensor | N/A | | |
| F5 BIG-IP Firewall | | | | N/A | DP or Sensor | N/A | | |
| F5 Silverline | | | | N/A | DP | N/A | | |
| Fortigate | | | | N/A | DP or Sensor | N/A | | |
| Hillstone | | | | N/A | DP or Sensor | N/A | | |
| Palo Alto Networks | | | | N/A | DP or Sensor | N/A | | |
| Palo Alto Networks Panorama | | | | N/A | DP or Sensor | N/A | | |
| SonicWall Firewall | | | | N/A | DP or Sensor | N/A | | |
| | | | | N/A | DP or Sensor | N/A | | |
| Stormshield Network Security (SNS) Firewall | | | | N/A | DP | N/A | | |
| | | | | N/A | DP | N/A | | |
| Honeypot | | | | | | | | |
| | | | | Syslog Assets | DP | Configurable | | |
| IdP | | | | | | | | |
| Active Directory | | | | Windows Assets | DP (respond) | Configurable | | |
| Duo Security | | | | Syslog | DP | Configurable | | |
| JumpCloud | | | | Syslog | DP | Configurable | | |
| OKTA | | | | Syslog | DP | Configurable | | |
| | | | | Syslog Traffic | DP | Configurable | | |
| Internet of Things Security | | | | | | | | |
| | | | | Syslog Assets | DP | Configurable | | |
| IT Management | | | | | | | | |
| | | | | Syslog Assets | DP | 8 hours | | |
| NDR | | | | | | | | |
| | | | | Syslog Assets | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| Network Management | | | | | | | | |
| | | | | Syslog | DP | Configurable | | |
| PaaS | | | | | | | | |
| AWS CloudTrail | | | | AWS Traffic | DP | 5 minutes | | |
| AWS CloudWatch | | | | Syslog | DP | Configurable | | |
| AWS GuardDuty | | | | Syslog | DP | Configurable | | |
| Azure Event Hub | | | | Syslog | DP | | | |
| Generic S3 | | *For Fortinet Lacework only | | Syslog AWS Events | DP | 5 minutes | | |
| Google Cloud Audit Logging | | | | Syslog | DP | Configurable | | |
| Oracle Cloud Infrastructure Streaming | | | | Syslog | DP | N/A | | |
| Password Management | | | | | | | | |
| 1Password | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| Penetration Testing | | | | | | | | |
| | | | | Syslog Scans Assets | DP | Configurable | | |
| Privileged Access Management | | | | | | | | |
| | | | | Syslog | DP | Configurable | | |
| Remote Host | | | | | | | | |
| | | | | N/A | N/A | N/A | | |
| SaaS | | | | | | | | |
| Box | | | | Syslog | DP | Configurable | | |
| Google Cloud Security Command Center | | | | Syslog | DP | Configurable | | |
| Google Workspace | | | | Linux Cloudtrail | DP | Configurable | | |
| Microsoft Defender for Cloud Apps | | | | Windows | DP | Configurable | | |
| Microsoft Entra ID (formerly Azure Active Directory) | | | | Windows | DP | Configurable | | |
| Office 365 | | | | Windows | DP | Configurable | | |
| Office 365 Reporting Web Service | | | | Windows | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| SASE | | | | | | | | |
| | | | | Traffic | DP | Configurable | | |
| NetFoundry | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| Security Switch | | | | | | | | |
| | | | | Syslog | DP or Sensor | 5 minutes | | |
| Vulnerability Scanner | | | | | | | | |
| AWS Inspector | | | | Syslog | DP | Configurable | | |
| | | | | Syslog Scans Assets | DP | 8 hours | | |
| CyberCNS | | | | Scans | DP | Configurable | | |
| CYRISMA | | | | Scans Assets | DP | Configurable (hours) | | |
| Fortra Frontline | | | | Scans | DP | Configurable | | |
| Nessus Scanner | | | | Scans Assets | Sensor | Configurable | | |
| Qualys | | | | Syslog Scans Assets | DP | Configurable | | |
| Qualys FIM | | | | Syslog Assets | DP | Configurable | | |
| Rapid7 | | | | Scans Assets | Sensor | Configurable | | |
| Tenable.io | | | | Scans Assets | DP | Configurable | | |
| | | | | Scans Assets | Sensor | Configurable | | |
| Web Security | | | | | | Configurable | | |
| Amazon Security Lake | | | | Syslog | DP | N/A | | |
| | | | | Syslog | DP | Configurable | | |
| Broadcom (Blue Coat / Symantec) WSS | | | | Syslog | DP | 5 minutes | | |
| Cloudflare | | | | Syslog | DP | Configurable | | |
| Imperva Incapsula | | | | Syslog Assets | DP | Configurable | | |
| Indusface | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | Configurable | | |
| | | | | Syslog | DP | N/A | | |
| Webhook | | | | | | Configurable | | |
| Custom (Universal Webhook Responder) | | | | N/A | DP or Sensor | N/A | | |
| Cylance (Respond) | | | | N/A | DP | N/A | | |
| ESET Responders | | | | N/A | DP | N/A | | |
| WatchGuard Firebox | | | | N/A | DP | N/A | | |
| WithSecure Elements (Respond) | | | | N/A | DP | N/A | | |
* Interval is applicable only to connectors configured to Collect.
Connectors by Response Actions
The information below summarizes possible connector response actions and requirements. These actions can be performed from Event Details or by configuring Automated Threat Hunting.
The following table indicates which connector respond actions are applicable for each external action, along with the requirements to enable that action. Specifically, certain connectors must be configured and the indicated fields in the Interflow must contain non-null, valid data.
| External Action | Connector and Data Requirement* | Applicable Connectors |
|---|---|---|
| Block IP / Block on Firewall | At least one firewall or security switch connector is configured and | AWS, Barracuda Firewall, Azure NSG, Check Point, Cisco FMC, Cisco Meraki, F5 BIG-IP ASM, F5 BIG-IP Firewall, F5 Silverline, Fortigate, HanDreamnet Security Switch, Hillstone, Palo Alto Networks Firewall, Palo Alto Networks Panorama, SonicWall Firewall, Sophos XG Firewall, Stormshield Network Security (SNS) Firewall, Versa Networks Firewall |
| Disable User | Active Directory or Microsoft Entra ID (formerly Azure AD) connector | Active Directory, Microsoft Entra ID (formerly Azure Active Directory) |
| Confirm Compromised | Microsoft Entra ID (formerly Azure AD) connector | |
| Dismiss Risk | Microsoft Entra ID (formerly Azure AD) connector | |
| Revoke Existing Sign-In Sessions | Active Directory or Microsoft Entra ID (formerly Azure AD) connector | |
| Run a Script | Always available | SSH Host |
| Contain Host (Isolate Endpoint) | One of the following connectors is configured. The required data varies based on connector to be used for response. | Bitdefender, CrowdStrike, Cybereason, Deep Instinct, BlackBerry Cylance, Cynet, Microsoft Defender for Endpoint, Palo Alto Networks CORTEX XDR, |
| Hide Host | CrowdStrike | CrowdStrike |
| Forescout | | |
| Initiate Scan | | |
| SentinelOne | | |
| SentinelOne | | |
| Remediate Threat | SentinelOne | |
| Disconnect Host | SonicWall Capture Client | SonicWall Capture Client |
| SonicWall Capture Client | | |
| SonicWall Capture Client, Cynet | | |
| Barracuda Email Security Service | | |
| N/A | Universal Webhook Responder, ESET Responders, WithSecure Elements (Respond) | |
