Connector Types & Functions

Stellar Cyber supports parsing of log data forwarded to sensors, however you can also use API connections to pull data from SaaS and cloud-based applications. API connectors are also used to push changes such as blocking on a firewall or disabling users. API connectors are developed per request and are released with new versions of Stellar Cyber.

For guidance creating or managing the connectors, refer to: Working with the Connectors Table.

All Connectors

Following are the available connectors in Stellar Cyber. Click a connector name to learn how to add and configure that type of connector. Additional details are available on the connectors indicated to support Third Party Native Alert Integration.

Connector	Indices	Runs On	Interval*	External Actions	HTTP Proxy supported
Cloud Security
Prisma Cloud	Linux Syslog	DP	Configurable
Symantec Cloud Workload Protection	Syslog	DP	Configurable
Database
Microsoft SQL Server (Klassify)	Syslog	Sensor	Configurable
MySQL	Syslog	DP	Configurable
DNS Security
HYAS Protect	Syslog	DP	Configurable
Email
Barracuda Email Security	Syslog	DP	N/A	Remediate Email
Mimecast	Syslog	DP	5 minutes
Proofpoint on Demand	Syslog	DP	Every hour
Proofpoint Targeted Attack Protection	Syslog	DP	Configurable
Symantec Email Security.cloud	Syslog	DP	Configurable
Endpoint Security
Acronis Cyber Protect Cloud	Syslog	DP	Configurable
Akamai	Syslog	DP	Configurable
Bitdefender	Syslog	DP	N/A	Contain Host
BlackBerry Cylance	Syslog	DP	N/A	Contain Host Available on request via Universal Webhook Responder: Run Script Add Hash to Global Quarantine Add Hash to Global Safelist
Broadcom Symantec Endpoint Security (SES)	Syslog Assets	DP	Configurable
Cisco AMP	Syslog Assets Linux	DP	Configurable
4.3.0-4.3.4 CrowdStrike (Hosts) CrowdStrike (Events) 4.3.5+ CrowdStrike (Hosts/Events)	Syslog Assets	DP	Configurable	Contain Host Hide Host
Cybereason	Syslog Assets Sensor Monitoring	DP	Configurable	Contain Host
Cynet	Syslog	DP	N/A	Contain Host Shutdown Host
Deep Instinct	Syslog	DP	Configurable	Contain Host
Forescout	Syslog	DP or Sensor	N/A	Update Device
HIBUN	Syslog	DP	Configurable
Huntress	Syslog	DP	Configurable
Jamf Protect	Syslog	DP	Configurable
LimaCharlie	Syslog	DP	Configurable
Malwarebytes	Syslog	DP	Configurable
Microsoft Defender for Endpoint	Syslog	DP	Configurable	Contain Host
Palo Alto Networks CORTEX XDR	Syslog	DP	N/A
SentinelOne	Syslog Assets Linux	DP	Configurable	Initiate Scan Kill Threat Quarantine Threat Remediate Threat Contain Host (Isolate Endpoint)	for collect and respond
SonicWall Capture Client	Syslog Scans Assets Linux	DP	Configurable	Initiate Scan Disconnect Host Restart Machine Shut Down	for collect and respond
Sophos Central	Syslog	DP	Configurable	Contain Host (Isolate Endpoint)
Trellix (FireEye) Endpoint Security HX	Syslog Assets Alert	DP	Configurable
Trellix MVISION Endpoint Security	Syslog	DP	Configurable
Trend Micro Apex Central	Syslog	DP	Configurable
Trend Micro Cloud One Workload Security	Syslog	DP	Configurable
Trend Micro Vision One	Syslog	DP	Configurable
VMware Carbon Black Cloud	Syslog	DP	Configurable
VMware Workspace ONE	Syslog	DP	Configurable
Webroot	Syslog	DP	Configurable
Firewall
AWS	N/A	DP	N/A	Block IP Address
Barracuda Firewall	N/A	DP or Sensor	N/A	Block IP Address
Check Point	N/A	DP or Sensor	N/A	Block IP Address
Cisco FMC	N/A	DP	N/A	Block IP Address
Cisco Meraki Firewall	N/A	DP	N/A	Block IP Address
F5 BIG-IP ASM	N/A	DP or Sensor	N/A	Block IP Address
F5 BIG-IP Firewall	N/A	DP or Sensor	N/A	Block IP Address
F5 Silverline	N/A	DP	N/A	Block IP Address
Fortigate	N/A	DP or Sensor	N/A	Block IP Address
Hillstone	N/A	DP or Sensor	N/A	Block IP Address
Palo Alto Networks Firewall	N/A	DP or Sensor	N/A	Block IP Address
SonicWall Firewall	N/A	DP or Sensor	N/A	Block IP Address
Sophos XG Firewall	N/A	DP or Sensor	N/A	Block IP Address
Honeypot
Thinkst Canary	Syslog Assets	DP	Configurable
IdP
Active Directory	Windows	DP (respond) or Sensor (collect )	Configurable	Disable User
Duo Security	Syslog	DP	Configurable
JumpCloud	Syslog	DP	Configurable
OKTA	Syslog	DP	Configurable
OneLogin	Syslog Traffic	DP	Configurable
PaaS
AWS CloudTrail	AWS Traffic	DP	5 minutes
AWS CloudWatch	Syslog	DP	Configurable
AWS GuardDuty	Syslog	DP	Configurable
Azure Event Hub	Syslog	DP
Generic S3	Syslog	DP	5 minutes
Google Cloud Audit Logging	Syslog	DP	Configurable
Oracle Cloud Infrastructure (OCI)	Syslog	DP	Configurable
Remote Host
SSH Host	N/A	N/A	N/A	Run a script
SaaS
Box	Syslog	DP	Configurable
Google Workspace	Linux Cloudtrail	DP	Configurable
Microsoft Defender for Cloud Apps	Windows	DP	Configurable
Microsoft Entra ID (formerly Azure Active Directory)	Windows	DP	Configurable	Disable User Confirm Compromised Dismiss Risk
Office 365	Windows	DP	Configurable
Salesforce	Syslog	DP	Configurable
SASE
Cato Networks		DP	Configurable
Security Switch
HanDreamnet Security Switch	Syslog	DP or Sensor	5 minutes	Block IP Address
Vulnerability Scanner
CyberCNS	Scans	DP	Configurable
CYRISMA	Scans Assets	DP	Configurable (hours)
Nessus Scanner	Scans	Sensor	Configurable
Qualys	Syslog Scans	DP	Configurable
Rapid7	Scans	Sensor	Configurable
Tenable.io	Scans	DP	Configurable
Tenable.sc	Scans	Sensor	Configurable
Web Security			Configurable
Amazon Security Lake	Syslog	DP	N/A
Broadcom (Blue Coat / Symantec) WSS	Syslog	DP	5 minutes
Cisco Umbrella	Syslog	DP	Configurable
Cloudflare	Syslog	DP	Configurable
Imperva Incapsula	Syslog	DP	Configurable
Indusface	Syslog	DP	Configurable
LastPass	Syslog	DP	Configurable
Netskope	Syslog	DP	Configurable
Webhook			Configurable
ESET Responders	N/A	DP	N/A	Isolate computer from network End computer isolation from network On-Demand Scan Run command
Custom (Universal Webhook Responder)	N/A	DP or Sensor	N/A	Webhook actions

* Interval is applicable only to connectors configured to Collect.

Connectors by Response Actions

The information below summarizes possible connector response actions and requirements. These actions can be performed from Event Details or by configuring Automated Threat Hunting.

The following table indicates which connector respond actions are applicable for each external action, along with the requirements to enable that action. Specifically, certain connectors must be configured and the indicated fields in the Interflow must contain non-null, valid data.

External Action

Connector and Data Requirement*
for Action Availability

Applicable Connectors

Block IP / Block on Firewall

At least one firewall or security switch connector is configured and required fields are populated dstip or srcip

AWS, Barracuda Firewall, Check Point, Cisco FMC, Cisco Meraki, F5 BIG-IP ASM, F5 BIG-IP Firewall, F5 Silverline, Fortigate, HanDreamnet Security Switch, Hillstone, Palo Alto Networks Firewall, Palo Alto Networks Panorama, SonicWall Firewall, Sophos XG Firewall

Disable User

Active Directory or Microsoft Entra ID (formerly Azure AD) connector required field userPrincipalName

Active Directory, Microsoft Entra ID (formerly Azure Active Directory)

Confirm Compromised

Microsoft Entra ID (formerly Azure AD) connector required field

msg_class of Content Type	User ID on Which to Perform Action
`azure_ad_audit`	`initiatedBy.user.id`
`azure_ad_signin`	`userId`
`azure_ad_risk_detection`	`userId`
`azure_ad_risky_user`	`azure_ad.id`
`user_profile`	`user_profile.id`

Microsoft Entra ID (formerly Azure Active Directory)

Dismiss Risk

Microsoft Entra ID (formerly Azure AD) connector required field

msg_class of Content Type	User ID on Which to Perform Action
`azure_ad_audit`	`initiatedBy.user.id`
`azure_ad_signin`	`userId`
`azure_ad_risk_detection`	`userId`
`azure_ad_risky_user`	`azure_ad.id`
`user_profile`	`user_profile.id`

Microsoft Entra ID (formerly Azure Active Directory)

Run a Script Always available SSH Host

Contain Host (Isolate Endpoint)

One of the following connectors is configured. The required data varies based on connector to be used for response.

Bitdefender required fieldsOne of bitdefender.computer_id or bitdefender.endpointId
CrowdStrike required fieldsdstip or srcip or hostip
Cybereason required fieldscybereason.plyumId
Cylance required fields
device and device.deviceID or
cylance and one of cylance.device_id or srcmac or dstmac or ( host and host.mac)
Cynet required fields are any value other than an IP Address in at least one of these: hostip_host, srcip_host, computer_name or host.name
Deep Instinct: required fields
deep_instinct_asset and deep_instinct.id or
deep_instinct_suspiciousevent and deep_instinct.device_id or
deep_instinct_maliciousevent and deep_instinct.device_id
Microsoft Defender for Endpoint required fields microsoft_defender.id and microsoft_defender.machineId
SentinelOne required fields agentRealtimeInfo and AgentRealtimeInfo.agentId
Sophos Central required fields sophos.hostip_assetid i

Bitdefender, CrowdStrike, Cybereason, Deep Instinct, BlackBerry Cylance, Cynet, Microsoft Defender for Endpoint, SentinelOne, Sophos Central, VMware Carbon Black

Hide Host

CrowdStrike required fieldsdstip or srcip or hostip

CrowdStrike

Update Device

Forescout required fields srcip, dstip, srcmac, dstmac

Forescout

Initiate Scan

SentinelOne required fields agentRealtimeInfo and AgentRealtimeInfo.agentId
SonicWall Capture Client required fieldsdevice.deviceId and device.InstallToken

SentinelOne, SonicWall Capture Client

Kill Threat

SentinelOne required fieldsmsg_origin.source is SentinelOne_endpointor msg_origin.source is SentinelOne and the following fields are present and valid: threatInfo,and threatInfo.threatId

SentinelOne

Quarantine Threat

SentinelOne required fieldsmsg_origin.source is SentinelOne_endpoint or msg_origin.source is SentinelOne and threatInfo and threatInfo.threatId is present and valid

SentinelOne

Remediate Threat

SentinelOne required fieldsmsg_origin.source is SentinelOne_endpoint or msg_origin.source is SentinelOne and the following fields are present and valid: threatInfo, threatInfo.detectionType,and threatInfo.threatId and threatInfo.detectionType is dynamic
The endpoint must also be either a Mac OS or Windows host. if it is not, then a Quarantine is performed instead

SentinelOne

Disconnect Host

SonicWall Capture Client required fieldsdevice.deviceId and device.InstallToken

SonicWall Capture Client

Restart Machine

SonicWall Capture Client required fieldsdevice.deviceId and device.InstallToken

SonicWall Capture Client

Shut Down (Shutdown Host)

SonicWall Capture Client required fieldsdevice.deviceId and device.InstallToken

Cynet required fields are any value other than an IP Address in at least one of these: hostip_host, srcip_host, computer_name or host.name. Feature modified in noted release

SonicWall Capture Client, Cynet

Remediate Email

Barracuda Email Security Service required fieldsbarracuda.account_id and barracuda.subject and barracuda.env_from and barracuda.hdr_from

Barracuda Email Security

Webhook

N/A

Universal Webhook Responder , ESET Responders