Connectors and Parser: Security Integrations and Applications Built by Metron Labs

Connectors and parsers built by Metron Labs which includes IBM QRadar, Splunk, Phantom, ServiceNow and IBM Resilient and middleware connector built by Metron for API only access security applications.

Prashant Koirala

2 min read
Connectors and Parser: Security Integrations and Applications Built by Metron Labs

Introduction

This document outlines several major integrations, connectors and parsers built by Metron Labs.

Connectors

We have built a number of connectors (aka integrations) that share data between security products. These connectors typically fall into the following categories:

On-prem connectors

These connectors run within an application framework provided by the SIEM/SOAR software. Examples of SIEM/SOAR software we work with are:

  1. Splunk - The app package is installed on the Splunk server and can provide knowledge objects, dashboards, and scripts (Python/Javascript/Java).
  2. IBM QRadar - The app package can provide a DSM (parsing rules for log events) as well as dashboards and scripts for fetching data from an API gateway.
  3. IBM Resilient - The app package typically runs on an integration server that is installed on the customer's premises and which can interface directly with the Resilient server.
  4. ServiceNow - We use the ServiceNow Studio to build applications that can be installed on a customer's ServiceNow instance.
  5. Splunk Phantom - The app package runs on the Splunk Phantom server and uses the Phantom framework to poll for incidents, as well as executes actions via API calls.

Middleware connector

Sometimes, the security products that are being integrated do not have an application framework that can run the integration. Typically, both products only provide API access. In these cases, we can write a middleware connector that can be run on either the customer side, the provider side, or even on another system that acts as a broker between the security products.

An example of a middleware connector we built is:

This architecture allows us to keep the most commonly used functionalities in a central package (named the Forwarder SDK) and write tenants that will forward the results to different consumers. We also have a change detection mechanism that allows us to detect if any data has changed since the last time we polled for incidents.

Metron Labs is also in the process of building a fully managed middleware forwarder that would allow your team to run plugins on our cloud infrastructure (or, alternately, on your premises).

Parsers

Metron Labs has extensive experience building parsers to extract data from external log sources. We can work with pretty much any format:

  1. Syslog
  2. JSON
  3. CEF
  4. Key-value pairs
  5. NetFlow
  6. Regex

Have questions about our integration work or any specific application? Contact our team at connect@metronlabs.com.

Read more

Metron Security Blogs

We build, manage, and maintain integrations for leading digital security companies and teams of all shapes and sizes.

Home

Top Integrations

Popular Blogs

Case Studies

© 2024 Metron Security. All Rights Reserved.