This document outlines several major integrations, connectors and parsers built by Metron Labs.
We have built a number of connectors (aka integrations) that share data between security products. These connectors typically fall into the following categories:
These connectors run within an application framework provided by the SIEM/SOAR software. Examples of SIEM/SOAR software we work with are:
- IBM QRadar - The app package can provide a DSM (parsing rules for log events) as well as dashboards and scripts for fetching data from an API gateway.
- IBM Resilient - The app package typically runs on an integration server that is installed on the customers premises, and which can interface directly with the Resilient server.
- ServiceNow - We use the ServiceNow Studio to build applications, which can be installed on a customer's ServiceNow instance.
- Splunk Phantom - The app package runs on the Splunk Phantom server and uses the Phantom framework to poll for incidents, as well as execute actions via API calls.
Sometimes, the security products that are being integrated do not have an application framework that can run the integration. Typically, both products only provide API access. In these cases, we can write a middleware connector that can be run on either the customer side, the provider side, or even on another system that acts as a broker between the security products.
An example of a middleware connector we built is:
This architecture allows us to keep the most commonly used functionalities in a central package (named the Forwarder SDK) and write tenants that will forward the results to different consumers. We also have a change detection mechanism that allows us to detect if any data has changed since the last time we polled for incidents.
Metron Labs is also in the process of building a fully managed middleware forwarder that would allow your team to run plugins on our cloud infrastructure (or, alternately, in your premises).
Metron labs has extensive experience building parsers to extract data from external log sources. We can work with pretty much any format:
- Key-Value pairs
Have questions about our integration work or any specific application? Contact our team at firstname.lastname@example.org.