Connectors and Parser: Security Integrations and Applications Built by Metron Labs

Connectors and parsers built by Metron Labs which includes IBM QRadar, Splunk, Phantom, ServiceNow and IBM Resilient and middleware connector built by Metron for API only access security applications.

Connectors and Parser: Security Integrations and Applications Built by Metron Labs


This document outlines several major integrations, connectors and parsers built by Metron Labs.


We have built a number of connectors (aka integrations) that share data between security products. These connectors typically fall into the following categories:

On-prem connectors

These connectors run within an application framework provided by the SIEM/SOAR software. Examples of SIEM/SOAR software we work with are:

  1. Splunk - The app package is installed on the Splunk server and can provide knowledge objects, dashboards, and scripts (Python/Javascript/Java).
  2. IBM QRadar - The app package can provide a DSM (parsing rules for log events) as well as dashboards and scripts for fetching data from an API gateway.
  3. IBM Resilient - The app package typically runs on an integration server that is installed on the customer's premises and which can interface directly with the Resilient server.
  4. ServiceNow - We use the ServiceNow Studio to build applications that can be installed on a customer's ServiceNow instance.
  5. Splunk Phantom - The app package runs on the Splunk Phantom server and uses the Phantom framework to poll for incidents, as well as executes actions via API calls.

Middleware connector

Sometimes, the security products that are being integrated do not have an application framework that can run the integration. Typically, both products only provide API access. In these cases, we can write a middleware connector that can be run on either the customer side, the provider side, or even on another system that acts as a broker between the security products.

An example of a middleware connector we built is:

This architecture allows us to keep the most commonly used functionalities in a central package (named the Forwarder SDK) and write tenants that will forward the results to different consumers. We also have a change detection mechanism that allows us to detect if any data has changed since the last time we polled for incidents.

Metron Labs is also in the process of building a fully managed middleware forwarder that would allow your team to run plugins on our cloud infrastructure (or, alternately, on your premises).


Metron Labs has extensive experience building parsers to extract data from external log sources. We can work with pretty much any format:

  1. Syslog
  2. JSON
  3. CEF
  4. Key-value pairs
  5. NetFlow
  6. Regex

Have questions about our integration work or any specific application? Contact our team at