MI—One: Issue #11 - Orion Edition

We kick off into 2025 by revisiting industry and integration trends that will surely shape the coming year.

Hello there and welcome back.

Traditionally, the first month of the year is a time for making bold predictions or setting extravagant goals, many of which will unfortunately be forgotten as the year progresses.

Rather than retread those same old waters, let’s try a slightly different tradition - one that’s grounded in the lessons of the past as we look to the future.

So, as we kick off 2025 with our first newsletter of the year, we’d like to take a moment to revisit some key observations from the industry and third-party integration trends we witnessed and expect to continue shaping the way forward.

A few of the major trends we’ve seen this past year and which we expect to continue making waves are:

Autonomous Security Operations Center (ASOC) is currently the industry’s north star, with AI being the key driver of this shift. As AI models continue to mature, the growth of hyperautomation is becoming a major trend serving as a foundation for achieving ASOC's objectives. We are seeing hyperautomation apps/platforms with hundreds of integrations, offering not only lightweight integrations but also incorporating complex SOC workflows.

In addition to pure-play hyperautomation platforms like Torq and Tines, the larger platforms are launching their own hyperautomation platforms. For example, CrowdStrike’s Foundry and Fusion SOAR, SentinelOne’s Singularity Hyperautomation, Google Security Operations, Palo Alto Networks continuing enhancements to Cortex XSOAR, and the like.

Taken as a whole, the trend is clear—hyperautomation is here to stay, reshaping how security operations are managed. Integrating with hyperautomation tools will be key for point solutions to serve a larger ecosystem.
The convergence of cybersecurity with IT is another trend we are observing and there is a rise in organizations demanding deeper integration with IT workflows and data repositories. For instance, ServiceNow Security Operations allows seamless collaboration between IT and security teams during incident response, while Splunk integrates IT monitoring with SIEM capabilities, providing a unified view of operations and security. Similarly, platforms like Microsoft Sentinel and Palo Alto Networks Cortex XSIAM connect security tools with datastore solutions to enable advanced analytics and proactive threat detection across hybrid environments.
As platformization continues to dominate and replace traditional offerings, the way in which point solution applications integrate with large platforms within ecosystems is also evolving. Traditional siloed integrations which were designed to function in isolation are increasingly falling short. Cybersecurity platforms like Palo Alto Networks are at the forefront of this transformation, leading the shift toward ecosystem-centric integration. For instance, Palo Alto Networks’ Cortex XSOAR highlights the transition from standalone tools to collaborative platforms. We are seeing similar strategies being adopted by other major players, particularly among companies that have been acquisitive in recent years and have now integrated their acquisitions into a unified, more powerful offering. As a result, we expect the integration framework to evolve, which will likely influence how future integrations are built. It will be fascinating to watch how this all unfolds in the coming year.
The demand for integration with cloud security platforms continues to grow, driven by the rise of Data Security Posture Management (DSPM) solutions. Platforms like Cyera, Dig Security (now part of Palo Alto Networks), and Rubrik demonstrate how DSPM bridges cloud and data security, enabling real-time data flow monitoring, anomaly detection, and extended threat detection. These solutions integrate seamlessly with major cloud providers such as AWS, Microsoft Azure, and Google Cloud, as well as native tools like AWS GuardDuty and Azure Security Center, ensuring comprehensive protection. While on-premises tool integrations are declining, cloud platforms like Wiz, Palo Alto Networks Prisma Cloud, and CrowdStrike Falcon Cloud Security remain the top choice for modern organizations. This convergence of cloud and data security reflects the growing need for unified cybersecurity strategies to protect both infrastructure (public-facing storage buckets, insecure API configurations, and shadow data repositories) and sensitive data (PII, financial records).
The larger players in the ecosystem have already rolled out their first generation of AI features, and these will become much more capable over time. Customers are now expecting most platforms to incorporate AI into their core offering - not just for threat detection, but also in summarizing the security posture to assist with Analyst fatigue. All Data Lake providers will require high quality, curated datasets of security event schemas in order to effectively train their AI models.

These developments hint at a transformative year ahead for security integrations and automation. As platforms become more sophisticated and interconnected, the need for seamless integration capabilities has never been more critical.

Let's take a deeper deeper dive into what's been happening in the world of cyber security this past month.

Kicking Off the Year with our SOC Dev Jam 2025

We kicked off the year with our SOC Dev Jam: A Security Operations Center Code Jam on January 16th, bringing together talented engineers to solve complex security challenges with innovative solutions. The event centered around real-world SOC scenarios, leveraging popular open-source and IT tools. Participants worked with platforms like Elastic Stack, JIRA, and CVE Data, tackling use cases inspired by the everyday operations of a modern SOC. It was an inspiring start to the year, fostering creativity and collaboration to address critical security problems. The event was a huge success, and we’re excited to host many more hackathons and code jams throughout the year. If you’re interested in sponsoring a problem or participating, we’d love to hear from you.

Under the Lens — Microsoft Security

Expanding your organization’s security playbook can appear daunting at times. With so many tools, platforms, and integration options available it’s not always clear where the most immediate benefits lie.

Fortunately, numerous providers offer comprehensive, multi-tool suites that can cover a range of security needs. In this month’s edition, we’re taking a closer and curated look at the Microsoft suite of security products.

Let’s begin with the basics. Microsoft provides a comprehensive security suite across key areas:

Threat Detection & Response: Microsoft Sentinel for real-time threat detection and investigation, and Microsoft Defender for XDR for multi-product integration across endpoints, identities, and the cloud.
Endpoint & Identity Protection: Microsoft Defender for Endpoint secure devices, while Microsoft Entra ID and Defender for Identity focus on identity management and protecting user identities.
Cloud & Email Security: Microsoft Defender for Cloud and Azure Firewall secure cloud environments, and Defender for Office 365 protects email and collaboration tools from threats.
Data Compliance & IoT Security: Microsoft Purview and Priva handle data governance and privacy, while Defender for IoT secures IoT and operational technology devices.

a sound wave with a lightning bolt on a blue screen

There are different ways to approach these offerings, as each is designed for effective integration and scalability with Microsoft’s security suite.

Here are some tech tips and tricks that could be helpful as you build your roadmap using these products:

Leverage Microsoft Security Architecture: This ensures that the integration is efficient, secure, and aligned with best practices.
Use Microsoft Graph Security API: Microsoft Graph Security API is a centralized interface used to access alerts, actions, and threat intelligence across the Microsoft ecosystem.
Analyse and Automate Microsoft Sentinel: Use KQL (Kusto Query Language) for creating custom queries and analytics, and Automate response actions using playbooks with Azure Logic Apps.
Detection with Microsoft Defender for Endpoint: Deploy agents or enable integration with existing endpoint management solutions.
Connect using Entra ID: Use APIs to enable SSO, MFA, and conditional access policies and synchronize users and groups using Entra ID.
Microsoft Defender for Cloud: Use Azure Policy to enforce security standards and compliance.
Automate and Streamline Workflows
- Use Azure Logic Apps for automation.
- Trigger playbooks in Sentinel for automated responses.
- Connect to third-party solutions (e.g., ServiceNow, Slack) for notifications and ticketing.
- Leverage Power Automate for simpler automation scenarios.

Security Application and Version Updates

Keeping your security apps updated and at their most recent version is an industry-wide best practice. However, critical patches and version changes can easily get lost in all the noise of your day-to-day operations and other priorities.

Fortunately, Metron avidly tracks the latest happenings with most third-party security apps (it’s part of what we do, after all).

To keep you up to date, here are a few recent releases you may have missed.

Note: While most integrations ensure backward compatibility, the architecture of an integration may sometimes cause certain features to be unavailable. Be sure to read the full version of any release notes, or speak with your favorite technical expert before proceeding.

Palo Alto Network’s Cortex XSIAM released version 2.4 with security operations updates. Key updates include:
- Expanded Capabilities: Added native EDR support (CrowdStrike, SentinelOne, Microsoft Defender), enhanced attack surface management scanning, and improved data ingestion for NGFW and email platforms.
- Enhanced Platform: Implemented new Enterprise Multi-Tenant & MSSP licensing, introduced new Dataset Views with RBAC support, and extended XQL with new functions.
- You can find more details in their official release notes.

Splunk Enterprise released version 9.4.0 on December 16, 2024. The enhancements include:
- Improved Deployment: Enhanced Deployment Server with agent health overview.
- Platform Upgrades: Upgraded KV store server to version 7.0, added support for metric indexes in Federated Search, and supported cgroups version 2.
- Development Enhancements: Introduced SPL2-based application development support, added new eval functions for data type conversion, and enhanced Dashboard Studio.
- Operational Improvements: Automated rolling upgrade for systemd-managed instances and introduced persistent queues for Splunk-to-Splunk protocol.
Removed Features:
- Removed Stats V1 command and eliminated the Internal Library Settings page.
Please refer to their official release documentation for additional details.

Elasticsearch released version 8.17.1 released his update includes bug fixes and enhancements across various features, including aggregations, CCS, data streams, downsampling, ES|QL, ILM+SLM, Infra/Node Lifecycle, Infra/REST API, Ingest Node, License, Machine Learning, and Search.
- Bug Fixes:
  - Resolved issues in aggregations, CCS, data streams, downsampling, ES|QL, ILM+SLM, Infra/Node Lifecycle, Infra/REST API, Ingest Node, License, Machine Learning, and Search.
  - Improved handling of nested fields in index reader wrappers for authorization.
- Enhancements:
  - Added mapping for event_name for OTel logs in data streams.
  - Included new fields (tier_preference, creation_date, and version) in the Elasticsearch monitoring template.
- New Features:
  - Made logsdb generally available.
You can find more details in their official release notes.

Insights: From Our Integration Factory

Things at Metron are often busy - but it’s a good busy, you know?

At any given time, we’re immersed in building hundreds of connectors, parsers, integrations, and workflows.

Here are a few of our recent batch that stand out, and hopefully, some of these will inspire you as you plan your integration roadmap.

Armis + CAASM: This integration between Armis and the CAASM platform enhances enterprise asset visibility and security posture management by incorporating IoT device data. By ingesting Armis' device, user, and vulnerability data, organizations can maintain a comprehensive view of their IoT asset landscape within their CAASM solution.
Key Data Streams:
- Device Information: Captures details of connected IoT assets, from smart building systems to specialized medical equipment.
- User Data: Maps relationships between devices and their associated users/operators.
- Vulnerability Data: Imports discovered security weaknesses and exposure points specific to IoT devices.

Microsoft Sentinel + TIP: This integration connects a Threat Intelligence Platform (TIP) with Microsoft Sentinel, creating a unified threat monitoring and analysis workflow. By converting TIP logs into Sentinel-compatible formats, the integration enables security teams to leverage Sentinel's powerful analysis capabilities for TIP-generated alerts.
Core Functionality:
- Seamless ingestion of TIP alerts into Microsoft Sentinel
- Automatic format conversion of TIP logs for Sentinel compatibility
- Native display of TIP alerts within Sentinel's interface
- Integration with Sentinel workbooks for enhanced visualization

Google SecOps + TIP: This integration between TIP and Google SecOps enables bidirectional alert management and automated response capabilities. The implementation focuses on streamlining security operations by bridging TIP's threat intelligence capabilities with Google SecOps' automation features.
The core functionality of this integration includes:
- Bidirectional alert management between TIP and Google SecOps.
- Creation and retrieval of TIP alerts within the Google SecOps interface.
- Automated response workflows using Google SecOps playbooks.
- Connectivity validation to ensure reliable integration performance.

Before you go…

As we embark on a new year, we remain committed to building a more secure and innovative future together. If you're planning to attend any of these industry events, we would be delighted to connect with you.

Black Hat Asia, April 1 — April 4, 2025, Singapore
RSAC, April 28 — May 1, 2025, San Francisco

Feel free to drop us a note at connect@metronlabs.com, and we’ll be sure to reach out to coordinate.

P.S. If any of these caught your eye, don’t hesitate to contact us for more details at connect@metronlabs.com.

ServiceNow SecOps Architecture: From Detection to Response

CCF Implementation for ServiceNow Service Graph Connectors

Strengthen Your Cloud Security: Integrate Prisma Cloud CWPP with Your BAS Platform

ServiceNow SecOps Architecture: From Detection to Response

CCF Implementation for ServiceNow Service Graph Connectors

Strengthen Your Cloud Security: Integrate Prisma Cloud CWPP with Your BAS Platform

OCSF Version History: A Guide to Enhancements and Security Benefits

ServiceNow SecOps Architecture: From Detection to Response

CCF Implementation for ServiceNow Service Graph Connectors

Strengthen Your Cloud Security: Integrate Prisma Cloud CWPP with Your BAS Platform

Read more

ServiceNow SecOps Architecture: From Detection to Response

CCF Implementation for ServiceNow Service Graph Connectors

Strengthen Your Cloud Security: Integrate Prisma Cloud CWPP with Your BAS Platform

OCSF Version History: A Guide to Enhancements and Security Benefits

Company

Top Integrations

Product And Services

Featured Blogs

Contact Us