# Connectors

**Native Integrations for Comprehensive Security Coverage**

AR² provides 74+ native connectors that enable seamless integration with your existing security infrastructure. Each connector is purpose-built to provide bidirectional communication, allowing AR² agents to ingest alerts, query context, and execute response actions without custom development.

All connectors are maintained by BluSapphire, ensuring compatibility with the latest versions of integrated tools and automatic updates as APIs evolve.

## Connector Architecture

### Integration Patterns

AR² connectors support three primary integration patterns:

* Alert Ingestion (Pull)
  * AR² periodically queries security tools for new alerts
  * Suitable for tools without webhook/push capabilities
  * Configurable polling intervals (1-60 minutes)
  * Automatic deduplication and state tracking
* Alert Streaming (Push)
  * Security tools push alerts to AR² via webhooks
  * Real-time alert delivery (< 1 second latency)
  * Preferred method for time-sensitive threats
  * Automatic retry and buffering for reliability
* Bidirectional API
  * Full read/write access to security tool capabilities
  * Enables context enrichment during investigations
  * Supports automated response actions
  * Used for EDR, firewalls, identity providers

### Connector Capabilities Matrix

| Capability            | Description                            | Example Use Case                                             |
| --------------------- | -------------------------------------- | ------------------------------------------------------------ |
| **Alert Ingestion**   | Receive security alerts and events     | SIEM correlation alerts, EDR detections                      |
| **Context Query**     | Retrieve additional investigation data | Query SIEM for related logs, fetch endpoint details from EDR |
| **Threat Enrichment** | Lookup IOCs and threat intelligence    | Check IP reputation, query file hashes                       |
| **Response Actions**  | Execute containment and remediation    | Isolate endpoint, block IP, disable user account             |
| **Ticket Management** | Create and update incident tickets     | Create ServiceNow ticket, add investigation notes            |
| **Status Sync**       | Bidirectional status updates           | Mark SIEM alert as resolved, close EDR case                  |

## Connector Catalog

### Cloud & Identity Platforms

#### Microsoft Azure / EntraID

**Category:** Cloud Identity & Access Management\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Sign-in logs, audit logs, identity protection alerts
* **Context Queries**: User details, group memberships, conditional access policies, MFA status
* **Response Actions**: Disable user account, revoke sessions, enforce MFA, reset password
* **API Requirements**: Azure AD Premium P2 license, Global Administrator or Security Administrator role
* **Setup Time**: 1-2 hours

**Common Use Cases:**

* Investigate compromised user accounts
* Detect impossible travel and anomalous sign-ins
* Automate account lockout for high-risk users
* Enforce MFA for suspicious authentications

#### AWS Security Hub

**Category:** Cloud Security Posture Management\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: GuardDuty findings, Config compliance violations, Inspector vulnerabilities, third-party tool findings
* **Context Queries**: EC2 instance details, S3 bucket configurations, IAM policies, VPC flow logs
* **Response Actions**: Isolate EC2 instances, modify security groups, revoke IAM credentials, enable GuardDuty
* **API Requirements**: AWS account with Security Hub enabled, IAM role with appropriate permissions
* **Setup Time**: 2-3 hours

**Common Use Cases:**

* Respond to GuardDuty threat detections
* Remediate misconfigurations automatically
* Investigate lateral movement in AWS environments
* Enforce security group policies

#### Google Cloud Security Command Center (SCC)

**Category:** Cloud Security Posture Management\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security findings from GCP services, Event Threat Detection, Container Threat Detection
* **Context Queries**: GCE instance metadata, GCS bucket permissions, IAM bindings, VPC logs
* **Response Actions**: Stop GCE instances, modify firewall rules, revoke service account keys
* **API Requirements**: GCP project with SCC enabled, service account with Security Center Admin role
* **Setup Time**: 2-3 hours

### SIEM Platforms

#### Splunk

**Category:** Security Information and Event Management\
**Capabilities:** Alert Ingestion, Context Query, Status Sync

**Integration Details:**

* **Alert Sources**: Notable events, correlation searches, scheduled searches
* **Context Queries**: SPL queries for related logs, user activity, network connections
* **Response Actions**: Update notable event status, add comments, create correlation rules
* **API Requirements**: Splunk Enterprise Security, REST API access, admin or power user role
* **Setup Time**: 2-4 hours

**Common Use Cases:**

* Investigate SIEM correlation alerts
* Query raw logs for forensic evidence
* Enrich alerts with historical context
* Close false positive notable events

#### IBM QRadar

**Category:** Security Information and Event Management\
**Capabilities:** Alert Ingestion, Context Query, Status Sync

**Integration Details:**

* **Alert Sources**: Offenses (correlated alerts), custom rules, anomaly detection
* **Context Queries**: AQL queries for events, flows, assets, vulnerabilities
* **Response Actions**: Close offenses, assign to analysts, add notes
* **API Requirements**: QRadar 7.3+, authorized service token
* **Setup Time**: 2-4 hours

#### Azure Sentinel

**Category:** Cloud-Native SIEM\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Analytics rules, fusion ML detections, scheduled queries
* **Context Queries**: KQL queries across Log Analytics workspace
* **Response Actions**: Update incident status, add comments, run playbooks
* **API Requirements**: Azure Sentinel workspace, Sentinel Contributor role
* **Setup Time**: 2-3 hours

#### Wazuh

**Category:** Open-Source SIEM & XDR\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security alerts, compliance violations, file integrity monitoring
* **Context Queries**: Agent status, vulnerability data, configuration assessment
* **Response Actions**: Active response commands, agent management
* **API Requirements**: Wazuh manager API access, admin credentials
* **Setup Time**: 2-3 hours

### EDR / XDR Platforms

#### CrowdStrike Falcon

**Category:** Endpoint Detection & Response\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Detections, incidents, IOA (Indicators of Attack)
* **Context Queries**: Process trees, network connections, file details, host information
* **Response Actions**: Contain host, kill process, quarantine file, run RTR commands
* **API Requirements**: Falcon API client with appropriate scopes
* **Setup Time**: 1-2 hours

**Common Use Cases:**

* Investigate malware detections
* Contain compromised endpoints
* Hunt for IOCs across fleet
* Execute forensic commands remotely

#### SentinelOne

**Category:** Endpoint Detection & Response\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Threats, alerts, Deep Visibility events
* **Context Queries**: Process lineage, network activity, file analysis, endpoint inventory
* **Response Actions**: Isolate endpoint, kill process, remediate threat, rollback changes
* **API Requirements**: SentinelOne API token with appropriate permissions
* **Setup Time**: 1-2 hours

#### Microsoft Defender for Endpoint

**Category:** Endpoint Detection & Response\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security alerts, automated investigations, advanced hunting detections
* **Context Queries**: Device details, user activity, file prevalence, network connections
* **Response Actions**: Isolate machine, run antivirus scan, collect investigation package, block file
* **API Requirements**: Microsoft 365 Defender, application registration with appropriate permissions
* **Setup Time**: 2-3 hours

#### Trend Micro Apex One / Vision One

**Category:** Endpoint Detection & Response\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security events, detections, behavioral monitoring alerts
* **Context Queries**: Endpoint status, detection history, threat intelligence
* **Response Actions**: Isolate endpoint, terminate process, quarantine file
* **API Requirements**: Vision One API key or Apex One admin credentials
* **Setup Time**: 2-3 hours

#### Sophos Central

**Category:** Endpoint Protection & EDR\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security alerts, malware detections, exploit prevention
* **Context Queries**: Device details, threat analysis, user activity
* **Response Actions**: Isolate endpoint, clean threats, block applications
* **API Requirements**: Sophos Central API credentials
* **Setup Time**: 1-2 hours

### Firewall & Network Security

#### Palo Alto Networks (PAN-OS)

**Category:** Next-Generation Firewall\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Threat logs, traffic logs, WildFire verdicts
* **Context Queries**: Security policy rules, session details, threat intelligence
* **Response Actions**: Block IP/domain, create security rules, update dynamic address groups
* **API Requirements**: PAN-OS 9.0+, API key with appropriate permissions
* **Setup Time**: 1-2 hours

**Common Use Cases:**

* Block malicious IPs and domains
* Investigate network-based attacks
* Create dynamic block lists
* Enforce security policies

#### Fortinet FortiGate

**Category:** Next-Generation Firewall\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: IPS alerts, web filter violations, antivirus detections
* **Context Queries**: Traffic logs, security events, policy configurations
* **Response Actions**: Block IP addresses, create firewall policies, ban users
* **API Requirements**: FortiOS API access, admin credentials
* **Setup Time**: 1-2 hours

#### Check Point Firewall

**Category:** Enterprise Firewall\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: IPS events, threat prevention logs, application control
* **Context Queries**: Log queries, policy rules, threat intelligence
* **Response Actions**: Block IPs, create access rules, update threat prevention profiles
* **API Requirements**: Check Point Management API, admin credentials
* **Setup Time**: 1-2 hours

#### Cisco Firewalls (ASA, WSA, ESA)

**Category:** Enterprise Security Appliances\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security events, web/email threats, intrusion attempts
* **Context Queries**: Connection logs, web traffic, email analysis
* **Response Actions**: Block IPs/URLs, create ACLs, quarantine emails
* **API Requirements**: REST API access, admin credentials
* **Setup Time**: 2-3 hours

#### Netskope

**Category:** Cloud Access Security Broker (CASB)\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: DLP violations, malware detections, policy violations
* **Context Queries**: User activity, cloud app usage, data movement
* **Response Actions**: Block cloud apps, quarantine files, enforce policies
* **API Requirements**: Netskope API token
* **Setup Time**: 1-2 hours

#### Skyhigh Security (McAfee MVISION)

**Category:** Cloud Access Security Broker (CASB)\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Cloud security incidents, DLP alerts, threat detections
* **Context Queries**: Cloud service usage, user behavior, data exposure
* **Response Actions**: Block services, enforce policies, quarantine content
* **API Requirements**: Skyhigh API credentials
* **Setup Time**: 1-2 hours

### Identity & Access Management

#### Okta

**Category:** Identity Provider & SSO\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security events, authentication failures, policy violations
* **Context Queries**: User profiles, group memberships, application access, session details
* **Response Actions**: Suspend user, clear sessions, reset MFA, deactivate account
* **API Requirements**: Okta API token with appropriate scopes
* **Setup Time**: 1-2 hours

**Common Use Cases:**

* Investigate account takeover attempts
* Respond to credential stuffing attacks
* Automate user suspension for compromised accounts
* Enforce step-up authentication

#### Cisco Duo

**Category:** Multi-Factor Authentication\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Authentication logs, fraud attempts, bypass events
* **Context Queries**: User authentication history, device trust, location patterns
* **Response Actions**: Deny authentication, remove trusted devices, enforce MFA
* **API Requirements**: Duo Admin API credentials
* **Setup Time**: 1-2 hours

#### Zscaler

**Category:** Zero Trust Network Access\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Security policy violations, malware detections, data loss prevention
* **Context Queries**: User activity, web traffic, application access
* **Response Actions**: Block users, enforce policies, isolate traffic
* **API Requirements**: Zscaler API credentials
* **Setup Time**: 1-2 hours

#### Forcepoint

**Category:** Data Loss Prevention & CASB\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: DLP incidents, insider threat alerts, policy violations
* **Context Queries**: User behavior, data movement, policy matches
* **Response Actions**: Block transfers, quarantine files, notify users
* **API Requirements**: Forcepoint API access
* **Setup Time**: 2-3 hours

### Email Security

#### Proofpoint (TAP & Email Protection)

**Category:** Email Security Gateway\
**Capabilities:** Alert Ingestion, Context Query, Threat Enrichment

**Integration Details:**

* **Alert Sources**: Phishing detections, malware attachments, impostor emails, credential theft
* **Context Queries**: Email forensics, URL analysis, attachment details, campaign information
* **Response Actions**: Quarantine emails, block senders, remove from mailboxes
* **API Requirements**: Proofpoint TAP API credentials
* **Setup Time**: 2-3 hours

**Common Use Cases:**

* Investigate phishing campaigns
* Analyze malicious URLs and attachments
* Track email-based threats
* Automate email remediation

#### Mimecast

**Category:** Email Security & Archiving\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Spam, malware, impersonation attacks, data leakage
* **Context Queries**: Email logs, attachment analysis, URL reputation
* **Response Actions**: Block senders, release from quarantine, create policies
* **API Requirements**: Mimecast API credentials
* **Setup Time**: 2-3 hours

#### Barracuda Email Protection

**Category:** Email Security Gateway\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Spam, phishing, malware, account takeover
* **Context Queries**: Email logs, threat details, sender reputation
* **Response Actions**: Quarantine emails, block domains, update policies
* **API Requirements**: Barracuda API access
* **Setup Time**: 2-3 hours

#### Cisco Email Security (ESA)

**Category:** Email Security Appliance\
**Capabilities:** Alert Ingestion, Context Query, Response Actions

**Integration Details:**

* **Alert Sources**: Spam, malware, phishing, outbreak alerts
* **Context Queries**: Message tracking, threat analysis, sender verification
* **Response Actions**: Quarantine messages, block senders, update filters
* **API Requirements:** REST API access
* **Setup Time**: 2-3 hours

### Ticketing & ITSM

#### ServiceNow

**Category:** IT Service Management\
**Capabilities:** Ticket Management, Status Sync

**Integration Details:**

* **Alert Sources**: Security incidents (if ServiceNow SecOps is used)
* **Context Queries**: Incident history, CMDB data, user information
* **Response Actions**: Create incidents, update status, add work notes, assign to groups, close tickets
* **API Requirements**: ServiceNow instance, integration user with appropriate roles
* **Setup Time**: 1-2 hours

**Common Use Cases:**

* Automatically create incident tickets for AR² investigations
* Sync investigation status with ServiceNow
* Add investigation evidence as work notes
* Close tickets when remediation is complete

#### Jira (Service Management)

**Category:** Issue Tracking & Service Management\
**Capabilities:** Ticket Management, Status Sync

**Integration Details:**

* **Alert Sources**: N/A (ticketing only)
* **Context Queries**: Issue history, custom fields, user assignments
* **Response Actions**: Create issues, update status, add comments, transition workflows
* **API Requirements**: Jira Cloud or Data Center, API token or OAuth
* **Setup Time**: 1-2 hours

#### Freshdesk

**Category:** Help Desk & Ticketing\
**Capabilities:** Ticket Management, Status Sync

**Integration Details:**

* **Alert Sources**: N/A (ticketing only)
* **Context Queries**: Ticket history, requester details, agent assignments
* **Response Actions**: Create tickets, update status, add notes, assign agents
* **API Requirements**: Freshdesk API key
* **Setup Time**: 1-2 hours

### Threat Intelligence

#### VirusTotal

**Category:** Malware & URL Analysis\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: File hash reputation, URL analysis, domain information, IP reputation
* **API Requirements**: VirusTotal API key (free or premium)
* **Rate Limits**: 4 requests/minute (free), 1000 requests/minute (premium)
* **Setup Time**: 15 minutes

**Common Use Cases:**

* Check file hash reputation
* Analyze suspicious URLs
* Investigate domain registrations
* Assess IP address reputation

#### AlienVault OTX

**Category:** Open Threat Exchange\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: IOC reputation, pulse subscriptions, related indicators
* **API Requirements**: Free OTX account and API key
* **Rate Limits**: 10 requests/second
* **Setup Time**: 15 minutes

#### Recorded Future

**Category:** Threat Intelligence Platform\
**Capabilities:** Threat Enrichment, Context Query

**Integration Details:**

* **Enrichment Queries**: IOC risk scores, threat actor attribution, vulnerability intelligence
* **API Requirements**: Recorded Future subscription and API token
* **Setup Time**: 1-2 hours

#### AbuseIPDB

**Category:** IP Reputation Database\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: IP abuse confidence score, report history, geolocation
* **API Requirements**: Free or paid API key
* **Rate Limits**: 1000 requests/day (free), higher limits for paid
* **Setup Time**: 15 minutes

#### GreyNoise

**Category:** Internet Scanner Intelligence\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: Classification of an IP as a malicious actor or a benign internet scanner, plus associated tags
* **API Requirements**: GreyNoise API key
* **Setup Time**: 15 minutes

#### URLhaus

**Category:** Malware URL Database\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: URL reputation, malware family, payload information
* **API Requirements**: Free, no authentication required
* **Setup Time**: 10 minutes

#### PhishTank

**Category:** Phishing URL Database\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: Phishing URL verification, submission details
* **API Requirements**: Free API key
* **Setup Time**: 10 minutes

#### Have I Been Pwned (HIBP)

**Category:** Breach Intelligence\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: Email address breach history, password exposure
* **API Requirements**: HIBP API key (paid for automated queries)
* **Setup Time**: 15 minutes

#### MalwareBazaar

**Category:** Malware Sample Repository\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: Malware hash lookup, sample details, signatures
* **API Requirements**: Free, no authentication required
* **Setup Time**: 10 minutes

#### RiskIQ PassiveTotal

**Category:** Threat Intelligence & Attack Surface\
**Capabilities:** Threat Enrichment, Context Query

**Integration Details:**

* **Enrichment Queries**: Domain/IP relationships, WHOIS data, SSL certificates, passive DNS
* **API Requirements**: RiskIQ subscription and API credentials
* **Setup Time**: 1-2 hours

#### Censys

**Category:** Internet Asset Intelligence\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: IP/domain exposure, certificate information, service enumeration
* **API Requirements**: Censys API credentials
* **Setup Time**: 30 minutes

#### Shodan

**Category:** Internet Device Search Engine\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: IP service information, vulnerability exposure, device details
* **API Requirements**: Shodan API key
* **Setup Time**: 15 minutes

#### IBM X-Force Exchange

**Category:** Threat Intelligence Platform\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: IOC reputation, threat reports, vulnerability data
* **API Requirements**: IBM X-Force account and API key
* **Setup Time**: 30 minutes

#### Emerging Threats (Proofpoint ET Intelligence)

**Category:** IDS/IPS Rules & Threat Intelligence\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: Rule information, IOC feeds, threat categories
* **API Requirements**: ET Intelligence subscription
* **Setup Time**: 1 hour

#### Hunter.io

**Category:** Email Verification & OSINT\
**Capabilities:** Context Query

**Integration Details:**

* **Enrichment Queries**: Email verification, domain email patterns, contact discovery
* **API Requirements**: Hunter.io API key
* **Setup Time**: 15 minutes

#### SANS Internet Storm Center

**Category:** Threat Intelligence & Research\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: IP reputation, port scanning activity, threat trends
* **API Requirements**: Free, no authentication required
* **Setup Time**: 10 minutes

#### Anomali ThreatStream

**Category:** Threat Intelligence Platform\
**Capabilities:** Threat Enrichment, Context Query

**Integration Details:**

* **Enrichment Queries**: IOC intelligence, threat actor profiles, campaign tracking
* **API Requirements**: Anomali subscription and API credentials
* **Setup Time**: 1-2 hours

### Sandbox & Malware Analysis

#### Hybrid Analysis

**Category:** Malware Sandbox\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: File behavior analysis, IOC extraction, malware family identification
* **API Requirements**: Hybrid Analysis API key
* **Setup Time**: 30 minutes

#### Joe Sandbox

**Category:** Malware Analysis Platform\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: Deep malware analysis, behavior reports, IOC extraction
* **API Requirements**: Joe Sandbox subscription and API key
* **Setup Time**: 30 minutes

#### ANY.RUN

**Category:** Interactive Malware Sandbox\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: Malware behavior, network activity, process tree
* **API Requirements**: ANY.RUN API key
* **Setup Time**: 30 minutes

### Vulnerability Management

#### Qualys VMDR

**Category:** Vulnerability Management\
**Capabilities:** Context Query

**Integration Details:**

* **Context Queries**: Asset vulnerabilities, patch status, compliance posture
* **API Requirements**: Qualys subscription and API credentials
* **Setup Time**: 1-2 hours

#### Rapid7 InsightVM / Nexpose

**Category:** Vulnerability Management\
**Capabilities:** Context Query

**Integration Details:**

* **Context Queries**: Vulnerability data, asset inventory, risk scores
* **API Requirements**: Rapid7 API key
* **Setup Time**: 1-2 hours

#### Tenable Nessus / Tenable.io

**Category:** Vulnerability Scanning\
**Capabilities:** Context Query

**Integration Details:**

* **Context Queries**: Scan results, vulnerability details, asset information
* **API Requirements**: Tenable API keys
* **Setup Time**: 1-2 hours

***

### Log Management & Search

#### Elasticsearch

**Category:** Search & Analytics Engine\
**Capabilities:** Context Query

**Integration Details:**

* **Context Queries**: Full-text log search, aggregations, time-series analysis
* **API Requirements**: Elasticsearch cluster access, appropriate index permissions
* **Setup Time**: 1-2 hours

#### OpenSearch

**Category:** Search & Analytics Engine\
**Capabilities:** Context Query

**Integration Details:**

* **Context Queries**: Log search, aggregations, dashboards
* **API Requirements**: OpenSearch cluster access
* **Setup Time**: 1-2 hours

### Threat Intelligence Platforms

#### MISP (Malware Information Sharing Platform)

**Category:** Threat Intelligence Sharing\
**Capabilities:** Threat Enrichment, Context Query

**Integration Details:**

* **Enrichment Queries**: IOC lookup, event correlation, threat sharing
* **API Requirements**: MISP instance access, API key
* **Setup Time**: 1-2 hours

#### ThreatConnect

**Category:** Threat Intelligence Platform\
**Capabilities:** Threat Enrichment, Context Query

**Integration Details:**

* **Enrichment Queries**: IOC intelligence, threat campaigns, adversary tracking
* **API Requirements**: ThreatConnect subscription and API credentials
* **Setup Time**: 1-2 hours

#### Talos Intelligence

**Category:** Threat Intelligence & Reputation\
**Capabilities:** Threat Enrichment

**Integration Details:**

* **Enrichment Queries**: IP/domain reputation, threat categories, blocklist status
* **API Requirements**: Free, web-based queries
* **Setup Time**: 15 minutes

***

## Custom Connector Development

### When to Build Custom Connectors

Consider custom connector development when:

* Proprietary Tools: Your organization uses internally developed security tools
* Niche Vendors: Security tool not in our standard catalog
* Specialized Requirements: Unique integration patterns or data formats
* Legacy Systems: Older systems without modern APIs

### Custom Connector Framework

AR² provides a connector SDK that simplifies custom development:

SDK Features:

* Python-Based: Leverage familiar Python libraries and frameworks
* Template Library: Pre-built templates for common integration patterns
* Testing Framework: Automated testing and validation tools
* Documentation Generator: Auto-generate connector documentation
* Deployment Automation: One-command deployment to the AR² platform

### Development Process

{% stepper %}
{% step %}

### Requirements Gathering

Define integration scope, API capabilities, authentication (1-2 days).
{% endstep %}

{% step %}

### Development

Implement connector using SDK templates (3-5 days).
{% endstep %}

{% step %}

### Testing

Unit tests, integration tests, end-to-end validation (2-3 days).
{% endstep %}

{% step %}

### Documentation

Usage guide, configuration parameters, troubleshooting (1 day).
{% endstep %}

{% step %}

### Deployment

Deploy to AR² environment, configure in production (1 day).

**Total Custom Connector Timeline:** 1-2 weeks
{% endstep %}
{% endstepper %}

### Professional Services

BluSapphire offers professional services for custom connector development:

* Connector Development: We build the connector for you ($5,000 - $15,000 per connector)
* Integration Consulting: Architecture review and integration planning ($200/hour)
* Training: SDK training for your development team (2-day workshop, $5,000)

## Connector Maintenance & Updates

### Automatic Updates

All native connectors are automatically updated by BluSapphire:

* API Changes: Connectors updated within 30 days of vendor API changes
* Security Patches: Critical security updates deployed within 48 hours
* Feature Enhancements: New capabilities added quarterly
* Compatibility Testing: Continuous testing against latest tool versions

### Version Compatibility

| Connector Update Type        | Customer Action Required | Notification                            |
| ---------------------------- | ------------------------ | --------------------------------------- |
| **Patch** (bug fixes)        | None (automatic)         | Email notification                      |
| **Minor** (new features)     | None (automatic)         | Email notification + release notes      |
| **Major** (breaking changes) | Review and approve       | 30-day advance notice + migration guide |

### Deprecation Policy

When security tools are deprecated or replaced:

* 12-Month Notice: Advance notification of connector deprecation
* Migration Support: Assistance migrating to replacement tools
* Extended Support: Optional paid support for deprecated connectors (12 months)

***

## Integration Best Practices

### Start with Core Integrations

Recommended First 5 Connectors:

* Primary SIEM (Splunk, QRadar, Sentinel)
* EDR platform (CrowdStrike, SentinelOne, Defender)
* Cloud security (AWS Security Hub, Azure Defender, GCP SCC)
* Identity provider (Okta, Azure AD)
* Ticketing system (ServiceNow, Jira)

### Validate Data Quality

Before enabling connectors in production:

* Test Alert Flow: Verify alerts are ingested correctly
* Validate Context Queries: Ensure queries return expected data
* Test Response Actions: Validate actions in non-production environment
* Check Rate Limits: Confirm API rate limits are sufficient

### Configure Appropriate Permissions

Follow the principle of least privilege:

* Read-Only: For threat intelligence and context enrichment
* Read-Write: For response actions (isolate, block, disable)
* Admin: Only when absolutely necessary (rare)

### Monitor Connector Health

AR² provides built-in connector monitoring:

* Connection Status: Real-time status of each connector
* API Rate Limits: Track usage against limits
* Error Rates: Alert on elevated error rates
* Latency Metrics: Monitor query and action performance

### Implement Staged Rollout

Deploy connectors in phases:

* Phase 1: Alert ingestion only (observe, no actions)
* Phase 2: Enable context queries (enrich investigations)
* Phase 3: Enable low-risk actions (create tickets, add comments)
* Phase 4: Enable high-risk actions (isolate, block, disable)

***

## Troubleshooting Common Issues

### Authentication Failures

**Symptoms:** Connector shows "Authentication Failed" status

**Common Causes:**

* Expired API keys or tokens
* Insufficient permissions
* IP allowlist restrictions
* Credential rotation without updating AR²

**Resolution:**

1. Verify credentials are current
2. Check API key/token expiration
3. Confirm required permissions are granted
4. Update AR² connector configuration with new credentials

### Rate Limit Errors

**Symptoms:** Connector shows "Rate Limit Exceeded" errors

**Common Causes:**

* High alert volume exceeds API limits
* Multiple systems querying same API
* Insufficient API tier for usage

**Resolution:**

1. Review API rate limits for your tier
2. Adjust AR² polling intervals
3. Upgrade to higher API tier if available
4. Implement request batching where supported

### Data Quality Issues

**Symptoms:** Incomplete or incorrect data in investigations

**Common Causes:**

* Misconfigured log sources
* Incomplete security tool deployment
* Data retention policies too aggressive
* API returning partial results

**Resolution:**

1. Validate security tool configuration
2. Check data retention settings
3. Review API query parameters
4. Enable verbose logging for debugging

Request a Connector: If you need a connector not on our roadmap, contact <integrations@blusapphire.com>.

## Conclusion

AR²'s comprehensive connector ecosystem enables seamless integration with your existing security infrastructure, eliminating the need for custom development in most cases. With 74+ native connectors and a robust SDK for custom development, AR² can integrate with virtually any security tool in your environment.

All connectors are maintained and updated by BluSapphire, ensuring long-term compatibility and reliability as your security tools evolve.

For connector-specific questions, integration support, or custom connector development inquiries, contact <integrations@blusapphire.com>.

Document Version: 1.0\
Last Updated: February 2026\
Next Review: May 2026
