Connectors

Native Integrations for Comprehensive Security Coverage

AR² provides 74+ native connectors that enable seamless integration with your existing security infrastructure. Each connector is purpose-built to provide bidirectional communication, allowing AR² agents to ingest alerts, query context, and execute response actions without custom development.

All connectors are maintained by BluSapphire, ensuring compatibility with the latest versions of integrated tools and automatic updates as APIs evolve.

Connector Architecture

Integration Patterns

AR² connectors support three primary integration patterns:

  • Alert Ingestion (Pull)

    • AR² periodically queries security tools for new alerts

    • Suitable for tools without webhook/push capabilities

    • Configurable polling intervals (1-60 minutes)

    • Automatic deduplication and state tracking

  • Alert Streaming (Push)

    • Security tools push alerts to AR² via webhooks

    • Real-time alert delivery (< 1 second latency)

    • Preferred method for time-sensitive threats

    • Automatic retry and buffering for reliability

  • Bidirectional API

    • Full read/write access to security tool capabilities

    • Enables context enrichment during investigations

    • Supports automated response actions

    • Used for EDR, firewalls, identity providers
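The pull pattern above depends on two things the list only names: state tracking (where the last poll stopped) and deduplication (because overlapping poll windows return the same alert twice). The following added example, written here for illustration rather than taken from the AR² SDK, shows a minimal pull connector in Python; `SecurityToolStub`, `PullConnector` and the alert data are all constructed, and a real connector would call the vendor's alert-listing API in place of the stub.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Polling range the page specifies for pull-pattern connectors.
MIN_INTERVAL_MINUTES = 1
MAX_INTERVAL_MINUTES = 60


def interval_is_supported(minutes: int) -> bool:
    """True when a polling interval lies within the supported 1-60 minute range."""
    return MIN_INTERVAL_MINUTES <= minutes <= MAX_INTERVAL_MINUTES


@dataclass(frozen=True)
class Alert:
    alert_id: str
    created_at: datetime
    title: str


class SecurityToolStub:
    """Constructed stand-in for a vendor's 'list alerts since T' endpoint.

    It returns every alert created at or after `since`. Because each poll
    deliberately overlaps the previous one, the same alert is returned more
    than once, which is exactly why the connector must deduplicate.
    """

    def __init__(self, alerts: List[Alert]):
        self._alerts = list(alerts)

    def add(self, alert: Alert) -> None:
        self._alerts.append(alert)

    def list_alerts(self, since: datetime) -> List[Alert]:
        return [a for a in self._alerts if a.created_at >= since]


@dataclass
class PullConnector:
    tool: SecurityToolStub
    interval_minutes: int
    # Overlap added to each window so alerts the tool writes late
    # (after the previous poll already ran) are still picked up.
    lookback: timedelta = timedelta(minutes=5)
    last_poll: Optional[datetime] = None              # persisted state in a real connector
    seen_ids: Set[str] = field(default_factory=set)   # dedup state; prune by age in production

    def __post_init__(self) -> None:
        if not interval_is_supported(self.interval_minutes):
            raise ValueError("polling interval must be between 1 and 60 minutes")

    def poll(self, now: datetime) -> List[Alert]:
        """Fetch alerts since the last poll (minus lookback); return only unseen ones."""
        window_start = self.last_poll or now - timedelta(minutes=self.interval_minutes)
        fresh = []
        for alert in self.tool.list_alerts(window_start - self.lookback):
            if alert.alert_id in self.seen_ids:
                continue          # already ingested by an earlier, overlapping poll
            self.seen_ids.add(alert.alert_id)
            fresh.append(alert)
        self.last_poll = now
        return fresh


def run_demo() -> List[List[str]]:
    """Two polls against constructed alerts; returns the alert ids each poll ingested."""
    t0 = datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc)
    tool = SecurityToolStub([
        Alert("a1", t0 - timedelta(minutes=3), "Impossible travel sign-in"),
        Alert("a2", t0 - timedelta(minutes=1), "Malware detected on host"),
        Alert("a3", t0 - timedelta(minutes=20), "Old alert outside the first window"),
    ])
    connector = PullConnector(tool, interval_minutes=10)
    first = [a.alert_id for a in connector.poll(t0)]

    # Between polls the tool records a new alert and back-dates a late one.
    tool.add(Alert("a4", t0 + timedelta(minutes=2), "Blocked outbound connection"))
    tool.add(Alert("a5", t0 - timedelta(minutes=2), "Late-arriving alert"))
    second = [a.alert_id for a in connector.poll(t0 + timedelta(minutes=10))]
    return [first, second]
```

Without the `seen_ids` check the second poll would re-ingest a1 and a2; without the lookback it would miss the back-dated a5.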

Connector Capabilities Matrix

Capability         | Description                              | Example Use Case
-------------------|------------------------------------------|-------------------------------------------------------------
Alert Ingestion    | Receive security alerts and events       | SIEM correlation alerts, EDR detections
Context Query      | Retrieve additional investigation data   | Query SIEM for related logs, fetch endpoint details from EDR
Threat Enrichment  | Look up IOCs and threat intelligence     | Check IP reputation, query file hashes
Response Actions   | Execute containment and remediation      | Isolate endpoint, block IP, disable user account
Ticket Management  | Create and update incident tickets       | Create ServiceNow ticket, add investigation notes
Status Sync        | Bidirectional status updates             | Mark SIEM alert as resolved, close EDR case

Connector Catalog

Cloud & Identity Platforms

Microsoft Azure / Entra ID

Category: Cloud Identity & Access Management
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Sign-in logs, audit logs, identity protection alerts

  • Context Queries: User details, group memberships, conditional access policies, MFA status

  • Response Actions: Disable user account, revoke sessions, enforce MFA, reset password

  • API Requirements: Azure AD Premium P2 license, Global Administrator or Security Administrator role

  • Setup Time: 1-2 hours

Common Use Cases:

  • Investigate compromised user accounts

  • Detect impossible travel and anomalous sign-ins

  • Automate account lockout for high-risk users

  • Enforce MFA for suspicious authentications

AWS Security Hub

Category: Cloud Security Posture Management
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: GuardDuty findings, Config compliance violations, Inspector vulnerabilities, third-party tool findings

  • Context Queries: EC2 instance details, S3 bucket configurations, IAM policies, VPC flow logs

  • Response Actions: Isolate EC2 instances, modify security groups, revoke IAM credentials, enable GuardDuty

  • API Requirements: AWS account with Security Hub enabled, IAM role with appropriate permissions

  • Setup Time: 2-3 hours

Common Use Cases:

  • Respond to GuardDuty threat detections

  • Remediate misconfigurations automatically

  • Investigate lateral movement in AWS environments

  • Enforce security group policies

Google Cloud Security Command Center (SCC)

Category: Cloud Security Posture Management
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security findings from GCP services, Event Threat Detection, Container Threat Detection

  • Context Queries: GCE instance metadata, GCS bucket permissions, IAM bindings, VPC logs

  • Response Actions: Stop GCE instances, modify firewall rules, revoke service account keys

  • API Requirements: GCP project with SCC enabled, service account with Security Center Admin role

  • Setup Time: 2-3 hours

SIEM Platforms

Splunk

Category: Security Information and Event Management
Capabilities: Alert Ingestion, Context Query, Status Sync

Integration Details:

  • Alert Sources: Notable events, correlation searches, scheduled searches

  • Context Queries: SPL queries for related logs, user activity, network connections

  • Response Actions: Update notable event status, add comments, create correlation rules

  • API Requirements: Splunk Enterprise Security, REST API access, admin or power user role

  • Setup Time: 2-4 hours

Common Use Cases:

  • Investigate SIEM correlation alerts

  • Query raw logs for forensic evidence

  • Enrich alerts with historical context

  • Close false positive notable events

IBM QRadar

Category: Security Information and Event Management
Capabilities: Alert Ingestion, Context Query, Status Sync

Integration Details:

  • Alert Sources: Offenses (correlated alerts), custom rules, anomaly detection

  • Context Queries: AQL queries for events, flows, assets, vulnerabilities

  • Response Actions: Close offenses, assign to analysts, add notes

  • API Requirements: QRadar 7.3+, authorized service token

  • Setup Time: 2-4 hours

Azure Sentinel

Category: Cloud-Native SIEM
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Analytics rules, fusion ML detections, scheduled queries

  • Context Queries: KQL queries across Log Analytics workspace

  • Response Actions: Update incident status, add comments, run playbooks

  • API Requirements: Azure Sentinel workspace, Sentinel Contributor role

  • Setup Time: 2-3 hours

Wazuh

Category: Open-Source SIEM & XDR
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security alerts, compliance violations, file integrity monitoring

  • Context Queries: Agent status, vulnerability data, configuration assessment

  • Response Actions: Active response commands, agent management

  • API Requirements: Wazuh manager API access, admin credentials

  • Setup Time: 2-3 hours

EDR / XDR Platforms

CrowdStrike Falcon

Category: Endpoint Detection & Response
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Detections, incidents, IOA (Indicators of Attack)

  • Context Queries: Process trees, network connections, file details, host information

  • Response Actions: Contain host, kill process, quarantine file, run RTR commands

  • API Requirements: Falcon API client with appropriate scopes

  • Setup Time: 1-2 hours

Common Use Cases:

  • Investigate malware detections

  • Contain compromised endpoints

  • Hunt for IOCs across fleet

  • Execute forensic commands remotely

SentinelOne

Category: Endpoint Detection & Response
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Threats, alerts, Deep Visibility events

  • Context Queries: Process lineage, network activity, file analysis, endpoint inventory

  • Response Actions: Isolate endpoint, kill process, remediate threat, rollback changes

  • API Requirements: SentinelOne API token with appropriate permissions

  • Setup Time: 1-2 hours

Microsoft Defender for Endpoint

Category: Endpoint Detection & Response
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security alerts, automated investigations, advanced hunting detections

  • Context Queries: Device details, user activity, file prevalence, network connections

  • Response Actions: Isolate machine, run antivirus scan, collect investigation package, block file

  • API Requirements: Microsoft 365 Defender, application registration with appropriate permissions

  • Setup Time: 2-3 hours

Trend Micro Apex One / Vision One

Category: Endpoint Detection & Response
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security events, detections, behavioral monitoring alerts

  • Context Queries: Endpoint status, detection history, threat intelligence

  • Response Actions: Isolate endpoint, terminate process, quarantine file

  • API Requirements: Vision One API key or Apex One admin credentials

  • Setup Time: 2-3 hours

Sophos Central

Category: Endpoint Protection & EDR
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security alerts, malware detections, exploit prevention

  • Context Queries: Device details, threat analysis, user activity

  • Response Actions: Isolate endpoint, clean threats, block applications

  • API Requirements: Sophos Central API credentials

  • Setup Time: 1-2 hours

Firewall & Network Security

Palo Alto Networks (PAN-OS)

Category: Next-Generation Firewall
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Threat logs, traffic logs, WildFire verdicts

  • Context Queries: Security policy rules, session details, threat intelligence

  • Response Actions: Block IP/domain, create security rules, update dynamic address groups

  • API Requirements: PAN-OS 9.0+, API key with appropriate permissions

  • Setup Time: 1-2 hours

Common Use Cases:

  • Block malicious IPs and domains

  • Investigate network-based attacks

  • Create dynamic block lists

  • Enforce security policies

Fortinet FortiGate

Category: Next-Generation Firewall
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: IPS alerts, web filter violations, antivirus detections

  • Context Queries: Traffic logs, security events, policy configurations

  • Response Actions: Block IP addresses, create firewall policies, ban users

  • API Requirements: FortiOS API access, admin credentials

  • Setup Time: 1-2 hours

Check Point Firewall

Category: Enterprise Firewall
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: IPS events, threat prevention logs, application control

  • Context Queries: Log queries, policy rules, threat intelligence

  • Response Actions: Block IPs, create access rules, update threat prevention profiles

  • API Requirements: Check Point Management API, admin credentials

  • Setup Time: 1-2 hours

Cisco Firewalls (ASA, WSA, ESA)

Category: Enterprise Security Appliances
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security events, web/email threats, intrusion attempts

  • Context Queries: Connection logs, web traffic, email analysis

  • Response Actions: Block IPs/URLs, create ACLs, quarantine emails

  • API Requirements: REST API access, admin credentials

  • Setup Time: 2-3 hours

Netskope

Category: Cloud Access Security Broker (CASB)
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: DLP violations, malware detections, policy violations

  • Context Queries: User activity, cloud app usage, data movement

  • Response Actions: Block cloud apps, quarantine files, enforce policies

  • API Requirements: Netskope API token

  • Setup Time: 1-2 hours

Skyhigh Security (McAfee MVISION)

Category: Cloud Access Security Broker (CASB)
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Cloud security incidents, DLP alerts, threat detections

  • Context Queries: Cloud service usage, user behavior, data exposure

  • Response Actions: Block services, enforce policies, quarantine content

  • API Requirements: Skyhigh API credentials

  • Setup Time: 1-2 hours

Identity & Access Management

Okta

Category: Identity Provider & SSO
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security events, authentication failures, policy violations

  • Context Queries: User profiles, group memberships, application access, session details

  • Response Actions: Suspend user, clear sessions, reset MFA, deactivate account

  • API Requirements: Okta API token with appropriate scopes

  • Setup Time: 1-2 hours

Common Use Cases:

  • Investigate account takeover attempts

  • Respond to credential stuffing attacks

  • Automate user suspension for compromised accounts

  • Enforce step-up authentication

Cisco Duo

Category: Multi-Factor Authentication
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Authentication logs, fraud attempts, bypass events

  • Context Queries: User authentication history, device trust, location patterns

  • Response Actions: Deny authentication, remove trusted devices, enforce MFA

  • API Requirements: Duo Admin API credentials

  • Setup Time: 1-2 hours

Zscaler

Category: Zero Trust Network Access
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Security policy violations, malware detections, data loss prevention

  • Context Queries: User activity, web traffic, application access

  • Response Actions: Block users, enforce policies, isolate traffic

  • API Requirements: Zscaler API credentials

  • Setup Time: 1-2 hours

Forcepoint

Category: Data Loss Prevention & CASB
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: DLP incidents, insider threat alerts, policy violations

  • Context Queries: User behavior, data movement, policy matches

  • Response Actions: Block transfers, quarantine files, notify users

  • API Requirements: Forcepoint API access

  • Setup Time: 2-3 hours

Email Security

Proofpoint (TAP & Email Protection)

Category: Email Security Gateway
Capabilities: Alert Ingestion, Context Query, Threat Enrichment

Integration Details:

  • Alert Sources: Phishing detections, malware attachments, impostor emails, credential theft

  • Context Queries: Email forensics, URL analysis, attachment details, campaign information

  • Response Actions: Quarantine emails, block senders, remove from mailboxes

  • API Requirements: Proofpoint TAP API credentials

  • Setup Time: 2-3 hours

Common Use Cases:

  • Investigate phishing campaigns

  • Analyze malicious URLs and attachments

  • Track email-based threats

  • Automate email remediation

Mimecast

Category: Email Security & Archiving
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Spam, malware, impersonation attacks, data leakage

  • Context Queries: Email logs, attachment analysis, URL reputation

  • Response Actions: Block senders, release from quarantine, create policies

  • API Requirements: Mimecast API credentials

  • Setup Time: 2-3 hours

Barracuda Email Protection

Category: Email Security Gateway
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Spam, phishing, malware, account takeover

  • Context Queries: Email logs, threat details, sender reputation

  • Response Actions: Quarantine emails, block domains, update policies

  • API Requirements: Barracuda API access

  • Setup Time: 2-3 hours

Cisco Email Security (ESA)

Category: Email Security Appliance
Capabilities: Alert Ingestion, Context Query, Response Actions

Integration Details:

  • Alert Sources: Spam, malware, phishing, outbreak alerts

  • Context Queries: Message tracking, threat analysis, sender verification

  • Response Actions: Quarantine messages, block senders, update filters

  • API Requirements: REST API access

  • Setup Time: 2-3 hours

Ticketing & ITSM

ServiceNow

Category: IT Service Management
Capabilities: Ticket Management, Status Sync

Integration Details:

  • Alert Sources: Security incidents (if ServiceNow SecOps is used)

  • Context Queries: Incident history, CMDB data, user information

  • Response Actions: Create incidents, update status, add work notes, assign to groups, close tickets

  • API Requirements: ServiceNow instance, integration user with appropriate roles

  • Setup Time: 1-2 hours

Common Use Cases:

  • Automatically create incident tickets for AR² investigations

  • Sync investigation status with ServiceNow

  • Add investigation evidence as work notes

  • Close tickets when remediation is complete

Jira (Service Management)

Category: Issue Tracking & Service Management
Capabilities: Ticket Management, Status Sync

Integration Details:

  • Alert Sources: N/A (ticketing only)

  • Context Queries: Issue history, custom fields, user assignments

  • Response Actions: Create issues, update status, add comments, transition workflows

  • API Requirements: Jira Cloud or Data Center, API token or OAuth

  • Setup Time: 1-2 hours

Freshdesk

Category: Help Desk & Ticketing
Capabilities: Ticket Management, Status Sync

Integration Details:

  • Alert Sources: N/A (ticketing only)

  • Context Queries: Ticket history, requester details, agent assignments

  • Response Actions: Create tickets, update status, add notes, assign agents

  • API Requirements: Freshdesk API key

  • Setup Time: 1-2 hours

Threat Intelligence

VirusTotal

Category: Malware & URL Analysis
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: File hash reputation, URL analysis, domain information, IP reputation

  • API Requirements: VirusTotal API key (free or premium)

  • Rate Limits: 4 requests/minute (free), 1000 requests/minute (premium)

  • Setup Time: 15 minutes

Common Use Cases:

  • Check file hash reputation

  • Analyze suspicious URLs

  • Investigate domain registrations

  • Assess IP address reputation

AlienVault OTX

Category: Open Threat Exchange
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: IOC reputation, pulse subscriptions, related indicators

  • API Requirements: Free OTX account and API key

  • Rate Limits: 10 requests/second

  • Setup Time: 15 minutes

Recorded Future

Category: Threat Intelligence Platform
Capabilities: Threat Enrichment, Context Query

Integration Details:

  • Enrichment Queries: IOC risk scores, threat actor attribution, vulnerability intelligence

  • API Requirements: Recorded Future subscription and API token

  • Setup Time: 1-2 hours

AbuseIPDB

Category: IP Reputation Database
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: IP abuse confidence score, report history, geolocation

  • API Requirements: Free or paid API key

  • Rate Limits: 1000 requests/day (free), higher limits for paid

  • Setup Time: 15 minutes

GreyNoise

Category: Internet Scanner Intelligence
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: Distinguish malicious IPs from benign scanners, classification, tags

  • API Requirements: GreyNoise API key

  • Setup Time: 15 minutes

URLhaus

Category: Malware URL Database
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: URL reputation, malware family, payload information

  • API Requirements: Free, no authentication required

  • Setup Time: 10 minutes

PhishTank

Category: Phishing URL Database
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: Phishing URL verification, submission details

  • API Requirements: Free API key

  • Setup Time: 10 minutes

Have I Been Pwned (HIBP)

Category: Breach Intelligence
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: Email address breach history, password exposure

  • API Requirements: HIBP API key (paid for automated queries)

  • Setup Time: 15 minutes

MalwareBazaar

Category: Malware Sample Repository
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: Malware hash lookup, sample details, signatures

  • API Requirements: Free, no authentication required

  • Setup Time: 10 minutes

RiskIQ PassiveTotal

Category: Threat Intelligence & Attack Surface
Capabilities: Threat Enrichment, Context Query

Integration Details:

  • Enrichment Queries: Domain/IP relationships, WHOIS data, SSL certificates, passive DNS

  • API Requirements: RiskIQ subscription and API credentials

  • Setup Time: 1-2 hours

Censys

Category: Internet Asset Intelligence
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: IP/domain exposure, certificate information, service enumeration

  • API Requirements: Censys API credentials

  • Setup Time: 30 minutes

Shodan

Category: Internet Device Search Engine
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: IP service information, vulnerability exposure, device details

  • API Requirements: Shodan API key

  • Setup Time: 15 minutes

IBM X-Force Exchange

Category: Threat Intelligence Platform
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: IOC reputation, threat reports, vulnerability data

  • API Requirements: IBM X-Force account and API key

  • Setup Time: 30 minutes

Emerging Threats (Proofpoint ET Intelligence)

Category: IDS/IPS Rules & Threat Intelligence
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: Rule information, IOC feeds, threat categories

  • API Requirements: ET Intelligence subscription

  • Setup Time: 1 hour

Hunter.io

Category: Email Verification & OSINT
Capabilities: Context Query

Integration Details:

  • Enrichment Queries: Email verification, domain email patterns, contact discovery

  • API Requirements: Hunter.io API key

  • Setup Time: 15 minutes

SANS Internet Storm Center

Category: Threat Intelligence & Research
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: IP reputation, port scanning activity, threat trends

  • API Requirements: Free, no authentication required

  • Setup Time: 10 minutes

Anomali ThreatStream

Category: Threat Intelligence Platform
Capabilities: Threat Enrichment, Context Query

Integration Details:

  • Enrichment Queries: IOC intelligence, threat actor profiles, campaign tracking

  • API Requirements: Anomali subscription and API credentials

  • Setup Time: 1-2 hours

Sandbox & Malware Analysis

Hybrid Analysis

Category: Malware Sandbox
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: File behavior analysis, IOC extraction, malware family identification

  • API Requirements: Hybrid Analysis API key

  • Setup Time: 30 minutes

Joe Sandbox

Category: Malware Analysis Platform
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: Deep malware analysis, behavior reports, IOC extraction

  • API Requirements: Joe Sandbox subscription and API key

  • Setup Time: 30 minutes

ANY.RUN

Category: Interactive Malware Sandbox
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: Malware behavior, network activity, process tree

  • API Requirements: ANY.RUN API key

  • Setup Time: 30 minutes

Vulnerability Management

Qualys VMDR

Category: Vulnerability Management
Capabilities: Context Query

Integration Details:

  • Context Queries: Asset vulnerabilities, patch status, compliance posture

  • API Requirements: Qualys subscription and API credentials

  • Setup Time: 1-2 hours

Rapid7 InsightVM / Nexpose

Category: Vulnerability Management
Capabilities: Context Query

Integration Details:

  • Context Queries: Vulnerability data, asset inventory, risk scores

  • API Requirements: Rapid7 API key

  • Setup Time: 1-2 hours

Tenable Nessus / Tenable.io

Category: Vulnerability Scanning
Capabilities: Context Query

Integration Details:

  • Context Queries: Scan results, vulnerability details, asset information

  • API Requirements: Tenable API keys

  • Setup Time: 1-2 hours


Elasticsearch

Category: Search & Analytics Engine
Capabilities: Context Query

Integration Details:

  • Context Queries: Full-text log search, aggregations, time-series analysis

  • API Requirements: Elasticsearch cluster access, appropriate index permissions

  • Setup Time: 1-2 hours

OpenSearch

Category: Search & Analytics Engine
Capabilities: Context Query

Integration Details:

  • Context Queries: Log search, aggregations, dashboards

  • API Requirements: OpenSearch cluster access

  • Setup Time: 1-2 hours

Threat Intelligence Platforms

MISP (Malware Information Sharing Platform)

Category: Threat Intelligence Sharing
Capabilities: Threat Enrichment, Context Query

Integration Details:

  • Enrichment Queries: IOC lookup, event correlation, threat sharing

  • API Requirements: MISP instance access, API key

  • Setup Time: 1-2 hours

ThreatConnect

Category: Threat Intelligence Platform
Capabilities: Threat Enrichment, Context Query

Integration Details:

  • Enrichment Queries: IOC intelligence, threat campaigns, adversary tracking

  • API Requirements: ThreatConnect subscription and API credentials

  • Setup Time: 1-2 hours

Talos Intelligence

Category: Threat Intelligence & Reputation
Capabilities: Threat Enrichment

Integration Details:

  • Enrichment Queries: IP/domain reputation, threat categories, blocklist status

  • API Requirements: Free, web-based queries

  • Setup Time: 15 minutes


Custom Connector Development

When to Build Custom Connectors

Consider custom connector development when:

  • Proprietary Tools: Your organization uses internally developed security tools

  • Niche Vendors: Security tool not in our standard catalog

  • Specialized Requirements: Unique integration patterns or data formats

  • Legacy Systems: Older systems without modern APIs

Custom Connector Framework

AR² provides a connector SDK that simplifies custom development:

SDK Features:

  • Python-Based: Leverage familiar Python libraries and frameworks

  • Template Library: Pre-built templates for common integration patterns

  • Testing Framework: Automated testing and validation tools

  • Documentation Generator: Auto-generate connector documentation

  • Deployment Automation: One-command deployment to AR² platform

Development Process

  1. Requirements Gathering: Define integration scope, API capabilities, authentication (1-2 days).

  2. Development: Implement connector using SDK templates (3-5 days).

  3. Testing: Unit tests, integration tests, end-to-end validation (2-3 days).

  4. Documentation: Usage guide, configuration parameters, troubleshooting (1 day).

  5. Deployment: Deploy to AR² environment, configure in production (1 day).

Total Custom Connector Timeline: 1-2 weeks

Professional Services

BluSapphire offers professional services for custom connector development:

  • Connector Development: We build the connector for you ($5,000 - $15,000 per connector)

  • Integration Consulting: Architecture review and integration planning ($200/hour)

  • Training: SDK training for your development team (2-day workshop, $5,000)

Connector Maintenance & Updates

Automatic Updates

All native connectors are automatically updated by BluSapphire:

  • API Changes: Connectors updated within 30 days of vendor API changes

  • Security Patches: Critical security updates deployed within 48 hours

  • Feature Enhancements: New capabilities added quarterly

  • Compatibility Testing: Continuous testing against latest tool versions

Version Compatibility

Connector Update Type     | Customer Action Required | Notification
--------------------------|--------------------------|----------------------------------------
Patch (bug fixes)         | None (automatic)         | Email notification
Minor (new features)      | None (automatic)         | Email notification + release notes
Major (breaking changes)  | Review and approve       | 30-day advance notice + migration guide

Deprecation Policy

When security tools are deprecated or replaced:

  • 12-Month Notice: Advance notification of connector deprecation

  • Migration Support: Assistance migrating to replacement tools

  • Extended Support: Optional paid support for deprecated connectors (12 months)


Integration Best Practices

Start with Core Integrations

Recommended First 5 Connectors:

  • Primary SIEM (Splunk, QRadar, Sentinel)

  • EDR platform (CrowdStrike, SentinelOne, Defender)

  • Cloud security (AWS Security Hub, Azure Defender, GCP SCC)

  • Identity provider (Okta, Azure AD)

  • Ticketing system (ServiceNow, Jira)

Validate Data Quality

Before enabling connectors in production:

  • Test Alert Flow: Verify alerts are ingested correctly

  • Validate Context Queries: Ensure queries return expected data

  • Test Response Actions: Validate actions in non-production environment

  • Check Rate Limits: Confirm API rate limits are sufficient

Configure Appropriate Permissions

Follow the principle of least privilege:

  • Read-Only: For threat intelligence and context enrichment

  • Read-Write: For response actions (isolate, block, disable)

  • Admin: Only when absolutely necessary (rare)

Monitor Connector Health

AR² provides built-in connector monitoring:

  • Connection Status: Real-time status of each connector

  • API Rate Limits: Track usage against limits

  • Error Rates: Alert on elevated error rates

  • Latency Metrics: Monitor query and action performance

Implement Staged Rollout

Deploy connectors in phases:

  • Phase 1: Alert ingestion only (observe, no actions)

  • Phase 2: Enable context queries (enrich investigations)

  • Phase 3: Enable low-risk actions (create tickets, add comments)

  • Phase 4: Enable high-risk actions (isolate, block, disable)


Troubleshooting Common Issues

Authentication Failures

Symptoms: Connector shows "Authentication Failed" status

Common Causes:

  • Expired API keys or tokens

  • Insufficient permissions

  • IP allowlist restrictions

  • Credential rotation without updating AR²

Resolution:

  1. Verify credentials are current

  2. Check API key/token expiration

  3. Confirm required permissions are granted

  4. Update AR² connector configuration with new credentials

Rate Limit Errors

Symptoms: Connector shows "Rate Limit Exceeded" errors

Common Causes:

  • High alert volume exceeds API limits

  • Multiple systems querying same API

  • Insufficient API tier for usage

Resolution:

  1. Review API rate limits for your tier

  2. Adjust AR² polling intervals

  3. Upgrade to higher API tier if available

  4. Implement request batching where supported
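Steps 2 and 4 above amount to client-side throttling: the connector should never send more requests than the vendor's published quota allows, and should not spend quota on repeated lookups. The added example below is written here for illustration and is not AR² SDK code; the quotas are the ones listed in this page's catalog (VirusTotal free tier 4 requests/minute, AlienVault OTX 10 requests/second, AbuseIPDB free tier 1000 requests/day), while `ConnectorLimiter`, `SimClock`, `schedule_lookups` and the sample hashes are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class RateLimit:
    requests: int        # maximum number of calls ...
    per_seconds: float   # ... within any window of this length


# Quotas listed in the connector catalog on this page.
PUBLISHED_LIMITS: Dict[str, RateLimit] = {
    "virustotal_free": RateLimit(4, 60),
    "alienvault_otx": RateLimit(10, 1),
    "abuseipdb_free": RateLimit(1000, 86_400),
}


class ConnectorLimiter:
    """Sliding-window limiter: at most `limit.requests` calls in any
    `limit.per_seconds` window. The clock is injected so the behaviour is
    deterministic and testable without sleeping."""

    def __init__(self, limit: RateLimit, clock: Callable[[], float]):
        self.limit = limit
        self.clock = clock
        self._sent: Deque[float] = deque()

    def _prune(self, now: float) -> None:
        # Drop timestamps that have aged out of the current window.
        while self._sent and now - self._sent[0] >= self.limit.per_seconds:
            self._sent.popleft()

    def seconds_until_allowed(self) -> float:
        """0.0 if a call may go out now, otherwise how long to wait."""
        now = self.clock()
        self._prune(now)
        if len(self._sent) < self.limit.requests:
            return 0.0
        return self._sent[0] + self.limit.per_seconds - now

    def try_acquire(self) -> bool:
        if self.seconds_until_allowed() > 0:
            return False
        self._sent.append(self.clock())
        return True


class SimClock:
    """Constructed clock that only moves when the scheduler decides to wait."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def schedule_lookups(iocs: Iterable[str], limit_name: str) -> List[Tuple[str, float]]:
    """Plan enrichment lookups under a published quota using a simulated clock.

    Returns (ioc, dispatch_second) pairs. Repeated IOCs across alerts are
    collapsed first, because every duplicate lookup burns quota for nothing.
    """
    clock = SimClock()
    limiter = ConnectorLimiter(PUBLISHED_LIMITS[limit_name], clock.now)
    plan: List[Tuple[str, float]] = []
    for ioc in dict.fromkeys(iocs):          # order-preserving dedup
        wait = limiter.seconds_until_allowed()
        if wait > 0:
            clock.advance(wait)              # a real connector would sleep here
        if not limiter.try_acquire():
            raise RuntimeError("limiter state inconsistent")
        plan.append((ioc, clock.now()))
    return plan


# Constructed sample: twelve hash lookups drawn from several alerts, two of them repeats.
SAMPLE_HASHES = [f"hash{i:02d}" for i in (1, 2, 3, 4, 5, 2, 6, 7, 8, 5, 9, 10)]
```

On the VirusTotal free tier the ten unique hashes go out in bursts of four at 0, 60 and 120 seconds; the same plan against OTX's 10/second quota dispatches all of them immediately.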

Data Quality Issues

Symptoms: Incomplete or incorrect data in investigations

Common Causes:

  • Misconfigured log sources

  • Incomplete security tool deployment

  • Data retention policies too aggressive

  • API returning partial results

Resolution:

  1. Validate security tool configuration

  2. Check data retention settings

  3. Review API query parameters

  4. Enable verbose logging for debugging

Request a Connector: If you need a connector not on our roadmap, contact [email protected]

Conclusion

AR²'s comprehensive connector ecosystem enables seamless integration with your existing security infrastructure, eliminating the need for custom development in most cases. With 74+ native connectors and a robust SDK for custom development, AR² can integrate with virtually any security tool in your environment.

All connectors are maintained and updated by BluSapphire, ensuring long-term compatibility and reliability as your security tools evolve.

For connector-specific questions, integration support, or custom connector development inquiries, contact [email protected]

Document Version: 1.0
Last Updated: February 2026
Next Review: May 2026
