Connector Setup Guide
Step-by-step instructions for configuring each connector type.
Overview
Connectors enable Triage Warden to:
- Ingest alerts from SIEMs and security tools
- Enrich incidents with threat intelligence
- Execute actions like creating tickets or isolating hosts
- Send notifications to communication platforms
Adding a Connector
- Navigate to Settings → Connectors
- Click Add Connector
- Select connector type
- Fill in the required fields
- Click Test Connection to verify
- Click Save
Threat Intelligence Connectors
VirusTotal
Enriches file hashes, URLs, IPs, and domains with reputation data.
Prerequisites:
- VirusTotal account (free or premium)
- API key from virustotal.com/gui/my-apikey
Configuration:
| Field | Value |
|---|---|
| Name | VirusTotal |
| Type | virustotal |
| API Key | Your API key |
| Rate Limit | 4 (free) or 500 (premium) |
Rate Limits:
- Free tier: 4 requests/minute
- Premium: 500+ requests/minute
Verify It Works:
- Create a test incident with a known-bad hash
- Check incident enrichments for VirusTotal data
AlienVault OTX
Open threat intelligence from AlienVault.
Prerequisites:
- OTX account at otx.alienvault.com
- API key from Settings → API Keys
Configuration:
| Field | Value |
|---|---|
| Name | AlienVault OTX |
| Type | alienvault |
| API Key | Your OTX API key |
SIEM Connectors
Splunk
Ingest alerts from Splunk and run queries.
Prerequisites:
- Splunk Enterprise or Cloud
- HTTP Event Collector (HEC) token
- User with search capabilities
Configuration:
| Field | Value |
|---|---|
| Name | Splunk Production |
| Type | splunk |
| Host | https://splunk.company.com:8089 |
| Username | Service account username |
| Password | Service account password |
| App | search (or your app context) |
Setting Up Webhooks:
- In Splunk, create an alert action that sends to webhook
- Configure webhook URL: https://triage.company.com/api/webhooks/splunk
- Set webhook secret in Triage Warden connector config
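An added example of the receiving side of the webhook described above (not Triage Warden's own code): it checks an inbound Splunk alert against the shared secret before accepting it. It assumes the secret is used as an HMAC-SHA256 key over the raw request body and presented in an `X-Webhook-Signature` header; the header name and signing scheme are assumptions to confirm against the connector documentation.

```python
# Added example, not Triage Warden's own code. Assumes the connector's webhook
# secret is an HMAC-SHA256 key over the raw body, sent as X-Webhook-Signature.
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"replace-with-connector-secret"  # placeholder, not a real secret


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 of the raw body, as the sender would attach it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_splunk_webhook(body: bytes, headers: dict, secret: bytes = WEBHOOK_SECRET):
    """Return the parsed alert for a valid signature, or None to reject.

    A missing or wrong signature is rejected with a constant-time compare so the
    check cannot be used to recover the secret byte by byte; the body is only
    parsed after the signature is accepted.
    """
    presented = headers.get("X-Webhook-Signature", "")
    if not hmac.compare_digest(presented, sign(body, secret)):
        return None
    try:
        alert = json.loads(body)
    except ValueError:
        return None
    # Splunk's webhook alert action posts the saved search name, the search id
    # and the triggering result row; pull the fields an incident needs.
    result = alert.get("result", {})
    return {
        "title": alert.get("search_name", "unknown search"),
        "sid": alert.get("sid"),
        "host": result.get("host"),
        "fields": result,
    }


# Constructed sample payload in the shape of a Splunk webhook alert action.
SAMPLE_BODY = json.dumps({
    "search_name": "Suspicious PowerShell",
    "sid": "scheduler__admin__search__RMD5abc_at_1700000000_1",
    "result": {"host": "ws-042", "user": "jdoe", "count": "3"},
}).encode()
```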
Elastic Security
Connect to Elastic Security for SIEM alerts.
Prerequisites:
- Elasticsearch 7.x or 8.x
- User with read access to security indices
Configuration:
| Field | Value |
|---|---|
| Name | Elastic SIEM |
| Type | elastic |
| URL | https://elasticsearch.company.com:9200 |
| Username | Service account username |
| Password | Service account password |
| Index Pattern | security-* or .alerts-security.* |
Microsoft Sentinel
Azure Sentinel integration for cloud SIEM.
Prerequisites:
- Azure subscription with Sentinel workspace
- App registration with Log Analytics Reader role
Configuration:
| Field | Value |
|---|---|
| Name | Azure Sentinel |
| Type | sentinel |
| Workspace ID | Log Analytics Workspace ID |
| Tenant ID | Azure AD Tenant ID |
| Client ID | App Registration Client ID |
| Client Secret | App Registration Secret |
Azure Setup:
- Create App Registration in Azure AD
- Grant Log Analytics Reader role on Sentinel workspace
- Create client secret
- Copy IDs and secret to Triage Warden
EDR Connectors
CrowdStrike Falcon
Endpoint detection and host isolation.
Prerequisites:
- CrowdStrike Falcon subscription
- API client with appropriate scopes
Configuration:
| Field | Value |
|---|---|
| Name | CrowdStrike Falcon |
| Type | crowdstrike |
| Region | us-1, us-2, eu-1, or us-gov-1 |
| Client ID | OAuth Client ID |
| Client Secret | OAuth Client Secret |
Required API Scopes:
- Detections: Read
- Hosts: Read, Write (for isolation)
- Incidents: Read
CrowdStrike Setup:
- Go to Support → API Clients and Keys
- Create new API client
- Select required scopes
- Copy Client ID and Secret
Microsoft Defender for Endpoint
MDE integration for alerts and host actions.
Prerequisites:
- Microsoft 365 E5 or Defender for Endpoint license
- App registration with Defender API permissions
Configuration:
| Field | Value |
|---|---|
| Name | Defender for Endpoint |
| Type | defender |
| Tenant ID | Azure AD Tenant ID |
| Client ID | App Registration Client ID |
| Client Secret | App Registration Secret |
Required API Permissions:
- Alert.Read.All
- Machine.Read.All
- Machine.Isolate (for isolation actions)
SentinelOne
SentinelOne EDR integration.
Prerequisites:
- SentinelOne console access
- API token with appropriate permissions
Configuration:
| Field | Value |
|---|---|
| Name | SentinelOne |
| Type | sentinelone |
| Console URL | https://usea1-pax8.sentinelone.net |
| API Token | Your API token |
Ticketing Connectors
Jira
Create and manage security tickets.
Prerequisites:
- Jira Cloud or Server instance
- API token (Cloud) or password (Server)
Configuration:
| Field | Value |
|---|---|
| Name | Jira Security |
| Type | jira |
| URL | https://yourcompany.atlassian.net |
| Username | Your Jira email |
| API Token | API token from Atlassian account |
| Default Project | SEC (your security project key) |
Jira Cloud Setup:
- Go to id.atlassian.com/manage-profile/security/api-tokens
- Create API token
- Use your email as username
Jira Server Setup:
- Use password instead of API token
- Ensure user has project access
ServiceNow
ServiceNow ITSM integration.
Prerequisites:
- ServiceNow instance
- User with incident table access
Configuration:
| Field | Value |
|---|---|
| Name | ServiceNow |
| Type | servicenow |
| Instance URL | https://yourcompany.service-now.com |
| Username | Service account username |
| Password | Service account password |
Identity Connectors
Microsoft 365 / Azure AD
User management and sign-in data.
Prerequisites:
- Azure AD with appropriate licenses
- App registration with Graph API permissions
Configuration:
| Field | Value |
|---|---|
| Name | Microsoft 365 |
| Type | m365 |
| Tenant ID | Azure AD Tenant ID |
| Client ID | App Registration Client ID |
| Client Secret | App Registration Secret |
Required API Permissions:
- User.Read.All
- AuditLog.Read.All
- User.RevokeSessions.All (for user disable)
Google Workspace
Google Workspace user management.
Prerequisites:
- Google Workspace admin access
- Service account with domain-wide delegation
Configuration:
| Field | Value |
|---|---|
| Name | Google Workspace |
| Type | google |
| Service Account JSON | Paste JSON key file contents |
| Domain | company.com |
Google Setup:
- Create service account in Google Cloud Console
- Enable domain-wide delegation
- Add required OAuth scopes in Google Admin
- Download JSON key file
Testing Connectors
After configuration, always test:
- Click Test Connection in connector settings
- Check the response for success/errors
- For ingestion connectors, verify sample data appears
Common Issues
| Error | Solution |
|---|---|
| Connection refused | Check URL and network access |
| 401 Unauthorized | Verify credentials/API key |
| 403 Forbidden | Check permissions/scopes |
| SSL certificate error | Verify certificate or disable verification |
| Rate limited | Reduce request rate or upgrade tier |
Connector Health
Monitor connector health at Settings → Connectors or via API:

```shell
curl http://localhost:8080/health/detailed | jq '.components.connectors'
```

Healthy connectors show status `connected`. Troubleshoot any showing `error` or `disconnected`.
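An added example (not Triage Warden's own code) that automates the health check above and pairs each unhealthy connector with the matching entry from the Common Issues table. It assumes the endpoint returns `{"components": {"connectors": {<name>: {"status": ..., "message": ...}}}}`, matching the `jq` path above; the `message` key and the bare-string variant are assumptions.

```python
# Added example, not Triage Warden's own code. Assumed response shape:
# {"components": {"connectors": {<name>: {"status": ..., "message": ...}}}}
import json
import urllib.request

HEALTHY = "connected"

COMMON_ISSUES = {  # substrings of an error message -> solution from the table above
    "Connection refused": "Check URL and network access",
    "401": "Verify credentials/API key",
    "403": "Check permissions/scopes",
    "SSL certificate": "Verify certificate or disable verification",
    "Rate limited": "Reduce request rate or upgrade tier",
}


def hint_for(message: str) -> str:
    """Map a connector error message to the documented solution, if any."""
    for key, solution in COMMON_ISSUES.items():
        if key.lower() in message.lower():
            return solution
    return "See connector logs"


def unhealthy_connectors(health: dict) -> dict:
    """Return {name: (status, hint)} for every connector not 'connected'."""
    connectors = health.get("components", {}).get("connectors", {})
    bad = {}
    for name, info in connectors.items():
        # Tolerate a bare status string as well as an object with a status key.
        if isinstance(info, dict):
            status, message = info.get("status", "unknown"), info.get("message", "")
        else:
            status, message = str(info), ""
        if status != HEALTHY:
            bad[name] = (status, hint_for(message))
    return bad


def fetch_health(url: str = "http://localhost:8080/health/detailed") -> dict:
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


# Constructed sample response in the assumed shape, for offline use.
SAMPLE_HEALTH = {"components": {"connectors": {
    "VirusTotal": {"status": "connected"},
    "Splunk Production": {"status": "error", "message": "401 Unauthorized"},
    "Jira Security": "disconnected",
}}}

if __name__ == "__main__":
    bad = unhealthy_connectors(fetch_health())
    for name, (status, hint) in bad.items():
        print(f"{name}: {status} -> {hint}")
    raise SystemExit(1 if bad else 0)
```

Run it from cron or a monitoring job; the non-zero exit status when any connector is unhealthy makes it easy to alert on.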