Skip to content
IronSOC/Integrations

Integrations

Connect to the SOC ecosystem you already run.

IronSOC plugs into the SIEM, EDR, identity, cloud, AI, ticketing, and exposure tools modern security teams use. Names below reflect supported targets — verify status with your account team during scoping.

Native

Built and maintained directly.

API/Webhook

Supported via documented APIs.

Standards-based

Ingested or emitted via open standards.

Roadmap

Targeted next.

The SIEM loop

Bidirectional by design: alerts in, decisions and evidence back.

01 — Alerts in

Splunk, Elastic, Sentinel, or any OCSF-speaking tool posts its native webhook payload to POST /api/ingest — the adapters understand each vendor's actual format. Live on this site today.

02 — Scored with a trace

Each alert is normalized, scored against the per-actor baseline the system learns automatically, and routed: auto-close, analyst, auto-contain — with 10% of closes trickled to human audit.

03 — Written back

The decision and evidence land where your team works: the alert is closed or escalated in the SIEM with the trace attached, a ticket opens in Jira or ServiceNow, a summary posts to Slack or Teams.

# Point a Splunk alert-action webhook at the live pipeline:
curl -s 'https://ironsoc.com/api/ingest?source=splunk' \
  -H 'content-type: application/json' \
  -d '{"search_name":"Agent tool-call anomaly","result":{"user":"svc-agent-01","urgency":"high","_raw":"tool=shell.exec after retrieved doc said ignore previous instructions"}}'

# → {"route":"auto_contain","score":0.878,"trace":{...}}  · sources: splunk | elastic | sentinel | ocsf | generic

Honesty note: the ingest and triage APIs above are live; write-back connectors (closing the alert in your SIEM, opening the ticket) are wired during design-partner onboarding, in the order the table below reflects. Nothing here bills on ingest — your SIEM keeps the data, IronSOC returns decisions.

SIEM and security data lakes

IronSOC operates above your data layer. We read normalized telemetry and write enrichments and decisions back.

  • Splunk Enterprise / CloudNative
  • Microsoft SentinelNative
  • Google Security OperationsNative
  • PantherAPI/Webhook
  • HuntersAPI/Webhook
  • Sumo LogicAPI/Webhook
  • Elastic SecurityECS / OCSFStandards-based

Endpoint and EDR

Capture process, file, and host telemetry; orchestrate isolation and policy actions through approval gates.

  • CrowdStrike FalconNative
  • Microsoft Defender for EndpointNative
  • SentinelOne SingularityNative
  • Sophos Intercept XAPI/Webhook
  • Palo Alto Cortex XDRAPI/Webhook

Identity providers

Identity is the perimeter. We watch sessions, role grants, MFA drift, OAuth grants, and service accounts.

  • OktaNative
  • Microsoft Entra IDNative
  • Google WorkspaceNative
  • Ping IdentityAPI/Webhook
  • Auth0API/Webhook
  • JumpCloudAPI/Webhook

Cloud and SaaS control planes

Detect IAM mutations, public exposure, admin events, CI/CD actions, Kubernetes activity, and SaaS integrations.

  • AWS (CloudTrail, GuardDuty, Config)Native
  • Microsoft AzureNative
  • Google Cloud (Audit, SCC)Native
  • Kubernetes (audit logs, kube-events)Standards-based
  • GitHub / GitLab / BitbucketNative
  • Salesforce, Workday, AtlassianAPI/Webhook
  • AWS / Azure / GCP marketplaceRoadmap

AI / LLM platforms

Treat prompts, retrieved context, tool calls, and agent decisions as first-class telemetry.

  • OpenAI (Responses, Assistants)Native
  • Anthropic (Messages, Agent SDK)Native
  • Amazon BedrockNative
  • Google Vertex AIAPI/Webhook
  • Azure AI FoundryAPI/Webhook
  • LangChain / LlamaIndexcallbacks + tracesStandards-based
  • Model Context Protocol (MCP) serversNative

Network and edge

Consume firewall, VPN, proxy, and edge logs to correlate exploitation against KEV-listed exposure.

  • Palo Alto Networks NGFWAPI/Webhook
  • Cisco Secure FirewallAPI/Webhook
  • Fortinet FortiGateAPI/Webhook
  • ZscalerAPI/Webhook
  • CloudflareAPI/Webhook

Ticketing and ITSM

Open evidence-rich cases and route remediation to the right owners with bidirectional state sync.

  • Jira / Jira Service ManagementNative
  • ServiceNowNative
  • LinearAPI/Webhook
  • PagerDutyAPI/Webhook
  • OpsgenieAPI/Webhook

Collaboration

Notify the right humans, capture analyst decisions inline, and keep the audit trail with the case.

  • SlackNative
  • Microsoft TeamsNative
  • Email (SMTP, Microsoft 365, Google)Standards-based

Vulnerability and exposure

Combine scanner findings with KEV, EPSS, exposure, and asset criticality to drive exploit-aware queues.

  • Tenable (Nessus, Vulnerability Management)Native
  • Qualys VMDRNative
  • Rapid7 InsightVMAPI/Webhook
  • WizNative
  • SnykAPI/Webhook
  • CISA KEV catalogStandards-based
  • FIRST EPSSStandards-based

Standards

Open standards beat proprietary lock-in.

Where a vendor is missing, IronSOC reads and writes the same standards your team already uses. That keeps the ecosystem portable as the market consolidates.

OCSF
Open Cybersecurity Schema Framework
Sigma
Detection rules
STIX / TAXII
Threat intel exchange
Syslog / CEF / LEEF
Common event formats
OpenTelemetry
Tracing for AI agents
MITRE ATT&CK
Adversary behavior
MITRE ATLAS
AI adversary behavior
OAuth 2.1 / OIDC
Identity federation
SAML 2.0
SSO
SCIM 2.0
User provisioning

Detection-as-code, not console clicks.

Detections are versioned, reviewed, evaluated against test fixtures, and deployed through CI. Customers can fork, extend, and contribute back without leaving their own change-management process.

Missing yours?

We will integrate or document the gap.

If a system in your stack is not listed, IronSOC either ships an integration on roadmap or partners on a webhook bridge. We tell you which before contracting.

Request an integration
Status reflects scoping intent. Verify build status with the IronSOC field engineering team before procurement.