Connectors (Ingestion Layer)

The connectors are the entry point for alerts into Chronicle SOAR. Their goal is to translate raw input data coming from multiple sources into Chronicle SOAR data. The connectors get alerts (or equivalent data – e.g. alarms, correlation events, TI hit-lists etc) from 3rd party tools and forward normalized data into the Data Processing layer. The Chronicle SOAR platform provides out-of-the-box connectors for most popular security systems used today.

Chronicle SOAR provides Python SDK to develop new connectors in a quick and easy way. The framework supports a variety of input data formats (CSV, JSON, XML, etc) and connection protocols (Files, RESTfull services, SysLog, etc).

The connector framework also provides a mechanism to filter noise data withing a time period (the Overflow Mechanism). This allows users to manage overflow alerts in an easier way.

Key Points

The connectors framework supports a variety of input formats (CSV, JSON, XML, etc) and connection protocols (Files, RESTfull services, SysLog, etc)
Multiple connector instances can run in parallel to allow scaling out
The framework and connector types can be extended with custom Python scripts
The Overflow Mechanism – Helps manage noisy data with rule-based configuration
The Connectors are managed directly from the platform console.

Welcome to

Chronicle SOAR Product Documentation

Connectors (Ingestion Layer)

Architecture Guide

Welcome to

Chronicle SOAR Product Documentation

Connectors (Ingestion Layer)

Architecture Guide

Suggested articles