Integration library.
Verified, IRON-compliant integration scripts, ready to use with no regeneration needed. 26 entries available.
- push · ✓ IRON 91
Anomali ThreatStream → Microsoft Sentinel
Push Anomali ThreatStream indicators to Microsoft Sentinel daily
Daily run that pulls indicators from Anomali ThreatStream and forwards them to a Sentinel custom log table for hunting.
python · 0 uses
- enrich
Shodan → ThreatQ
Enrich ThreatQ IP indicators with Shodan host data
Walks open IP indicators in ThreatQ and writes Shodan ports, services, and vulnerabilities back as attributes.
python · 0 uses
- push · ✓ IRON 92
CrowdStrike Falcon → Microsoft Sentinel
Forward CrowdStrike detections to Microsoft Sentinel every 15 minutes
Polls the CrowdStrike Falcon detections API every 15 minutes and forwards new detections to a Sentinel custom log table via the Logs Ingestion API.
python · 0 uses
- sync
MISP → IBM QRadar
Sync MISP attributes to QRadar reference data every hour
Hourly export of new MISP attributes (by type) to typed QRadar reference sets for use in custom rule conditions.
python · 0 uses
- enrich · ✓ IRON 90
VirusTotal → Splunk
Enrich a list of hashes against VirusTotal and forward results to Splunk
One-shot bash script: reads a file of SHA256 hashes, queries the VirusTotal v3 API for each, and forwards detection summaries to Splunk HEC.
bash · 0 uses
- enrich · ✓ IRON 90
Shodan → Microsoft Sentinel
Enrich IPs from a Sentinel watchlist with Shodan host data
One-off run: reads a list of IPs from a Sentinel watchlist via the Logs Query API, queries Shodan for host details on each, and writes results back to a custom log table.
python · 0 uses
- sync
ThreatQ → IBM QRadar
Sync ThreatQ indicators to QRadar reference set every 30 minutes
Polls ThreatQ for active high-score indicators and upserts them into a QRadar reference set keyed by indicator value.
python · 0 uses
- push
CrowdStrike Falcon → MISP
Export CrowdStrike detected IOCs to MISP daily
Pulls IOCs from CrowdStrike Falcon detections daily and writes them to MISP as attributes on a curated event.
python · 0 uses
- push
Microsoft Sentinel → IBM Resilient
Open Resilient cases from Sentinel high-severity incidents
Polls Sentinel for High/Critical incidents every 5 minutes and opens matching cases in IBM Resilient with linked artifacts.
python · 0 uses
- push
SentinelOne → IBM QRadar
Ingest SentinelOne threat events into QRadar log source hourly
Polls SentinelOne threats API hourly and forwards them as syslog events to a QRadar log source, preserving threat classification and endpoint.
python · 0 uses
- enrich
VirusTotal → ThreatQ
Import VirusTotal file reports into ThreatQ as indicators
One-off ingestion of a curated set of SHA256 hashes into ThreatQ as indicator records, hydrated with VirusTotal detection summaries and vendor verdicts.
python · 0 uses
- sync
Microsoft Sentinel → Cortex XSOAR (Palo Alto)
Mirror Microsoft Sentinel incidents into Cortex XSOAR every 5 minutes
Polls Sentinel for new/updated incidents via the Security Insights API and mirrors them as XSOAR incidents, preserving severity and owner.
python · 0 uses
- push
Carbon Black → Microsoft Sentinel
Forward Carbon Black alerts to Microsoft Sentinel daily
Pulls high-severity Carbon Black Cloud alerts daily and forwards them to a Sentinel custom log table for hunting and correlation.
python · 0 uses
- push
CrowdStrike Falcon → Cortex XSOAR (Palo Alto)
Create XSOAR incidents from CrowdStrike Falcon detections every 10 minutes
Polls CrowdStrike for new detections every 10 minutes and opens matching incidents in Cortex XSOAR with device, tactic, and technique preserved.
python · 0 uses
- push
AlienVault OTX → MISP
Import AlienVault OTX pulses into MISP daily as events
Pulls subscribed OTX pulses daily and creates matching MISP events with attributes mapped from pulse indicators.
python · 0 uses
- enrich
AbuseIPDB → MISP
Enrich MISP IP attributes with AbuseIPDB confidence scores
Walks all open IP-type attributes in MISP and tags each with its AbuseIPDB abuse confidence score and report categories.
python · 0 uses
- push
Splunk SOAR (Phantom) → Microsoft Sentinel
Export Splunk SOAR action results to Sentinel custom log hourly
Pulls Splunk SOAR action results hourly and writes them to a Sentinel custom log table for playbook telemetry and runbook analytics.
python · 0 uses
- push
Microsoft Defender for Endpoint → Microsoft Sentinel
Forward Defender for Endpoint alerts to Sentinel custom log every 15 minutes
Polls Microsoft Defender for Endpoint Graph API every 15 minutes and writes new alerts to a Sentinel custom log table with full machine and evidence context.
python · 0 uses
- push
Elastic Security → Splunk SOAR (Phantom)
Forward Elastic Security detection alerts to Splunk SOAR
Polls the Elastic Security detection engine for new alerts and creates matching containers + artifacts in Splunk SOAR, with rule context preserved.
python · 0 uses
- enrich
GreyNoise → Splunk
Enrich Splunk events with GreyNoise classification via lookup
Periodic pull of GreyNoise RIOT + noise classifications for active source IPs in Splunk, written back to a CSV lookup table for SPL enrichment.
python · 0 uses
- push
IBM QRadar → MISP
Convert QRadar offenses into MISP threat events daily
Daily export of high-magnitude QRadar offenses to MISP as events, with source IPs and domains attached as attributes for sharing.
python · 0 uses
- push · ✓ IRON 91
IBM QRadar → Cortex XSOAR (Palo Alto)
Mirror new QRadar offenses into Cortex XSOAR every 5 minutes
Polls QRadar for new offenses and creates matching incidents in Cortex XSOAR. Tracks offense IDs to prevent duplicate incidents.
python · 0 uses
- push
IBM Resilient → Splunk
Forward IBM Resilient case events to Splunk for audit
Polls Resilient for new case events and forwards them to Splunk HEC as NDJSON for SOC audit and metrics dashboards.
python · 0 uses
- push
OpenCTI → Splunk
Forward OpenCTI STIX2 indicators to Splunk HEC hourly
Hourly export of new OpenCTI indicators to Splunk via HEC as NDJSON. Preserves valid_from/valid_until and indicator pattern_type for hunting.
python · 0 uses
- push
Splunk → Cortex XSOAR (Palo Alto)
Create XSOAR incidents from Splunk saved-search alerts every 5 minutes
Polls Splunk for new alert results from a saved search and creates matching incidents in Cortex XSOAR, with alert metadata as labels.
python · 0 uses
- push · ✓ IRON 92
MISP → Splunk
Push MISP IOC attributes to Splunk HEC hourly
Pulls new IOC attributes from MISP every hour and forwards them to Splunk via HEC as NDJSON. Tracks attribute UUIDs (not event UUIDs) for accurate dedup.
python · 0 uses