Aegis InsightOps Secure: Integrations

Works with your stack. Not just the parts of it you wish you had chosen.

Secure integrates across your security tooling, identity systems, cloud platforms, and data infrastructure. We built the integration fabric to meet your stack where it is, not where a vendor wishes it were.

  • 9 integration categories
  • 30+ tools integrated today
  • 12 named technology partners
  • OCSF normalized schema

How integrations actually work

Not a logo page. An integration fabric with actual architecture behind it.

Every integration page looks the same from the outside: logos in a grid, maybe a tagline. The difference between them is what happens after a customer signs. Here is what the Secure integration fabric actually does.

01. Ingest via Cribl Stream

All integrations land through Cribl Stream workers running in your AWS tenancy. Cribl handles the ugly work: connector maintenance, protocol translation, rate limiting, retry, and transport. Your security tools see a stable consumer; Secure sees a clean stream.

02. Normalize to OCSF schema

Data lands in Open Cybersecurity Schema Framework (OCSF) format. Every alert from every source becomes queryable the same way, regardless of which vendor produced it. Your investigators stop memorizing vendor-specific field names.

03. Store in your OpenSearch

Hot data sits in OpenSearch in your AWS account, encrypted with your KMS keys, indexed for sub-second investigation queries. Cold data tiers to S3 on a schedule you define. You own every byte.

04. Correlate with context

Infrastructure topology from Aegis PM, asset ownership from your CMDB, and identity state from your IdP are overlaid on every event. An alert stops being "a detection" and becomes "a detection on the payment processor workload owned by the Commerce Platform team."
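Steps 02 and 04 above, worked through as an added example (not Aegis InsightOps Secure code): two constructed vendor alerts in different shapes are mapped onto a subset of the public OCSF Detection Finding fields, and CMDB and IdP context is then overlaid through the OCSF `enrichments` array. The vendor payloads, context tables, and summary wording are constructed for illustration.

```python
# Added example, not Aegis InsightOps Secure code: steps 02 and 04 above in Python.
# Two constructed vendor alerts are mapped onto a subset of OCSF Detection Finding
# fields, then CMDB/IdP context is overlaid via the OCSF `enrichments` array.
SEVERITY = {"low": 2, "medium": 3, "high": 4, "critical": 5}  # OCSF severity_id
# Constructed stand-ins for a CMDB export and an IdP directory lookup.
CMDB = {"pay-proc-01": {"service": "payment processor", "owner_team": "Commerce Platform"}}
IDP = {"jdoe": {"groups": ["finance-admins"], "mfa_enrolled": True}}

def _ocsf(vendor, product, ts_ms, sev, host, user, title):
    """Shared OCSF Detection Finding skeleton (category_uid 2, class_uid 2004)."""
    return {
        "class_uid": 2004, "category_uid": 2, "time": ts_ms,
        "severity_id": SEVERITY[sev],
        "metadata": {"product": {"vendor_name": vendor, "name": product}},
        "device": {"hostname": host},
        "actor": {"user": {"name": user}},
        "finding_info": {"title": title},
        "enrichments": [],
    }

def from_edr(raw):
    """Constructed EDR-style payload: nested device object, severity as a word."""
    return _ocsf(raw["vendor"], raw["product"], raw["timestamp_ms"], raw["severity"],
                 raw["device"]["hostname"], raw["user_name"], raw["title"])

def from_siem(raw):
    """Constructed SIEM-style payload: flat fields, epoch seconds, numeric urgency."""
    sev = {1: "low", 2: "medium", 3: "high", 4: "critical"}[raw["urgency"]]
    return _ocsf(raw["vendor"], raw["product"], raw["_time"] * 1000, sev,
                 raw["dest_host"], raw["user"], raw["rule_name"])

def enrich(event):
    """Overlay asset ownership and identity state; unknown hosts/users stay bare."""
    host, user = event["device"]["hostname"], event["actor"]["user"]["name"]
    if host in CMDB:
        event["enrichments"].append({"name": "asset", "value": host, "data": CMDB[host]})
    if user in IDP:
        event["enrichments"].append({"name": "identity", "value": user, "data": IDP[user]})
    return event

def summary(event):
    """Investigator-facing line: the detection plus its workload and owning team."""
    asset = next((e["data"] for e in event["enrichments"] if e["name"] == "asset"), None)
    title = event["finding_info"]["title"]
    if asset is None:
        return f"{title} on unknown asset {event['device']['hostname']}"
    return f"{title} on the {asset['service']} workload owned by the {asset['owner_team']} team"

# Constructed sample alerts in two different vendor shapes.
EDR_ALERT = {"vendor": "ExampleEDR", "product": "Sensor", "timestamp_ms": 1700000000000,
             "severity": "high", "device": {"hostname": "pay-proc-01"}, "user_name": "jdoe",
             "title": "Credential dumping"}
SIEM_ALERT = {"vendor": "ExampleSIEM", "product": "Search", "_time": 1700000001, "urgency": 2,
              "dest_host": "build-07", "user": "svc-ci", "rule_name": "Unusual outbound volume"}
for alert in (from_edr(EDR_ALERT), from_siem(SIEM_ALERT)): print(summary(enrich(alert)))
```

Once both alerts share the same field names, the same query or correlation rule serves both sources, and an asset with no CMDB record is visible as exactly that rather than silently dropped.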

What counts as an integration?

Every integration on this page falls into one or more of these modes. Not every tool supports every mode, and we are honest about which does what.

Ingest

Secure reads from the tool: alerts, events, telemetry, context. Every tool on this page supports ingest at a minimum.

Context

Secure inherits metadata: asset tags, user attributes, business service assignments. Context integrations make every investigation more precise.

Action

Secure writes back to the tool: close a ticket, isolate a host, enrich a finding. Actions always run through an approval workflow you control.

Integration readiness scoring

During the assessment, we score every tool in your stack green, yellow, or red based on API maturity, authentication model, data quality, and integration effort. You get a candid view of which integrations are day-one, which need work, and which we would advise against pursuing.

SIEM and log analytics

Unify what your SIEM already sees with everything it doesn't.

Secure ingests normalized security data from your SIEM and log analytics tools, treats the telemetry as the source of record, and adds investigation context from sources your SIEM may not have visibility into.

Data flow

Read: alerts, detections, correlated events, raw logs. Write: enriched context, investigation state, closed-alert reasoning. Secure does not replace the SIEM; it makes the SIEM more useful by correlating across sources.

Top integrations

Splunk, by Splunk (Cisco). IVI Partner.
Ingest: Alerts, detections, notable events, raw log search
Auth: OAuth, HEC token, REST API
Context: Tagged hosts, user attribution, field extractions
Action: Update notable events, close alerts with reasoning

Works with Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security.

Microsoft Sentinel, by Microsoft. IVI Partner.
Ingest: Incidents, analytics rules, entities, raw KQL results
Auth: OAuth, Service Principal, managed identity
Context: Microsoft Graph enrichment, Entra ID user context, Defender signals
Action: Update incidents, close with reasoning, trigger playbooks

Native Azure integration with minimal egress via PrivateLink.

Sumo Logic
Ingest: Signals, insights, detections, raw search
Auth: API access keys, OAuth
Context: Threat intel feeds, entity context
Action: Signal enrichment, insight closure

Cloud-native SIEM, works with Cloud SIEM Enterprise.

Also integrated: IBM QRadar, Elastic Security, Exabeam, Google Chronicle, Rapid7 InsightIDR

Endpoint detection and response

Your EDR sees what lands on the host. Secure connects that to everything else.

EDR and XDR platforms are the ground truth for host activity. Secure ingests their detections, enriches with infrastructure context, and correlates with identity, network, and cloud signals.

Data flow

Read: detections, host telemetry, process trees, quarantine events. Write: investigation context, enrichment, response triggers. Host containment is performed through the EDR's own API, not replicated in Secure.

Top integrations

CrowdStrike Falcon, by CrowdStrike
Ingest: Detections, process telemetry, quarantine events, IOC hits
Auth: OAuth client credentials
Context: Host-level context, asset attribution, policy data
Action: Host containment, process termination

Works with Falcon Insight, Falcon Prevent, Falcon OverWatch.

Cortex XDR, by Palo Alto Networks. IVI Partner.
Ingest: Incidents, alerts, endpoint telemetry, causality chains
Auth: Advanced API keys (role-scoped)
Context: XDR behavioral analytics, identity correlation
Action: Isolate endpoint, kill process, update incident

Works with Cortex XDR Pro tier.

Microsoft Defender for Endpoint, by Microsoft. IVI Partner.
Ingest: Alerts, incidents, machine actions, behavior blades
Auth: Azure AD app registration, delegated or application permissions
Context: Microsoft Graph, Entra ID, device compliance state
Action: Isolate machine, run live response commands, update incident

Also surfaces to Microsoft 365 Defender for unified view.

Also integrated: SentinelOne, Cisco Secure Endpoint, Trellix, Trend Micro Vision One

Identity and access

Every investigation should start with who, not what.

Identity is the most common pivot in a security investigation. Secure integrates with your IdP and privileged access tools to resolve user identity, group membership, session context, and access anomalies in real time.

Data flow

Read: authentication events, session context, group membership, MFA outcomes, privileged access logs. Write: query enrichment, session correlation. Secure does not provision or deprovision identities.

Top integrations

Okta. IVI Partner.
Ingest: Authentication events, session context, risk signals, group membership
Auth: OAuth, API token, SCIM
Context: User attributes, application assignments, group policies
Action: Terminate session (via Okta Workflows), step-up MFA

Works with Okta Workforce Identity and Okta Customer Identity.

Microsoft Entra ID, by Microsoft. IVI Partner.
Ingest: Sign-in logs, audit logs, risk events, Conditional Access outcomes
Auth: Azure AD app registration, Microsoft Graph
Context: Group membership, Conditional Access policies, risk score
Action: Revoke session, reset risk, terminate tokens via Graph

Formerly Azure Active Directory, unified with Microsoft Graph.

Cisco Duo, by Cisco. IVI Partner.
Ingest: Authentication events, MFA outcomes, device trust signals
Auth: Duo Admin API, hashed token authentication
Context: Device trust score, endpoint health
Action: Enforce step-up MFA, deny authentication

Works with Duo MFA, Duo Access, Duo Beyond.

Also integrated: Ping Identity, OneLogin, JumpCloud, CyberArk, BeyondTrust

Cloud security and posture

Security in the cloud is security across three planes at once.

Cloud security tools surface misconfigurations, runtime threats, and identity exposure. Secure consolidates findings from CSPM, CNAPP, and workload-level tools, de-duplicates across them, and correlates with the rest of your security telemetry.

Data flow

Read: findings, misconfiguration alerts, vulnerability signals, runtime detections. Write: enriched finding context, investigation state, closed-finding reasoning. Secure does not remediate cloud infrastructure directly.

Top integrations

Prisma Cloud, by Palo Alto Networks. IVI Partner.
Ingest: Findings, vulnerabilities, runtime alerts, IAM findings
Auth: Prisma Cloud access key and secret
Context: Cloud posture score, resource tagging
Action: Finding acknowledgment, risk override

Works with Prisma Cloud Enterprise and Compute editions.

Wiz
Ingest: Issues, findings, exposure graph paths, runtime events
Auth: Wiz API service accounts, OAuth
Context: Cloud resource graph, attack path analysis
Action: Update issue status, apply exceptions

Cloud security platform for AWS, Azure, GCP.

AWS Security Hub, by Amazon Web Services. IVI Partner.
Ingest: ASFF-formatted findings from all integrated AWS security services
Auth: IAM role assumption (cross-account)
Context: AWS resource metadata, account and OU context
Action: Update finding workflow status

Native AWS integration with GuardDuty, Inspector, Macie, and more.

Also integrated: Orca Security, Lacework, Microsoft Defender for Cloud, Tenable Cloud Security

Network security and SASE

Boundaries still matter. They just got smaller, further apart, and more numerous.

Network security now spans edge firewalls, cloud firewalls, SASE fabric, and secure browsing. Secure ingests from all of these to give investigators a single view of what traversed your network and what was blocked.

Data flow

Read: traffic logs, blocked and allowed events, URL filtering, IPS detections, sandbox verdicts. Write: enrichment, investigation context. Network policy changes happen at the source tool.

Top integrations

Palo Alto Networks Firewalls, by Palo Alto Networks. IVI Partner.
Ingest: Traffic logs, threat logs, URL filtering, WildFire verdicts
Auth: Panorama API key, XML API
Context: App-ID classification, User-ID identity attribution
Action: Rule modification via Panorama, through an approval workflow

Works with Panorama, Cortex Data Lake, next-generation firewalls.

Zscaler. IVI Partner.
Ingest: Transaction logs, threat detections, DLP events, sandbox verdicts
Auth: API key with HMAC, OAuth
Context: User identity, tenant policies, location context
Action: URL category adjustment, through an approval workflow

Works with Zscaler Internet Access and Private Access.

CATO Networks. IVI Partner.
Ingest: Events, flow logs, threat detections, ZTNA session data
Auth: CATO API key
Context: Global SASE fabric context, site-level attribution
Action: Policy updates, through an approval workflow

SASE platform; single integration covers SSE and SD-WAN visibility.

Also integrated: Cisco Secure Firewall, Fortinet, Check Point, DefensX

Asset and context

Every alert needs an owner, a business role, and a blast radius.

Security tools show what happened. CMDB and asset inventory tools show what matters. Secure pulls context from these systems to give every investigation asset ownership, business criticality, and downstream dependency information.

Data flow

Read: asset records, configuration items, ownership, business services, dependency maps. Write: investigation tags, flagged assets. No changes to the CMDB from Secure.

Top integrations

ServiceNow CMDB, by ServiceNow
Ingest: Configuration items, relationships, business services, assignment groups
Auth: OAuth, basic auth, HMAC signing
Context: CI classification, dependency graph, service maps
Action: Flag CIs for review, through an approval workflow

Works with the ITOM CMDB module.

Axonius
Ingest: Assets, users, software inventory, policy compliance
Auth: API key
Context: Aggregated source-of-truth asset data, normalized across tools
Action: Flag assets, trigger enforcement actions in source tools

Asset management platform.

Tanium
Ingest: Endpoint inventory, patch state, software inventory, sensor data
Auth: API tokens (role-scoped)
Context: Real-time endpoint state, configuration drift
Action: Action execution, through an approval workflow

Works with Tanium Platform, Interact, Comply, Patch.

Also integrated: Lansweeper, Device42, Qualys VMDR, Jamf Pro

Data lake and long-term storage

For the data you can't afford to pay the SIEM to keep.

Security data that's too voluminous or too rarely accessed for hot SIEM storage still needs to be searchable during investigations. Secure queries your data lake directly when deep historical analysis is required.

Data flow

Read: event records, long-term audit logs, CloudTrail archives, any schema-compliant query target. Write: nothing. Secure reads without mutating.

Top integrations

AWS S3 and OpenSearch, by Amazon Web Services. IVI Partner.
Ingest: S3 bucket content (Parquet, JSON), OpenSearch Serverless indices
Auth: IAM role assumption (cross-account)
Context: Bucket-level ACL respect, KMS-encrypted access
Action: Read-only; no writes to customer S3 or OpenSearch from Secure

Native to the Secure architecture using your own S3 and OpenSearch.

Snowflake
Ingest: Tabular security data, long-term audit logs
Auth: Service account with SSO, key-pair authentication
Context: Warehouse-scoped access, role-based data masking
Action: Read-only

Enterprise edition or higher recommended for role-based access.

Databricks
Ingest: Delta Lake tables, Parquet archives, SQL Warehouse queries
Auth: Personal access token, service principal, OAuth
Context: Unity Catalog lineage, workspace-level scoping
Action: Read-only

Works with Databricks Data Intelligence Platform on AWS, Azure, GCP.

Also integrated: Google BigQuery, IBM Cloud Pak for Data, Azure Data Lake

Ticketing and incident coordination

Investigations don't stay in the security team. Neither should their record.

Security incidents become operational problems, and operational problems become tickets. Secure creates, updates, and closes tickets in your ITSM platform so the work done during investigation is reflected in the systems your IT and SecOps teams already use.

Data flow

Read: existing ticket state, queue membership, assignment groups. Write: new tickets, state changes, comments, resolution notes.

Top integrations

ServiceNow
Ingest: Existing ticket context, change request state, problem records
Auth: OAuth, basic auth, HMAC signing
Context: Assignment groups, business services, SLAs
Action: Create and update incidents, add work notes, transition ticket state

Works with ITSM and Security Operations (SecOps) modules.

Jira, by Atlassian. IVI Partner.
Ingest: Issue state, workflow transitions, comments
Auth: OAuth 2.0, API token
Context: Project context, custom fields, linked issues
Action: Create and update issues, transition workflow, add comments

Works with Jira Software and Jira Service Management.

PagerDuty
Ingest: Incident state, on-call schedules, escalation policies
Auth: REST API key, OAuth
Context: Routing rules, acknowledgment state
Action: Create and update incidents, trigger paging, resolve

Works with PagerDuty Incident Management.

Also integrated: Freshservice, Zendesk, OpsGenie

Vulnerability management

Vulnerabilities that matter are the ones your attackers actually reach.

Vuln scanners produce findings. Secure consumes those findings, correlates with exploit signals from your EDR and network tools, and prioritizes what actually poses a live risk versus what's a static CVE match.

Data flow

Read: scan results, asset criticality, vulnerability timelines, patch state. Write: enrichment context, investigation flagging. Remediation happens in the tools you already use.

Top integrations

Tenable
Ingest: Scan results, asset data, compliance findings
Auth: API keys (access + secret)
Context: Asset criticality, tag-based scoping
Action: Accept risk, add vulnerability exception

Works with Tenable.io, Tenable.sc, Tenable One.

Qualys
Ingest: Vulnerability findings, asset groups, policy compliance
Auth: API credentials with role scoping
Context: Business unit tags, asset groups
Action: Mark remediation, exception management

Works with Qualys VMDR and related modules.

Wiz
Ingest: Cloud vulnerability findings, exposure paths, toxic combinations
Auth: Wiz API service account
Context: Cloud resource graph, exploit-path scoring
Action: Mark finding state, apply exceptions

Cloud-native vuln management; overlaps with CSPM category.

Also integrated: Rapid7 InsightVM, Red Hat Advanced Cluster Security, Snyk, Orca Security

Tool not listed?

If it has an API, we can probably reach it.

The list on this page covers the tools we integrate with today. It does not cover everything we could integrate with. Custom integrations are scoped during the assessment. If your stack includes something unusual, mention it in your assessment request and we will tell you candidly whether it is a fit.

  • Any tool with a REST, GraphQL, or syslog-compatible API can be scoped for integration
  • Internal or home-grown security tools are integrated via custom Cribl Stream workers
  • The assessment produces an integration feasibility score for every tool in your stack, listed or not
  • If we determine your tool is not a reasonable fit for Secure, we will tell you during the assessment, not after

Ready to see it mapped to your environment?

The assessment produces an integration feasibility score for every tool you own.

You keep the output whether you move forward or not. Green, yellow, and red scores for every integration, with reasoning. $40,000, credited to your first-year subscription.

Aegis InsightOps + Aegis InsightOps Secure

IT tooling integrations matter too.

Aegis InsightOps covers the IT operations side of integration: observability, ITSM, change management, and infrastructure context. When both products run, the integration fabric is shared and the roadmap is unified.

Learn about Aegis InsightOps