Frequently Asked Questions

Metron is focused on building integrations for the security ecosystem. We have worked with leading Security information and Event Management (SIEMs) and UEBA; Security Orchestration, Automation and Response (SOARs); exchanges and security technologies such as firewalls, intrusion detection systems – Endpoint Detection and Response (EDR), Threat Intelligence Platform (TIP), ITSM technologies – and many other security related applications.

We have built several integrations including custom applications for security companies.

Here are a sample list of integrations we have built: QRadar, ServiceNow - ITSM, Secops, Splunk, Phantom, Resilient, Crowdstrike, Mindmeld, VMRay, Netskope, Google Chronicle, Zinbox, Cylera, Digital Shadows, JIRA and many more.

We have built a number of connectors (or integrations) to share data between security products. We have built several on-prem and cloud connectors. Below is a list of a few sample connectors.

These connectors run within an application framework provided by the SIEM/SOAR software. Examples of SIEM/SOAR softwares are:

1. Splunk: The app package is installed on the Splunk server and can provide knowledge objects, dashboards and scripts (Python/Javascript/Java)
2. IBM QRadar: The app package can provide a DSM (parsing rules for log events) as well as dashboards and scripts for fetching data from an API gateway.
3. IBM Resilient: The app package typically runs on an integration server that is installed on the customers premises, and which can interface directly with the Resilient server.
4. ServiceNow: We use the ServiceNow Studio to build applications, which can be installed on a customer's ServiceNow instance.
5. Splunk Phantom: The app package runs on the Splunk Phantom server and uses the Phantom framework to poll for incidents, as well as execute actions via API calls.

In addition, we have built several custom connectors and parsers for clients to enable SOC automation. Please contact us for more details.

Sometimes, the security products that are being integrated do not have an application framework that can run the integration. Typically, both products only provide API access. In these cases, we have built a middleware connector that can be run on either the customer side, the provider side, or even on another system that acts as a broker between the security products.

Please read more details in our Connector and Parser section.

Metron labs has extensive experience building parsers to extract data from external log sources. Most of our work has been in transforming data between formats as per customer requirements. We can work with pretty much any format and below is a sample list:

1. Syslog
2. JSON
3. CEF
4. Key-Value pairs
5. NetFlow
6. Regex

Metron has built a process. We use an in-house built framework for data parsing, scripts for generating events and an engineering team aligned to build integration faster. There are integrations we have ready in days to weeks depending on the customization required. Our average integration timeline is 4-6 weeks which includes building the integration and user acceptance testing (UAT).

Please note each app exchange (e.g. XForce, Splunkbase, NOW store, etc.) has its validation process. We work with them to ensure all the criteria is met and your app is published at the earliest. We have seen anywhere from 4-8 weeks for an exchange validation process to be completed.