Integrations

Wire Cyber Defence TI straight into your SIEM

Cyber Defence TI is designed to sit alongside your existing logging, monitoring and response tooling, not to replace it. Our threat intelligence, dark-web and attack surface data are exposed through a simple HTTPS API that returns JSON, so you can enrich events, drive correlation rules and trigger playbooks directly from the platforms you already trust, such as Wazuh, Graylog and other leading SIEM and SOAR solutions.

By integrating Cyber Defence TI with your SIEM, every IP address, domain, hash or email address seen in your logs can be checked in real time against live intelligence from the Hedgehog SOC. This turns raw log data into actionable context: you can distinguish a harmless connection from a known command-and-control host, or a mistyped domain from active phishing infrastructure, and you can act accordingly.

Subscription requirements

SIEM integrations are available to customers on our paid Cyber Defence TI plans.

Detect, Defend and Disrupt all include access to the API and the ability to integrate with SIEM and SOAR platforms. Detect is ideal for smaller teams who want to build and maintain their own integrations; Defend and Disrupt add higher usage limits, more users and enhanced support for integration, tuning and troubleshooting.

A limited free API key is available for sandbox use and evaluation. Free keys are rate-limited and are intended only for low-volume testing in a lab environment. They are not suitable for production SIEM integrations, and we do not provide formal support for them.

Integration patterns

Although every SIEM has its own configuration model, most integrations with Cyber Defence TI follow one of two patterns.

The first is on-demand enrichment. In this pattern, the SIEM identifies an indicator within an event, such as a source IP address, destination domain, URL, file hash or email address, and calls the Cyber Defence TI API with that value. The SIEM then stores the returned intelligence alongside the original event. This makes it possible to search, alert and report on events where Cyber Defence TI has supplied a malicious verdict, a high confidence score, or a particular threat category.

The second pattern is scheduled synchronisation. Here, the SIEM periodically pulls a set of indicators or attack surface findings from Cyber Defence TI and stores them as lookup tables, reference sets or dedicated indices. Local log events are then correlated against these lookups using the SIEM’s own rule engine. This pattern is often used to maintain block lists, to drive watch lists, or to enrich offline reports.

Both patterns can be used together. For example, you might maintain a rolling list of “high confidence” indicators in the SIEM and also perform on-demand enrichment when unusual activity is detected. Your account manager can help you choose the most appropriate approach for your environment and subscription tier.

Using Cyber Defence TI with Wazuh

Wazuh is a versatile open-source security platform that combines log analysis, host intrusion detection, vulnerability detection and more. Integrating Cyber Defence TI with Wazuh allows you to enrich Wazuh alerts with external intelligence and to create new rules that fire whenever Wazuh observes an indicator that our SOC has flagged as malicious.

There are two common approaches: using Wazuh to call out to the Cyber Defence TI API during rule evaluation, and having an external process fetch intelligence from Cyber Defence TI and inject it into Wazuh as additional log data.

Prerequisites

To integrate Wazuh with Cyber Defence TI you will need an active Detect, Defend or Disrupt subscription; an API key generated from the Cyber Defence TI portal with permissions to perform indicator lookups; outbound HTTPS connectivity from your Wazuh manager or an intermediary service to the Cyber Defence TI API endpoint; and administrative access to your Wazuh manager configuration, including decoders, rules and, where necessary, active response scripts.

Configuration outline

In an on-demand enrichment pattern, you configure Wazuh decoders and rules to extract indicators from incoming events and then invoke a script or active response that queries Cyber Defence TI. For example, a rule might trigger whenever Wazuh sees a new outbound connection to an external (non-private) IP address; keeping the trigger this narrow is what stops the integration from making an API call for every event. The active response script receives the alert, takes the IP address from it, sends it to the Cyber Defence TI API using your API key, and parses the JSON response. The script then appends a short, structured log message to a file that the Wazuh manager reads as a local log source, including fields such as the indicator, its type, the overall verdict, confidence, threat categories and first and last seen dates. A second rule matches on these enrichment messages and raises an alert if the verdict is malicious or the confidence exceeds a threshold.
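The active response script described above, as an added example (this is not Cyber Defence TI’s or Wazuh’s own code). It follows the Wazuh 4.x convention of receiving the triggering alert as a JSON message on stdin, pulls the first usable indicator out of the alert, looks it up and appends one JSON line to an enrichment log. The API endpoint, the bearer-token authentication scheme, the JSON response keys and the log path are assumptions; the sample alert and API answer are constructed so the script runs offline.

```python
"""Wazuh active-response enrichment script (added example, not Cyber Defence TI's
or Wazuh's own code). Reads the triggering alert that Wazuh 4.x passes as JSON on
stdin, extracts an indicator, looks it up and appends one JSON line to an enrichment
log the manager ingests as a JSON localfile. Endpoint, auth scheme, response keys and
file path are ASSUMPTIONS; adjust them to your tenant."""
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_URL = "https://api.cyberdefence.example/v1/lookup"   # ASSUMED lookup endpoint
ENRICH_LOG = "/var/ossec/logs/cdti-enrichment.log"        # ASSUMED path; read via <localfile>

# Alert data fields to try, in priority order, with the indicator type each implies.
# dstip comes first because the triggering rule is about outbound connections.
INDICATOR_FIELDS = (("dstip", "ip"), ("srcip", "ip"), ("url", "url"),
                    ("hostname", "domain"), ("sha256", "hash"), ("md5", "hash"))

def extract_indicator(alert):
    """Return (value, type) for the first indicator field present in alert['data']."""
    data = alert.get("data") or {}
    for field, kind in INDICATOR_FIELDS:
        if data.get(field):
            return data[field], kind
    return None, None

def api_lookup(indicator, kind, api_key, timeout=5.0):
    """Real HTTPS call: GET the lookup endpoint with a bearer key (assumed scheme)."""
    query = urllib.parse.urlencode({"indicator": indicator, "type": kind})
    req = urllib.request.Request(f"{API_URL}?{query}", headers={
        "Authorization": f"Bearer {api_key}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def enrich(message, lookup):
    """Turn one active-response stdin message into a flat enrichment record.
    `lookup(indicator, kind)` returns the parsed API JSON; it is injected so the
    logic can be exercised offline. Returns None if the alert has no indicator."""
    alert = message.get("parameters", {}).get("alert", {})
    indicator, kind = extract_indicator(alert)
    if indicator is None:
        return None
    intel = lookup(indicator, kind)
    return {
        "integration": "cdti",
        "source_alert_id": alert.get("id"),
        "source_rule_id": alert.get("rule", {}).get("id"),
        "agent": alert.get("agent", {}).get("name"),
        "cdti": {
            "indicator": indicator,
            "type": kind,
            "verdict": intel.get("verdict", "unknown"),
            "confidence": int(intel.get("confidence", 0)),
            "categories": list(intel.get("categories", [])),
            "first_seen": intel.get("first_seen"),
            "last_seen": intel.get("last_seen"),
        },
        "enriched_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

# CONSTRUCTED sample: what wazuh-execd would hand the script for an outbound-connection
# alert, and a made-up API answer in the field layout the page describes.
SAMPLE_MESSAGE = {"version": 1, "origin": {"name": "manager", "module": "wazuh-execd"},
                  "command": "add", "parameters": {"extra_args": [], "alert": {
                      "id": "1700000000.12345", "rule": {"id": "100200", "level": 5},
                      "agent": {"name": "web01"},
                      "data": {"srcip": "10.0.0.15", "dstip": "198.51.100.23", "dstport": "443"}}}}
SAMPLE_INTEL = {"indicator": "198.51.100.23", "type": "ip", "verdict": "malicious",
                "confidence": 92, "categories": ["c2", "malware"],
                "first_seen": "2024-03-01T08:12:00Z", "last_seen": "2024-05-20T17:45:00Z"}

def main():
    if sys.stdin.isatty():                      # run by hand: use the constructed sample
        print(json.dumps(enrich(SAMPLE_MESSAGE, lambda i, k: SAMPLE_INTEL)))
        return
    message = json.load(sys.stdin)              # run by wazuh-execd
    key = os.environ.get("CDTI_API_KEY", "")
    record = enrich(message, lambda i, k: api_lookup(i, k, key))
    if record:
        with open(ENRICH_LOG, "a") as fh:
            fh.write(json.dumps(record) + "\n")

if __name__ == "__main__":
    main()
```

On the manager, the enrichment log is picked up with a `<localfile>` entry using `<log_format>json</log_format>`, after which the nested keys are available to rules as dotted fields (for example `cdti.verdict`), and the second rule from the outline matches on `<field name="cdti.verdict">malicious</field>` or on a confidence threshold. Keep the API key in the environment or a root-only file rather than in the script, and keep the triggering rule restricted to genuinely new external destinations so that the script is not invoked per packet.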

In a scheduled synchronisation pattern, you create a lightweight service that periodically queries Cyber Defence TI for the latest malicious indicators relevant to your estate. That service then writes the indicators into a file that Wazuh can match against, most naturally a CDB list on the Wazuh manager (a key:value text file under etc/lists that the manager compiles and that rules reference with a list lookup). You then write rules that treat any event whose source or destination appears in that list as suspicious. This method keeps the detection logic inside Wazuh while relying on Cyber Defence TI as the authoritative source of indicators; the service also needs to age out indicators the feed no longer reports, or the list only ever grows.
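The synchronisation service described above, and the scheduled synchronisation pattern from the integration patterns section, as an added example (not Cyber Defence TI’s or Wazuh’s own code). It merges a feed page into a local table, drops entries below a confidence threshold or older than a retention window, and writes the remainder as a Wazuh CDB list. The feed endpoint, its query parameters and JSON layout, and the list path are assumptions; the feed page and saved table are constructed so the merge runs offline.

```python
"""Scheduled synchronisation job (added example, not Cyber Defence TI's or Wazuh's own
code): pull high-confidence IP indicators from the Cyber Defence TI API, age out stale
ones, and write a Wazuh CDB list that rules match with <list lookup="address_match_key">.
The feed endpoint, its JSON layout and the list path are ASSUMPTIONS."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

FEED_URL = "https://api.cyberdefence.example/v1/indicators"   # ASSUMED feed endpoint
CDB_PATH = "/var/ossec/etc/lists/cdti-ips"                      # ASSUMED; add to <ruleset><list>
MIN_CONFIDENCE = 80            # only push what you would act on
MAX_AGE = timedelta(days=30)   # drop indicators the feed has not seen recently

def fetch_feed(api_key, since, timeout=30.0):
    """Real call: indicators last seen after `since` (assumed query parameters)."""
    query = urllib.parse.urlencode({"types": "ip", "min_confidence": MIN_CONFIDENCE,
                                    "since": since.isoformat(timespec="seconds")})
    req = urllib.request.Request(f"{FEED_URL}?{query}", headers={
        "Authorization": f"Bearer {api_key}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["indicators"]

def parse_ts(value):
    """ISO-8601 with a trailing Z, as the assumed feed emits it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def merge(existing, feed, now):
    """Merge a feed page into the saved table keyed by indicator value, keeping the
    newest last_seen per key, then drop low-confidence and stale entries."""
    table = dict(existing)
    for item in feed:
        key = item["indicator"]
        if key not in table or parse_ts(item["last_seen"]) > parse_ts(table[key]["last_seen"]):
            table[key] = item
    cutoff = now - MAX_AGE
    return {k: v for k, v in table.items()
            if v["confidence"] >= MIN_CONFIDENCE and parse_ts(v["last_seen"]) >= cutoff}

def cdb_lines(table):
    """Wazuh CDB format: one key:value line per entry. Wazuh matches on the key; the
    value is kept for analysts. IPv4 only here, since ':' is the CDB delimiter."""
    return [f"{k}:{v['verdict']}|{v['confidence']}|{','.join(v.get('categories', []))}"
            for k, v in sorted(table.items())]

def sync(existing, feed, now, path=None):
    """Merge, render and (optionally) write the list. Returns (table, lines)."""
    table = merge(existing, feed, now)
    lines = cdb_lines(table)
    if path:
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
    return table, lines

# CONSTRUCTED sample: a previously saved entry that is now stale, and one feed page
# containing a duplicate (newer wins) and a low-confidence scanner (dropped).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAVED = {"203.0.113.9": {"indicator": "203.0.113.9", "verdict": "malicious", "confidence": 90,
                         "categories": ["phishing"], "last_seen": "2024-03-15T00:00:00Z"}}
SAMPLE_FEED = [
    {"indicator": "198.51.100.23", "verdict": "malicious", "confidence": 92,
     "categories": ["c2"], "last_seen": "2024-05-30T12:00:00Z"},
    {"indicator": "198.51.100.23", "verdict": "malicious", "confidence": 95,
     "categories": ["c2", "malware"], "last_seen": "2024-05-31T09:00:00Z"},
    {"indicator": "192.0.2.77", "verdict": "suspicious", "confidence": 40,
     "categories": ["scanner"], "last_seen": "2024-05-31T10:00:00Z"},
]

if __name__ == "__main__":
    # In production: table, lines = sync(load_saved(), fetch_feed(key, last_run), now, CDB_PATH)
    _, lines = sync(SAVED, SAMPLE_FEED, NOW)
    print("\n".join(lines))
```

Run it from cron or a systemd timer, persist the saved table and the last-run watermark between runs, and restart the manager (or use your usual reload procedure) so the new list is compiled. A rule then references the list with `<list field="dstip" lookup="address_match_key">etc/lists/cdti-ips</list>`, which also handles CIDR keys if the feed supplies ranges.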

Operational considerations

Whichever pattern you choose, you should ensure that API usage stays within the fair-use expectations of your subscription. For high-volume environments, batched or scheduled enrichment is usually more efficient than making a separate API call for every individual event. It is also good practice to log and monitor the health of the integration itself, so you can detect if the API becomes unreachable or credentials expire. Our team can provide example Wazuh configurations and scripts as part of Defend and Disrupt onboarding, and we are happy to review your proposed rules to help reduce noise while maintaining good coverage.

Using Cyber Defence TI with Graylog

Overview

Graylog is a powerful platform for centralised log management and alerting. By integrating Graylog with Cyber Defence TI, you can enrich streams and dashboards with external intelligence, highlight events that involve known bad infrastructure, and simplify hunting by allowing analysts to pivot directly from an event to the associated threat context.

As with Wazuh, you can adopt either a push-style model, in which an external process sends enriched events into Graylog, or a pull-style model, in which Graylog itself retrieves intelligence from Cyber Defence TI, directly or through a companion service, at the moment a message is processed.

Prerequisites

To integrate with Graylog you will need a Detect, Defend or Disrupt subscription to Cyber Defence TI; an API key with the appropriate lookup permissions; network connectivity from Graylog, or a companion service, to the Cyber Defence TI API; and administrative access to create inputs, streams, extractors and pipeline rules within your Graylog instance.

Configuration outline

One common approach is to create an HTTP input in Graylog dedicated to Cyber Defence TI enrichment messages. An external script or service, triggered by your security tooling, sends JSON payloads to this input whenever it looks up an indicator in Cyber Defence TI. These payloads contain both the original indicator and the intelligence returned by the API, including verdicts, confidence scores and categories. Within Graylog you define extractors for the input to parse the JSON fields into message attributes, route the messages into a dedicated “Cyber Defence TI” stream, and then correlate those attributes with existing log sources. Because a pipeline rule only sees the message it is currently processing, the correlation itself goes through a lookup table: the indicators and verdicts are loaded into a data adapter (for example a CSV file your service maintains, or an HTTP endpoint it exposes), and a pipeline rule on your authentication stream looks up each source IP in that table and, where the verdict is malicious, sets a custom field or escalates the severity of the alert.

Alternatively, you can use Graylog’s pipeline functionality to call out to an external enrichment service that wraps the Cyber Defence TI API. In Graylog terms this is a lookup table backed by an HTTP data adapter that points at your service, queried from a pipeline rule with the lookup functions. The pipeline stage extracts an indicator from an event, passes it to the enrichment service, and receives a verdict and metadata in return. Those values are then added to the Graylog message as new fields, which can be used in searches, dashboards and alerts. This pattern keeps the integration logic outside Graylog but makes the enriched data fully visible within the platform.

Operational considerations

As with any external integration, you should consider timeouts and error handling so that enrichment failures do not block log ingestion. When a lookup fails, record that the result is unknown rather than treating the indicator as clean, and cache failures for a shorter period than successes so an API outage does not turn into a flood of retries. It is sensible to cache successful results for a suitable period so that frequently repeated indicators do not generate unnecessary repeated API calls. Defend and Disrupt customers can draw on our support team for guidance on designing Graylog pipelines and dashboards that make best use of the Cyber Defence TI fields without overwhelming analysts with low-value alerts.
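The external enrichment service from the configuration outline, with the timeout, caching and fail-open handling discussed above, as an added example (not Cyber Defence TI’s or Graylog’s own code). It fronts the lookup API with a bounded TTL cache that keeps errors for a shorter time than successes, never raises into the caller, and serves flat JSON that a Graylog HTTP data adapter can read. The API endpoint, bearer-token scheme and response keys are assumptions; the sample intelligence table is constructed so the cache logic runs offline.

```python
"""Enrichment service for Graylog (added example, not Cyber Defence TI's or Graylog's
own code). Wraps the Cyber Defence TI lookup API with a hard timeout, a bounded TTL
cache (shorter TTL for errors), fail-open results, and a small HTTP front end that
returns flat JSON for a Graylog lookup table. Endpoint, auth and keys are ASSUMPTIONS."""
import json
import os
import time
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

API_URL = "https://api.cyberdefence.example/v1/lookup"   # ASSUMED lookup endpoint
POSITIVE_TTL = 6 * 3600      # seconds to keep a successful answer
NEGATIVE_TTL = 300           # seconds to keep an error, so an outage is not hammered
MAX_ENTRIES = 50_000         # crude memory bound for the cache

def api_fetch(indicator, api_key, timeout=2.0):
    """Real call; the short timeout keeps a slow API from stalling message processing."""
    query = urllib.parse.urlencode({"indicator": indicator})
    req = urllib.request.Request(f"{API_URL}?{query}", headers={
        "Authorization": f"Bearer {api_key}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

class Enricher:
    def __init__(self, fetch, clock=time.monotonic):
        self.fetch, self.clock, self.cache = fetch, clock, {}
        self.calls = 0                       # upstream calls made; useful for metrics

    @staticmethod
    def _flat(intel, status):
        """Flatten to the field names the pipeline will copy onto the message.
        An unknown verdict is deliberately not 'benign'."""
        return {"cdti_status": status, "cdti_cached": False,
                "cdti_verdict": intel.get("verdict", "unknown"),
                "cdti_confidence": int(intel.get("confidence", 0)),
                "cdti_categories": ",".join(intel.get("categories", [])),
                "cdti_last_seen": intel.get("last_seen")}

    def lookup(self, indicator):
        now = self.clock()
        hit = self.cache.get(indicator)
        if hit and hit[0] > now:
            return dict(hit[1], cdti_cached=True)
        try:
            self.calls += 1
            result, ttl = self._flat(self.fetch(indicator), "ok"), POSITIVE_TTL
        except Exception as exc:             # timeout, HTTP error, bad JSON: fail open
            result, ttl = self._flat({}, f"error:{type(exc).__name__}"), NEGATIVE_TTL
        if len(self.cache) >= MAX_ENTRIES:   # evict the entry that expires soonest
            self.cache.pop(min(self.cache, key=lambda k: self.cache[k][0]))
        self.cache[indicator] = (now + ttl, result)
        return result

class Handler(BaseHTTPRequestHandler):
    """GET /lookup?indicator=... -> flat JSON; what the Graylog data adapter calls."""
    enricher = None
    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        indicator = params.get("indicator", [""])[0].strip()
        if not indicator:
            self.send_error(400, "missing indicator")
            return
        body = json.dumps(self.enricher.lookup(indicator)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(enricher, host="127.0.0.1", port=8089):
    Handler.enricher = enricher
    ThreadingHTTPServer((host, port), Handler).serve_forever()

# CONSTRUCTED sample intelligence; any other indicator simulates an upstream timeout.
SAMPLE_INTEL = {"198.51.100.23": {"verdict": "malicious", "confidence": 92,
                                  "categories": ["c2"], "last_seen": "2024-05-20T17:45:00Z"}}

def sample_fetch(indicator):
    if indicator in SAMPLE_INTEL:
        return SAMPLE_INTEL[indicator]
    raise TimeoutError("simulated API timeout")

if __name__ == "__main__":
    e = Enricher(sample_fetch)
    for ind in ("198.51.100.23", "198.51.100.23", "203.0.113.5"):
        print(ind, e.lookup(ind))
    # As a service: serve(Enricher(lambda i: api_fetch(i, os.environ["CDTI_API_KEY"])))
```

In Graylog, create a data adapter of type HTTP JSONPath with the lookup URL `http://<service-host>:8089/lookup?indicator=${key}`, a single-value JSONPath of `$.cdti_verdict` and a multi-value JSONPath of `$`, wrap it in a lookup table, and in a pipeline rule call `lookup("cdti", to_string($message.source_ip))` and pass the returned map to `set_fields()`. The adapter has its own cache layer; the service-side cache is still worth keeping so that several Graylog nodes share one set of upstream calls. Bind the service to an internal address and restrict which hosts can reach it, since anyone who can query it can spend your API quota.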

Other SIEM and SOAR platforms

Cyber Defence TI can be integrated with most modern SIEM and SOAR platforms that support RESTful HTTP, JSON and basic scripting or pipeline logic.

At a high level, you authenticate to the Cyber Defence TI API using the key issued to your organisation, send indicators of interest to the appropriate lookup endpoint, and parse the JSON response into fields that your platform understands. Those fields typically include the indicator value itself, the type of indicator, a verdict, a confidence score, one or more threat categories, and timestamps indicating when the indicator was first and last observed. You then use your platform’s rule or playbook engine to correlate local logs with indicators that meet particular criteria, such as “malicious with high confidence”, “associated with phishing infrastructure”, or “seen in credential leaks for your monitored domains”.

In Elastic, this usually means enriching documents in an ingest pipeline or using an external enrichment service; in Splunk it may involve a custom search command, a modular input or a lookup table that is populated from Cyber Defence TI; in QRadar it often takes the form of a reference set that holds indicators, combined with custom rules that test for membership of that set. SOAR platforms can take the same intelligence as triggers for automated playbooks, such as blocking IPs at the firewall, disabling accounts, opening tickets or notifying your Hedgehog SOC team.

If you are planning a large-scale or multi-tenant deployment, the Disrupt tier is designed to support more complex integration patterns, including segregated data flows, separate API keys per business unit and tailored playbooks. Our engineers can work with your SOC or MSSP to design and validate these integrations.

Choosing the right plan and getting started

For smaller teams and organisations who want to experiment and build their own integrations at their own pace, Detect provides full access to the Cyber Defence TI API and support for SIEM integration on a self-service basis. Defend is intended for mid-sized organisations with a dedicated security or IT team; it includes higher limits, more users and hands-on help in designing, implementing and tuning integrations with Wazuh, Graylog and other platforms. Disrupt is reserved for larger or more complex environments that require bespoke onboarding, multi-tenant patterns or deeper collaboration between your SOC and ours.

If you are new to Cyber Defence TI, a sensible path is to begin by testing enrichment in a non-production Wazuh or Graylog instance using your Detect or Defend subscription, validate that the data and rules behave as expected, and then roll the integration into production with support from our team. Your account manager will be pleased to provide example configurations and to arrange a short working session with our engineers to review your design before you go live. Better protect the connected world, and let your SIEM see what our SOC sees.