Integrations

Connect your existing security tools and cloud services to Zaun.

Zaun integrates with your existing infrastructure via APIs, webhooks, and the Zaun agent. Your Forward Deployed Engineer (FDE) helps you set up and configure each integration during onboarding, feeding both Reagent (AI Adoption Security) and Ember (Agentic Security Operations).
The full catalog below is the source of truth for what's connectable today. Detailed setup guides for each category live under Integration Setup Guides in the left nav.

| Integration | What it does |
| --- | --- |
| Okta | Workforce identity provider. Zaun watches sign-ins, MFA changes, OAuth grants, role assignments, and admin actions. |
| Microsoft Graph | Tenant-wide events from the Microsoft 365 graph: Entra (Azure AD), conditional access, and risky users. |
| Microsoft Entra ID | Identity-side coverage for Entra: directory changes, group membership, privileged role activation. |
| Active Directory | On-prem AD events streamed via the Zaun agent: domain authentications, group writes, GPO changes. |
| Cisco Duo | Multi-factor auth telemetry: bypass codes, factor enrollment, admin events. |
| Ping Identity | PingOne workforce identity events: sign-ins, risk signals, admin actions. |
| Auth0 | Customer identity events from Auth0 tenants: logins, anomalous geo / device, tenant config changes. |
| Jamf Pro | Apple device management and identity binding: enrollment, profile drift, user binding. |
| 1Password | Vault and item events from 1Password Business. |
| Bitwarden | Password manager events and admin trail. |

See Identity / Access Management for setup steps.

| Integration | What it does |
| --- | --- |
| AWS | CloudTrail, Config, GuardDuty, IAM, and resource activity across every region. Streamed via Kinesis. |
| Azure | Azure Monitor activity logs and Defender for Cloud signals across subscriptions. |
| Google Cloud | GCP audit logs, Security Command Center, and IAM events. |
| Cloudflare | Zero Trust access logs, WAF events, R2 audit, and account-level activity. |
| Wiz | Cloud Security findings, toxic combinations, and exposure paths. |
| Datadog | Audit trail and security signals stream into Zaun Lake. |
| Fastly | CDN access logs and Next-Gen WAF events. |
| Akamai | Akamai SIEM events: WAF, bot manager, and DDoS alerts. |
| Upwind | Cloud-native runtime security and CDR events. |

See Cloud Security for setup steps.

| Integration | What it does |
| --- | --- |
| CrowdStrike Falcon | Endpoint detections, host inventory, and real-time response sessions. |
| SentinelOne | Singularity threats, host posture, and Storyline activity. |
| Microsoft Defender | Defender for Endpoint alerts, vuln status, ASR rules. |
| Trend Micro Vision One | XDR alerts and workbench events from Vision One. |
| Bitdefender EDR | Bitdefender endpoint detections and incidents. |
| Sophos EDR | Endpoint detections and managed threat response signals. |
| ESET Protect | ESET endpoint detections and policy events. |
| Fortinet EDR | FortiEDR detections and response actions. |
| QRadar EDR | IBM Reaqta endpoint events. |
| Webroot EDR | Webroot endpoint detections. |
| Cisco Secure Endpoint | Cisco AMP for Endpoints events and outbreak controls. |
| Jamf Protect | macOS-native EDR signals from Jamf Protect. |
| WatchGuard EDR | Panda / WatchGuard EDR detections and isolation. |
| ThreatLocker | Application allowlisting and ringfencing events. |
| osquery | Open-source host telemetry. The Zaun agent streams osquery results into Zaun Lake. |
| Addigy | macOS device management telemetry. |
| Automox | Patch and configuration management events. |
| Halcyon | Anti-ransomware platform events. |

See EDR / Endpoint Protection for setup steps.

| Integration | What it does |
| --- | --- |
| Palo Alto Firewall | PAN-OS traffic, threat, URL, and config logs. |
| FortiGate Firewall | FortiGate event, traffic, and security logs. |
| Cisco Firepower | Firepower threat intel, intrusion, and access logs. |
| Cisco Meraki | Meraki MX security and event log streams. |
| Cisco Umbrella | DNS-layer security events. |
| Sophos Firewall | Sophos XGS firewall events. |
| Juniper SRX | SRX security and traffic events. |
| WatchGuard Firewall | WatchGuard Firebox events. |
| SonicWall | SonicOS security and traffic logs. |
| Zscaler ZIA | ZIA web access, sandbox, and DLP events. |
| Netskope | SASE / CASB events and DLP findings. |
| Cato Networks | SASE platform events and threat detection. |

See Firewalls / Network Security for setup steps.

| Integration | What it does |
| --- | --- |
| Abnormal Security | BEC, account takeover, and attack detection signals from Abnormal. |
| Proofpoint TAP | Targeted Attack Protection threat events and clicks. |
| Sublime Security | Detection-as-code email security events. |
| Exchange | Mailbox and transport telemetry from Exchange / EXO. |

See Email Security for setup steps.

| Integration | What it does |
| --- | --- |
| Google Workspace | Drive sharing, admin console, login challenges, OAuth tokens, and audit log. |
| Microsoft 365 | Unified audit log: SharePoint, Teams, OneDrive, mailbox. |
| Microsoft Teams | Teams admin and message-level events. |
| Slack | Slack Enterprise audit log: token leaks, app installs, public channel changes. |
| Zoom | Zoom account events and meeting telemetry. |
| Box | Box content and admin events. |
| GitHub | GitHub org audit log: visibility flips, deploy keys, secret scanning. |
| Atlassian | Jira & Confluence audit and Atlassian Guard signals. |
| Salesforce | Salesforce admin and API audit telemetry. |
| Workday | HRIS events for joiner / mover / leaver context. |


| Integration | What it does |
| --- | --- |
| Obsidian Security | SaaS posture and identity threat detection across third-party apps. |
| Grip Security | SaaS Security Posture Management events. |
| KnowBe4 | Phishing simulation and training results. |


| Integration | What it does |
| --- | --- |
| OpenAI | Org-level audit log: API key creation, model access, project changes. |
| Anthropic | Org admin events, key usage, and model invocation telemetry. |
| Claude Code | Coding-agent activity from Claude Code installations. |
| Cursor | Cursor IDE telemetry: prompts, agent runs, and shared sessions. |
| Glean | Enterprise search and assistant telemetry. |


| Integration | What it does |
| --- | --- |
| Splunk | Forward Zaun investigations to Splunk and pull saved searches on demand. |
| Microsoft Sentinel | Sentinel incidents and analytics rules. |
| Azure Sentinel | Sentinel incident routing across workspaces. |
| CrowdStrike NG-SIEM | Falcon NG-SIEM detections and saved searches. |
| Cortex XSIAM | Cortex XSIAM alerts and analytics. |
| IBM QRadar | QRadar offenses and search forwarding. |
| Sumo Logic | Sumo Cloud SIEM signals. |
| Devo | Devo data lake forwarding. |
| Panther | Panther alerts and detections. |
| Stellar Cyber | Stellar Cyber alerts and case data. |
| Expel | Expel alerts forwarded into Zaun investigations. |
| OpenSearch | Pull from OpenSearch indices on demand. |
| Elasticsearch | Pull from Elasticsearch on demand. |
| AlienVault OTX | OTX pulse and indicator data. |

See SIEM / XDR for setup steps.

| Integration | What it does |
| --- | --- |
| Snowflake | Snowflake account usage, login history, and warehouse access. |
| BigQuery | BigQuery audit telemetry: job audit, dataset access. |
| ClickHouse | ClickHouse query logs and cluster events. |
| PostgreSQL | Postgres audit and pgAudit events. |


| Integration | What it does |
| --- | --- |
| Tenable | Tenable Vulnerability Management findings. |
| Rapid7 IDR | Rapid7 incident detection and response findings. |
| Qualys | Qualys VMDR vulnerabilities and asset posture. |


| Integration | What it does |
| --- | --- |
| VulnCheck | Exploit prioritization and threat intelligence feeds. |
| VirusTotal | File and URL reputation lookups during enrichment. |
| Shodan | External attack surface and exposed-asset enrichment. |
| DeHashed | Credential exposure lookups during identity investigations. |
| Cyware | Threat intel sharing and IOC feeds. |

See Threat Intelligence for setup steps.

| Integration | What it does |
| --- | --- |
| PagerDuty | Page on-call when an investigation needs human attention. |
| ServiceNow | Open and update ServiceNow tickets from a runbook. |
| Jira | Open Jira issues with full investigation context. |
| Zendesk | Customer support ticketing integration. |
| Freshservice | IT service management ticketing. |
| Freshdesk | Customer support ticketing. |
| Swimlane | Forward investigations into Swimlane SOAR cases. |
| Workato | Trigger Workato recipes from a runbook. |

See PSA / Ticketing and SOAR / Incident Response for setup steps.

| Integration | What it does |
| --- | --- |
| ConnectWise PSA | Multi-tenant ConnectWise PSA telemetry. |
| ConnectWise ASIO | ConnectWise ASIO automation events. |
| ConnectWise RMM | ConnectWise RMM endpoint events. |
| Datto RMM | Datto RMM agent events and policies. |
| Kaseya VSA X | Kaseya VSA X endpoint and patch events. |
| N-able N-central | N-central monitoring and remediation. |
| N-able N-sight | N-sight monitoring events. |
| NinjaOne | NinjaOne endpoint management telemetry. |
| Pulseway | Pulseway monitoring and automation. |
| SyncroMSP | SyncroMSP endpoint and ticket events. |
| SuperOps | SuperOps RMM / PSA telemetry. |
| Autotask | Datto Autotask PSA telemetry. |
| Atera | Atera monitoring events. |
| HaloPSA | HaloPSA service desk telemetry. |

See RMM / Endpoint Management for setup steps.

| Integration | What it does |
| --- | --- |
| Afi Backup | SaaS data backup and recovery events. |


| Integration | What it does |
| --- | --- |
| DFIR-IRIS | Open-source incident response case management. |
| Cowork | Cowork agent telemetry: tool calls, tasks, and shared sessions. |

```bash
# Add an AWS integration
zaun integrations add aws \
  --account-id 123456789012 \
  --role-arn arn:aws:iam::123456789012:role/ZaunSecurityAudit \
  --regions us-east-1,us-west-2

# Add an Okta integration (the API token is read from the environment, not pasted inline)
zaun integrations add okta \
  --domain your-company.okta.com \
  --api-token "$OKTA_API_TOKEN"

# List all integrations
zaun integrations list

# Test an integration
zaun integrations test aws --account-id 123456789012
```

1. Navigate to Settings → Integrations
2. Click Add Integration
3. Select your platform and follow the setup wizard
4. Zaun verifies the connection and begins surfacing findings and detections

```
Your Infrastructure → Zaun Integration Layer → Zaun Lake → Detection Engine
      (APIs)              (Normalization)       (Storage)     (Analysis)
```

All data is:

- Encrypted in transit (TLS 1.3) and at rest (AES-256)
- Stored in your dedicated Zaun Lake instance
- Subject to your configured retention policies
- Accessible via the investigation console

The catalog grows continuously. If something you rely on isn't listed, we can usually add it via Zaun's generic webhook ingest, syslog forwarder, or a custom collector. Email [email protected] with the platform name and use case.