ZaunDocs

SIEM / XDR

Integration setup guides for SIEM and XDR platforms.

Connect your SIEM or XDR platform to Zaun for log ingestion, alert correlation, and threat detection.

CrowdStrike Falcon LogScale

Category: SIEM (formerly Humio) | Auth: API Key

Required Credentials

Field | Description
Personal API Token | For querying/searching data (inherits user role permissions)
LogScale URL | Your LogScale instance base URL

Capabilities

Feature | Description
Repository Discovery | Enumerate all repositories and views via GraphQL
Streaming Search | Real-time queries with field statistics
Async Query Jobs | Create background queries with paginated results (JSON, CSV, NDJSON)

Supports the LogScale query language (filtering, pipe operators, groupBy, fieldstats, timechart) and relative time ranges such as 36hours and 7days.

Setup Steps

  1. In LogScale, click user icon > Manage your account.
  2. Go to Personal API Token > Reset Token > copy the token.
  3. Ensure the user has read access to the repositories you want Zaun to query.
  4. Paste the token and URL into Zaun. Zaun authenticates each request with the header Authorization: Bearer <token>

Large aggregation queries block until complete. For big datasets, enable allowEventSkipping for faster results.


Devo

Category: SIEM / Log Analytics | Auth: Token Auth

Required Credentials

Field | Description
Authentication Token | Scoped to specific tables
Devo Domain URL | Your Devo instance endpoint (e.g. https://apiv2-us.devo.com)

Capabilities

Feature | Description
LINQ Queries | Execute queries against Devo tables with epoch or ISO 8601 timestamps
Table Discovery | Discover available tables and their field definitions
Query Jobs | List and monitor scheduled/running query jobs

Response formats: json/compact, json/simple, csv, tsv. Table names use the domain.table format.

Setup Steps

  1. Log in to Devo > Administration > Credentials > Tokens.
  2. Click New Token. Set Name, Authorized User, and Target Table(s) (e.g. siem.logtrust.*).
  3. Copy the token and paste into Zaun along with your domain URL.

The token must include access to siem.logtrust.alert.info, otherwise Zaun's health checks will fail.


Rapid7 InsightIDR

Category: SIEM / XDR | Auth: API Key

Required Credentials

Field | Description
API Key | Platform API key (User Key or Org Key)
Region | Select from the regional endpoints below

Auth header: X-Api-Key: <key>

Regional Endpoints

Region | API Base URL
US-1 | us.api.insight.rapid7.com
US-2 | us2.api.insight.rapid7.com
US-3 | us3.api.insight.rapid7.com
EU | eu.api.insight.rapid7.com
CA | ca.api.insight.rapid7.com
AU | au.api.insight.rapid7.com
AP | ap.api.insight.rapid7.com

Capabilities

Feature | Description
Investigations | Search, view, update investigations (status, priority, disposition, assignee)
Alerts | List alerts and Rapid7 product alerts per investigation
Comments | Create, list, manage investigation comments (PUBLIC/PRIVATE visibility)
Discovery | Enumerate investigation sources, alert types, detection rules

Investigation statuses: OPEN, INVESTIGATING, WAITING, CLOSED. Priorities: LOW, MEDIUM, HIGH, CRITICAL.

Setup Steps

  1. Log in to the Rapid7 Insight Platform.
  2. Create a dedicated service user with read-only access to InsightIDR.
  3. Administration > API Key Management > Generate New User Key.
  4. Copy the key immediately (cannot be retrieved later).
  5. Select your Region and paste the API Key into Zaun.

Use an Org Key for organization-wide access, or a User Key scoped to a single user's permissions.


Splunk

Category: SIEM / Log Analytics | Auth: Token Auth

Required Credentials

Field | Description
Authentication Token | JWT token generated in Splunk
Splunk Host URL | e.g. https://splunk-host:8089 (management port)

Required Role Capabilities

Capability | Purpose
search | Execute SPL search queries
list_settings | View server and index info (optional, for discovery)

Zaun executes search queries via POST /services/search/v2/jobs/export. The service account needs search access to relevant indexes.

Setup Steps

  1. Enable token auth: Settings > Tokens > Enable Token Authentication.
  2. Create a service account role with search capability and limit it to relevant indexes.
  3. Create a user with that role. Settings > Tokens > New Token, select the user, set expiration.
  4. Paste Token and Host URL into Zaun.

Ensure the management port (8089 by default) is accessible from Zaun's IP range. For Splunk Cloud, use the REST API endpoint provided in your Splunk Cloud admin panel.
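The export call described above, as an added example that is not Zaun's or Splunk's own code: it assembles the POST to /services/search/v2/jobs/export with the bearer token, refuses host URLs that lack the scheme or management port, and parses the streamed result rows. The form fields (search, output_mode, earliest_time, latest_time) and the NDJSON row layout are assumed from Splunk's export API; the sample stream is constructed.

```python
import json
from urllib.parse import urlencode, urlparse

# Endpoint, bearer header and management port are from the setup guide; the form
# fields and the {"preview": ..., "result": {...}} row layout are assumed from Splunk's API.
EXPORT_PATH = "/services/search/v2/jobs/export"


def build_export_request(host_url, token, spl, earliest="-24h", latest="now"):
    """Describe the POST Zaun would issue: https, explicit management port, bounded time range."""
    parsed = urlparse(host_url)
    if parsed.scheme != "https":
        raise ValueError("use https for the management API")
    if parsed.port is None:
        raise ValueError("host URL must include the management port, e.g. :8089")
    query = spl.strip()
    if not query.startswith(("search ", "|")):
        query = "search " + query  # ad-hoc SPL sent to the API must begin with a command
    return {
        "url": host_url.rstrip("/") + EXPORT_PATH,
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"search": query, "output_mode": "json",
                           "earliest_time": earliest, "latest_time": latest}),
    }


def parse_export_stream(text):
    """Collect final result rows from an export stream, dropping preview rows and bad lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or garbled line: skip it instead of aborting the export
        if obj.get("preview") or "result" not in obj:
            continue  # preview rows are superseded by the final rows that follow them
        rows.append(obj["result"])
    return rows


# Constructed sample of an export stream (not captured from a real Splunk host).
SAMPLE_STREAM = "\n".join([
    '{"preview":true,"offset":0,"result":{"host":"web01","count":"1"}}',
    '{"preview":false,"offset":0,"result":{"host":"web01","count":"4"}}',
    '{"preview":false,"offset":1,"result":{"host":"web02","count":"2"},"lastrow":true}',
])
```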


Stellar Cyber

Category: Open XDR | Auth: API Key / JWT

Required Credentials

Field | Description
API Key | Generated per user in Stellar Cyber UI
DP Hostname | Data Processor hostname

Only local user accounts can access the API. SSO-authenticated users cannot generate API keys.

Capabilities

Feature | Description
Case Management | List, view, update cases (status, severity, assignee, tags)
Alerts & Observables | View alerts, IPs, users, hosts, files linked to cases
Data Search | Elasticsearch DSL queries against indices (aella-ser-*, aella-assets-*, aella-users-*)
Activity Audit | Case activity history, score history, computed summaries

Case statuses: New, In Progress, Resolved, Cancelled. Severity: Critical, High, Medium, Low.

Setup Steps

  1. Create a dedicated local service account in System > Users (do not use SSO).
  2. In the user's profile > API Keys tab, generate an API Key.
  3. Paste API Key and DP Hostname into Zaun.

Trend Micro Vision One

Category: XDR Platform | Auth: API Key

Required Credentials

Field | Description
API Token | Bearer token from Vision One console
Region Base URL | Regional API endpoint

Capabilities

Feature | Description
Workbench Alerts | List, view, update XDR alert status and investigation results
OAT Detections | Query Observed Attack Techniques with time range filters
Endpoint Inventory | List and view endpoint details by agent GUID
Response Actions | Isolate and restore endpoints (requires appropriate role)

Investigation statuses: New, Investigating, Resolved. Results: True Positive, False Positive, Informational.

Setup Steps

  1. In Vision One > Administration > API Keys > Add API Key.
  2. Name it, select the Analyst role (or Auditor for read-only access), and set an expiration.
  3. Copy the token (shown only once) and paste into Zaun with the correct regional URL.

Use the Auditor role for read-only access; Analyst or higher is needed for response actions (endpoint isolation).