Integrations

CybrIQ feeds the tools the agency already runs.

CybrIQ does not replace the agency's NAC, SIEM, EDR, CDM dashboard, or eMASS instance. It supplies device-identification data to each, through the wire formats those tools expect. Syslog (RFC 5424) and REST are the primary transports; specific integrations are described below.

CybrIQ's main instance fans out to existing agency tools. Identity events emit on RFC 5424 syslog and REST.

SIEM destinations: Splunk Cloud for Government (FedRAMP-authorized) via syslog plus technology add-on; Microsoft Sentinel for Government via REST or AMA-collected syslog; IBM QRadar via syslog with a DSM extension; Elastic / ELK via Filebeat with ECS-aligned field mapping.

NAC integrations: Cisco ISE via pxGrid topic publish with CoA Reauth and Disconnect actions; Forescout via REST to the policy engine, supplementing profiling; Aruba ClearPass via context-server REST populating device-profile attributes.

CDM HWAM: field names align with the HWAM schema (MAC, port, VLAN, confidence, last-seen).

eMASS: signed CSV and JSON exports with SHA-256 hash for SSP attachments and POA&M references.

SOAR: Splunk SOAR for NAC quarantine on covered-entity matches; Cortex XSOAR for ticket creation on authorization-list deviation; Sentinel Logic Apps for USB-protection-event escalation.

Event volume: roughly half an event per port per week at default thresholds in stable production. Polling cadence: 30 seconds per switch by default, tunable per VLAN; first identification within hours of install.

SIEM

CybrIQ emits identity events via RFC 5424 syslog with a structured-data element (SD-ID cybriq@99999) and via REST. Sample event payloads are on the Takeaways page.

Splunk & Splunk Cloud for Government

Syslog or REST input. A curated Splunk technology add-on (TA) is available on request; it handles event parsing, field extraction, and CIM mapping. Splunk Cloud for Government (FedRAMP Moderate) is supported as a destination.

Microsoft Sentinel for Government

REST or AMA-collected syslog. A sample KQL detection set is available on request; it covers covered-entity matches, authorization-list deviations, and USB-protection events.

IBM QRadar

Syslog input with a DSM extension for the CybrIQ structured-data element. Custom event properties are supplied for the device-identification fields.

Elastic / ELK Stack

Syslog or Filebeat ingestion. ECS-aligned field mapping is available on request.

NAC

CybrIQ identifies; the agency's NAC enforces. Integration is direct: device-identification events become input to the NAC's policy decision.

Cisco Identity Services Engine (ISE)

pxGrid integration. CybrIQ publishes device-identification events to the pxGrid topic; ISE consumes them as profiling input or as triggers for policy actions (Authorize, CoA Reauth, CoA Disconnect).

Forescout Platform

REST API integration. CybrIQ events feed Forescout's policy engine and supplement Forescout's own discovery with Layer-1 fingerprint identification, particularly for OT and unmanaged-device classes where Forescout's classification benefits from additional signal.

Aruba ClearPass

Context-server integration via REST. CybrIQ identifications populate device-profile attributes that ClearPass policy can reference.

CDM dashboard feed

CybrIQ output is structured to align with HWAM field expectations — hardware identifier, vendor, model class, MAC, switch port, VLAN, last-seen timestamp, confidence score. Per the CDM page, CybrIQ doesn't replace existing HWAM data sources; it adds rows the existing sources can't reach. CISA's CDM data exchange is the integration point; specific dashboard mappings vary by agency CDM contract.

eMASS & compliance-evidence platforms

CybrIQ ships audit-trail exports in CSV and JSON formats structured for eMASS uploads, POA&M references, and SSP attachments. Output is signed at the control plane with a SHA-256 hash so the assessor can verify the file has not been edited between export and assessment.
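An added example (not CybrIQ's tooling) of the assessor-side check this enables: given a manifest of expected SHA-256 digests for the export files in a package, recompute each digest and report which files are intact, edited after export, or absent. It assumes the expected digests are obtained from the control plane separately from the files, since a digest that travels with a file only shows the two still agree; the export files and manifest in demo() are constructed.

```python
"""Verify eMASS/POA&M export files against expected SHA-256 digests.

Added example, not CybrIQ's tooling. It assumes the expected digests are fetched
from the control plane over a trusted channel and passed in as a
filename -> hex-digest manifest; everything in demo() is constructed.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, streamed so a large audit export is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_exports(manifest, directory):
    """Return {filename: 'ok' | 'modified' | 'missing'} for every manifest entry.

    Every entry is checked (no early exit) so the assessor sees the whole package,
    and digests are compared with hmac.compare_digest rather than ==.
    """
    results = {}
    for name, expected_hex in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual_hex = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual_hex, expected_hex.lower()) else "modified"
    return results


def demo():
    """Constructed scenario: one intact file, one edited after export, one never delivered."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "audit.csv": b"timestamp,mac,port,vlan,confidence\n"
                         b"2024-05-01T12:00:00Z,00:1b:21:aa:bb:cc,Gi1/0/12,110,0.97\n",
            "audit.json": b'[{"mac": "00:1b:21:aa:bb:cc", "port": "Gi1/0/12", "vlan": 110}]\n',
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Manifest as it would be obtained from the control plane (constructed here).
        manifest = {name: sha256_file(os.path.join(d, name)) for name in files}
        manifest["poam.csv"] = "0" * 64  # listed in the manifest but absent from the package
        # Simulate an edit to the JSON file after export.
        with open(os.path.join(d, "audit.json"), "ab") as f:
            f.write(b"\n")
        return verify_exports(manifest, d)


if __name__ == "__main__":
    print(demo())
```

Reporting every file rather than stopping at the first mismatch matters in practice: a package with one stale attachment and one missing POA&M reference needs both findings in the assessment record, not just the first.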

SOAR & ticketing

Where the agency runs SOAR (Splunk SOAR, Cortex XSOAR, Sentinel Logic Apps), CybrIQ events drive automated workflows: NAC quarantine on covered-entity detection, ticket creation on authorization-list deviation, escalation on USB-protection events. Event payload includes structured fields (severity, similarity, supports-controls mapping) that drive branching.

Integration shape and rate limits

Default polling cadence: 30 seconds per switch (tunable). Default event volume: roughly half an event per port per week at default thresholds in stable production. Both ends — syslog and REST — handle that volume on standard agency infrastructure; specific rate limits depend on the destination tool's ingestion capacity, not on CybrIQ's emit rate.

Walk an integration architecture

30 minutes: we walk integration with your specific SIEM, NAC, CDM data flow, and eMASS package shape. Sample payloads and integration runbooks are shipped after the call.
