● Engineering reference, for security engineers, SOC analysts, and detection-engineering teams.
Integrations

Pipe Device DNA into the tools you already run. Two surfaces, same data.

Two integration surfaces: syslog for the push (events into your SIEM as they happen) and REST API for the pull (inventory, drift history, compliance evidence, SOAR actions). Pick whichever fits the pipeline you've already built; the data shape is identical across both. Nothing on this page requires you to use our dashboard.

What we don't ship: webhooks, STIX/TAXII feeds. If a vendor in your evaluation queue is matching CybrIQ on functionality but pitching those, that's a different product.

Output channels

[Diagram: output channels]
CybrIQ control plane: event correlator, inventory store, evidence-pack export
PUSH: syslog (RFC 5424) over UDP/514, TCP/1468, TCP+TLS/6514
PULL: REST API, bearer-token, cursor-paginated, TLS only
Consumers: SIEM (Splunk, Sentinel, Chronicle, Elastic, QRadar); SOAR / NAC (XSOAR, Tines, ServiceNow, Forescout, Cisco ISE)
Same event payload across both channels. No webhooks. No STIX/TAXII.

1. Syslog (RFC 5424)

Push · UDP/TCP/TLS

Standard CEF or LEEF formatting, configurable per receiver. UDP for low-volume sites, TCP+TLS for production deployments.

<134>1 2026-05-10T17:08:12Z ese-bldg-3 cybriq 4231 device-substituted
  [event@29051 port="sw-bldg-3-fl-2/port-47" previous_dna="dna:7a4f-1c91"
   current_dna="dna:5b8e-2a4f" similarity="0.31" mitre="T1200,T1556"
   controls="PCI-4.0/12.5.1"]
Substituted device on port-47, site NYC-HQ. Severity high.
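Added example, not CybrIQ code: a parser for the RFC 5424 line above that separates the PRI and header fields, the event@29051 structured-data element and the free-text MSG, then applies the same similarity < 0.5 triage the SPL and KQL samples further down use. The sample line and the 0.5 threshold are taken from this page; the field names in the returned dict are the example's own.

```python
import re
from datetime import datetime

# Constructed sample, same shape as the device-substituted event shown above
# (in a real stream the whole message arrives on one line).
SAMPLE = ('<134>1 2026-05-10T17:08:12Z ese-bldg-3 cybriq 4231 device-substituted '
          '[event@29051 port="sw-bldg-3-fl-2/port-47" previous_dna="dna:7a4f-1c91" '
          'current_dna="dna:5b8e-2a4f" similarity="0.31" mitre="T1200,T1556" '
          'controls="PCI-4.0/12.5.1"] '
          'Substituted device on port-47, site NYC-HQ. Severity high.')

HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) '
                    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'(?P<k>[^=\s\]]+)="(?P<v>(?:[^"\\]|\\.)*)"')

def parse_event(line: str) -> dict:
    """Split an RFC 5424 line into header fields, structured-data elements and the MSG."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])  # 134 = local0 (16) / info (6); PRI severity is syslog's, not the product's
    ev = {"facility": pri >> 3, "severity": pri & 7, "host": m["host"], "app": m["app"],
          "msgid": m["msgid"], "sd": {},
          "timestamp": datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))}
    rest, pos = m["rest"], 0
    if rest[:1] == "-":          # NILVALUE: message carries no structured data
        pos = 1
    while pos < len(rest) and rest[pos] == "[":
        sd = SD_ELEMENT.match(rest, pos)
        if sd is None:
            raise ValueError("malformed SD-ELEMENT at offset %d" % pos)
        # RFC 5424 escapes '"', '\' and ']' inside PARAM-VALUE with a backslash
        ev["sd"][sd["id"]] = {p["k"]: re.sub(r'\\([\\"\]])', r'\1', p["v"])
                              for p in SD_PARAM.finditer(sd["params"])}
        pos = sd.end()
    ev["msg"] = rest[pos:].lstrip(" ")
    return ev

SUBSTITUTION_THRESHOLD = 0.5  # same cut-off the SPL and KQL samples on this page use

def triage(ev: dict) -> dict:
    """Lift the event@29051 parameters into typed fields; flag low-similarity substitutions."""
    p = ev["sd"].get("event@29051", {})
    similarity = float(p["similarity"]) if "similarity" in p else None
    return {"port": p.get("port"), "previous_dna": p.get("previous_dna"),
            "current_dna": p.get("current_dna"), "similarity": similarity,
            "mitre": [t for t in p.get("mitre", "").split(",") if t],
            "controls": [c for c in p.get("controls", "").split(",") if c],
            "needs_review": ev["msgid"] == "device-substituted"
                            and similarity is not None and similarity < SUBSTITUTION_THRESHOLD}
```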

2. REST API (pull)

Pull · bearer-token auth

For tools that prefer to poll, plus the SOAR-action endpoints (acknowledge, suppress, NAC quarantine). GET endpoints for inventory, events, devices, drift, and compliance evidence. Cursor-paginated.

GET /api/v1/events?since=2026-05-10T00:00:00Z&type=device-substituted
Authorization: Bearer <token>

{
  "events": [ ... ],
  "next_cursor": "eyJ0Ijox..."
}

Full endpoint reference and authentication detail on the Syslog & API page.

Tool-specific patterns

For the platforms most security engineers we talk to are already running.

Splunk Enterprise / Splunk Cloud

Channel: Syslog over TCP+TLS into an HEC-compatible receiver. Pull via the REST API also supported for batch ingest.

Sourcetype: cybriq:event · Index: dedicated cybriq index recommended.

Sample SPL:

index=cybriq event=device-substituted similarity<0.5
| join type=left port [search index=ticketing change_window="open" device_id="*" | fields port, change_window]
| where isnull(change_window)
| stats count by site, port, current_vendor_hint

Correlation rule template surfaces substitutions that don't match an open change ticket.

Microsoft Sentinel

Channel: Syslog into the Azure Monitor Agent (CEF format), or REST-pull via a Logic App into an Azure Monitor Custom Log.

Sample KQL:

CybrIQEvent_CL
| where event_s == "device-substituted" and similarity_d < 0.5
| extend mitre_techniques = split(mitre_s, ",")
| project TimeGenerated, site_s, port_s, previous_vendor_hint_s, current_vendor_hint_s, similarity_d, mitre_techniques

Pre-built analytic rule template available; ARM/Bicep deployment templates on request.

Google Chronicle / SecOps

Channel: Syslog over TCP+TLS to Chronicle's ingestion endpoint, mapped to the UDM event model.

CybrIQ ships a normalized UDM parser that maps Device DNA events to EVENT_TYPE_GENERIC_EVENT with principal.asset.attribute.labels carrying the DNA hash and MITRE technique IDs. Sample UDM payload and parser available on request.

Elastic SIEM

Channel: Filebeat reading from the syslog stream, into the Elasticsearch ingest pipeline.

Ingest pipeline template maps to ECS (Elastic Common Schema). event.category = network; event.module = cybriq; threat.technique.id = MITRE IDs. Sample pipeline + dashboard JSON in our public Git repo.

IBM QRadar

Channel: Syslog over TCP+TLS into the QRadar event-collector. CybrIQ ships a DSM-friendly parser; events land as a custom Log Source Type.

ServiceNow ITSM & SecOps

Pattern: ServiceNow polls the CybrIQ REST API at the configured cadence (typically every 5 minutes) and creates a Security Incident for each new high-severity event. Category Hardware Integrity; priority derived from MITRE technique severity; full event payload attached.

Auto-resolve rules suppress when the related Change Request is approved within the lookback window.
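Added example, not CybrIQ's or ServiceNow's connector code, covering both the cursor-paginated REST pull described earlier and the ServiceNow auto-resolve rule: it walks /api/v1/events following next_cursor, then opens an incident only for a high-severity event with no approved Change Request on the same port inside the lookback window. The base URL, token, the `cursor` request parameter, the event field names and the 2-hour window are assumptions; the response pages and change records are constructed.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed pages in the /api/v1/events response shape shown above. The request parameter
# "cursor" is an assumption; the page only shows "next_cursor" in the response body.
FAKE_PAGES = {
    None: {"events": [
        {"id": "evt-1", "type": "device-substituted", "severity": "high",
         "port": "sw-bldg-3-fl-2/port-47", "ts": "2026-05-10T17:08:12Z"},
        {"id": "evt-2", "type": "device-substituted", "severity": "high",
         "port": "sw-bldg-3-fl-1/port-12", "ts": "2026-05-10T17:20:00Z"}], "next_cursor": "eyJ0IjoxfQ"},
    "eyJ0IjoxfQ": {"events": [
        {"id": "evt-3", "type": "port-topology-changed", "severity": "medium",
         "port": "sw-bldg-3-fl-1/port-12", "ts": "2026-05-10T17:25:00Z"}], "next_cursor": None},
}
# Constructed ITSM view: port -> approval time of the related Change Request.
APPROVED_CHANGES = {"sw-bldg-3-fl-1/port-12": "2026-05-10T16:50:00Z"}

def fake_get(url: str, headers: Dict[str, str]) -> dict:
    """Stand-in for an HTTPS GET: checks the bearer header, serves the constructed pages."""
    assert headers["Authorization"].startswith("Bearer ")
    return FAKE_PAGES[parse_qs(urlparse(url).query).get("cursor", [None])[0]]

def iter_events(get: Callable[[str, dict], dict], base: str, token: str, since: str,
                event_type: Optional[str] = None) -> Iterator[dict]:
    """Follow next_cursor until the API returns none, yielding events one at a time."""
    cursor, headers = None, {"Authorization": f"Bearer {token}"}
    while True:
        query = {"since": since}
        if event_type: query["type"] = event_type
        if cursor: query["cursor"] = cursor
        page = get(f"{base}/api/v1/events?{urlencode(query)}", headers)
        yield from page["events"]
        cursor = page.get("next_cursor")
        if not cursor:
            return

def needs_incident(ev: dict, approved: Dict[str, str], lookback: timedelta = timedelta(hours=2)) -> bool:
    """Auto-resolve rule: open an incident only for a high-severity event with no approved
    Change Request on the same port inside the lookback window (2 h is an assumed default)."""
    if ev.get("severity") != "high":
        return False
    when = approved.get(ev["port"])
    if when is None:
        return True
    utc = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return abs(utc(ev["ts"]) - utc(when)) > lookback

def incidents_to_open(get, base, token, since, approved) -> List[str]:
    return [e["id"] for e in iter_events(get, base, token, since) if needs_incident(e, approved)]
```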

CrowdStrike Falcon

Pattern: A small connector polls the CybrIQ REST API and pushes the device's confirmed identity (Device DNA + vendor + port) into Falcon as an external indicator via the Threat Intel API. When Falcon sees a host matching the indicator, the analyst gets the switch-derived context without leaving the Falcon console.

Useful for: validating that an EDR-detected host is the device you think it is (no swap attack pending), or escalating an EDR alert when the Device DNA is also anomalous.

SentinelOne Singularity

Pattern: Same shape as the CrowdStrike pattern: poll the REST API and push the resolved identity into SentinelOne as an asset-record annotation. CybrIQ also publishes to SentinelOne's Threat Intelligence module for the high-severity event types (substitution, NDAA, unauthorized switch).

Cisco ISE (or other NAC)

Pattern: Two-way. CybrIQ consumes ISE's 802.1X session log to enrich Device DNA records with authenticated-user-and-VLAN context. ISE consumes CybrIQ events via syslog and can trigger quarantine policy on device-substituted or port-topology-changed using the SOAR-action endpoint in the API reference.

Net result: a device that swaps under a stable session gets isolated before lateral movement starts. The loop is sub-minute.

Reference architecture

The platform sits to the side of your security data pipeline, not in line with it. The External Scan Engine (ESE) polls switches in read-only mode; the control plane fans events out as syslog and exposes the inventory through a REST API. If everything we ship disappeared tomorrow, your other tools would keep running; they'd just stop receiving switch-derived events.

[Diagram: reference architecture]
Customer's managed switches (up to 500 per ESE), with attached devices: AV, biomed, OT, corporate endpoints, BYOD, contractors
  -> read-only management polling by the External Scan Engine (ESE): CybrIQ software, Linux or Windows, customer on-prem; signs DNA, buffers, emits events
  -> mTLS to the CybrIQ control plane: inventory store, 750M+ device reference DB, event correlator, syslog emitter, REST API, evidence-pack export
  -> syslog and REST API out to SIEM (Splunk, Sentinel, Chronicle, Elastic, QRadar) and SOAR / ITSM / NAC (XSOAR, Tines, ServiceNow, ISE)
  -> analyst console (correlation rules, dashboards) and NAC / EDR action (quarantine, enrichment)

The integrations on the rest of this page are all variations of the right-hand side of the diagram. Pick the consumer that fits your existing pipeline; the left half stays the same.

Want a working integration with your specific stack?

30-day pilot. We ship the ESE, wire the integration into your SIEM/SOAR/ITSM/EDR of choice, and demonstrate end-to-end on one of your sites. No fee.
