Integrations

WitFoo Conductor collects security log data from cloud platforms, endpoints, identity providers, email security, network infrastructure, and more through pull-based API integrations. The Signal Client service polls each vendor's API on a configurable schedule and publishes artifacts to the processing pipeline.

Quick Start

  1. Ensure you have the required vendor license and API access (see each guide's Prerequisites section)
  2. Create API credentials in the vendor console
  3. Open the Conductor UI Integrations page
  4. Select the vendor from the Add Integration dropdown
  5. Enter your credentials and enable the integration
  6. Validate data flow within 1–2 polling cycles

Integration Catalog

Endpoint Security

Integration             Auth Method                 Guide
Cisco AMP               Client ID + API Key         Enable →
CrowdStrike Falcon      OAuth2 Client Credentials   Enable →
Deep Instinct           API Key                     Enable →
SentinelOne             API Token                   Enable →
Sophos Central          OAuth2 Client Credentials   Enable →
Carbon Black            API Key                     Enable →
Halcyon                 Username / Password         Enable →

Cloud Security

Integration             Auth Method                 Guide
Azure Security          OAuth2 (Azure AD)           Enable →
AWS GuardDuty           IAM Access Key              Enable →
AWS Security Hub        IAM Access Key              Enable →
Google Cloud SCC        Service Account JSON        Enable →
Wiz                     OAuth2 Client Credentials   Enable →
Oracle Cloud (OCI)      API Key (RSA Signing)       Enable →

Network Security

Integration             Auth Method                 Guide
Cisco Meraki            API Key                     Enable →
Cisco Umbrella          API Key + Secret            Enable →
Stealthwatch            Username / Password         Enable →
Palo Alto Cortex        API Key                     Enable →
Fortinet FortiAnalyzer  Session Token               Enable →
Zscaler ZIA             API Key + Session Cookie    Enable →
Darktrace               HMAC Token                  Enable →

Identity & Access

Integration             Auth Method                 Guide
Cisco Duo               Client ID + Secret          Enable →
Okta                    API Token                   Enable →
Auth0                   OAuth2 Client Credentials   Enable →
1Password Events        API Token                   Enable →
CyberArk EPM            Username / Password         Enable →
Arista AGNI             API Key                     Enable →

Email Security

Integration             Auth Method                 Guide
Mimecast                OAuth2 Client Credentials   Enable →
Proofpoint CASB         Client ID + Secret          Enable →
Proofpoint Protect      Client ID + Secret          Enable →
Abnormal Security       API Token                   Enable →

SIEM

Integration             Auth Method                 Guide
Splunk                  Token / Username + Password Enable →
Rapid7 InsightIDR       API Key                     Enable →

Infrastructure

Integration             Auth Method                 Guide
DNS Zone Transfer       None (AXFR)                 Enable →
Druva                   Client ID + Secret          Enable →
LimaCharlie             API Key                     Enable →
Netskope                API Token (v1/v2)           Enable →

Vulnerability Management

Integration             Auth Method                 Guide
Tenable                 Access Key + Secret Key     Enable →
Qualys                  Username / Password         Enable →

Common Configuration

All integrations share these common behaviors:

  • Polling Interval — Configurable per integration (default varies by vendor). Lower intervals mean fresher data but higher API usage
  • Checkpoint Tracking — Signal Client resumes from the last successful position after restarts, avoiding duplicate collection
  • Rate Limiting — Built-in respect for vendor API quotas with exponential backoff on HTTP 429 responses
  • Enable/Disable — Each integration can be toggled without removing its configuration

Configuration changes propagate within seconds via the NATS KV watch mechanism. No container restart is required.


See also: Integration Management · Signal Client · Common Troubleshooting