Quickstart Guide
Connect your first data source and see your first correlated alert within 10 minutes. This guide walks you through connecting CrowdStrike Falcon, AWS CloudTrail, and Okta as a baseline three-source setup.
Prerequisites
- A ThretVyn account (free trial — sign up here)
- CrowdStrike Falcon API credentials (Client ID + Client Secret)
- AWS CloudTrail with S3 delivery configured, plus an IAM role with read permissions
- Okta System Log API token with the okta.logs.read scope
Step 1: Create your account and workspace
After creating your account, you'll be directed to the workspace setup screen. Each ThretVyn workspace maps to a single monitored environment (e.g., production AWS account + identity provider). You can add more workspaces later.
? Workspace name: Production — AWS us-east-1
? Primary cloud provider: AWS
? EDR platform: CrowdStrike Falcon
? Identity provider: Okta
✓ Workspace created: prod-aws-us-east-1
✓ Workspace ID: ws_7f3a1b9e
Step 2: Connect CrowdStrike Falcon
Navigate to Settings → Integrations → EDR and select CrowdStrike Falcon. You'll need an API client with the following permissions:
- Detections: Read
- Incidents: Read
- Event Streams: Read
- Hosts: Read
Integration: CrowdStrike Falcon
Client ID: f7c3a9b2d1e4...
Client Secret: ••••••••••••••••
Cloud Region: US-1 (api.crowdstrike.com)
$ tvn integrations test crowdstrike
✓ Authentication: OK
✓ Event streams: 3 streams available
✓ Detection backfill: 24h available
Integration active — streaming detections
Step 3: Add AWS CloudTrail
ThretVyn reads CloudTrail events via S3 polling (for historical backfill) and optionally via EventBridge for near-real-time streaming. Create an IAM role with the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::381492067143:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "tvn-ws_7f3a1b9e"
      }
    }
  }]
}
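The sts:ExternalId condition is what stops a third party who knows your role ARN from having the vendor account assume the role on their behalf (the confused-deputy problem); a trust policy that lists the vendor account without that condition is the weak form. The script below, an added example rather than ThretVyn tooling, builds the policy for a workspace ID and audits an arbitrary trust policy for AssumeRole statements that trust a foreign account without an external ID. The account ID 381492067143 and workspace ID ws_7f3a1b9e are taken from the guide; the own-account value used in the usage line is a constructed placeholder.

```python
"""Build and audit a cross-account trust policy (added example, not ThretVyn's own code)."""
import json

# Values from the quickstart above; the vendor account assumes the role.
VENDOR_ACCOUNT_ID = "381492067143"
WORKSPACE_ID = "ws_7f3a1b9e"
ASSUME_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def build_trust_policy(vendor_account_id: str, workspace_id: str) -> dict:
    """Trust policy that lets only the vendor account assume the role, and only
    when it presents the workspace-specific external ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": f"tvn-{workspace_id}"}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy: dict, own_account_id: str) -> list:
    """Return findings for Allow statements that grant AssumeRole to a wildcard
    principal, or to a principal outside own_account_id without an sts:ExternalId
    StringEquals condition. An empty list means the policy passes this check."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal may assume the role")
            continue
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        foreign = [a for a in arns if f":{own_account_id}:" not in a]
        if not foreign:
            continue  # same-account trust is outside the scope of this check
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(
                f"statement {i}: foreign principal(s) {foreign} can assume the role "
                "without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(VENDOR_ACCOUNT_ID, WORKSPACE_ID)
    print(json.dumps(policy, indent=2))
    # "111111111111" is a constructed placeholder for your own AWS account ID.
    print("findings:", audit_trust_policy(policy, "111111111111"))
```

Run the audit against the trust policy of any role you hand to a third party, not just this one; the same missing-condition pattern is what to look for whenever a role trusts another account's root principal.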
Step 4: Connect Okta
ThretVyn ingests Okta's System Log in real time via the Okta Events API. You'll need a service app with an API token:
Integration: Okta
Okta Domain: your-org.okta.com
API Token: 00Zf3a9b2c1d4e5...
Scope: okta.logs.read
$ tvn integrations test okta
✓ Authentication: OK
✓ System Log access: confirmed
✓ Event volume: ~3,200 events/day
Integration active — streaming logs
Step 5: Review your first correlated alerts
ThretVyn begins correlating events immediately. Within an hour of connecting all three sources, you should see your first cross-source detections. Navigate to Alerts and filter by Correlated to see only incidents that span multiple sources.