Connects to Your Entire Security Stack
ThretVyn reads from the EDR, cloud-trail, and identity sources you already run — and writes kill-chain escalations back to the SIEM or alerting tools your analysts already use. No new infrastructure. No changes to existing EDR policy or SIEM forwarding rules. Average time to first correlated alert: under 20 minutes from first connector configured.
EDR Sources
ThretVyn ingests EDR telemetry — detections, process events, network connections, and threat classifications — from the four major platforms. Event schemas are normalized to a common format so kill-chain correlation works across vendor boundaries without custom parsing. ThretVyn does not replace your EDR; it reads its output.
[Available] Real-time event streaming via Falcon Streaming API. Ingests detections, process events, and network connections.
[Available] Alerts, threats, and activity events via SentinelOne's management API. Supports multi-site deployments.
[Available] Carbon Black Cloud notification webhook ingestion. Enriches with process lineage and threat classification data.
[Available] Alerts, incidents, and advanced hunting events via Microsoft Graph Security API. Includes Device Timeline events.
Cloud Trail Sources
Connect cloud provider audit trails. ThretVyn maps management-plane events to kill-chain stages — spotting unusual API calls that EDR misses.
[Available] Management and data events via S3 delivery or real-time EventBridge. Covers all AWS services across a multi-account organization.
[Available] Azure subscription-level activity logs via Event Hubs. Includes resource management, policy changes, and role assignments.
[Available] Admin Activity and Data Access audit logs via Cloud Pub/Sub streaming. Covers GCP project and organization scope.
[Beta] HTTP request, DNS, and network event logs via Cloudflare Logpush. Enriches perimeter context in kill-chain reconstruction.
Identity Sources
Identity events are the final piece of the three-source kill-chain. Correlating endpoint + cloud + identity unlocks the attack narrative.
[Available] Authentication, MFA, and policy events via Okta System Log API. Identifies impossible-travel, session hijack, and credential spray patterns.
[Available] Sign-in logs, audit logs, and risk detections via Microsoft Graph. Includes Entra ID P2 risk signals when licensed.
[Available] On-premises AD authentication and authorization events forwarded via Windows Event Forwarding or SIEM agent. Covers Kerberoasting and lateral movement signals.
[Beta] Login, admin, and Drive activity events via Google Workspace Admin SDK Reports API. Covers OAuth token abuse and data exfiltration signals.
Where Correlated Kill-Chain Events Go
ThretVyn is not a SIEM. It surfaces confirmed kill-chain sequences and pushes them — with full source attribution and MITRE ATT&CK technique mapping — to the escalation and SOC workflow tools your analysts already use. Your Splunk instance or Microsoft Sentinel workspace retains its role as the long-term log archive and compliance system of record. ThretVyn feeds it better signal, not raw logs.
[Available] Push correlated events to Splunk via HEC. Includes pre-built dashboards for kill-chain visualization within Splunk Enterprise or Cloud.
[Available] Forward correlated incidents to Microsoft Sentinel as custom alerts. Includes MITRE ATT&CK technique mapping and kill-chain stage labels.
[Available] Escalate high-confidence kill-chain alerts to PagerDuty with severity mapping, responder routing, and automatic deduplication.
[Available] Channel-based alert notifications with structured kill-chain summaries. Analysts can acknowledge and escalate directly from Slack messages.
Need a Custom Integration?
Our REST API lets you push event data from any source. Full API reference in the docs.