# Integrations — TandemTrace Plugs into the stack you already run. TandemTrace reads from your SIEM, EDR, identity provider, cloud, and ticketing tools — reasons over them in one ontology — and writes verdicts and actions back where your analysts already work. Connectors are adapter-based, so most sources are live in days, not quarters. No new console to live in, no data migration. ## How it connects 1. **Read-only by default.** We start with scoped, read-only API access to your alert and log sources. Nothing in your environment changes on day one — no agents to roll out, no detections to rewrite. 2. **Normalize to the ontology.** Each adapter maps its source into the TandemTrace ontology — one common model of entities, events, and relationships. That is what lets the agents reason across tools, not just within one. 3. **Write back where you work.** Verdicts, enrichments, and recommended actions flow back into your SIEM, ticket queue, or chat. Response actions in EDR, identity, email, and firewalls stay gated behind your approval until you choose otherwise. ## Security posture - **Read-only by default** — scoped read access; nothing changes on day one. - **Least-privilege scopes** — narrow, per-connector credentials, never a standing admin key. - **Actions stay gated** — response steps require your approval until you decide otherwise. - **Cloud or on-prem** — deploy where your data must live; logs stay in your tenant and are reasoned over in place. - **Every action audit-logged** — a full, exportable trail of what was read, decided, and written back, per connector. ## Connector catalog Status legend: **GA** (generally available) · **Beta** · **Roadmap** (planned). Statuses are indicative and change every release — confirm current availability with us. ### SIEM & log platforms (read) Splunk (GA), Microsoft Sentinel (GA), Elastic Security (GA), IBM QRadar (GA), OpenSearch (GA), CrowdStrike LogScale (Beta), Palo Alto Cortex (GA), Coralogix (Beta). ### EDR & XDR (read + gated response) CrowdStrike Falcon (GA), Microsoft Defender (GA), SentinelOne (Beta), Darktrace (Beta). ### Response & SOAR (orchestrate) Cortex XSOAR (GA), Splunk SOAR (GA), Tines (Beta), Torq (Beta), Swimlane (Roadmap). ### Identity & directory (read + gated response) Okta (GA), Microsoft Entra ID (GA), Active Directory (GA). ### Cloud platforms (read) AWS CloudTrail (GA), Microsoft Azure (GA), Google Cloud (Beta). ### Email security (read + gated response) Proofpoint (Beta), Mimecast (Beta), Abnormal Security (Roadmap), Microsoft 365 (GA), Google Workspace (Beta). ### Cloud security & vulnerability (read) Wiz (Beta), Tenable (Beta), Qualys (Beta), Netskope (Beta). ### Network & firewall (read + gated response) Fortinet (Beta), Cisco (Beta), Palo Alto NGFW (Roadmap). ### Data lakes & storage (read) Snowflake (Beta), Amazon S3 (GA), Google BigQuery (Roadmap). ### Workflow & ticketing (write-back) ServiceNow (GA), Jira (GA), Slack (GA), Microsoft Teams (GA), PagerDuty (Beta). ### Threat intelligence (enrich) Recorded Future (GA), VirusTotal (Roadmap), MISP (Roadmap), AbuseIPDB (GA), urlscan.io (GA), Shodan (Beta), OpenCTI (Beta). ## Bring your own source No connector for your tool yet? The adapter framework normalizes any structured source — syslog, JSON over HTTP, an S3 bucket, a SQL table, or a custom API — into the TandemTrace ontology. Point it at the data and map a few fields. If it emits a log, we can reason over it. Request a connector at [hello@TandemTrace.ai](mailto:hello@TandemTrace.ai?subject=Connector%20request). --- *Canonical URL: https://tandemtrace.ai/integrations* *Last updated: 2026-06-23*