Skip to content
English
More support Customer portal Sign in
Contact us
  • There are no suggestions because the search field is empty.

EzyConnect user guide

EzyConnect is Cydarm's simplified integration framework that allows you to quickly connect external services to your security operations workflow.

Overview

With pre-configured templates and a guided setup wizard, you can enable threat intelligence enrichment and real-time notifications in minutes.

EzyConnect supports three types of integrations:

  • Enrichment: Automatically enrich security observables (IP addresses, domains, file hashes) with threat intelligence from external services

  • Notifications: Send real-time alerts to communication platforms when case events occur

  • Data ingestion: Receive security alerts from external systems via webhooks

Accessing EzyConnect

  1. Log in to Cydarm

  2. Navigate to Settings > EzyConnect

  3. If your organization uses multiple tenants, select the appropriate organization from the dropdown

Available integrations

Threat intelligence enrichment

Service

Description

Observable Types

VirusTotal

Malware analysis and threat intelligence

IP addresses, domains, file hashes

AbuseIPDB

IP address reputation and abuse reports

IP addresses

GreyNoise

Internet traffic analysis to identify malicious activity

IP addresses

MISP

Threat intelligence sharing platform

IP addresses, domains, file hashes

http://URLScan.io

URL analysis for malicious content detection

URLs, domains
 Notification services
 

Service

Description

Slack

Send case notifications to Slack channels

Microsoft Teams

Send case notifications to Teams channels

Email

Send notifications via SMTP email
Security platform integrations
 

Service

Description

Microsoft Sentinel

Sync security incidents from Azure Sentinel

Microsoft Defender for Endpoint

Import endpoint security alerts

Microsoft Defender XDR

Cross-domain threat detection integration

AI platform integrations 

Service

Description
ChatGPT AI generated case summaries
 

Setting up an integration

Step 1: Select a service

On the EzyConnect page, you'll see cards for each available integration. Click Set up on the service you want to configure.

Step 2: Enter credentials

Depending on the service type, you'll need to provide:

For Enrichment services:

  • API Key from the service provider (e.g., VirusTotal API key)

For Notification services:

  • Webhook URL from your communication platform

For Microsoft integrations:

  • Tenant ID

  • Client ID

  • Client Secret

Step 3: Select triggers

Choose which events should activate the integration:

For Enrichment services:
Select which observable types to enrich:

  • IP addresses

  • Domains

  • File hashes (MD5, SHA-1, SHA-256)

  • URLs

For Notification services:
Select which case events trigger notifications:

  • Case created

  • Case assigned

  • Case updated

  • Alert received

Step 4: Complete setup

Click Finish set up to create the integration. The system will automatically configure the connector and all selected triggers.

Managing integrations

Editing an integration

  1. Navigate to Settings > EzyConnect

  2. Find the integration card (it will show Edit instead of Set up)

  3. Click Edit to modify credentials or trigger settings

  4. Save your changes

Enabling/disabling an integration

Use the toggle switch on each integration card to quickly enable or disable the connector without deleting it.

Deleting an integration

To remove an integration completely:

  1. Click Edit on the integration

  2. Select the option to delete the connector

  3. Confirm the deletion

How enrichment works?

Once configured, enrichment happens automatically:

  1. When a security observable (IP, domain, hash) is added to a case

  2. Cydarm detects the observable type matches your enrichment configuration

  3. The system queries the configured threat intelligence service

  4. Results are automatically added as enrichment data on the case

Example: VirusTotal IP enrichment

When an IP address is added to a case:

  • VirusTotal is queried for reputation data

  • Results include: malicious score, detection counts, associated threats

  • Data appears in the case activity feed as an enrichment comment

How notifications work?

Once configured, notifications are sent automatically:

  1. A case event occurs (e.g., new case created)

  2. The event matches your notification trigger configuration

  3. A formatted message is sent to your communication platform

  4. Team members receive real-time alerts

Example: Slack case created notification

When a new case is created:

  • Slack receives a formatted message containing:

    • Case ID and description

    • Severity level

    • Assigned analyst

    • Direct link to the case in Cydarm

Obtaining API keys and webhook URLs

VirusTotal

  1. Create an account at virustotal.com

  2. Navigate to your profile settings

  3. Copy your API key from the API Key section

AbuseIPDB

  1. Create an account at abuseipdb.com

  2. Go to Account > API

  3. Generate and copy your API key

GreyNoise

  1. Create an account at greynoise.io

  2. Navigate to Account Settings > API Key

  3. Copy your API key

Slack webhook URL

  1. Go to your Slack workspace settings

  2. Navigate to Apps > Manage > Custom Integrations > Incoming Webhooks

  3. Click Add to Slack and select a channel

  4. Copy the Webhook URL provided

Microsoft Teams webhook URL

  1. In Teams, navigate to the channel where you want notifications

  2. Click the ... menu > Connectors

  3. Find Incoming Webhook and click Configure

  4. Name the webhook and copy the URL provided

Troubleshooting

1. Integration not appearing

Cause: The required connector type is not installed on your Cydarm instance.

Solution: Contact your Cydarm administrator to ensure the necessary actuators are installed.

2. Enrichment not working

Possible causes:

  • Invalid or expired API key

  • Observable type not selected during setup

  • Rate limiting from the service provider

Solutions:

  • Verify your API key is correct and active

  • Edit the integration to confirm the observable types are selected

  • Check the service provider's rate limits for your account tier

3. Notifications not sending

Possible causes:

  • Invalid webhook URL

  • Network connectivity issues

  • Trigger not enabled for the event type

Solutions:

  • Test the webhook URL directly in the external service

  • Verify network connectivity to the external service

  • Edit the integration to confirm the correct triggers are enabled

4. "No actuators found" message

Cause: No actuators are installed on your Cydarm instance.

Solution: Contact your Cydarm administrator to install and configure actuators.

Best practices

  1. Start with essential integrations: Begin with your most-used threat intelligence service and primary notification channel

  2. Test after setup: Create a test case to verify enrichment and notifications are working correctly

  3. Monitor API usage: Some services have rate limits; monitor your usage to avoid service interruptions

  4. Keep credentials secure: Store API keys securely and rotate them according to your organization's security policy

  5. Review trigger selections: Only enable triggers that provide value to avoid notification fatigue

FAQs

Q: Can I configure multiple instances of the same integration?
A: Each organization can have one instance of each integration type. For multi-organization deployments, each organization can have its own configuration.

Q: Are my API keys stored securely?
A: Yes, all credentials are encrypted at rest and in transit.

Q: How quickly do enrichments appear?
A: Enrichment typically completes within seconds of adding an observable to a case, depending on the external service's response time.

Q: Can I customize the notification message format?
A: EzyConnect uses pre-configured templates optimised for each platform. For custom formatting, contact your Cydarm administrator about advanced connector configuration.

Q: What happens if an external service is unavailable?
A: The system will log the failure and continue processing other events. You can view failed operations in the system logs.

Getting help

If you need assistance with EzyConnect:

  • Contact your organization's Cydarm administrator

  • Submit a support ticket through the Cydarm support portal

  • Review the Cydarm Knowledge Base for additional guides

Last updated: January 2025