Integrations

Pipe your existing security tools into ir.mlab.sh. One endpoint, one schema.

Approach

There's no integration marketplace and no proprietary plugin format. Every upstream tool POSTs JSON to /api/v1/alerts — whether through a native webhook, a SOAR connector, or a 30-line script you wrote in 10 minutes.

SIEM — Splunk

Use a saved search with the Webhook alert action. Payload template:

splunk webhook payload
{
  "source": "splunk",
  "external_id": "$result.sid$",
  "severity": "$result.severity$",
  "title": "$name$",
  "detected_at": "$result._time$",
  "asset": { "hostname": "$result.host$" },
  "raw": $result$
}

EDR — CrowdStrike Falcon

Use the Falcon Streaming API or the SOAR connector. Map DetectId → external_id, Severity → severity, Hostname → asset.hostname. Observables are extracted from FileName, SHA256 and RemoteIP.

EDR — SentinelOne / Microsoft Defender

Both support webhook notifications on threat creation. Same shape as above — map the native severity scale (Informational/Low/Medium/High/Critical) onto ir.mlab.sh severities (low, medium, high, critical).
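As an added example (not code from this page or from the ir.mlab.sh project), a Python normaliser that applies the severity mapping above, builds the alert body /api/v1/alerts expects and POSTs it with the Bearer key. The input field names of the constructed sample event, the observable type names and the choice to fold Informational into low are assumptions; unknown severity labels are rejected rather than silently downgraded.

```python
import json
import urllib.request
# Native EDR scale (SentinelOne / Defender) -> ir.mlab.sh severities.
# Assumption: "Informational" folds into "low"; the target scale has no lower level.
SEVERITY_MAP = {"informational": "low", "low": "low", "medium": "medium",
                "high": "high", "critical": "critical"}

def map_severity(native: str) -> str:
    """Map a native severity label; fail loudly on unknown values instead of
    silently downgrading the alert."""
    try:
        return SEVERITY_MAP[native.strip().lower()]
    except KeyError:
        raise ValueError(f"unmapped EDR severity: {native!r}") from None

def build_alert(source: str, event: dict) -> dict:
    """Build the JSON body for POST /api/v1/alerts from one native event.
    The keys read from `event` and the observable type names are assumptions."""
    observables = [{"type": t, "value": event[k]}
                   for t, k in (("sha256", "sha256"), ("ip", "remote_ip"))
                   if event.get(k)]
    return {
        "source": source,
        "external_id": str(event["threat_id"]),
        "severity": map_severity(event["severity"]),
        "title": event["threat_name"],
        "detected_at": event["created_at"],
        "asset": {"hostname": event["hostname"]},
        "observables": observables,
        "raw": event,
    }

def post_alert(alert: dict, public_url: str, api_key: str) -> int:
    """POST one alert and return the HTTP status (network call, not run offline)."""
    req = urllib.request.Request(
        f"{public_url}/api/v1/alerts", data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed sample webhook event (field names are assumptions, not a vendor schema).
SAMPLE_EVENT = {
    "threat_id": 8841, "severity": "Informational", "hostname": "ws-0123",
    "threat_name": "Suspicious encoded PowerShell command",
    "created_at": "2024-05-01T12:34:56Z", "remote_ip": "203.0.113.7",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
```

Call `post_alert(build_alert("defender", SAMPLE_EVENT), PUBLIC_URL, IR_API_KEY)` from the webhook receiver once the mapping output looks right.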

Email gateway — Proofpoint / Mimecast

Most gateways can email alert digests. Two patterns:

  • SMTP → ingestion mailbox: have the gateway send to an inbox, run a small script polling IMAP and posting to /api/v1/alerts.
  • API pull: schedule a cron that queries the gateway API every N minutes and posts new threats.

Generic — a 30-line script

Anything that produces JSON can feed ir.mlab.sh. Example with jq turning Suricata eve.json alerts into ingest calls:

suricata-to-ir.sh
# Follow eve.json, keep only alert events, reshape them into the ir.mlab.sh
# alert schema and POST each line. Needs IR_API_KEY and PUBLIC_URL in the environment.
# `read -r` is required: without it, backslashes inside the JSON are consumed.
tail -F /var/log/suricata/eve.json | \
  jq -c 'select(.event_type=="alert") | {
    source: "suricata",
    external_id: (.alert.signature_id|tostring) + "-" + (.timestamp|tostring),
    severity: (if .alert.severity==1 then "high" elif .alert.severity==2 then "medium" else "low" end),
    title: .alert.signature,
    detected_at: .timestamp,
    asset: { hostname: .src_ip },
    observables: [
      { type: "ip", value: .src_ip },
      { type: "ip", value: .dest_ip }
    ],
    raw: .
  }' | \
  while IFS= read -r alert; do
    curl -s -XPOST -H "Authorization: Bearer $IR_API_KEY" \
         -H "Content-Type: application/json" \
         -d "$alert" \
         "$PUBLIC_URL/api/v1/alerts"
  done

Outbound — webhooks

Fire on case transitions (created, updated, resolved). Wire them into ticketing (Jira, ServiceNow), chat (Slack, Teams), or your incident commander runbook. See the API reference for payloads and signing.

Threat intel — STIX / MISP

Confirmed-bad observables from resolved cases can be pushed to a MISP instance or exported as STIX 2.1 bundles. Configure under Settings > Intel feeds.