# AirMDR

## Docs

- [Amazon Web Services](https://docs.airmdr.com/Integrations/AWS.md): AirMDR integrates with Amazon Web Services (AWS) to ingest security data and automate enrichment using AWS services such as GuardDuty, CloudTrail, EC2, and IAM. This guide helps you set up the required AWS integration with appropriate access permissions.
- [AbuseIPDB](https://docs.airmdr.com/Integrations/AbuseIPDB.md): The AbuseIPDB API lets you integrate AbuseIPDB data into applications, check the reputation of IP addresses, and report abusive IPs. It is useful for applications that need to detect and block malicious activity such as hacking attempts, DDoS attacks, and spam.
- [Active Directory (AD) Microsoft](https://docs.airmdr.com/Integrations/ActiveDirectory.md): The Microsoft Active Directory (AD) integration enables AirMDR to query directory services over LDAP to retrieve user, group, and organisational information from Active Directory. This allows AirMDR to enrich alerts with identity context, validate user attributes during investigations, and automate…
- [Astrix](https://docs.airmdr.com/Integrations/Astrix.md): Astrix Networks is a non-human identity security platform focused on securing non-human identities (NHIs). NHIs include service accounts, API keys, and other machine-to-machine credentials that often carry extensive access permissions and pose significant security risk if not properly managed.
- [Microsoft Sentinel (Azure Sentinel)](https://docs.airmdr.com/Integrations/Azure-Sentinel.md): Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that runs in the Azure cloud.
- [Checkpoint Harmony Email](https://docs.airmdr.com/Integrations/Checkpoint-Harmony-Email.md): Check Point Harmony Email is a cloud-based email and collaboration security solution that protects against phishing, malware, account compromise, and data loss across platforms such as Microsoft 365 and Google Workspace. It provides advanced threat detection, real-time prevention, and visibility into e…
- [Cisco Advanced Malware Protection (AMP)](https://docs.airmdr.com/Integrations/Cisco-AMP.md): Cisco AMP is an intelligence-powered, integrated, enterprise-class advanced malware analysis and protection solution.
- [Cloudflare](https://docs.airmdr.com/Integrations/Cloudflare.md): Cloudflare is used to enhance the performance, security, and reliability of websites and applications. It acts as a content delivery network (CDN) and provides services such as load balancing, DDoS protection, and caching to improve website speed and protect against cyber threats.
- [CrowdStrike](https://docs.airmdr.com/Integrations/Crowdstrike.md): CrowdStrike is a cloud-delivered security solution that detects, investigates, and mitigates threats on endpoints in real time.
- [Datadog](https://docs.airmdr.com/Integrations/Datadog.md): Datadog is a cloud-based monitoring, security, and analytics platform that provides real-time visibility into applications, infrastructure, logs, and security metrics. It helps organizations detect issues, optimize performance, and enhance security.
- [Duo Security](https://docs.airmdr.com/Integrations/Duo.md): Duo Security is a cloud-based multi-factor authentication (MFA) and access security platform that protects applications and networks by requiring users to verify their identity with multiple authentication methods before access is granted.
- [Exabeam](https://docs.airmdr.com/Integrations/Exabeam.md): The Exabeam integration enables AirMDR to ingest incidents, behavioural analytics, and user context from Exabeam's SIEM and UEBA platform. This allows security teams to automate investigations, enrich cases with risk scores and user timelines, and trigger workflows based on Exabeam detections—direct…
- [Google Cloud Platform - Security Command Center](https://docs.airmdr.com/Integrations/GCP-SCC.md): Security Command Center (SCC) is Google Cloud's centralized security and risk management platform. It helps detect, investigate, and remediate security threats, vulnerabilities, and misconfigurations across Google Cloud resources.
- [GitHub](https://docs.airmdr.com/Integrations/GitHub.md): A GitHub Personal Access Token (PAT) is an authentication method used to access GitHub's API, repositories, and other services without using a password. It acts as a substitute for your password when performing operations such as cloning repositories, pushing code, or accessing GitHub APIs from s…
- [GitHub App](https://docs.airmdr.com/Integrations/GitHubApp.md): The GitHub App integration enables AirMDR to connect securely to GitHub using app-based authentication, allowing it to access repository and organization data. This enriches alerts with code and activity context and lets AirMDR playbooks automate investigation and response workflows.
- [Google Security Operations (Chronicle)](https://docs.airmdr.com/Integrations/Google-Chronicle.md): Google Security Operations (Chronicle) is a cloud-native security analytics and threat intelligence platform developed by Google. Originally known as Chronicle, it is part of Google Cloud's cybersecurity suite and is designed to help security teams detect, investigate, and respond to cyber threats f…
- [Google Workspace](https://docs.airmdr.com/Integrations/Google-Workspace.md): Google Workspace (formerly G Suite) is a cloud-based productivity and collaboration suite developed by Google. It includes a set of business applications designed to help teams work efficiently, communicate, and manage workflows.
- [Incident.io](https://docs.airmdr.com/Integrations/Incident.md): Incident.io is an incident management platform designed to help teams respond to, manage, and learn from incidents more effectively, especially in fast-moving technology environments such as SaaS companies, DevOps teams, and engineering organizations.
- [Jamf (Just Another Management Framework) Protect](https://docs.airmdr.com/Integrations/Jamf.md): Jamf Protect is a macOS-focused security solution developed by Jamf. It provides endpoint protection, security visibility, and threat prevention tailored to Apple devices, particularly macOS.
- [Jamf (Just Another Management Framework) Pro](https://docs.airmdr.com/Integrations/Jamfpro.md): Jamf Pro is an enterprise-grade Apple device management solution that streamlines deployment, security, and management of Macs, iPads, iPhones, and Apple TVs, enabling seamless IT operations and a consistent user experience. It is widely used by IT administrators in education, enterprise, and healthc…
- [JIRA](https://docs.airmdr.com/Integrations/Jira.md): JIRA is a popular project management and issue-tracking tool developed by Atlassian. It is mainly used for bug tracking, agile project management, and workflow automation.
- [🔐 M365 Quarantine Emails](https://docs.airmdr.com/Integrations/M365-Quarantine-email.md): AirMDR requires secure, delegated access to your Microsoft 365 tenant to perform automated retrieval of quarantined email. The integration uses a registered Azure AD App with certificate-based authentication.
- [Microsoft Teams](https://docs.airmdr.com/Integrations/MSTeams.md): Microsoft Teams is a collaboration platform developed by Microsoft, designed to facilitate real-time communication, file sharing, and teamwork within organizations. It integrates seamlessly with Microsoft 365 services and provides centralized workspaces for teams to manage discussions, meetings, tas…
- [Microsoft Defender](https://docs.airmdr.com/Integrations/Microsoft-Defender.md): The Microsoft Defender integration enables AirMDR to authenticate to Microsoft Defender APIs and retrieve incident and security context for investigation, enrichment, and workflow automation.
- [Microsoft Defender for Endpoint](https://docs.airmdr.com/Integrations/Microsoft-Defender-Endpoint.md): Microsoft Defender for Endpoint (MDE) is an enterprise-grade endpoint security platform that helps prevent, detect, investigate, and respond to advanced threats across endpoints. While MDE primarily focuses on endpoint protection, it also integrates with other Microsoft security solutions to provide…
- [Microsoft Graph](https://docs.airmdr.com/Integrations/Microsoft-Graph.md): Microsoft Graph is an API that allows developers to access Microsoft 365 data and services. It provides a unified endpoint (https://graph.microsoft.com) for interacting with the various Microsoft services.
- [Mimecast](https://docs.airmdr.com/Integrations/Mimecast.md): Mimecast provides cloud-based email security, archiving, and continuity services. It protects against email-borne threats such as phishing, ransomware, impersonation attacks, and data leaks.
- [Okta](https://docs.airmdr.com/Integrations/Okta.md): Okta is an integrated identity and mobility management service.
- [OpenAI](https://docs.airmdr.com/Integrations/OpenAI.md): Enable secure integration between AirMDR and OpenAI by generating and configuring an Admin Key for OpenAI client authentication.
- [OpenCVE](https://docs.airmdr.com/Integrations/OpenCVE.md): OpenCVE is an open-source platform and web service that helps users track and monitor CVEs (Common Vulnerabilities and Exposures) in real time.
- [PagerDuty](https://docs.airmdr.com/Integrations/PagerDuty.md): PagerDuty is an incident management and response platform designed to help IT, DevOps, and security teams detect, respond to, and resolve issues in real time. It integrates with monitoring tools, alerts teams when something goes wrong, and helps automate incident workflows.
- [Push Security](https://docs.airmdr.com/Integrations/PushSecurity.md): Push Security lets organizations extend real-time visibility and enforcement directly into the browser, safeguarding identities across federated and non-federated SaaS environments. It is designed to help security administrators and IT professionals prevent identity-based…
- [QRadar](https://docs.airmdr.com/Integrations/QRadar.md): IBM QRadar is a Security Information and Event Management (SIEM) solution that helps organizations detect, investigate, and respond to security threats. It collects and analyzes log data from various sources (network devices, servers, applications, etc.) to identify potential security incidents.
- [Rapid7](https://docs.airmdr.com/Integrations/Rapid7.md): Rapid7 provides security solutions for vulnerability management, incident detection, response, and cloud security. The Rapid7 platform helps organizations identify and mitigate risks, detect threats, and respond to incidents efficiently.
- [Recorded Future](https://docs.airmdr.com/Integrations/RecordedFuture.md): This integration enables AirMDR to connect to Recorded Future and enrich threat intelligence data by pulling indicators of compromise (IOCs), risk scores, and contextual information. An API key is required for authenticated access to Recorded Future's Intelligence API.
- [AirMDR Remote Agent – Installation Guide](https://docs.airmdr.com/Integrations/RemoteAgent.md): The AirMDR Remote Agent enables secure, controlled connectivity between AirMDR and customer-managed environments. Once installed, the agent runs as a system service and handles data collection and task execution as required by the enabled AirMDR integrations.
- [AirMDR Remote Agent – Architecture & Operational](https://docs.airmdr.com/Integrations/RemoteAgent-Architecture.md): The AirMDR Remote Agent enables secure, controlled connectivity between AirMDR and customer-managed environments. Once installed, the agent runs as a system service and handles data collection and task execution as required by the enabled AirMDR integrations.
- [AirMDR Remote Agent Overview](https://docs.airmdr.com/Integrations/RemoteAgent-Overview.md): The AirMDR Remote Agent enables secure, controlled connectivity between AirMDR and customer-managed environments.
- [SOCRadar Extended Threat Intelligence](https://docs.airmdr.com/Integrations/SOC-Radar.md): SOCRadar Extended Threat Intelligence (XTI) is a comprehensive cybersecurity platform designed to provide organizations with proactive, actionable insights into the evolving threat landscape. By integrating multiple modules, XTI offers a unified approach to threat detection, analysis, and mitigation…
- [SentinelOne](https://docs.airmdr.com/Integrations/SentinelOne.md): SentinelOne is a cloud-based cybersecurity platform that helps protect against cyber threats such as malware, ransomware, and advanced persistent threats (APTs).
- [Slack](https://docs.airmdr.com/Integrations/Slack.md): Slack is a messaging platform designed for teams and workplaces, offering real-time communication, collaboration tools, and integrations with other apps. Slack exposes API integrations that make it useful for automation and notifications, such as using Slack webhooks to send updates from other systems.
- [Splunk](https://docs.airmdr.com/Integrations/Splunk.md): This integration enables AirMDR to connect to Splunk so that it can securely run REST and search queries for alert enrichment, investigation timelines, and historical log lookups.
- [SumoLogic](https://docs.airmdr.com/Integrations/SumoLogic.md): Sumo Logic is a cloud-based log management and analytics platform used for monitoring, troubleshooting, and securing applications and infrastructure. It collects, analyzes, and visualizes machine data (logs, metrics, and traces) to help organizations gain real-time insight into IT environments…
- [Integrations Overview](https://docs.airmdr.com/Integrations/overview.md): Data sharing with third-party apps is possible through integrations.
- [Send Alerts via Webhook (API call) to AirMDR](https://docs.airmdr.com/api-reference/WebHook.md): To send alerts to AirMDR via a webhook (API call), perform a standard HTTP POST request from your system (e.g., Cyberhaven, a SIEM, a SOAR, or a Lambda function) to the webhook URL that AirMDR provides.
- [API Overview](https://docs.airmdr.com/api-reference/apilandingpage.md): Welcome to the official API documentation for AirMDR services. Our RESTful API gives you programmatic access to your data and tools to build powerful integrations, custom workflows, and apps.
- [API Authentication with Token](https://docs.airmdr.com/api-reference/apitoken.md): API tokens are used to authenticate requests to our API in a secure and stateless way.
- [AirMDR Release Notes](https://docs.airmdr.com/changelog/changelog-milestone.md): Release notes are a structured, chronological record of changes, including new features, improvements, bug fixes, security patches, and deprecated functionality.
- [📦 AirMDR Playbook](https://docs.airmdr.com/essentials/AirMDR-Playbook-Types.md): AirMDR Playbooks enable powerful and flexible automation for security operations. They streamline alert triage, threat detection, and case automation. By combining plain-English inputs with AI-assisted automation (via Darryl), security teams can manage workflows confidently and securely.
- [AirMDR Product Overview](https://docs.airmdr.com/essentials/AirMDR-Product-Overview.md): An AI-native MDR analyst for your SOC: it triages alerts, investigates with Playbooks, automates response across endpoint, cloud, and SaaS, and delivers fast, auditable decisions.
- [AirMDR RBAC — Organization Requirements](https://docs.airmdr.com/essentials/AirMDR-RBAC-OrgRequirements.md): This document presents a formal, organization-level specification of AirMDR role-based access control (RBAC). It consolidates org-management requirements into a prescriptive model that defines roles, permissions, cross-organization policy flags, inheritance and resolution rules, and supported migrat…
- [AirMDR Self‑Serve Integration](https://docs.airmdr.com/essentials/AirMDR-SelfHelp-Integration.md): This documentation explains how to onboard, validate, and troubleshoot alert sources in AirMDR using the Self-Help Integration.
- [AirMDR Product Guide](https://docs.airmdr.com/essentials/AirMDRProductGuide.md): The AirMDR Product Guide is your central resource for understanding and implementing the core capabilities of the AirMDR platform. Whether you're a security analyst, system administrator, or developer, this guide helps you unlock the full potential of our features with step-by-step instructions, int…
- [SAML Integration with Azure Active Directory](https://docs.airmdr.com/essentials/Azure-AD-SSO-Setup.md): AirMDR supports SAML (Security Assertion Markup Language) integration with Azure AD to enable Single Sign-On (SSO) for authenticating users who access the AirMDR UI.
- [Case Manager — Advanced Search](https://docs.airmdr.com/essentials/CaseManager-AdvancedSearch.md): AirMDR Advanced Case Search allows users to run structured queries in Case Manager using field-based filters and logical operators to quickly locate relevant cases.
- [Google SSO Set-up and Configuration](https://docs.airmdr.com/essentials/Google-SSO.md): AirMDR supports Google single sign-on to authenticate users for access to the AirMDR application.
- [Welcome to AirMDR Documentation](https://docs.airmdr.com/essentials/Landingpage.md): Welcome to the AirMDR documentation hub, your centralized resource for understanding and leveraging our Managed Detection and Response platform. Here you will find step-by-step integration guides, API references, how-to guides, and product documentation designed to help security teams rapidly deploy…
- [Single Sign ON (SSO) Overview](https://docs.airmdr.com/essentials/SSO-Overview.md): AirMDR supports the single sign-on (SSO) methods listed below for authenticating users and granting them access to the user interface.
- [Okta SSO Set-up and Configuration](https://docs.airmdr.com/essentials/Single-SignON-SSO-Setup.md): AirMDR supports Okta single sign-on to authenticate users for access to the AirMDR application.
- [Vault](https://docs.airmdr.com/essentials/vault.md): AirMDR Vault uses encrypted, one-time email links to securely collect and store sensitive credentials without requiring logins into AirMDR. All uploaded secrets are encrypted, access-controlled, and fully audited to support protected, automated incident response.

## OpenAPI Specs

- [openapi](https://docs.airmdr.com/api-reference/openapi.json)
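The webhook entry above says only that an alert is delivered by an HTTP POST to the URL AirMDR provides. The following is an added example, not AirMDR's own code and not taken from the Webhook guide, of how a sending system would do that robustly: a timeout on every request, retries with backoff only on transient failures (network errors, 429, 5xx) and never on other 4xx responses, and a payload that is validated before it leaves. The webhook URL, the bearer-token header, and every payload field name are assumptions made for illustration; the actual payload schema and authentication method are defined in the Webhook guide.

```python
"""Added example: deliver an alert to an AirMDR-style webhook URL.
The URL, the Authorization scheme and the payload fields are assumptions
for illustration; consult the Webhook guide for the real contract."""
import json
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Hypothetical placeholders: replace with the URL and token issued by AirMDR.
WEBHOOK_URL = "https://example.invalid/airmdr/webhook"   # assumption
WEBHOOK_TOKEN = "replace-me"                              # assumption

SEVERITIES = ("low", "medium", "high", "critical")         # assumed vocabulary


def build_alert_payload(source: str, title: str, severity: str,
                        indicators: dict,
                        observed_at: Optional[datetime] = None) -> dict:
    """Assemble a JSON-serialisable alert. Field names are illustrative only."""
    if severity not in SEVERITIES:
        raise ValueError(f"unsupported severity: {severity}")
    ts = observed_at or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        # Naive timestamps are ambiguous across sources; refuse them.
        raise ValueError("observed_at must be timezone-aware")
    return {
        "source": source,
        "title": title,
        "severity": severity,
        "observed_at": ts.isoformat(),
        "indicators": indicators,
    }


def should_retry(status: Optional[int]) -> bool:
    """Retry on network failure (None), rate limiting (429) and 5xx only.
    Other 4xx responses mean the request itself is wrong; retrying cannot fix that."""
    return status is None or status == 429 or 500 <= status < 600


def post_alert(payload: dict, url: str = WEBHOOK_URL, token: str = WEBHOOK_TOKEN,
               attempts: int = 3, timeout: float = 10.0) -> int:
    """POST the alert and return the final HTTP status.
    Raises RuntimeError once transient failures exhaust the retry budget."""
    body = json.dumps(payload).encode("utf-8")
    last_err: Optional[Exception] = None
    for attempt in range(attempts):
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"})  # header scheme assumed
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            if not should_retry(e.code):
                return e.code  # permanent client error: surface it, do not loop
            last_err = e
        except (urllib.error.URLError, TimeoutError) as e:
            last_err = e
        time.sleep(2 ** attempt)  # exponential backoff: 1s, 2s, 4s ...
    raise RuntimeError(f"webhook delivery failed after {attempts} attempts: {last_err}")


if __name__ == "__main__":
    # Constructed sample alert; no network call is made unless you set a real URL.
    alert = build_alert_payload(
        source="siem", title="Suspicious login",
        severity="high", indicators={"src_ip": "203.0.113.7"})
    print(json.dumps(alert, indent=2))
```

Keeping the retry decision in a separate `should_retry` function makes the policy easy to audit: a 401 or 403 from the webhook is a credential or configuration problem that should page someone rather than be retried, while a 503 or a dropped connection is exactly what the backoff loop exists for.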