Connectors

Connectors bridge external security tools into Salient's digital twin. They pull verified telemetry — users, MFA status, privileged roles, security logs — and enrich the twin with data that carries the highest confidence level.

Available Connectors

Connector   | Status  | Data Provided
------------|---------|--------------
Okta        | Active  | Users, MFA factors, SSO applications, security logs
Entra ID    | Active  | Users, MFA, groups, privileged roles, CA policies, sign-in logs, apps
CrowdStrike | Planned | Endpoint inventory, detection events, sensor coverage
Splunk      | Planned | SIEM alerts, correlation events, saved search results

The Connector Pattern

Every connector follows the same architecture:

External API ──► Client (API wrapper)
                Router (HTTP endpoints)
                Enrichment (fact mining, event creation)
                Intelligence Loop (reindex, recompile twin)

  1. Client — handles authentication, pagination, rate limiting, and data normalization for the external API
  2. Router — exposes configure, test, sync, and status endpoints
  3. Enrichment — transforms raw API data into twin facts, security events, and profile updates
  4. Intelligence loop — triggers reindexing and recompilation after every sync

Setup Flow

All connectors use a 3-step setup wizard available in the browser UI:

  1. Configure — enter API credentials (domain, client ID, client secret, API token)
  2. Test — verify connectivity and permissions
  3. Sync — pull data and enrich the twin

The same flow is available via MCP tools for CLI-driven setup.

Smart Discovery

Salient recommends connectors based on what the twin already knows:

Intelligent recommendations

If your team mentions CrowdStrike in three different exercises, the integrations page highlights the CrowdStrike connector and explains what verified endpoint data would add to your posture assessment.

The twin_coverage MCP tool analyzes configured connectors vs. detected tools and shows exactly where visibility gaps exist.

Verified vs. Declared Data

Connector data is special because it is verified — it comes directly from the source system, not from human description. This distinction matters:

Source             | Confidence | Example
-------------------|------------|--------
Exercise answer    | Declared   | "We use Okta for SSO"
Multiple exercises | Observed   | Team consistently references Okta
Connector sync     | Verified   | Okta API confirms 40 SSO apps, 87% MFA coverage

When connector data contradicts declared facts, the twin flags the contradiction. These are often the most valuable findings.
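The precedence and contradiction flagging described above can be sketched as follows. This is an added example, not Salient's code: the `Fact` type, the `reconcile` function, the fact keys, and the sample records are all hypothetical and constructed for illustration. Only the three confidence levels come from the table.

```python
from dataclasses import dataclass

# Confidence levels from the table above, lowest to highest.
RANK = {"declared": 0, "observed": 1, "verified": 2}

@dataclass(frozen=True)
class Fact:
    key: str          # hypothetical fact identifier
    value: object
    confidence: str   # "declared" | "observed" | "verified"
    source: str

def reconcile(facts):
    """Return (twin, contradictions).

    twin maps each key to its highest-confidence fact. A contradiction is
    recorded for every other fact on that key whose value disagrees with it.
    """
    by_key = {}
    for fact in facts:
        if fact.confidence not in RANK:
            raise ValueError(f"unknown confidence level: {fact.confidence!r}")
        by_key.setdefault(fact.key, []).append(fact)

    twin, contradictions = {}, []
    for key, group in by_key.items():
        # Stable sort: highest confidence first, input order breaks ties.
        group.sort(key=lambda f: -RANK[f.confidence])
        winner = group[0]
        twin[key] = winner
        for other in group[1:]:
            if other.value != winner.value:
                contradictions.append((key, winner, other))
    return twin, contradictions

# Constructed sample: the team declares full MFA enrollment, while a
# connector sync reports partial coverage for the same fact.
SAMPLE = [
    Fact("sso.provider", "Okta", "declared", "exercise answer"),
    Fact("sso.provider", "Okta", "verified", "connector sync"),
    Fact("mfa.all_users_enrolled", True, "declared", "exercise answer"),
    Fact("mfa.all_users_enrolled", False, "verified", "connector sync"),
]

if __name__ == "__main__":
    twin, conflicts = reconcile(SAMPLE)
    for key, winner, loser in conflicts:
        print(f"{key}: {winner.confidence} value {winner.value!r} "
              f"contradicts {loser.confidence} value {loser.value!r}")
```

The lower-confidence fact is kept in the contradiction record instead of being silently overwritten, so the gap between what the team believes and what the source system reports stays visible for review.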
