Custom Connectors¶

Beyond the built-in Okta and Entra ID connectors, Salient supports multiple paths for getting external data into the digital twin.

MCP Client as Connector¶

Any MCP server can act as a connector. When Salient connects to an external MCP server (either AI-mediated or via the direct client), the data flows through the same enrichment pipeline as built-in connectors.

This means you can connect Salient to:

Custom internal tools that expose an MCP server
Third-party MCP servers from the growing MCP ecosystem
Vendor-provided MCPs for security products

External MCP Server ──► Salient (ingest_from_mcp) ──► Classification
                                                          │
                                                          ▼
                                                    Fact Extraction ──► Twin

MCP Client details

Artifact Upload as Ad-Hoc Connector¶

For tools that do not have an API or MCP server, artifact upload serves as a manual connector. Export data from your tool and upload it:

Tool Export	Upload Format	What Gets Extracted
Vulnerability scan results	CSV or JSON	Asset inventory, vulnerability counts, severity distribution
Firewall rules	Text/config	Network segmentation posture, exposed services
EDR detection export	CSV or JSON	Endpoint coverage, detection categories, response times
SIEM saved search	JSON	Alert categories, volume trends, triage patterns
Compliance audit report	PDF	Control status, findings, remediation items

Repeatable ingestion

While artifact upload is manual, you can establish a rhythm: export weekly vulnerability scans, upload them, and the twin tracks your remediation trajectory over time.

Future Connector Development¶

The connector architecture is designed for extensibility. Planned connectors follow the same pattern as Okta and Entra ID:

CrowdStrike (Planned)¶

Endpoint inventory and sensor coverage
Detection events and severity breakdown
Response actions and containment history
Unmanaged device identification

Splunk (Planned)¶

Saved search results and alert history
Notable event summaries
Correlation rule inventory
Data source coverage analysis

Building Your Own¶

The connector pattern is consistent:

Client (connectors/your_tool.py) — API wrapper handling auth, pagination, rate limiting
Router (connectors/your_tool_router.py) — FastAPI endpoints for configure, test, sync, status
Registry entry (connectors/registry.py) — declare capabilities, coverage areas, and twin enrichment targets
Enrichment — transform raw API responses into twin facts and security events

The registry is self-aware: once registered, the connector appears in the UI, is discoverable via list_connectors, and participates in twin_coverage analysis.

Connectors Overview · MCP Client