Skip to main content
Hiro’s power comes from deep integrations with your security tools. Each integration provides query capabilities for investigations and, where supported, action capabilities for response.

Quick Setup Reference

IntegrationConnection MethodConnect
OktaOAuth 2.0 + Private Key JWTOpen in dashboard
AWSIAM AssumeRoleOpen in dashboard
CrowdStrikeAPI Client credentialsOpen in dashboard
DatadogAPI Key + Application KeyOpen in dashboard
WizOAuth 2.0 Service AccountOpen in dashboard
GitHubGitHub App installationOpen in dashboard
Google WorkspaceOAuth 2.0 (read-only)Open in dashboard
SlackOAuth 2.0Open in dashboard

Supported Integrations

Okta

Full read/write accessQuery users, groups, apps, policies, and logs. Suspend users, clear sessions, manage groups.

AWS

Full read/write accessSearch CloudTrail, analyze IAM roles. Terminate instances, disable users, block IPs in WAF.

CrowdStrike

Full read/write accessQuery detections, ingest alerts. Contain hosts, update alert status.

Datadog

Read-onlySearch logs by user, IP, hostname, or custom query. Correlate with other integrations.

Wiz

Read-only + Deep linkingImport cloud security findings. Deep link from Wiz for instant AI analysis.

GitHub

Mostly read-onlyCheck branch protection, query audit logs. Can enable basic branch protection.

Google Workspace

Read-onlyQuery users, groups, devices, login activity, third-party apps. No actions available.

Slack

Alerts and botSend alerts to channels, respond to @mentions. Reset sessions (Enterprise Grid only).

Integration Capabilities

IntegrationQueryActionsNotes
OktaUsers, groups, apps, logs, policiesSuspend, clear sessions, manage users/groups/appsRequires admin role + OAuth scopes
AWSCloudTrail, IAM analysisTerminate EC2, delete IAM users/keys, WAF blockingUses IAM AssumeRole
CrowdStrikeDetections, host infoContain/uncontain hosts, update alertsAuto-ingests detections
DatadogLog search, correlationNone (read-only)Supports all Datadog sites
WizCloud security issues, CSPMNone (read-only)Deep linking for instant investigation
GitHubBranch protection, audit logsEnable branch protection onlyAudit logs require Enterprise Cloud
Google WorkspaceUsers, groups, devices, reportsNone (read-only)All scopes are read-only
SlackUser infoReset sessions (Enterprise only), send alertsPrimarily for alerts and bot

Connecting Integrations

All integrations are managed from Settings > Integrations.
1

Navigate to Settings

Click Settings in the left sidebar, then select Integrations.
2

Select an integration

Find the integration you want to connect and click Connect.
3

Authorize access

Follow the specific setup flow for that integration (OAuth, API credentials, etc.).
4

Verify connection

Hiro will test the connection and show a success message.
For the best experience, connect integrations in this order:
1

Okta (or Google Workspace)

Identity first. Most investigations involve users, so start with your identity provider.
2

AWS

Cloud infrastructure. CloudTrail provides rich API logs that Hiro correlates with identity data.
3

CrowdStrike

Endpoint detection. Hiro automatically ingests detections and correlates with identity and cloud.
4

GitHub

Source code security. Analyze branch protection and audit repository access.
5

Slack

Alerts and bot. Receive security alerts and interact with Hiro from Slack.

Managing Integrations

View Status

Go to Settings > Integrations to see all connected integrations and their status:
StatusMeaning
ConnectedWorking normally
ErrorConnection issue—click for details
ExpiredCredentials need refresh

Disconnect

To remove an integration:
  1. Go to Settings > Integrations
  2. Click on the integration
  3. Click Disconnect
Disconnecting an integration immediately revokes Hiro’s access. Active investigations using that integration will show errors.

Next Steps

Okta

Connect identity management.

AWS

Connect cloud infrastructure.