{"id":"admin_siem_integration","slug":"admin_siem_integration","title":"SIEM Integration","description":"Most security operations teams already have a SIEM investment. The SIEM Integration module connects the platform bidirectionally to those existing systems rather than asking teams to choose between them. Events flow in f","category":"data-integration","tags":["data-integration","real-time","geospatial"],"lastModified":"2026-02-23","source_ref":"content/modules/admin_siem_integration.md","url":"/developers/admin_siem_integration","htmlPath":"/developers/admin_siem_integration","jsonPath":"/api/docs/modules/admin_siem_integration","markdownPath":"/api/docs/modules/admin_siem_integration?format=markdown","checksum":"32d6b66f0ca5bd92cce46a8405c18ea01505ea62f32b609908942ed18152b00c","headings":[{"id":"overview","text":"Overview","level":2},{"id":"key-features","text":"Key Features","level":2},{"id":"supported-platforms","text":"Supported Platforms","level":2},{"id":"use-cases","text":"Use Cases","level":2},{"id":"getting-started","text":"Getting Started","level":2},{"id":"availability","text":"Availability","level":2}],"markdown":"# SIEM Integration\n\n## Overview\n\nMost security operations teams already have a SIEM investment. The SIEM Integration module connects the platform bidirectionally to those existing systems rather than asking teams to choose between them. Events flow in from your SIEM to feed investigations; platform alerts and findings flow back out to your SIEM for centralised correlation alongside other organisational data.\n\nManaging multiple SIEM connections simultaneously is supported, which suits organisations with separate enterprise and operational technology environments or those mid-migration between SIEM platforms.\n\n```mermaid\nflowchart LR\n    A[SIEM Platform] -->|Inbound Events| B[Event Normalisation]\n    B --> C[Field Mapping Engine]\n    C --> D[Routing Rules]\n    D -->|Match| E[Investigation Workflow]\n    D -->|No Match / Low Priority| F[Cache / Discard]\n    E --> G[Platform Findings]\n    G -->|Outbound Alerts| H[SIEM Platform]\n```\n\n## Key Features\n\n- **Multi-Platform Support**: Connect to Splunk, IBM QRadar, Microsoft Sentinel, Elastic Security, LogRhythm, ArcSight, Sumo Logic, and Google Chronicle. Manage multiple connections simultaneously with independent configurations per platform.\n\n- **Flexible Connection Types**: Connect via REST API endpoints, message brokers (Kafka, RabbitMQ, Azure Event Hubs), or cloud storage (S3, Azure Blob, GCS). Each connection type is optimised for its use case with appropriate authentication, retry logic, and error handling.\n\n- **Data Normalisation**: Transform events between SIEM-native formats and the platform schema with configurable field mappings and transformation rules. Supports JSON, CEF, SYSLOG, CSV, XML, and LEEF formats with built-in functions for date conversion, IP normalisation, severity mapping, and custom transformations.\n\n- **Event Routing**: Route incoming SIEM events to specific investigations and workflows based on configurable match conditions. Filter by severity, category, source, or custom fields, with actions to cache, notify, or discard events for noise reduction.\n\n- **Bidirectional Event Streaming**: Stream events from your SIEM into the platform (inbound), forward platform alerts to your SIEM (outbound), or synchronise in both directions. Monitor stream health with live status indicators, event counts, and error tracking.\n\n- **Connection Testing**: Validate connections before enabling with tests covering network connectivity, authentication, query execution, data retrieval, and write operations. Review response times and sample data before going live.\n\n## Supported Platforms\n\n| Platform | Query Language | Authentication |\n|----------|---------------|----------------|\n| Splunk | SPL | Token or Basic Auth |\n| Microsoft Sentinel | KQL | OAuth2 / Service Principal |\n| IBM QRadar | AQL | SEC Token |\n| Elastic Security | Elasticsearch DSL | API Key or Basic Auth |\n| LogRhythm | Native | API Token |\n| ArcSight | Native | API Credentials |\n| Sumo Logic | Native | API Key |\n| Google Chronicle | Native | OAuth2 |\n\n## Use Cases\n\n- **Law enforcement agencies** correlating platform investigation findings with broader network events in an existing SIEM without fragmenting the security operations workflow.\n- **Government departments** with separate enterprise and OT environments that feed different SIEM instances, both connecting to the platform through independent configurations.\n- **Intelligence organisations** using routing rules to direct only high-severity events into active investigations while reducing noise from low-priority alerts.\n- **Financial institutions** normalising events from multiple SIEMs into a common schema for unified threat analysis across business units with different tooling.\n\n## Getting Started\n\n1. **Select Your SIEM**: Choose your SIEM platform and gather the required connection credentials.\n2. **Configure Connection**: Enter endpoint details, authentication, and query settings.\n3. **Test Connectivity**: Run connection tests to validate authentication and data access.\n4. **Set Up Normalisation**: Define field mappings to translate between your SIEM format and the platform schema.\n5. **Configure Routing**: Create rules to direct incoming events to the appropriate investigations and workflows.\n\n## Availability\n\n- Enterprise Plan: Included (all platforms, bidirectional streaming, advanced routing)\n- Professional Plan: Single SIEM connection included; additional connections and advanced features available as add-on\n\n**Last Reviewed:** 2026-02-23\n**Last Updated:** 2026-04-14\n"}