Overview
A security analyst investigating a suspected intrusion has alerts in her SIEM showing lateral movement attempts on Thursday evening. She needs those events alongside the investigation timeline in the platform, not in a separate tool. The SIEM Connector domain pulls the relevant events directly into the investigation record, maps each one to the corresponding MITRE ATT&CK technique, and correlates related alerts into a single coherent picture. AI analysis flags the pattern as consistent with a credential-harvesting chain. From one screen, the analyst can see the technical event sequence, the investigation context, and the threat classification, without switching systems.
Key Features
- Multi-Platform Connectivity: Connect to leading SIEM platforms through a standardised integration layer that normalises data formats and communication protocols across different vendors.
- Real-Time Event Streaming: Stream security events from connected SIEM platforms into the investigation workflow in real time, ensuring analysts have immediate access to the latest security intelligence.
- MITRE ATT&CK Mapping: Automatically map detected security events to MITRE ATT&CK tactics, techniques, and procedures for standardised threat classification and pattern recognition.
- Alert Correlation: Correlate security alerts from SIEM platforms with investigation data to identify patterns, link related events, and provide context for security investigations.
- AI-Enhanced Analysis: Apply AI-powered analysis to security events to detect anomalies, identify potential attack chains, and generate actionable intelligence for analysts.
- Event Normalisation: Transform events from different SIEM platforms into a consistent format with standardised fields, enabling unified analysis regardless of the source platform.
- Routing Rules: Configure event routing rules based on match conditions, priority levels, and action types to ensure the right events reach the right analysts and investigations.
- Connection Testing: Validate SIEM connections before going live to ensure proper authentication, connectivity, and data flow between platforms.
Use Cases
SIEM integration into investigation workflows is most valuable where technical security events must be correlated with broader threat intelligence and case records. Key industries include financial services, defence and government, and enterprise technology.
- Security Investigation: Pull relevant security events from SIEM platforms directly into active investigations to provide technical context for threat analysis.
- Threat Detection: Monitor SIEM event streams for patterns that match known attack techniques, generating alerts when suspicious activity is detected.
- Incident Response: Correlate SIEM alerts with investigation timelines to understand the scope and progression of security incidents.
- Compliance Monitoring: Stream security events into the platform for regulatory compliance monitoring and automated reporting.
Integration
The SIEM Connector domain bridges security monitoring with investigative workflows:
- Investigation Management: SIEM events link directly to active investigations
- Threat Intelligence: Attack patterns enrich threat intelligence analysis
- Alert System: SIEM alerts feed into the platform notification framework
- Timeline: Security events populate investigative timelines
Open Standards
- MITRE ATT&CK: Detected security events are automatically classified using MITRE ATT&CK tactic and technique identifiers (e.g. T1021, T1041, T1059), which are stored against each attack pattern and surfaced in investigation timelines.
- OAuth 2.0 (RFC 6749): The Microsoft Sentinel integration authenticates via the OAuth 2.0 client credentials flow, acquiring scoped Azure AD access tokens for both the Resource Manager and Log Analytics APIs.
- CEF (ArcSight Common Event Format): Ingested events may arrive in CEF encoding; the normalisation layer accepts CEF as a named source format alongside JSON, syslog, LEEF, XML, and CSV.
- Syslog (RFC 5424 / RFC 3164): Syslog is supported as a native source format for event ingestion, enabling direct connectivity to network devices and legacy SIEM forwarders that emit syslog streams.
- LEEF (IBM Log Event Extended Format): LEEF is recognised as a distinct source format in the normalisation pipeline, allowing QRadar and other IBM-origin log feeds to be ingested without prior conversion.
- HTTP Basic Authentication (RFC 7617): All three vendor clients (Splunk, Elasticsearch, Sentinel) implement HTTP Basic Authentication as a supported credential mode, transmitting Base64-encoded username and password in the Authorization header.
- GraphQL: The entire management and query surface for SIEM connections, event streams, routing rules, and attack patterns is exposed through a GraphQL API, with strongly-typed inputs and responses defined via the Strawberry schema library.
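As an added example (not the platform's own code), here is a minimal normaliser of the kind the Event Normalisation feature and the CEF and LEEF entries above describe: it splits a CEF or LEEF header on unescaped pipes, parses the extension into key/value pairs, and emits one common field layout. The field names, the `normalise` function and the two sample lines are constructed for this example and are not the product's schema.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real telemetry): one CEF event behind a syslog
# prefix and one LEEF 2.0 event using '^' as its extension delimiter.
SAMPLE_CEF = "<134>Oct  3 21:05:11 fw01 CEF:0|Acme|Gateway|2.1|100|Remote service logon|7|src=10.0.0.5 dst=10.0.0.9 suser=jdoe act=allow"
SAMPLE_LEEF = "LEEF:2.0|IBM|QRadar|7.5|Suspicious Logon|^|src=10.0.0.5^dst=10.0.0.9^usrName=svc^sev=8"

_CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # CEF extension: space-separated key=value; values may contain spaces

def _split_header(body: str, count: int) -> List[str]:
    """Split `count` header fields on unescaped '|' (CEF/LEEF escape '|' and '\\' with a backslash); the rest is the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < count:
        raise ValueError("truncated %d-field header" % count)
    return fields + [body[i:]]

def normalise(line: str) -> Optional[Dict[str, object]]:
    """Map a CEF or LEEF line (syslog prefix tolerated) onto an assumed common layout; None if it is neither format."""
    m = re.search(r"\b(CEF|LEEF):([\d.]+)\|", line)
    if not m:
        return None
    fmt, version, body = m.group(1), m.group(2), line[m.end():]
    if fmt == "CEF":
        vendor, product, dev_ver, event_id, name, severity, ext = _split_header(body, 6)
        fields = {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in _CEF_EXT.findall(ext)}
    else:
        # LEEF 2.0 carries an optional delimiter field (a character, or hex such as x09); LEEF 1.0 always uses a tab.
        parts = _split_header(body, 5 if version.startswith("2") else 4)
        vendor, product, dev_ver, event_id = parts[:4]
        delim = parts[4] if len(parts) == 6 else ""
        if re.fullmatch(r"0?x[0-9A-Fa-f]{2}", delim):
            delim = chr(int(delim[-2:], 16))
        fields = dict(p.split("=", 1) for p in parts[-1].split(delim or "\t") if "=" in p)
        name, severity = event_id, fields.get("sev", "")  # LEEF has no name field; severity rides in the 'sev' attribute
    return {"source_format": fmt, "vendor": vendor, "product": product, "device_version": dev_ver,
            "event_id": event_id, "name": name, "severity": severity, "fields": fields}
```

Calling `normalise(SAMPLE_CEF)` and `normalise(SAMPLE_LEEF)` yields two dicts with the same keys, which is the point at which a routing rule or ATT&CK lookup can treat both feeds alike.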
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14