
SIEM Integration


Module Metadata



Source Reference

content/modules/admin_siem_integration.md

Last Updated

Feb 23, 2026

Category

Data Integration

Content Checksum

5363a7511ce102a8

Tags

data-integration, real-time, geospatial

Rendered Documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

The SIEM Integration module enables bidirectional connectivity with your existing Security Information and Event Management platforms. Configure connections, normalize event data, route events to investigations, and monitor real-time event streams, all from a centralized management interface that supports multiple SIEM platforms simultaneously.

Key Features

  • Multi-Platform Support - Connect to major SIEM platforms including Splunk, IBM QRadar, Microsoft Sentinel, Elastic Security, LogRhythm, ArcSight, Sumo Logic, and Google Chronicle. Manage multiple connections simultaneously with independent configurations.

  • Flexible Connection Types - Connect via REST API endpoints, message brokers (Kafka, RabbitMQ, Azure Event Hubs), or cloud storage (S3, Azure Blob, GCS). Each connection type is optimized for its use case with appropriate authentication, retry logic, and error handling.

  • Data Normalization - Transform events between SIEM-native formats and the platform schema with configurable field mappings and transformation rules. Support for JSON, CEF, SYSLOG, CSV, XML, and LEEF formats with built-in functions for date conversion, IP normalization, severity mapping, and custom transformations.

  • Event Routing - Route incoming SIEM events to specific investigations and workflows based on configurable match conditions. Filter by severity, category, source, or custom fields with actions to cache, notify, or discard events for noise reduction.

  • Bidirectional Event Streaming - Stream events in real time from your SIEM into the platform (inbound), forward platform alerts to your SIEM (outbound), or synchronize events in both directions. Monitor stream health with live status indicators, event counts, and error tracking.

  • Connection Testing - Validate connections before enabling with comprehensive tests covering network connectivity, authentication, query execution, data retrieval, and write operations. Review response times and sample data before going live.
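As an added example, not the module's own code (which this page does not show), the Data Normalization and Event Routing features above applied to one constructed CEF event: the header and key=value extension are parsed, the epoch-millisecond timestamp and 0-10 severity are converted, and first-match routing rules decide whether the event is routed to an investigation, cached, or discarded. The common-schema field names, the severity mapping and the rules are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample CEF event (not captured from any real SIEM).
CEF_SAMPLE = ("CEF:0|ExampleVendor|ExampleProduct|1.0|100|Suspicious login|8|"
              "src=10.0.0.5 dst=10.0.0.9 rt=1700000000000 suser=alice msg=Multiple failures")

# Assumed routing rules: evaluated top to bottom, first match wins, last rule is the catch-all.
RULES = [
    {"match": {"severity": ["critical", "high"]}, "action": "route",
     "target": "investigation:auth-anomalies"},
    {"match": {"severity": ["low"]}, "action": "discard"},
    {"match": {}, "action": "cache"},
]

def map_severity(cef_severity: int) -> str:
    """Collapse CEF's 0-10 scale onto the four labels of the assumed common schema."""
    if cef_severity >= 9:
        return "critical"
    if cef_severity >= 7:
        return "high"
    return "medium" if cef_severity >= 4 else "low"

def parse_cef(line: str) -> dict:
    """Normalise one CEF line: seven pipe-delimited header fields (a literal pipe is
    escaped as \\|), then a key=value extension whose values may contain spaces."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    _, vendor, product, _version, _sig_id, name, severity, extension = parts
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", extension))
    # CEF's rt is epoch milliseconds; the common schema stores ISO 8601 UTC.
    ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "source": f"{vendor} {product}".replace("\\|", "|"),
        "title": name.replace("\\|", "|"),
        "severity": map_severity(int(severity)),
        "src_ip": ext.get("src"), "dst_ip": ext.get("dst"),
        "user": ext.get("suser"), "message": ext.get("msg"),
    }

def route(event: dict, rules: list = RULES) -> dict:
    """Return the first rule whose match conditions all hold for the event."""
    for rule in rules:
        if all(event.get(field) in allowed for field, allowed in rule["match"].items()):
            return rule
    return {"action": "cache"}
```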

Supported Platforms

| Platform | Query Language | Authentication |
| --- | --- | --- |
| Splunk | SPL | Token or Basic Auth |
| Microsoft Sentinel | KQL | OAuth2 / Service Principal |
| IBM QRadar | AQL | SEC Token |
| Elastic Security | Elasticsearch DSL | API Key or Basic Auth |
| LogRhythm | Native | API Token |
| ArcSight | Native | API Credentials |
| Sumo Logic | Native | API Key |
| Google Chronicle | Native | OAuth2 |

Use Cases

  • Unified security operations by connecting your existing SIEM investments to the platform for correlated threat analysis and investigation workflows.
  • Automated event triage using routing rules to filter high-severity events into active investigations while reducing noise from low-priority alerts.
  • Cross-platform correlation by normalizing events from multiple SIEM sources into a common schema for unified analysis and reporting.
  • Bidirectional intelligence sharing where platform findings and alerts flow back to your SIEM for centralized security monitoring alongside other organizational data sources.

Getting Started

  1. Select Your SIEM - Choose your SIEM platform and gather the required connection credentials.
  2. Configure Connection - Enter endpoint details, authentication, and query settings.
  3. Test Connectivity - Run connection tests to validate authentication and data access.
  4. Set Up Normalization - Define field mappings to translate between your SIEM format and the platform schema.
  5. Configure Routing - Create rules to direct incoming events to the appropriate investigations and workflows.

Availability

  • Enterprise Plan: Included (all platforms, bidirectional streaming, advanced routing)
  • Professional Plan: Single SIEM connection included; additional connections and advanced features available as an add-on

Last Reviewed: 2026-02-23