SIEM Integration

Configure security event streaming to SIEM platforms

Updated Dec 29, 2025

Stream security events from AuthOS to your Security Information and Event Management (SIEM) platform.

Overview

SIEM integration enables real-time streaming of security events for:

  • Centralized security monitoring
  • Threat detection and response
  • Compliance auditing
  • Security analytics

Supported Platforms

| Platform | Protocol | Configuration |
| --- | --- | --- |
| Splunk | HTTP Event Collector | HEC URL + Token |
| Datadog | HTTP API | API Key + Site |
| Elastic | HTTP/Beats | Elasticsearch URL + API Key |
| Sumo Logic | HTTP Source | Collector URL |
| Generic Webhook | HTTPS | URL |

Endpoints

| Method | Path | Description |
| --- | --- | --- |
| POST | /api/organizations/:slug/siem-configs | Create SIEM config |
| GET | /api/organizations/:slug/siem-configs | List SIEM configs |
| GET | /api/organizations/:slug/siem-configs/:config_id | Get SIEM config |
| PUT | /api/organizations/:slug/siem-configs/:config_id | Update SIEM config |
| DELETE | /api/organizations/:slug/siem-configs/:config_id | Delete SIEM config |
| POST | /api/organizations/:slug/siem-configs/:config_id/test | Test connection |

POST /api/organizations/:slug/siem-configs

Create a SIEM integration configuration for the organization.

Synopsis

| Property | Value |
| --- | --- |
| Authentication | Required (JWT) |
| Authorization | Organization Owner or Admin |

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| provider | string | Yes | SIEM provider: splunk, datadog, elastic, sumologic, generic |
| config | object | Yes | Provider-specific configuration |
| event_types | array | No | Event types to stream (default: all) |
| enabled | boolean | No | Enable streaming (default: true) |

Provider Configurations

Splunk:

{
  "provider": "splunk",
  "config": {
    "hec_url": "https://splunk.example.com:8088/services/collector",
    "hec_token": "your-hec-token",
    "index": "authos_security",
    "source": "authos",
    "sourcetype": "_json"
  }
}

Datadog:

{
  "provider": "datadog",
  "config": {
    "api_key": "your-datadog-api-key",
    "site": "datadoghq.com",
    "service": "authos",
    "tags": ["env:production", "team:security"]
  }
}

Elastic:

{
  "provider": "elastic",
  "config": {
    "url": "https://elastic.example.com:9200",
    "api_key": "your-elastic-api-key",
    "index": "authos-security"
  }
}

Generic Webhook:

{
  "provider": "generic",
  "config": {
    "url": "https://siem.example.com/webhook/authos",
    "headers": {
      "Authorization": "Bearer your-token"
    }
  }
}

Example Request

curl -X POST https://sso.example.com/api/organizations/acme-corp/siem-configs \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "splunk",
    "config": {
      "hec_url": "https://splunk.acme.com:8088/services/collector",
      "hec_token": "abc123-def456-ghi789"
    },
    "event_types": ["user.login.success", "user.login.failed", "security.*"]
  }'

Response (201 Created)

{
  "id": "siem-config-uuid",
  "provider": "splunk",
  "enabled": true,
  "event_types": ["user.login.success", "user.login.failed", "security.*"],
  "created_at": "2025-01-15T10:30:00Z"
}

GET /api/organizations/:slug/siem-configs

List all SIEM configurations for the organization.

Example Request

curl -X GET https://sso.example.com/api/organizations/acme-corp/siem-configs \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

Response (200 OK)

{
  "configs": [
    {
      "id": "siem-config-uuid",
      "provider": "splunk",
      "enabled": true,
      "event_types": ["user.login.success", "user.login.failed", "security.*"],
      "last_event_at": "2025-01-15T10:25:00Z",
      "created_at": "2025-01-15T10:30:00Z"
    }
  ]
}

GET /api/organizations/:slug/siem-configs/:config_id

Retrieve a specific SIEM configuration.

Example Request

curl -X GET https://sso.example.com/api/organizations/acme-corp/siem-configs/siem-config-uuid \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

Response (200 OK)

{
  "id": "siem-config-uuid",
  "provider": "splunk",
  "config": {
    "hec_url": "https://splunk.acme.com:8088/services/collector"
  },
  "enabled": true,
  "event_types": ["user.login.success", "user.login.failed", "security.*"],
  "last_event_at": "2025-01-15T10:25:00Z",
  "events_sent_24h": 1542,
  "created_at": "2025-01-15T10:30:00Z"
}

[!NOTE] Sensitive fields like hec_token and api_key are not returned in GET responses.

PUT /api/organizations/:slug/siem-configs/:config_id

Update an existing SIEM configuration.

Example Request

curl -X PUT https://sso.example.com/api/organizations/acme-corp/siem-configs/siem-config-uuid \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": false
  }'

DELETE /api/organizations/:slug/siem-configs/:config_id

Remove a SIEM configuration and stop event streaming.

Example Request

curl -X DELETE https://sso.example.com/api/organizations/acme-corp/siem-configs/siem-config-uuid \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

Response (200 OK)

{
  "message": "SIEM configuration removed"
}

POST /api/organizations/:slug/siem-configs/:config_id/test

Send a test event to verify SIEM connectivity.

Example Request

curl -X POST https://sso.example.com/api/organizations/acme-corp/siem-configs/siem-config-uuid/test \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

Response (200 OK)

{
  "success": true,
  "message": "Test event sent successfully",
  "response_time_ms": 145
}

Error Response (400 Bad Request)

{
  "success": false,
  "error": "Connection failed: timeout after 30 seconds"
}

Event Format

Events are sent as JSON compatible with the Common Event Format (CEF):

{
  "timestamp": "2025-01-15T10:30:00.123Z",
  "organization_id": "org-uuid",
  "organization_slug": "acme-corp",
  "event_type": "user.login.success",
  "severity": "info",
  "actor": {
    "user_id": "user-uuid",
    "email": "user@example.com",
    "ip_address": "192.168.1.1",
    "user_agent": "Mozilla/5.0..."
  },
  "target": {
    "service_id": "service-uuid",
    "service_slug": "main-app"
  },
  "metadata": {
    "auth_method": "oauth:github",
    "mfa_used": true,
    "device_id": "device-uuid"
  }
}
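A receiving end for the Generic Webhook provider, written here as an added example (not AuthOS code): it checks the static bearer token from the config's headers, validates the event fields shown above, and returns either a normalized record or an error status. The token value and the sample event are constructed for the example.

```python
import hmac
import ipaddress
import json
from datetime import datetime

# Constructed values: the token mirrors the generic config's "Authorization": "Bearer your-token"
# header, and the event mirrors the event format documented above.
EXPECTED_TOKEN = "your-token"
SAMPLE_HEADERS = {"Authorization": "Bearer your-token", "Content-Type": "application/json"}
SAMPLE_EVENT = (
    b'{"timestamp": "2025-01-15T10:30:00.123Z", "organization_slug": "acme-corp",'
    b' "event_type": "user.login.success", "severity": "info", "metadata": {"mfa_used": true},'
    b' "actor": {"email": "user@example.com", "ip_address": "192.168.1.1", "user_agent": "Mozilla/5.0..."}}'
)
REQUIRED = ("timestamp", "organization_slug", "event_type", "severity", "actor")


def handle_webhook(headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one delivery; return (http_status, normalized_event_or_error_message)."""
    # Authenticate before parsing anything; header names are case-insensitive and
    # compare_digest keeps the token comparison constant-time.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if not auth.startswith("Bearer ") or not hmac.compare_digest(auth[7:].encode(), expected_token.encode()):
        return 401, "missing or invalid bearer token"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    missing = [f for f in REQUIRED if not isinstance(event, dict) or f not in event]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    try:  # timestamps on this page are UTC with a trailing Z
        ts = datetime.fromisoformat(str(event["timestamp"]).replace("Z", "+00:00"))
    except ValueError:
        return 400, "timestamp is not ISO 8601"
    actor = event["actor"] if isinstance(event["actor"], dict) else {}
    ip = actor.get("ip_address")
    if ip is not None:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            return 400, "actor.ip_address is not an IP address"
    return 200, {
        "timestamp": ts.isoformat(),
        "org": event["organization_slug"],
        "event_type": event["event_type"],
        "severity": str(event["severity"]).lower(),
        "actor_email": actor.get("email"),
        "actor_ip": ip,
        "mfa_used": (event.get("metadata") or {}).get("mfa_used"),
    }
```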

Event Types

Use wildcards to subscribe to event categories:

| Pattern | Matches |
| --- | --- |
| * | All events |
| user.* | All user events |
| security.* | All security events |
| user.login.* | Login success and failure |

See Webhook Events Reference for the complete list.

Security Events

High-priority security events for SIEM:

| Event | Severity | Description |
| --- | --- | --- |
| user.login.failed | Warning | Failed login attempt |
| user.mfa.verify.failed | Warning | Failed MFA verification |
| security.password.changed | Info | Password changed |
| security.mfa.disabled | Warning | MFA disabled |
| api_key.created | Info | New API key created |
| api_key.deleted | Info | API key deleted |
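The wildcard rules from the Event Types table and the high-priority list from the Security Events table, combined into an added example (not AuthOS code): a matcher for event_types patterns, the default-to-all behaviour when event_types is omitted, and a check that reports which high-priority events a given subscription list would never stream. The semantics of a non-trailing "*" (matching exactly one segment) go beyond the table and are an assumption.

```python
# The six event types from the Security Events table above.
HIGH_PRIORITY_EVENTS = [
    "user.login.failed",
    "user.mfa.verify.failed",
    "security.password.changed",
    "security.mfa.disabled",
    "api_key.created",
    "api_key.deleted",
]


def matches(pattern: str, event_type: str) -> bool:
    """True if a dotted event_type falls under a subscription pattern.

    A trailing "*" matches one or more remaining segments, so "user.*" covers
    "user.login.success" and "*" alone covers everything; a literal segment must
    match exactly. A "*" in the middle matching exactly one segment is assumed.
    """
    pat, evt = pattern.split("."), event_type.split(".")
    for i, seg in enumerate(pat):
        if seg == "*" and i == len(pat) - 1:
            return len(evt) >= len(pat)
        if i >= len(evt) or (seg != "*" and seg != evt[i]):
            return False
    return len(pat) == len(evt)


def should_stream(event_type: str, subscriptions) -> bool:
    """event_types is optional on create; omitted or empty means every event is streamed."""
    if not subscriptions:
        return True
    return any(matches(p, event_type) for p in subscriptions)


def coverage_gaps(subscriptions, required=HIGH_PRIORITY_EVENTS):
    """High-priority event types that this subscription list would never deliver to the SIEM."""
    return [e for e in required if not should_stream(e, subscriptions)]
```

Run against the subscription from the create example above, the check reports user.mfa.verify.failed and both api_key events as gaps.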