SIEM Integration

Configure security event streaming to SIEM platforms

Updated Apr 12, 2026


Manage configurations for streaming security events from AuthOS to your Security Information and Event Management (SIEM) platform.

Overview

SIEM integration allows you to configure endpoints for Datadog, Splunk, Elastic, or Custom HTTP collectors.

[!NOTE] This API currently manages the configuration and connectivity testing. High-volume background streaming is handled by the platform’s event dispatcher.


Endpoints

| Method | Path | Description |
|--------|------|-------------|
| POST | /api/organizations/:org_slug/siem-configs | Create SIEM config |
| GET | /api/organizations/:org_slug/siem-configs | List SIEM configs |
| GET | /api/organizations/:org_slug/siem-configs/:config_id | Get SIEM config |
| PUT | /api/organizations/:org_slug/siem-configs/:config_id | Update SIEM config |
| DELETE | /api/organizations/:org_slug/siem-configs/:config_id | Delete SIEM config |
| POST | /api/organizations/:org_slug/siem-configs/:config_id/test | Test connection |

POST /api/organizations/:org_slug/siem-configs

Create a SIEM integration configuration.

Authorization: Owner or Admin

Request Body

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| name | string | Yes | Friendly name for this configuration |
| provider_type | string | Yes | Datadog, Splunk, Elastic, or Custom |
| endpoint_url | string | Yes | The collector endpoint URL |
| api_key | string | No | API Key or Token (encrypted at rest) |
| auth_header | string | No | Custom Header (e.g., X-API-Key: value) |
| batch_size | integer | No | Number of events per batch (default: 100) |

Example Request

curl -X POST https://sso.example.com/api/organizations/acme-corp/siem-configs \
  -H "Authorization: Bearer {jwt}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Datadog",
    "provider_type": "Datadog",
    "endpoint_url": "https://http-intake.logs.datadoghq.com/v1/input",
    "api_key": "dd_api_key_here",
    "batch_size": 100
  }'

Response (201 Created)

{
  "id": "siem-config-uuid",
  "org_id": "org-uuid",
  "name": "Production Datadog",
  "provider_type": "Datadog",
  "endpoint_url": "https://http-intake.logs.datadoghq.com/v1/input",
  "batch_size": 100,
  "enabled": true,
  "last_successful_batch_at": null,
  "failure_count": 0,
  "created_at": "2025-01-15T10:30:00Z"
}

GET /api/organizations/:org_slug/siem-configs

List all SIEM configurations for the organization.

Response (200 OK)

{
  "siem_configs": [
    {
      "id": "siem-config-uuid",
      "name": "Production Datadog",
      "provider_type": "Datadog",
      "endpoint_url": "https://http-intake.logs.datadoghq.com/v1/input",
      "enabled": true,
      "created_at": "2025-01-15T10:30:00Z"
    }
  ],
  "total": 1
}

POST /api/organizations/:org_slug/siem-configs/:config_id/test

Send a test event to verify SIEM connectivity.

Response (200 OK)

{
  "success": true,
  "message": "Successfully connected to SIEM endpoint (status: 200 OK)"
}
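As an added example (not AuthOS project code), the following Python helpers validate a request body against the field table for POST /api/organizations/:org_slug/siem-configs before it is sent, redact the api_key and the auth_header value so a local log of the call never stores the secret, and classify a stored configuration from the enabled, failure_count and last_successful_batch_at fields that the create and get endpoints return. The HTTPS-only rule for endpoint_url, the header-name syntax check and the one-hour staleness threshold are assumptions a deployer would choose, not rules this API documents; the function names are hypothetical and the sample inputs are constructed.

```python
"""Client-side checks for AuthOS SIEM configs (added example, not project code).

Field names follow the siem-configs API; the validation rules and the
staleness window below are assumptions, not documented server behaviour.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Any

PROVIDER_TYPES = {"Datadog", "Splunk", "Elastic", "Custom"}
DEFAULT_BATCH_SIZE = 100  # documented default for batch_size
# RFC 7230 header field-name: one or more tchar
_HEADER_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_siem_config(body: dict[str, Any]) -> dict[str, Any]:
    """Return a normalized body for POST .../siem-configs, or raise ValueError.

    Rejects what the server would refuse (bad provider_type, non-positive
    batch_size) and what would weaken the pipeline (assumed rules: plaintext
    collector URL, malformed or CRLF-bearing auth_header).
    """
    name = str(body.get("name", "")).strip()
    if not name:
        raise ValueError("name is required")

    provider = body.get("provider_type")
    if provider not in PROVIDER_TYPES:
        raise ValueError(f"provider_type must be one of {sorted(PROVIDER_TYPES)}")

    url = str(body.get("endpoint_url", ""))
    # Assumption: security events leave the org here, so require TLS.
    if not url.startswith("https://") or len(url) <= len("https://"):
        raise ValueError("endpoint_url must be an https:// URL")

    out: dict[str, Any] = {"name": name, "provider_type": provider, "endpoint_url": url}

    if body.get("api_key"):
        out["api_key"] = str(body["api_key"])

    auth_header = body.get("auth_header")
    if auth_header:
        # Documented form is "X-API-Key: value"; split on the first colon only
        # so a value that itself contains ':' survives intact.
        hdr_name, sep, hdr_value = str(auth_header).partition(":")
        hdr_name, hdr_value = hdr_name.strip(), hdr_value.strip()
        if not sep or not _HEADER_NAME.match(hdr_name) or not hdr_value:
            raise ValueError('auth_header must look like "Header-Name: value"')
        if "\r" in hdr_value or "\n" in hdr_value:
            raise ValueError("auth_header value must not contain CR/LF")
        out["auth_header"] = f"{hdr_name}: {hdr_value}"

    batch = body.get("batch_size", DEFAULT_BATCH_SIZE)
    if not isinstance(batch, int) or isinstance(batch, bool) or batch < 1:
        raise ValueError("batch_size must be a positive integer")
    out["batch_size"] = batch
    return out


def redact(body: dict[str, Any]) -> dict[str, Any]:
    """Copy of a request or response body that is safe to write to local logs."""
    safe = dict(body)
    if "api_key" in safe:
        safe["api_key"] = "***"
    if "auth_header" in safe:
        hdr_name, _, _ = str(safe["auth_header"]).partition(":")
        safe["auth_header"] = f"{hdr_name.strip()}: ***"
    return safe


def assess_health(config: dict[str, Any], now: datetime,
                  max_age: timedelta = timedelta(hours=1)) -> str:
    """Classify a GET .../siem-configs/:config_id response.

    Uses the documented enabled / failure_count / last_successful_batch_at
    fields. A feed that has stopped delivering is a silent detection gap, so
    'failing' and 'stale' are the states worth alerting on. max_age is an
    assumed threshold; tune it to the expected event rate.
    """
    if not config.get("enabled", False):
        return "disabled"
    if config.get("failure_count", 0) > 0:
        return "failing"
    last = config.get("last_successful_batch_at")
    if last is None:
        return "never_delivered"
    last_dt = datetime.fromisoformat(last.replace("Z", "+00:00"))
    if now - last_dt > max_age:
        return "stale"
    return "healthy"


if __name__ == "__main__":
    # Constructed sample mirroring the page's example request.
    body = validate_siem_config({
        "name": "Production Datadog", "provider_type": "Datadog",
        "endpoint_url": "https://http-intake.logs.datadoghq.com/v1/input",
        "api_key": "dd_api_key_here",
    })
    print("sending", redact(body))
    print(assess_health({"enabled": True, "failure_count": 0,
                         "last_successful_batch_at": None},
                        datetime.now(timezone.utc)))
```

The test endpoint confirms reachability once, at configuration time; whether delivery has kept working since is only visible in failure_count and last_successful_batch_at, so a defender would poll the get endpoint on a schedule and alert on "failing" or "stale" rather than rely on the one-off test result.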