SIEM

Forward authentication events to your SIEM platform

The SIEM integration forwards SendAuth authentication events to your Security Information and Event Management (SIEM) platform for centralized security monitoring, analysis, and alerting.

Prerequisites

Active SIEM platform (Splunk, Elastic, Sumo Logic, etc.)
HTTP endpoint in your SIEM for receiving events
Authentication credentials for the endpoint

Configuration

SIEM configuration is limited to users with the admin role.

Navigate to Settings → SIEM

Required Fields

Enable SIEM Integration

Check this box to activate SIEM forwarding

SIEM URL

The HTTP/HTTPS endpoint for your SIEM
Example: https://siem.yourcompany.com/collector
Must be accessible from SendAuth servers

Authentication Options

Choose one authentication method:

Basic Authentication

Username - Basic auth username
Password - Basic auth password

Header Authentication

Custom Header - Full header for authentication
Format: Authorization: Bearer YOUR_TOKEN
Example: X-API-Key: abc123

Supported SIEM Platforms

Splunk

Use Splunk HTTP Event Collector (HEC)
URL format: https://splunk.company.com:8088/services/collector
Authentication: Authorization: Splunk YOUR_HEC_TOKEN

Elastic/Elasticsearch

Use Elasticsearch HTTP API endpoint
URL format: https://elastic.company.com:9200/sendauth/_doc
Authentication: Basic auth or API key header

Sumo Logic

Use HTTP Source collector
URL format: Provided by Sumo Logic HTTP Source
Authentication: Included in URL

Generic SIEM

Any SIEM accepting JSON over HTTP/HTTPS
Custom authentication header support
Configurable endpoint

Event Types

SendAuth forwards these authentication events to your SIEM:

Transaction Created

{
  "event_type": "transaction.created",
  "timestamp": "2025-01-28T10:30:00Z",
  "transaction_id": "tx-uuid",
  "requestor": "admin@company.com",
  "subject": "user@company.com",
  "context": "AWS Console Access",
  "org_id": "org-uuid"
}

Transaction Verified

{
  "event_type": "transaction.verified",
  "timestamp": "2025-01-28T10:31:00Z",
  "transaction_id": "tx-uuid",
  "subject": "user@company.com",
  "ip_address": "203.0.113.42",
  "location": {
    "city": "San Francisco",
    "region": "California",
    "country": "US"
  },
  "org_id": "org-uuid"
}

Transaction Denied

{
  "event_type": "transaction.denied",
  "timestamp": "2025-01-28T10:31:00Z",
  "transaction_id": "tx-uuid",
  "subject": "user@company.com",
  "ip_address": "203.0.113.42",
  "org_id": "org-uuid"
}

Transaction Expired

{
  "event_type": "transaction.expired",
  "timestamp": "2025-01-28T10:35:00Z",
  "transaction_id": "tx-uuid",
  "org_id": "org-uuid"
}

Payload Format

All events are sent as JSON with these common fields:

Field	Type	Description
`event_type`	string	Type of authentication event
`timestamp`	string	ISO 8601 timestamp
`org_id`	string	Organization identifier
`transaction_id`	string	Unique transaction ID

Additional fields vary by event type.

Event Delivery

Timing

Events are sent in real-time as they occur
Typically delivered within seconds
Async processing to avoid blocking authentication flow

Reliability

Failed deliveries are retried with exponential backoff
Maximum 3 retry attempts
Events may be lost after retry exhaustion

Ordering

Events are sent in occurrence order
Network delays may cause reordering
Use timestamp field for accurate sequencing

Use Cases

Security Monitoring

Real-time authentication event monitoring
Anomaly detection on authentication patterns
Geographic access analysis
Failed authentication alerting

Compliance

Audit trail for authentication events
Access review documentation
Regulatory reporting
Retention policy enforcement

Incident Response

Authentication timeline reconstruction
Suspicious access investigation
Forensic analysis
Correlation with other security events

Alerting Examples

Splunk Alert: Failed Authentications

index=sendauth event_type="transaction.denied"
| stats count by subject
| where count > 5

Elastic Query: Foreign Country Access

{
  "query": {
    "bool": {
      "must": [
        { "term": { "event_type": "transaction.verified" }},
        { "term": { "location.country": "CN" }}
      ]
    }
  }
}

Status Monitoring

The integration status indicator shows:

Success - Last event was delivered successfully
Error - Recent delivery failure with error details
Not yet invoked - Integration configured but no events sent

Troubleshooting

Events not appearing in SIEM

Verify SIEM URL is correct and accessible
Check authentication credentials are valid
Ensure SIEM endpoint is accepting JSON POST requests
Review SIEM ingestion logs for errors
Test endpoint with curl:

curl -X POST https://siem.company.com/collector \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"test": "event"}'

Authentication failures

Verify username/password for basic auth
Check custom header format includes field name
Ensure API keys or tokens are not expired
Review SIEM access logs for authentication attempts

Missing fields in SIEM

Check SIEM field extraction configuration
Verify JSON parsing is enabled
Review field mapping in SIEM
Ensure all JSON fields are being indexed

Event delivery delays

Check network connectivity to SIEM endpoint
Review SIEM ingestion rate limits
Monitor SendAuth SIEM status for errors
Verify SIEM processing capacity

Security Considerations

Data Privacy

Authentication events contain user identifiers
IP addresses and location data included
Review data retention policies
Consider GDPR and privacy regulations

Network Security

Use HTTPS for SIEM endpoints
Implement IP allowlisting if possible
Use strong authentication credentials
Rotate API keys/tokens regularly

Access Control

Restrict SIEM access to security team
Implement role-based access in SIEM
Monitor SIEM access logs
Review permissions regularly

Disabling SIEM Integration

To stop forwarding events to your SIEM:

Navigate to Settings → SIEM
Uncheck Enable SIEM Integration
Click Save

Events will stop being forwarded immediately. Historical events remain in your SIEM per its retention policy.