SIEM Export

ARX supports exporting audit events and security telemetry to external SIEM (Security Information and Event Management) systems. This guide covers configuring each supported SIEM destination, testing connectivity, HMAC signature verification for webhooks, and error tracking.

Supported Destinations

Type integration_type Description
Splunk HEC splunk Splunk HTTP Event Collector
Microsoft Sentinel sentinel Azure Monitor / Log Analytics workspace
Syslog (CEF) syslog Common Event Format over syslog protocol
Generic Webhook webhook Any HTTP endpoint with HMAC signature verification

Managing SIEM Integrations

All SIEM endpoints require the admin role and are accessed under /v1/settings/siem.

List Integrations

GET /v1/settings/siem

Returns all configured SIEM integrations for the organization.

Create an Integration

POST /v1/settings/siem

{
  "integration_type": "splunk",
  "name": "Production Splunk",
  "config": {
    "endpoint": "https://splunk.example.com:8088/services/collector",
    "token": "your-hec-token",
    "index": "arxsec",
    "source": "arxsec-api",
    "sourcetype": "_json"
  },
  "enabled": true
}

Update an Integration

PUT /v1/settings/siem/{integration_id}

Supports partial updates -- only include the fields you want to change.

Delete an Integration

DELETE /v1/settings/siem/{integration_id}

Returns 204 No Content.

Test an Integration

POST /v1/settings/siem/{integration_id}/test

Sends a test event to verify connectivity. Returns:

{
  "success": true,
  "message": "Test event sent successfully"
}

or:

{
  "success": false,
  "message": "Connection test failed: <error details>"
}

Configuring Splunk HEC

Prerequisites

  1. Enable HTTP Event Collector (HEC) on your Splunk instance.
  2. Create a new HEC token with the target index configured.
  3. Ensure the ARX API server can reach the Splunk HEC endpoint.

Configuration

{
  "integration_type": "splunk",
  "name": "Splunk HEC",
  "config": {
    "endpoint": "https://splunk.example.com:8088/services/collector",
    "token": "your-hec-token",
    "index": "arxsec",
    "source": "arxsec-api",
    "sourcetype": "_json"
  }
}
Field Required Description
endpoint Yes Full URL of the Splunk HEC endpoint
token Yes HEC authentication token
index No Target Splunk index (defaults to HEC token's default index)
source No Source identifier for events
sourcetype No Splunk sourcetype (default: _json)

After configuration, events appear in Splunk and can be searched:

index=arxsec source=arxsec-api | stats count by action_type

Configuring Microsoft Sentinel

Prerequisites

  1. Create a Log Analytics workspace in Azure.
  2. Note the Workspace ID and generate a Shared Key (primary or secondary).
  3. Ensure the ARX API server can reach https://<workspace-id>.ods.opinsights.azure.com.

Configuration

{
  "integration_type": "sentinel",
  "name": "Azure Sentinel",
  "config": {
    "workspace_id": "your-workspace-id",
    "shared_key": "your-shared-key",
    "log_type": "ARXSecAudit"
  }
}
Field Required Description
workspace_id Yes Log Analytics workspace ID
shared_key Yes Log Analytics shared key
log_type No Custom log type name (default: ARXSecAudit). Appears as ARXSecAudit_CL in Sentinel.

Querying in Sentinel

ARXSecAudit_CL
| where action_type_s == "agent.deployed"
| summarize count() by user_email_s, bin(TimeGenerated, 1h)

Configuring Syslog (CEF)

Prerequisites

  1. A syslog collector that accepts CEF-formatted messages (e.g., ArcSight, QRadar, rsyslog).
  2. Network connectivity from the ARX API server to the syslog endpoint.

Configuration

{
  "integration_type": "syslog",
  "name": "Syslog CEF",
  "config": {
    "host": "syslog.example.com",
    "port": 514,
    "protocol": "tcp",
    "facility": "local0"
  }
}
Field Required Description
host Yes Syslog server hostname or IP
port No Syslog server port (default: 514)
protocol No tcp or udp (default: tcp)
facility No Syslog facility (default: local0)

Events are formatted in CEF (Common Event Format):

CEF:0|ARXsec|ARX|1.0|agent.deployed|Agent Deployed|5|src=10.0.0.1 ...

Configuring Generic Webhook

Prerequisites

  1. An HTTP endpoint that accepts POST requests with JSON payloads.
  2. A shared secret for HMAC signature verification (recommended).

Configuration

{
  "integration_type": "webhook",
  "name": "Custom SIEM Webhook",
  "config": {
    "endpoint": "https://siem.example.com/api/events",
    "secret": "your-hmac-secret",
    "headers": {
      "X-Custom-Header": "custom-value"
    }
  }
}
Field Required Description
endpoint Yes Target webhook URL
secret No HMAC-SHA256 signing secret for payload verification
headers No Additional HTTP headers to include in requests

HMAC Signature Verification

When a secret is configured, each webhook delivery includes an X-ARX-Signature header containing the HMAC-SHA256 signature of the request body:

X-ARX-Signature: sha256=a1b2c3d4e5f6...

To verify the signature on the receiving end:

import hashlib
import hmac

def verify_signature(payload_body: bytes, signature_header: str, secret: str) -> bool:
    expected = "sha256=" + hmac.new(
        secret.encode(), payload_body, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature_header)

Always use a constant-time comparison function to prevent timing attacks.

Error Tracking

ARX tracks delivery errors for each SIEM integration:

Field Description
error_count Number of consecutive delivery failures
last_error Error message from the most recent failure
last_event_at Timestamp of the last successfully delivered event

When a test or delivery succeeds, the error_count is reset to 0 and last_error is cleared. This allows administrators to monitor integration health.

Audit Logging

All SIEM integration changes are recorded in the audit log:

Event Description
siem.integration.created A new SIEM integration was configured
siem.integration.updated An existing integration was modified
siem.integration.deleted An integration was removed

Sensitive configuration fields (token, shared_key, secret, password, api_key) are redacted in audit log entries.

Best Practices

  1. Test after creation. Always use the test endpoint to verify connectivity before relying on the integration.
  2. Monitor error counts. Set up alerting on error_count increases to catch delivery failures early.
  3. Use HMAC verification for webhook destinations to ensure event integrity.
  4. Rotate credentials (HEC tokens, shared keys) on a regular schedule.
  5. Use TLS for all SIEM endpoints. Avoid sending security telemetry over unencrypted connections.