SIEM Admin API
Arbitex exposes two SIEM API surfaces. Both require UserRole.ADMIN.
| API | Prefix | Purpose |
|---|---|---|
| Per-org SIEM config CRUD | /v1/org/siem-configs | Create and manage connector credentials for your organisation |
| Connector registry API | /api/admin/siem | Read health and test globally registered connectors |
Per-org SIEM config API — /v1/org/siem-configs
Connector credentials are Fernet-encrypted at rest and are never stored in plaintext. The config field is returned decrypted in API responses so that an admin can confirm what was saved; treat every response from this API as carrying live credentials (do not log response bodies, and keep UserRole.ADMIN limited to the people who own the SIEM integration).
Supported connector_type values: splunk_hec, sentinel, elastic, datadog, sumo_logic, cortex_xsiam, qradar.
Create a SIEM config

```
POST /v1/org/siem-configs
Authorization: Bearer <token>
Content-Type: application/json
```

```json
{
  "connector_type": "splunk_hec",
  "config": {
    "url": "https://splunk.example.com:8088",
    "token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "index": "arbitex_audit"
  },
  "is_enabled": true
}
```

| Field | Type | Required | Description |
|---|---|---|---|
| connector_type | string | Yes | One of the supported connector type values above |
| config | object | Yes | Connector-specific credentials. See per-connector schemas below |
| is_enabled | bool | No | Defaults to true. Pass false to create but not activate |
Returns 422 if connector_type is not a recognised value.
Response — 201 Created

```json
{
  "id": "c1a2b3d4-...",
  "org_id": "b3e2a1c0-...",
  "connector_type": "splunk_hec",
  "config": {
    "url": "https://splunk.example.com:8088",
    "token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "index": "arbitex_audit"
  },
  "is_enabled": true,
  "created_at": "2026-03-12T10:00:00Z",
  "updated_at": "2026-03-12T10:00:00Z",
  "last_delivery_at": null,
  "delivery_status": "healthy"
}
```

List SIEM configs

```
GET /v1/org/siem-configs
Authorization: Bearer <token>
```

Returns all configs for the caller's organisation, ordered newest-first. Each entry includes the decrypted config dict.
Response

```json
[
  {
    "id": "c1a2b3d4-...",
    "org_id": "b3e2a1c0-...",
    "connector_type": "splunk_hec",
    "config": { ... },
    "is_enabled": true,
    "created_at": "2026-03-12T10:00:00Z",
    "updated_at": "2026-03-12T10:00:00Z",
    "last_delivery_at": "2026-03-12T10:01:00Z",
    "delivery_status": "healthy"
  }
]
```

delivery_status values:

| Value | Meaning |
|---|---|
| healthy | Last delivery succeeded |
| degraded | Last test or delivery failed |
| not_configured | Config exists but connector cannot be instantiated |
Update a SIEM config
Only provided (non-null) fields are updated. Re-encrypts the config dict if a new one is supplied. Note that config is replaced as a whole, not merged: a config dict that omits a field drops that field.

```
PUT /v1/org/siem-configs/{config_id}
Authorization: Bearer <token>
Content-Type: application/json
```

```json
{
  "config": {
    "url": "https://splunk2.example.com:8088",
    "token": "new-token-value",
    "index": "arbitex_audit"
  },
  "is_enabled": true
}
```

| Field | Type | Description |
|---|---|---|
| config | object | Full replacement config dict (or omit to leave unchanged) |
| is_enabled | bool | Set to false to pause delivery without deleting |
Returns 404 if the config ID doesn’t exist or belongs to a different org.
Response — 200 OK — same schema as create.
Delete a SIEM config

```
DELETE /v1/org/siem-configs/{config_id}
Authorization: Bearer <token>
```

Returns 204 No Content on success. Returns 404 if not found or owned by a different org.
The per-org connector cache is invalidated immediately on deletion.
Test a SIEM config
Instantiates the connector with the stored (decrypted) config and sends a synthetic OCSF test event. Updates delivery_status and last_delivery_at based on the result.

```
POST /v1/org/siem-configs/{config_id}/test
Authorization: Bearer <token>
```

No request body required.

Response

```json
{
  "config_id": "c1a2b3d4-...",
  "connector_type": "splunk_hec",
  "success": true,
  "events_sent": 1,
  "error": null
}
```

On failure, success is false, events_sent is 0, and error contains the connector error message. The config's delivery_status is set to "degraded".
Returns 404 if the config is not found. Returns 422 if the connector type cannot be instantiated (e.g. missing required config fields).
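Because the create call stores the credentials and the test call is the only way to find out whether they work, a safe rollout is to create the config with is_enabled false, run the test, and enable it only when the test succeeds (deleting it otherwise). The following is an added example, not Arbitex code. It assumes the test endpoint accepts a config that was created disabled (the page does not say otherwise), takes the HTTP layer as an injected callable so it runs offline against the constructed FakeArbitex stand-in, and redacts the decrypted config before logging it; SECRET_KEYS and the fake's behaviour are assumptions.

```python
"""Safe rollout of a per-org SIEM config: create it disabled, test it, enable it only
if the test delivery succeeds, otherwise delete it. Added example, not Arbitex code.
The HTTP layer is an injected callable so the flow runs offline against a fake."""
from typing import Callable, Optional, Tuple

BASE = "/v1/org/siem-configs"
SUPPORTED = {"splunk_hec", "sentinel", "elastic", "datadog",
             "sumo_logic", "cortex_xsiam", "qradar"}
# Assumption: these config keys carry credentials and must never reach a log line.
SECRET_KEYS = {"token", "api_key", "api_key_id", "shared_key"}
# (method, path, json body) -> (http status, json body or None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Optional[dict]]]


def redact(config: dict) -> dict:
    """Mask credential fields of a decrypted config before logging it. A Sumo Logic
    collector URL is masked too, because its path *is* the token."""
    masked = {}
    for key, value in config.items():
        if key in SECRET_KEYS:
            masked[key] = "***"
        elif key == "url" and "/receiver/v1/http/" in str(value):
            masked[key] = str(value).split("/receiver/")[0] + "/receiver/***"
        else:
            masked[key] = value
    return masked


def rollout(connector_type: str, config: dict, send: Transport, log=print) -> dict:
    """Create (disabled) -> test -> enable, or delete on a failed test.
    Returns {"id", "activated", "error"}."""
    status, body = send("POST", BASE, {"connector_type": connector_type,
                                       "config": config, "is_enabled": False})
    if status == 422:
        raise ValueError(f"connector_type {connector_type!r} rejected by the API")
    if status != 201 or body is None:
        raise RuntimeError(f"create failed with HTTP {status}")
    cfg_id = body["id"]
    # The 201 body echoes the decrypted config: log the redacted form only.
    log(f"created {cfg_id} ({connector_type}) config={redact(body['config'])}")

    status, result = send("POST", f"{BASE}/{cfg_id}/test", None)
    if status == 200 and result and result.get("success"):
        status, _ = send("PUT", f"{BASE}/{cfg_id}", {"is_enabled": True})
        if status != 200:
            raise RuntimeError(f"enable failed with HTTP {status}")
        log(f"{cfg_id} passed the test delivery and is now enabled")
        return {"id": cfg_id, "activated": True, "error": None}

    error = (result or {}).get("error") or f"HTTP {status}"
    send("DELETE", f"{BASE}/{cfg_id}", None)  # leave no degraded, disabled config behind
    log(f"{cfg_id} failed the test delivery ({error}); deleted")
    return {"id": cfg_id, "activated": False, "error": error}


class FakeArbitex:
    """Constructed in-memory stand-in for the endpoints used above. A test delivery
    succeeds only when the config URL names one of `reachable_hosts`."""

    def __init__(self, reachable_hosts):
        self.reachable_hosts = set(reachable_hosts)
        self.store, self.calls, self._seq = {}, [], 0

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        if method == "POST" and path == BASE:
            if body["connector_type"] not in SUPPORTED:
                return 422, None
            self._seq += 1
            cfg_id = f"cfg-{self._seq}"
            self.store[cfg_id] = {"id": cfg_id, "org_id": "org-1", **body,
                                  "delivery_status": "healthy", "last_delivery_at": None}
            return 201, self.store[cfg_id]
        cfg_id = path.split("/")[4]  # /v1/org/siem-configs/{id}[/test]
        record = self.store.get(cfg_id)
        if record is None:
            return 404, None
        if method == "POST" and path.endswith("/test"):
            endpoint = str(record["config"].get("url", record["config"].get("host", "")))
            ok = any(h in endpoint for h in self.reachable_hosts)
            record["delivery_status"] = "healthy" if ok else "degraded"
            return 200, {"config_id": cfg_id, "connector_type": record["connector_type"],
                         "success": ok, "events_sent": 1 if ok else 0,
                         "error": None if ok else "connection refused"}
        if method == "PUT":
            record.update({k: v for k, v in body.items() if v is not None})
            return 200, record
        if method == "DELETE":
            del self.store[cfg_id]
            return 204, None
        return 405, None


if __name__ == "__main__":
    api = FakeArbitex(reachable_hosts={"splunk.example.com"})
    good = {"url": "https://splunk.example.com:8088", "token": "hec-token", "index": "arbitex_audit"}
    print(rollout("splunk_hec", good, api))
    print(rollout("splunk_hec", dict(good, url="https://down.example.com:8088"), api))
```

To run it against a real deployment, replace FakeArbitex with a callable that performs the HTTPS request with the admin bearer token and returns (status, parsed JSON); the rollout logic and the redaction stay the same.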
Connector registry API — /api/admin/siem
The connector registry tracks globally-configured SIEM connectors (registered programmatically, not via CRUD). This API provides read-only health inspection and fire-and-verify test delivery.
List connectors

```
GET /api/admin/siem/connectors
Authorization: Bearer <token>
```

Response

```json
{
  "connectors": [
    {
      "connector_id": "splunk-primary",
      "display_name": "Splunk HEC (Primary)",
      "status": "healthy",
      "connector_type": "SplunkHECConnector",
      "config_summary": {
        "url": "https://splunk.example.com:8088",
        "index": "arbitex_audit"
      }
    },
    {
      "connector_id": "elastic-prod",
      "display_name": "Elasticsearch (Prod)",
      "status": "degraded",
      "connector_type": "ElasticsearchConnector",
      "config_summary": {
        "host": "https://elastic.example.com:9200",
        "index": "arbitex-audit"
      }
    }
  ],
  "total": 2
}
```

config_summary contains non-sensitive fields only; credentials are never included.
status values: healthy, degraded, error, not_configured.
SIEM health summary

```
GET /api/admin/siem/health
Authorization: Bearer <token>
```

Returns aggregate health counts across all registered connectors.

Response

```json
{
  "healthy": 1,
  "degraded": 1,
  "error": 0,
  "not_configured": 0,
  "total": 2
}
```

Use this endpoint for monitoring dashboard integrations, and alert when the error or degraded counts are non-zero.
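The two registry endpoints above are the natural input for an alerting job. As an added example, not Arbitex code, the following turns the health summary into alert lines, names the connectors that need attention, cross-checks the summary against a recount of the listing, and verifies the one property the listing promises (config_summary carries no credentials). The sample responses are constructed from the shapes shown on this page; the third connector entry is invented specifically to show a leaking listing, and the SECRET_NAME pattern is an assumption.

```python
"""Alerting and leak checks over /api/admin/siem/health and /api/admin/siem/connectors.
Added example, not Arbitex code; sample responses are constructed."""
import re
from collections import Counter

STATUSES = ("healthy", "degraded", "error", "not_configured")
# Assumption: a config_summary key matching this pattern is credential-bearing.
SECRET_NAME = re.compile(r"token|key|secret|password", re.IGNORECASE)


def health_alerts(summary: dict) -> list:
    """Map aggregate counts to alert lines. A connector that is not delivering means
    audit events are not reaching the SIEM, so anything but healthy is actionable."""
    alerts = []
    if summary.get("total", 0) == 0:
        alerts.append("CRITICAL: no SIEM connectors registered")
    if summary.get("error", 0):
        alerts.append(f"CRITICAL: {summary['error']} connector(s) in error")
    if summary.get("degraded", 0):
        alerts.append(f"WARNING: {summary['degraded']} connector(s) degraded "
                      "(last test or delivery failed)")
    if summary.get("not_configured", 0):
        alerts.append(f"WARNING: {summary['not_configured']} connector(s) not configured")
    return alerts


def unhealthy_connectors(listing: dict) -> list:
    """(connector_id, status) pairs, so the alert names which /test/{connector_id} to run."""
    return [(c["connector_id"], c["status"])
            for c in listing["connectors"] if c["status"] != "healthy"]


def leaked_fields(listing: dict) -> list:
    """config_summary is documented as non-sensitive. Flag keys whose name looks like a
    credential, and endpoint URLs that embed a secret in the path (Sumo Logic collector URLs)."""
    leaks = []
    for c in listing["connectors"]:
        for key, value in c.get("config_summary", {}).items():
            if SECRET_NAME.search(key):
                leaks.append(f"{c['connector_id']}.{key}")
            elif key in ("url", "host") and "/receiver/v1/http/" in str(value):
                leaks.append(f"{c['connector_id']}.{key} (token in URL path)")
    return leaks


def summary_drift(summary: dict, listing: dict) -> dict:
    """Compare the aggregate counts with a recount of the listing. A non-empty result means
    the two calls disagree, e.g. a connector was registered between them; re-poll before paging."""
    seen = Counter(c["status"] for c in listing["connectors"])
    return {s: (summary.get(s, 0), seen.get(s, 0))
            for s in STATUSES if summary.get(s, 0) != seen.get(s, 0)}


# Constructed sample responses. The first two entries mirror the page; "sumo-bad" is an
# invented entry whose config_summary leaks a token, which a correct registry never emits.
SAMPLE_HEALTH = {"healthy": 1, "degraded": 1, "error": 1, "not_configured": 0, "total": 3}
SAMPLE_LISTING = {"connectors": [
    {"connector_id": "splunk-primary", "display_name": "Splunk HEC (Primary)",
     "status": "healthy", "connector_type": "SplunkHECConnector",
     "config_summary": {"url": "https://splunk.example.com:8088", "index": "arbitex_audit"}},
    {"connector_id": "elastic-prod", "display_name": "Elasticsearch (Prod)",
     "status": "degraded", "connector_type": "ElasticsearchConnector",
     "config_summary": {"host": "https://elastic.example.com:9200", "index": "arbitex-audit"}},
    {"connector_id": "sumo-bad", "display_name": "Sumo Logic (constructed bad entry)",
     "status": "error", "connector_type": "SumoLogicConnector",
     "config_summary": {"url": "https://endpoint1.collection.sumologic.com/receiver/v1/http/abc123",
                        "api_key": "leaked-value"}},
], "total": 3}


if __name__ == "__main__":
    for line in health_alerts(SAMPLE_HEALTH):
        print(line)
    print("unhealthy:", unhealthy_connectors(SAMPLE_LISTING))
    print("leaks:", leaked_fields(SAMPLE_LISTING))
    print("drift:", summary_drift(SAMPLE_HEALTH, SAMPLE_LISTING))
```

In a real poller, fetch both endpoints with the admin token, feed the parsed JSON to these functions, and treat a non-empty leaked_fields result as a security finding in its own right, separate from the availability alerts.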
Test a connector
Sends a synthetic OCSF test event to a specific registered connector to verify end-to-end connectivity. For Splunk and Cortex XSIAM connectors, uses send_immediate (bypasses the local buffer), so a success reflects acceptance by the remote endpoint rather than a successful local enqueue.

```
POST /api/admin/siem/test/{connector_id}
Authorization: Bearer <token>
```

No request body required.

Returns 404 if the connector_id is not registered.

Response

```json
{
  "connector_id": "splunk-primary",
  "success": true,
  "events_sent": 1,
  "error": null
}
```

Connector config schemas
Each connector type expects specific fields in the config dict:
splunk_hec

```json
{
  "url": "https://splunk.example.com:8088",
  "token": "<HEC token>",
  "index": "arbitex_audit",
  "verify_ssl": true
}
```

sentinel (Microsoft Sentinel)

```json
{
  "workspace_id": "<workspace UUID>",
  "shared_key": "<primary or secondary key>",
  "log_type": "ArbitexAudit"
}
```

elastic (Elasticsearch)

```json
{
  "host": "https://elastic.example.com:9200",
  "api_key": "<base64-encoded id:api_key>",
  "index": "arbitex-audit"
}
```

datadog

```json
{
  "api_key": "<DD API key>",
  "site": "datadoghq.com",
  "service": "arbitex"
}
```

sumo_logic

```json
{
  "url": "https://endpoint1.collection.sumologic.com/receiver/v1/http/<token>"
}
```

cortex_xsiam

```json
{
  "url": "https://<tenant>.xdr.us.paloaltonetworks.com",
  "api_key": "<XSIAM API key>",
  "api_key_id": "<XSIAM API key ID>"
}
```

qradar

```json
{
  "host": "https://qradar.example.com",
  "token": "<QRadar API token>",
  "log_source_id": 12345
}
```

SIEM integration guide
For step-by-step setup instructions for each connector type, see:
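Returning to the connector config schemas above: they are examples rather than a machine-readable spec, and the only server-side check the page documents is the 422 for an unknown connector_type. The following pre-flight validator is an added example, not Arbitex code. Its required-key sets are transcribed from the schema blocks above (assumption: every key shown is required, except splunk_hec.verify_ssl, which the page shows as an option), and its weak-setting checks (non-HTTPS endpoints, verify_ssl false, placeholder or empty secrets, a non-integer QRadar log_source_id, a Sumo Logic URL without its token path) are this reviewer's rules, not behaviour the API is documented to enforce.

```python
"""Pre-flight validation of a connector config dict before it is POSTed to
/v1/org/siem-configs. Added example, not Arbitex code: required keys are transcribed
from the schema examples on the page; the weak-setting checks are the editor's own."""
from urllib.parse import urlparse

REQUIRED = {
    "splunk_hec": {"url", "token", "index"},
    "sentinel": {"workspace_id", "shared_key", "log_type"},
    "elastic": {"host", "api_key", "index"},
    "datadog": {"api_key", "site", "service"},
    "sumo_logic": {"url"},
    "cortex_xsiam": {"url", "api_key", "api_key_id"},
    "qradar": {"host", "token", "log_source_id"},
}
OPTIONAL = {"splunk_hec": {"verify_ssl"}}  # assumption: the only optional key shown
SECRET_FIELDS = ("token", "api_key", "api_key_id", "shared_key")


def validate(connector_type: str, config: dict) -> list:
    """Return a list of problems; an empty list means the config is worth sending."""
    if connector_type not in REQUIRED:
        return [f"unknown connector_type {connector_type!r} (the API answers 422)"]
    present = set(config)
    problems = []
    missing = REQUIRED[connector_type] - present
    if missing:
        problems.append("missing required field(s): " + ", ".join(sorted(missing)))
    extra = present - REQUIRED[connector_type] - OPTIONAL.get(connector_type, set())
    if extra:
        problems.append("field(s) not in the documented schema: " + ", ".join(sorted(extra)))

    # Endpoint hygiene: the credential travels with every event, so plain http is a leak.
    for key in ("url", "host"):
        if key in config:
            parts = urlparse(str(config[key]))
            if parts.scheme != "https":
                problems.append(f"{key} must be https, got {parts.scheme or 'no scheme'!r}: "
                                "the credential would be sent in clear")
            elif not parts.netloc:
                problems.append(f"{key} is not an absolute URL")
    if config.get("verify_ssl") is False:
        problems.append("verify_ssl=false disables certificate checking; an on-path attacker "
                        "could capture the HEC token")
    # Secrets copied from the docs still carry the <placeholder> brackets.
    for key in SECRET_FIELDS:
        if key in config:
            value = str(config[key]).strip()
            if not value or (value.startswith("<") and value.endswith(">")):
                problems.append(f"{key} is empty or still a placeholder")
    if connector_type == "qradar" and "log_source_id" in config \
            and not isinstance(config["log_source_id"], int):
        problems.append("log_source_id must be an integer, not "
                        f"{type(config['log_source_id']).__name__}")
    if connector_type == "sumo_logic":
        # The collector token is the last path segment; a bare receiver URL is missing it.
        path = urlparse(str(config.get("url", ""))).path
        prefix = "/receiver/v1/http/"
        if not path.startswith(prefix) or len(path) <= len(prefix):
            problems.append("sumo_logic url must be the full collector URL including its token")
    return problems


if __name__ == "__main__":
    weak = {"url": "http://splunk.example.com:8088", "token": "<HEC token>",
            "index": "arbitex_audit", "verify_ssl": False}
    fixed = {"url": "https://splunk.example.com:8088", "token": "8b3f-hec-token",
             "index": "arbitex_audit", "verify_ssl": True}
    for label, cfg in (("weak", weak), ("fixed", fixed)):
        print(label, validate("splunk_hec", cfg) or "OK")
```

Run validate() on the dict you are about to send and refuse to POST while it returns anything; the create endpoint will happily encrypt and store a config that is syntactically fine but points at a plaintext endpoint or still holds a placeholder token, and you would only find out at the next test delivery.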