SIEM Integration Overview
Arbitex generates a structured audit event for every request processed through the gateway, every DLP trigger, every authentication event, and every account change. These events can be streamed in real time to your SIEM using one or more SIEM connectors running inside the Arbitex platform.
Architecture
Section titled “Architecture” ┌──────────────────────────────────────────┐ │ Arbitex Platform │ │ │ Requests ─────────►│ Gateway → Policy Engine → DLP → Audit │ │ │ │ │ Event Publisher │ │ │ │ │ ┌─────────────┼──────────────┐ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ Splunk Sentinel Elastic │ │ HEC (DCR/DCE) Bulk API │ │ │ │ │ │ │ Datadog Sumo Logic │ │ Logs API HTTP Source │ └──────────────────────────────────────────┘When an audit event is generated, it is dispatched to every configured and healthy SIEM connector. Connectors operate independently — a failure in one connector does not affect delivery to others. Each connector maintains its own in-memory buffer, retry queue, and dead letter file.
OCSF v1.1 event format
Section titled “OCSF v1.1 event format”All events are formatted as Open Cybersecurity Schema Framework (OCSF) v1.1 JSON. OCSF provides a vendor-neutral, normalized schema that allows events from different systems to be correlated and analyzed in a consistent structure without per-source parsing rules.
Why OCSF matters
Section titled “Why OCSF matters”Most SIEM platforms require custom parsers or mapping rules for each log source they ingest. OCSF removes this step by providing a schema that maps directly to common SIEM data models. When Arbitex events arrive in OCSF format, your SIEM can apply standard detection rules and dashboards designed for OCSF-compliant sources without additional transformation.
Core OCSF fields present in every Arbitex event
Section titled “Core OCSF fields present in every Arbitex event”| Field | Description |
|---|---|
class_uid | OCSF event class integer identifier |
class_name | Human-readable event class name |
category_uid | OCSF category integer identifier |
category_name | Human-readable category name |
activity_id | Activity type within the class |
activity_name | Human-readable activity name |
severity_id | Severity integer (0=Unknown, 1=Informational, 2=Low, 3=Medium, 4=High, 5=Critical) |
severity | Human-readable severity |
status_id | Outcome integer (0=Unknown, 1=Success, 2=Failure) |
status | Human-readable outcome |
time | Event timestamp, epoch milliseconds |
message | Human-readable event description |
metadata.version | OCSF schema version (1.1.0) |
metadata.product.name | Always Arbitex |
Actor and principal fields
Section titled “Actor and principal fields”| Field | Description |
|---|---|
actor.user.uid | Internal user ID |
actor.user.email_addr | User email address |
actor.user.name | User display name |
actor.org.uid | Organization ID |
actor.org.name | Organization name |
Source endpoint and geo fields
Section titled “Source endpoint and geo fields”| Field | Description |
|---|---|
src_endpoint.ip | Source IP address of the request |
src_endpoint.location.country | ISO 3166-1 alpha-2 country code |
src_endpoint.location.city | City name (GeoIP enrichment) |
src_endpoint.location.lat | Latitude (GeoIP enrichment) |
src_endpoint.location.long | Longitude (GeoIP enrichment) |
src_endpoint.is_anonymous | True if the IP is a known VPN/proxy/Tor exit |
Event types streamed
Section titled “Event types streamed”| OCSF class | class_uid | Trigger |
|---|---|---|
| API Activity | 6003 | Every request proxied through the gateway |
| Security Finding | 2001 | DLP rule trigger — BLOCK, REDACT, CANCEL, or SKIP |
| Authentication | 3002 | Login, SSO callback, token exchange, logout |
| Account Change | 3001 | User invite, group membership change, role assignment |
Available connectors
Section titled “Available connectors”| Connector | Protocol | Authentication | Format | Status |
|---|---|---|---|---|
| Splunk HEC | HTTPS POST | HEC token | OCSF JSON in HEC envelope | Available |
| Microsoft Sentinel | HTTPS POST (DCR Log Ingestion API) | Azure AD client credentials | OCSF JSON array | Available |
| Elasticsearch | HTTPS Bulk API | API key or basic auth | OCSF NDJSON | Available |
| Datadog | HTTPS Logs Intake API v2 | API key | OCSF JSON in log envelope | Available |
| Sumo Logic | HTTPS HTTP Source | URL-embedded auth | OCSF NDJSON | Available |
| IBM QRadar | Syslog CEF over TLS | TLS client cert | CEF | Coming soon |
| Palo Alto Cortex XSIAM | HTTPS | API key | OCSF JSON | Coming soon |
Multiple connectors can be active simultaneously. Events are delivered to all healthy connectors.
Global vs. per-org SIEM configuration
Section titled “Global vs. per-org SIEM configuration”Global connectors
Section titled “Global connectors”Global connectors are configured at the platform level using environment variables on the Arbitex platform deployment. They receive events from all organizations. This is the default and most common configuration — set once, stream everything.
Configure global connectors by setting the connector-specific environment variables described in each connector guide.
Per-org connectors
Section titled “Per-org connectors”Any organization can configure dedicated SIEM connectors that receive only that org’s audit events, independently of the global connector configuration. Per-org connectors are stored in the siem_configs database table with Fernet-encrypted credential payloads.
Per-org connectors support all seven connector types: Splunk HEC, Microsoft Sentinel, Elasticsearch, Datadog, Sumo Logic, Cortex XSIAM, and IBM QRadar.
For full configuration reference including config schema per connector type, Fernet encryption, and delivery status tracking, see the Per-org SIEM configuration guide.
Organizations on dedicated Outpost deployments can also configure connector-level SIEM sinks inside the Outpost. See the Outpost deployment guide.
Delivery guarantees and retry behavior
Section titled “Delivery guarantees and retry behavior”All connectors share the same delivery model:
- Buffering: Events are accumulated in memory and flushed when the buffer reaches the configured batch size (default: 100 events) or the flush interval elapses (default: 5 seconds).
- Retry: On transient HTTP errors (429, 503) or connection failures, the connector retries with exponential backoff: 1s, 2s, 4s, up to the configured maximum retries (default: 3 attempts).
- Dead letter queue: Events that cannot be delivered after all retries are written to a JSONL file on the platform host. Each connector has its own dead letter path. Dead letter events are not automatically replayed — they require manual intervention.
- Independence: Each connector runs independently. A failure in one connector does not affect delivery to other connectors or block request processing.
There is no cross-connector deduplication or ordered delivery guarantee. Events may arrive slightly out of order if a connector retries a batch while a subsequent batch is already delivered.
Connector guides
Section titled “Connector guides”- Splunk HEC — configure the HTTP Event Collector connector
- Microsoft Sentinel — configure the Azure Monitor DCR ingestion connector
- Elasticsearch — configure the Elastic Bulk API connector
- Datadog — configure the Datadog Logs Intake connector
- Sumo Logic — configure the Sumo Logic HTTP Source connector
- Per-org SIEM configuration — configure per-organization connectors stored in the database