Siem integration
This guide explains how to forward S4E security events to your SIEM platform for centralized monitoring, correlation, and alerting.
Overview
S4E can push security events --- new findings, scan completions, action results, and system alerts --- to external SIEM solutions in real time. Integration is achieved through webhooks, syslog forwarding, or direct API-based connectors.
Step 1 --- Configure a Webhook Endpoint
Create a webhook that forwards events to your SIEM ingestion endpoint.
```bash
curl -X POST "https://api.s4e.io/api/webhooks" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SIEM Forwarder",
    "url": "https://siem.example.com/api/events",
    "events": ["finding.new", "scan.completed", "action.completed"],
    "secret": "your-hmac-secret",
    "active": true
  }'
```
Step 2 --- Understand the Event Format
Every webhook payload follows a consistent JSON structure:
```json
{
  "event": "finding.new",
  "timestamp": "2026-04-28T12:00:00Z",
  "data": {
    "finding_id": "f-91827",
    "title": "SQL Injection in /api/login",
    "severity": "critical",
    "cvss": 9.8,
    "asset": {
      "id": "a-1001",
      "name": "api.example.com",
      "type": "domain"
    },
    "scan_id": "sc-44021",
    "description": "User input is passed directly to SQL query without parameterization.",
    "remediation": "Use parameterized queries or an ORM."
  }
}
```
Splunk Integration (HEC)
Splunk HTTP Event Collector (HEC) accepts JSON events over HTTPS. Point your S4E webhook at the HEC endpoint.
Splunk HEC Setup
- In Splunk, navigate to Settings > Data Inputs > HTTP Event Collector.
- Create a new token. Note the token value.
- Set the source type to _json and choose your target index.
- Configure the S4E webhook URL as your HEC endpoint.
```bash
curl -X POST "https://api.s4e.io/api/webhooks" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Splunk HEC",
    "url": "https://splunk.example.com:8088/services/collector/event",
    "headers": {
      "Authorization": "Splunk YOUR_HEC_TOKEN"
    },
    "events": ["finding.new", "scan.completed"],
    "transform": "splunk_hec",
    "active": true
  }'
```
The splunk_hec transform wraps payloads in the Splunk HEC envelope:
```json
{
  "event": { "...S4E event data..." },
  "sourcetype": "_json",
  "source": "s4e",
  "index": "security"
}
```
Tip
Use a dedicated Splunk index for S4E events to simplify searches and retention policies.
ELK / Elasticsearch Integration
Option A --- Logstash Input
Configure Logstash to receive S4E webhook payloads via an HTTP input:
```conf
input {
  http {
    port => 5044
    codec => json
  }
}
filter {
  mutate {
    add_field => { "source" => "s4e" }
  }
  date {
    match => [ "timestamp", "ISO8601" ]
    target => "@timestamp"
  }
}
output {
  elasticsearch {
    hosts => ["https://elasticsearch.example.com:9200"]
    index => "s4e-events-%{+YYYY.MM}"
    # Prefer a dedicated ingest user with write access to the s4e-events-* indices
    # over the built-in superuser, and keep the password in the Logstash keystore.
    user => "elastic"
    password => "changeme"
  }
}
```
Set your S4E webhook URL to https://logstash.example.com:5044.
Option B --- Direct Elasticsearch
For simpler setups, point the webhook directly at the Elasticsearch _bulk or document API. Use a lightweight proxy or S4E's built-in elasticsearch transform.
Kibana Dashboard
After data flows into Elasticsearch, create a Kibana dashboard with:
- Finding count by severity (pie chart)
- New findings over time (line chart)
- Top affected assets (bar chart)
- Scan completion timeline (event timeline)
Syslog Forwarding
S4E supports syslog output in RFC 5424 and CEF (Common Event Format) for integration with QRadar, ArcSight, and other SIEM platforms.
Configure Syslog Output
```bash
curl -X POST "https://api.s4e.io/api/integrations/siem" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "syslog",
    "protocol": "tcp_tls",
    "host": "siem.example.com",
    "port": 6514,
    "format": "cef",
    "events": ["finding.new", "scan.completed"]
  }'
```
CEF Format Example
```text
CEF:0|S4E|Platform|2.4.0|finding.new|SQL Injection Detected|9|
src=api.example.com dst=192.168.1.10 msg=SQL Injection in /api/login
cs1Label=severity cs1=critical cs2Label=cvss cs2=9.8
cs3Label=finding_id cs3=f-91827
```
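If your SIEM does not parse CEF natively, the record above has to be split into its seven pipe-delimited header fields plus the key=value extension, with the csN/csNLabel pairs resolved to named fields. The following parser is an added example, not S4E code; its sample input is the CEF record above joined into the single line a syslog receiver sees.

```python
import re

# Constructed sample: the CEF example above, joined into one line as delivered over syslog.
SAMPLE_CEF = (
    "CEF:0|S4E|Platform|2.4.0|finding.new|SQL Injection Detected|9|"
    "src=api.example.com dst=192.168.1.10 msg=SQL Injection in /api/login "
    "cs1Label=severity cs1=critical cs2Label=cvss cs2=9.8 "
    "cs3Label=finding_id cs3=f-91827"
)

HEADER_FIELDS = ["cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity"]

# Header fields are pipe-separated; a literal pipe inside a field is escaped as "\|".
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces, so split only before the next "key=" token.
_EXT_SPLIT = re.compile(r"\s+(?=\w+=)")


def parse_cef(line: str) -> dict:
    """Parse one CEF record into {"header": {...}, "extension": {...}}."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["severity"] = int(header["severity"])  # CEF severity is 0-10

    raw_ext = {}
    for token in _EXT_SPLIT.split(parts[7].strip()):
        key, _, value = token.partition("=")
        # In the extension, "=" and "\" are escaped as "\=" and "\\".
        raw_ext[key] = value.replace("\\=", "=").replace("\\\\", "\\")

    # Resolve custom fields: cs1Label=severity cs1=critical -> severity=critical
    extension = {}
    for key, value in raw_ext.items():
        if re.fullmatch(r"(cs|cn)\d+", key):
            extension[raw_ext.get(key + "Label", key)] = value
        elif not re.fullmatch(r"(cs|cn)\d+Label", key):
            extension[key] = value
    return {"header": header, "extension": extension}
```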
Filtering Events
Not all events need to reach your SIEM. Configure event filters to reduce noise:
| Filter Field | Description | Example |
|---|---|---|
| events | Event types to forward | ["finding.new"] |
| min_severity | Minimum severity level | high |
| asset_tags | Only forward events for tagged assets | ["production"] |
| exclude | Exclude specific event subtypes | ["finding.info"] |
```bash
curl -X POST "https://api.s4e.io/api/webhooks" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Critical Only SIEM",
    "url": "https://siem.example.com/api/events",
    "events": ["finding.new"],
    "filters": {
      "min_severity": "high"
    },
    "active": true
  }'
```
Verifying the Integration
- Trigger a test event using the webhook test endpoint:

```bash
curl -X POST "https://api.s4e.io/api/webhooks/wh-001/test" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

- Check your SIEM for the test event.
- Run a scan and confirm that finding.new events arrive in your SIEM.
Warning
Ensure your SIEM endpoint is reachable from S4E's outbound network. If you use IP allowlisting, add S4E's egress IP ranges listed in your account settings.
Security Considerations
- Use HTTPS endpoints for webhook delivery whenever possible.
- Configure an HMAC secret to verify that payloads originate from S4E.
- Rotate webhook secrets periodically.
- Monitor webhook delivery logs in Settings > Integrations > Webhooks for failures.
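A receiving proxy should check the HMAC from Step 1 before it trusts or forwards anything, and the same proxy is a natural place to build the Splunk HEC envelope from the Splunk section. The code below is an added example, not S4E's or Splunk's; it assumes the signature is HMAC-SHA256 over the raw body, hex-encoded, in an X-S4E-Signature header, none of which this page specifies.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed signing scheme (not specified on this page): HMAC-SHA256 over the raw
# request body, hex-encoded, delivered in the header named below.
SIGNATURE_HEADER = "X-S4E-Signature"


def sign(secret: str, body: bytes) -> str:
    """Signature the sender is assumed to attach to each delivery."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, headers: dict, body: bytes) -> bool:
    """Constant-time comparison; a plain == would leak timing information."""
    provided = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(provided, sign(secret, body))


def to_hec_envelope(event: dict, index: str = "security") -> dict:
    """Wrap an S4E event in the HEC envelope, mapping the event timestamp to
    HEC's epoch 'time' field so Splunk indexes it at event time, not arrival."""
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return {"time": ts.timestamp(), "event": event, "sourcetype": "_json",
            "source": "s4e", "index": index}


def handle_delivery(secret: str, headers: dict, body: bytes) -> dict:
    """Reject unsigned or tampered deliveries before the JSON is even parsed."""
    if not verify_signature(secret, headers, body):
        raise PermissionError("webhook signature mismatch; dropping delivery")
    return to_hec_envelope(json.loads(body))


# Constructed sample delivery: the finding.new payload from Step 2, signed with
# the placeholder secret from Step 1.
SAMPLE_SECRET = "your-hmac-secret"
SAMPLE_BODY = json.dumps({
    "event": "finding.new",
    "timestamp": "2026-04-28T12:00:00Z",
    "data": {"finding_id": "f-91827", "severity": "critical", "cvss": 9.8,
             "asset": {"id": "a-1001", "name": "api.example.com", "type": "domain"}},
}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign(SAMPLE_SECRET, SAMPLE_BODY)}
```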
Next Steps
- Webhooks reference for detailed webhook API documentation.
- Event Streaming for real-time SSE-based integration.
- SIEM API reference for the full SIEM configuration API.