
SIEM Integration

Melvin PETIT edited this page Jun 22, 2026 · 1 revision


DataShield exports alerts to a SIEM/SOAR in two complementary ways: a pull feed your collector polls, and a push delivery the scheduler POSTs on a fixed interval. Both share the formatters in src/lib/integrations/ and the serialization in formatAlerts. Pull/push logic lives in src/lib/siem.ts.

Formats

| Format | Output | Content type |
| --- | --- | --- |
| json | Single JSON array of alert records | application/json |
| cef | Newline-delimited ArcSight CEF, one event per line | text/plain |
| syslog | Newline-delimited syslog, one event per line | text/plain |

Each alert record carries id, severity, status, message, employee email, breach name, and timestamp. Raw UDP/TCP syslog sockets are not used; the integration targets HTTP collectors (Splunk HEC, Microsoft Sentinel, generic HTTP).
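The serialization step described above, as an added example that is not DataShield's own code: one record type feeding the three outputs in the table, with the escaping each format needs so that a message containing `|`, `=` or a newline cannot split or corrupt an event in a newline-delimited feed. The record field names, the CEF vendor/product/version header values, the syslog facility, hostname and SD-ID, and the severity mappings are assumptions made for this illustration.

```typescript
// Added example, not DataShield's own code. Field names, CEF header values,
// syslog facility/host/SD-ID and severity mappings are assumptions.
export interface Alert {
  id: string;
  severity: "low" | "medium" | "high" | "critical";
  status: string;
  message: string;
  employeeEmail: string;
  breachName: string;
  timestamp: string; // ISO 8601, UTC
}

export type SiemFormat = "json" | "cef" | "syslog";

export const CONTENT_TYPES: Record<SiemFormat, string> = {
  json: "application/json",
  cef: "text/plain",
  syslog: "text/plain",
};

// CEF severity is an integer 0-10; syslog severity runs 0 (emerg) to 7 (debug).
const CEF_SEVERITY: Record<Alert["severity"], number> = { low: 2, medium: 5, high: 8, critical: 10 };
const SYSLOG_SEVERITY: Record<Alert["severity"], number> = { low: 6, medium: 4, high: 3, critical: 2 };
const SYSLOG_FACILITY = 16; // local0 (assumed)
const HOSTNAME = "datashield"; // assumed

// CEF header fields may not contain a raw '|' or '\'.
function cefHeader(v: string): string {
  return v.replace(/\\/g, "\\\\").replace(/\|/g, "\\|");
}

// CEF extension values escape '\' and '='; a raw newline would split the event
// across two lines of a newline-delimited feed, so it is escaped as well.
function cefExt(v: string): string {
  return v.replace(/\\/g, "\\\\").replace(/=/g, "\\=").replace(/\r?\n/g, "\\n");
}

// CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
export function toCef(a: Alert): string {
  const ext = [
    `rt=${Date.parse(a.timestamp)}`,
    `suser=${cefExt(a.employeeEmail)}`,
    `cs1Label=breach cs1=${cefExt(a.breachName)}`,
    `cs2Label=status cs2=${cefExt(a.status)}`,
    `msg=${cefExt(a.message)}`,
  ].join(" ");
  return `CEF:0|DataShield|DataShield|1.0|${cefHeader(a.id)}|${cefHeader(a.breachName)}|${CEF_SEVERITY[a.severity]}|${ext}`;
}

// RFC 5424 SD-PARAM values escape '"', '\' and ']'.
function sdEscape(v: string): string {
  return v.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/]/g, "\\]");
}

// RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG
export function toSyslog(a: Alert): string {
  const pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY[a.severity];
  const sd =
    `[datashield@32473 id="${sdEscape(a.id)}" breach="${sdEscape(a.breachName)}"` +
    ` status="${sdEscape(a.status)}" user="${sdEscape(a.employeeEmail)}"]`;
  const msg = a.message.replace(/\r?\n/g, " "); // keep one event per line
  return `<${pri}>1 ${a.timestamp} ${HOSTNAME} datashield - alert ${sd} ${msg}`;
}

// Produce the response body and content type for the requested format.
export function formatAlerts(alerts: Alert[], format: SiemFormat): { body: string; contentType: string } {
  const lines = format === "cef" ? alerts.map(toCef) : format === "syslog" ? alerts.map(toSyslog) : null;
  const body = lines ? lines.join("\n") + "\n" : JSON.stringify(alerts);
  return { body, contentType: CONTENT_TYPES[format] };
}

// Constructed sample input for this example (values contain the characters
// each format must escape).
export const SAMPLE: Alert[] = [
  {
    id: "alt_001", severity: "high", status: "open",
    message: "Credential found in dump | hash=sha1",
    employeeEmail: "jane@example.com", breachName: "Acme|2024",
    timestamp: "2026-06-22T10:15:00Z",
  },
  {
    id: "alt_002", severity: "low", status: "resolved",
    message: "Email only\nno password",
    employeeEmail: "bob@example.com", breachName: "Foo Forum",
    timestamp: "2026-06-22T10:20:00Z",
  },
];
```

`formatAlerts(SAMPLE, "cef")` yields two CEF lines; the `|` in the breach name is escaped in the header but not in the extension, and the `=` in the message is escaped only in the extension, which is what the CEF escaping rules require. A collector that rejects the feed usually does so because of exactly these characters, so they are worth keeping in test data.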

Pull feed

| Endpoint | Method | Auth | Description |
| --- | --- | --- | --- |
| /api/integrations/siem/[companyId] | GET | Bearer token | Export recent alerts |
  • Query params: format (json default, cef, syslog) and optional since (ISO timestamp) to fetch only newer alerts.
  • Authenticated by a per-company bearer token: the stored token is encrypted (AES-256-GCM) and compared in constant time (authenticateSiem). A missing or unreadable token returns 401.
  • Rate limited to 60 requests per company per minute, and capped at 1000 alerts per response for a bounded payload.

Configure the token via PATCH /api/company (siemToken); only siemTokenHint is shown in settings.
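The pull-feed handling described above, as an added example (not the project's own `authenticateSiem` or route code): bearer-token check in constant time, 401 for a missing or unreadable token, the per-company rate limit, the `since` filter, and the 1000-alert cap. The company store, the fixed-window limiter, the alert ordering, and the in-memory plaintext token are assumptions; the AES-256-GCM decryption of the stored token that the page describes is left out so the example stays self-contained.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example, not DataShield's own code. The stored token is held in
// plaintext here because the AES-256-GCM decryption step is out of scope.
export interface Alert { id: string; timestamp: string; }
export interface Company { siemToken?: string; alerts: Alert[]; }

export const RATE_LIMIT = 60;   // requests per company per minute
export const WINDOW_MS = 60_000;
export const MAX_ALERTS = 1000; // cap per response

// Hash both sides so the compared buffers always have equal length:
// timingSafeEqual throws on a length mismatch, which would itself leak
// the token length to the caller.
export function tokensMatch(presented: string, stored: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(stored, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Fixed-window counter per company (assumed; the page does not name the algorithm).
const windows = new Map<string, { start: number; count: number }>();
export function allowRequest(companyId: string, now: number): boolean {
  const w = windows.get(companyId);
  if (!w || now - w.start >= WINDOW_MS) {
    windows.set(companyId, { start: now, count: 1 });
    return true;
  }
  w.count += 1;
  return w.count <= RATE_LIMIT;
}

export interface PullRequest { companyId: string; authorization?: string; since?: string; }
export interface PullResponse { status: number; alerts?: Alert[]; }

export function handlePull(req: PullRequest, db: Map<string, Company>, now: number): PullResponse {
  const company = db.get(req.companyId);
  // No company or no usable token: the feed is not enabled, answer 401 rather than 500.
  if (!company || !company.siemToken) return { status: 401 };
  const presented = req.authorization?.startsWith("Bearer ") ? req.authorization.slice(7) : "";
  if (!presented || !tokensMatch(presented, company.siemToken)) return { status: 401 };
  if (!allowRequest(req.companyId, now)) return { status: 429 };

  let since = -Infinity;
  if (req.since !== undefined) {
    since = Date.parse(req.since);
    if (Number.isNaN(since)) return { status: 400 }; // reject an unparsable timestamp
  }
  const alerts = company.alerts
    .filter((a) => Date.parse(a.timestamp) > since)
    .sort((x, y) => Date.parse(x.timestamp) - Date.parse(y.timestamp))
    .slice(0, MAX_ALERTS); // bounded payload
  return { status: 200, alerts };
}

// Constructed sample data for this example.
export const DB = new Map<string, Company>([
  ["acme", {
    siemToken: "example-token-do-not-use",
    alerts: [
      { id: "alt_001", timestamp: "2026-06-22T10:15:00Z" },
      { id: "alt_002", timestamp: "2026-06-22T10:20:00Z" },
    ],
  }],
]);
```

The limiter here is consulted after the token check, so a valid collector is never starved by unauthenticated traffic; counting failed authentications against a separate per-company or per-source budget would additionally bound token guessing, and which of the two matters more depends on where the endpoint is exposed.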

Push delivery

runDueSiemPush (invoked from the cron endpoint) POSTs each company's new alerts to its configured HTTPS collector:

  • Targets are configured via PATCH /api/company (siemPush): an encrypted URL (siemPushUrlEnc / siemPushHint) and a format (siemPushFormat).
  • A watermark (siemPushSince) advances only after a successful POST, so a failed delivery is retried on the next tick with no gaps and no duplicates.
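The watermark behaviour described above, as an added example that is not DataShield's `runDueSiemPush`: each target's `since` advances only when the POST succeeds, so a failed tick re-sends the same batch and a clean tick sends nothing twice. The target and alert shapes are assumptions, the sender is a synchronous stand-in for the HTTPS POST (returning true for a 2xx response), and only the JSON body is built here; the cef and syslog bodies would come from the same formatters the pull feed uses.

```typescript
// Added example, not DataShield's own code. Shapes and the synchronous
// sender are assumptions made for this illustration.
export interface Alert { id: string; timestamp: string; }
export interface PushTarget {
  companyId: string;
  url: string;                         // decrypted siemPushUrlEnc
  format: "json" | "cef" | "syslog";   // siemPushFormat
  since: string | null;                // siemPushSince watermark; null = never pushed
}
export type Sender = (url: string, contentType: string, body: string) => boolean;
export interface PushSummary { sent: number; failed: number; skipped: number; }

export function runDueSiemPush(
  targets: PushTarget[],
  alertsByCompany: Map<string, Alert[]>,
  send: Sender,
): PushSummary {
  const summary: PushSummary = { sent: 0, failed: 0, skipped: 0 };
  for (const t of targets) {
    // HTTPS only: the body carries employee emails and breach names.
    if (!t.url.startsWith("https://")) { summary.skipped += 1; continue; }
    const since = t.since ? Date.parse(t.since) : -Infinity;
    const due = (alertsByCompany.get(t.companyId) ?? [])
      .filter((a) => Date.parse(a.timestamp) > since)
      .sort((x, y) => Date.parse(x.timestamp) - Date.parse(y.timestamp));
    if (due.length === 0) { summary.skipped += 1; continue; }
    // JSON shown here; cef/syslog would use the feed formatters.
    const ok = send(t.url, "application/json", JSON.stringify(due));
    if (!ok) { summary.failed += 1; continue; } // watermark untouched: retried next tick
    t.since = due[due.length - 1].timestamp;     // advance only after success
    summary.sent += due.length;
  }
  return summary;
}

// Constructed sample data for this example (alerts deliberately out of order,
// and one target misconfigured with a plain-HTTP URL).
export const TARGETS: PushTarget[] = [
  { companyId: "acme", url: "https://collector.example.net/ingest", format: "json", since: null },
  { companyId: "beta", url: "http://plain.example.net/ingest", format: "cef", since: null },
];
export const ALERTS = new Map<string, Alert[]>([
  ["acme", [
    { id: "alt_002", timestamp: "2026-06-22T10:20:00Z" },
    { id: "alt_001", timestamp: "2026-06-22T10:15:00Z" },
  ]],
  ["beta", [{ id: "alt_009", timestamp: "2026-06-22T10:30:00Z" }]],
]);

// A sender that fails its first call and succeeds afterwards, to exercise the retry path.
export function flakySender(): { send: Sender; calls: string[] } {
  const calls: string[] = [];
  const send: Sender = (_url, _contentType, body) => { calls.push(body); return calls.length > 1; };
  return { send, calls };
}
```

Running three ticks with `flakySender()` shows the sequence: tick one fails and leaves `since` at null, tick two re-sends the identical batch and advances `since` to the newest timestamp, tick three finds nothing due. The strict greater-than comparison means an alert that later arrives with exactly the watermark timestamp would be skipped; if timestamps can collide, carrying the last sent alert id as a tiebreaker or watermarking on a monotonic sequence number closes that gap.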

See Configuration for CRON_SECRET and the scheduler, and Security for token handling.
