Surface Security supports forwarding security events to external SIEM platforms for centralized monitoring and compliance.
Supported Destinations
| Destination | Protocol | Authentication | Format |
|---|
| Splunk HEC | HTTPS | HEC Token | JSON |
| Webhook | HTTPS | Custom Headers | JSON |
| Syslog | TCP/UDP/TLS | Certificate (optional) | RFC 5424 |
| Elasticsearch | HTTPS | API Key / Basic Auth | JSON (Bulk API) |
| S3 | HTTPS | Access Key / Secret Key | JSON |
Event Types Forwarded
| Event Category | Events Included |
|---|
| Verification | Code generation, verification attempts, failures, rate limits |
| Alerts | All security alerts (phishing, credential reuse, breach detection) |
| Credentials | Login form interactions, password changes, MFA events |
| Authentication | SSO flows, IDP redirects, session events |
| Administrative | Admin actions, policy changes, user management |
Severity Levels
| Level | Code | Description | Example Events |
|---|
| Critical | 1 | Immediate action required | Active phishing, credential compromise |
| High | 2 | Urgent security concern | Breach detection, suspicious login |
| Warning | 3 | Potential security issue | Policy violation, unusual activity |
| Info | 4 | Informational events | Successful logins, routine operations |
Configuration Options
Each SIEM destination is configured with the following options.
Common Settings
| Field | Description | Default |
|---|
URL | Target URL or host:port | (required) |
Headers | Custom headers (for webhook destinations) | (none) |
TLSSkipVerify | Skip TLS certificate verification | false |
TimeoutSeconds | Request timeout | 30 |
RetryCount | Number of retries on failure | 3 |
BatchSize | Events per batch | (destination-dependent) |
FlushIntervalSecs | Batch flush interval in seconds | (destination-dependent) |
Splunk HEC
| Field | Description |
|---|
SplunkToken | HEC authentication token |
SplunkIndex | Target index |
SplunkSource | Source identifier |
SplunkSourceType | Source type |
Syslog
| Field | Description |
|---|
SyslogProtocol | tcp, udp, or tls |
SyslogFacility | Syslog facility code |
SyslogHostname | Hostname in syslog messages |
SyslogAppName | Application name |
Elasticsearch
| Field | Description |
|---|
ESIndex | Target index name |
ESUsername | Basic auth username |
ESPassword | Basic auth password |
ESAPIKey | API key authentication (alternative to basic auth) |
| Field | Description |
|---|
S3Bucket | Target bucket |
S3Prefix | Object key prefix |
S3Region | AWS region |
S3AccessKey | AWS access key |
S3SecretKey | AWS secret key |
Setup
SIEM log forwarding is configured in the admin dashboard under Settings > Integrations. You can add multiple destinations and configure which event types are forwarded to each destination.
For API-based configuration, see the Admin API reference.