Skip to main content

SIEM Integration

Surface Security supports forwarding security events to external SIEM platforms for centralized monitoring and compliance.

Supported Destinations

DestinationProtocolAuthenticationFormat
Splunk HECHTTPSHEC TokenJSON
WebhookHTTPSCustom HeadersJSON
SyslogTCP/UDP/TLSCertificate (optional)RFC 5424
ElasticsearchHTTPSAPI Key / Basic AuthJSON (Bulk API)
S3HTTPSAccess Key / Secret KeyJSON

Event Types Forwarded

Event CategoryEvents Included
VerificationCode generation, verification attempts, failures, rate limits
AlertsAll security alerts (phishing, credential reuse, breach detection)
CredentialsLogin form interactions, password changes, MFA events
AuthenticationSSO flows, IDP redirects, session events
AdministrativeAdmin actions, policy changes, user management

Severity Levels

LevelCodeDescriptionExample Events
Critical1Immediate action requiredActive phishing, credential compromise
High2Urgent security concernBreach detection, suspicious login
Warning3Potential security issuePolicy violation, unusual activity
Info4Informational eventsSuccessful logins, routine operations

Configuration Options

Each SIEM destination is configured with the following options.

Common Settings

FieldDescriptionDefault
URLTarget URL or host:port(required)
HeadersCustom headers (for webhook destinations)(none)
TLSSkipVerifySkip TLS certificate verificationfalse
TimeoutSecondsRequest timeout30
RetryCountNumber of retries on failure3
BatchSizeEvents per batch(destination-dependent)
FlushIntervalSecsBatch flush interval in seconds(destination-dependent)

Splunk HEC

FieldDescription
SplunkTokenHEC authentication token
SplunkIndexTarget index
SplunkSourceSource identifier
SplunkSourceTypeSource type

Syslog

FieldDescription
SyslogProtocoltcp, udp, or tls
SyslogFacilitySyslog facility code
SyslogHostnameHostname in syslog messages
SyslogAppNameApplication name

Elasticsearch

FieldDescription
ESIndexTarget index name
ESUsernameBasic auth username
ESPasswordBasic auth password
ESAPIKeyAPI key authentication (alternative to basic auth)

S3

FieldDescription
S3BucketTarget bucket
S3PrefixObject key prefix
S3RegionAWS region
S3AccessKeyAWS access key
S3SecretKeyAWS secret key

Setup

SIEM log forwarding is configured in the admin dashboard under Settings > Integrations. You can add multiple destinations and configure which event types are forwarded to each destination.

For API-based configuration, see the Admin API reference.