
SIEM Integration

Stream Flowstate security events to your SIEM (Security Information and Event Management) platform in real time. Monitor authentication activity, configuration changes, API usage, and data access patterns from your central security console.

Overview

Flowstate generates structured security events for key activities across the platform. When you configure a SIEM integration, these events are delivered as JSON payloads to your SIEM endpoint via HTTPS webhooks.

Each event includes:

  • Event type and category for filtering and alerting
  • Actor identity (user ID, email, API key identifier)
  • Timestamp in ISO 8601 format
  • Resource details (what was accessed or changed)
  • Severity level for prioritization

Step 1: Configure an Endpoint

  1. Navigate to Settings > Security > SIEM Integration
  2. Click Add Endpoint
  3. Enter the following:

     Field        | Description
     -------------|------------
     Name         | A descriptive name (e.g., "Splunk HEC", "Sentinel Webhook")
     Endpoint URL | The HTTPS URL where events should be sent
     Auth Type    | Bearer Token, Header, or None
     Auth Value   | The token or header value (depends on auth type)

  4. Click Save

Authentication Types

Auth Type    | Configuration
-------------|--------------
Bearer Token | Sends an Authorization: Bearer {token} header with each request
Header       | Sends a custom header (e.g., X-API-Key: {value})
None         | No authentication header (use only with network-level controls)

WARNING

Always use HTTPS endpoints. Flowstate will reject HTTP URLs for SIEM endpoints to protect event data in transit.

Event Categories

Events are organized into five categories. You can enable or disable each category per endpoint.

Category       | Description                                 | Example Events
---------------|---------------------------------------------|---------------
authentication | Sign-in, sign-out, and session activity     | Login success, login failure, magic link sent, SSO redirect
audit          | Configuration and settings changes          | Auth provider created, role mapping updated, user role changed
api_activity   | REST API usage                              | API key created, API request, rate limit exceeded
data_access    | Reads and writes to workforce planning data | Employee created, plan published, report exported
infrastructure | System-level events                         | SCIM sync completed, webhook delivery failed

Configuring Categories

In the endpoint settings, toggle the categories you want to receive:

  1. Navigate to Settings > Security > SIEM Integration
  2. Click on your endpoint
  3. Under Event Categories, enable or disable each category
  4. Click Save

TIP

Start with authentication and audit categories for security monitoring. Add api_activity and data_access if you need visibility into data-level operations.

Severity Levels

Each event has a severity level. You can set a minimum severity threshold per endpoint to reduce noise.

Severity | Description                        | Examples
---------|------------------------------------|---------
critical | Immediate attention required       | Multiple failed login attempts, API key compromised
high     | Significant security event         | Auth provider deleted, admin role granted
medium   | Notable activity worth tracking    | New API key created, user deactivated
low      | Routine operational events         | Successful login, API request, data export
info     | Informational, low-priority events | Magic link sent, session refreshed

Set the minimum severity in the endpoint configuration. For example, setting the threshold to medium will deliver critical, high, and medium events but suppress low and info.

Event Payload Format

All events follow a consistent JSON structure:

```json
{
  "id": "evt_x7k9m2p4q1w3e5r8",
  "timestamp": "2026-03-11T14:32:07.123Z",
  "category": "authentication",
  "type": "login.success",
  "severity": "low",
  "actor": {
    "userId": "clx1a2b3c4d5e6f7g8h9",
    "email": "jane.chen@acme.com",
    "ipAddress": "203.0.113.42",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
  },
  "resource": {
    "type": "session",
    "id": "ses_r8t3l1m1t9a2b3c4"
  },
  "details": {
    "method": "saml",
    "provider": "Okta SSO",
    "domain": "acme.com"
  },
  "organization": {
    "id": "clx9o8r7g6i5d4",
    "name": "Acme Corp"
  },
  "tenant": "acme"
}
```

Payload Fields

Field             | Type   | Description
------------------|--------|------------
id                | string | Unique event identifier
timestamp         | string | ISO 8601 timestamp with millisecond precision
category          | string | Event category (see table above)
type              | string | Specific event type (e.g., login.success)
severity          | string | Event severity level
actor.userId      | string | ID of the user who triggered the event
actor.email       | string | Email of the actor
actor.ipAddress   | string | Source IP address
actor.userAgent   | string | Browser or client user agent string
resource.type     | string | Type of resource affected
resource.id       | string | ID of the affected resource
details           | object | Event-specific metadata
organization.id   | string | Organization ID
organization.name | string | Organization display name
tenant            | string | Tenant subdomain
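The receiving side of the Authentication Types and Payload Fields sections above, as an added example that is not Flowstate's own code: a framework-agnostic webhook handler that checks the Bearer Token or custom Header credential in constant time, then validates the event against the field and value tables. The function names, the header name parameter and the abbreviated sample body are assumptions of this example.

```python
import hmac
import json

# Allowed values and required top-level fields, taken from the page's tables.
CATEGORIES = {"authentication", "audit", "api_activity", "data_access", "infrastructure"}
SEVERITIES = {"critical", "high", "medium", "low", "info"}
REQUIRED = ("id", "timestamp", "category", "type", "severity",
            "actor", "resource", "details", "organization", "tenant")

def auth_ok(headers, expected, header_name="Authorization"):
    """Constant-time check of the Bearer Token (Authorization) or custom Header credential."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = lowered.get(header_name.lower(), "")
    if header_name.lower() == "authorization":
        if not presented.startswith("Bearer "):
            return False
        presented = presented[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected.encode())

def validate_event(event):
    """Return schema problems as strings; an empty list means the event is well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in event]
    if event.get("category") not in CATEGORIES:
        problems.append(f"unknown category: {event.get('category')!r}")
    if event.get("severity") not in SEVERITIES:
        problems.append(f"unknown severity: {event.get('severity')!r}")
    return problems

def handle_webhook(headers, body, expected, header_name="Authorization"):
    """Framework-agnostic receiver: returns (HTTP status, parsed event or error dict)."""
    if not auth_ok(headers, expected, header_name):
        return 401, {"error": "unauthorized"}
    try:
        event = json.loads(body)
    except ValueError:
        event = None
    if not isinstance(event, dict):
        return 400, {"error": "body is not a JSON object"}
    problems = validate_event(event)
    if problems:
        return 400, {"error": "invalid event", "problems": problems}
    return 200, event

# Constructed sample request body, abbreviated from the page's login.success example.
SAMPLE_BODY = json.dumps({
    "id": "evt_x7k9m2p4q1w3e5r8", "timestamp": "2026-03-11T14:32:07.123Z",
    "category": "authentication", "type": "login.success", "severity": "low",
    "actor": {"userId": "clx1a2b3c4d5e6f7g8h9", "email": "jane.chen@acme.com", "ipAddress": "203.0.113.42"},
    "resource": {"type": "session", "id": "ses_r8t3l1m1t9a2b3c4"}, "details": {"method": "saml"},
    "organization": {"id": "clx9o8r7g6i5d4", "name": "Acme Corp"}, "tenant": "acme"})
```

Wire `handle_webhook` into whatever HTTP layer fronts your SIEM (a Logic App, an Azure Function, or a small relay) and treat a 400 as a signal that the payload schema changed.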

Common Event Types

Type                   | Category       | Severity | Description
-----------------------|----------------|----------|------------
login.success          | authentication | low      | User signed in successfully
login.failure          | authentication | medium   | Failed sign-in attempt
login.failure.repeated | authentication | critical | Multiple failed attempts for one account
magic_link.sent        | authentication | info     | Magic link email dispatched
sso.redirect           | authentication | info     | User redirected to SSO provider
session.expired        | authentication | info     | User session expired
auth_provider.created  | audit          | high     | New auth provider configured
auth_provider.updated  | audit          | high     | Auth provider settings changed
auth_provider.deleted  | audit          | high     | Auth provider removed
role_mapping.updated   | audit          | high     | Group-to-role mapping changed
user.role_changed      | audit          | high     | User's role was changed
user.deactivated       | audit          | medium   | User account deactivated
api_key.created        | api_activity   | medium   | New API key generated
api_key.revoked        | api_activity   | medium   | API key revoked
api_key.expired        | api_activity   | medium   | API key reached expiration
api.request            | api_activity   | low      | API endpoint called
api.rate_limited       | api_activity   | high     | Rate limit exceeded
employee.created       | data_access    | low      | Employee record created
employee.updated       | data_access    | low      | Employee record modified
employee.deleted       | data_access    | medium   | Employee record deleted
plan.published         | data_access    | medium   | Scenario plan published
report.exported        | data_access    | low      | Report or data export generated
scim.sync_completed    | infrastructure | info     | SCIM provisioning sync completed
siem.delivery_failed   | infrastructure | high     | Failed to deliver events to SIEM endpoint
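The category toggles and minimum-severity rule from the Severity Levels section, and the event types in the table above, worked through as an added example that is not Flowstate's own code: a small triage routine that applies an endpoint's policy to a batch of events and flags the audit and authentication types an analyst should see first. The watchlist wording, the helper names and the constructed sample batch are this example's assumptions.

```python
from collections import Counter

# Severity ranking from the Severity Levels table; a higher number is more severe.
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Types from the Common Event Types table that deserve an analyst's eyes, with the reason.
WATCHLIST = {
    "login.failure.repeated": "repeated failures on one account; check for credential guessing",
    "auth_provider.deleted": "identity provider removed; confirm it was an approved change",
    "role_mapping.updated": "group-to-role mapping changed; review the privileges granted",
    "user.role_changed": "privilege change; match against a change ticket",
    "siem.delivery_failed": "event pipeline degraded; you may be missing events",
}

def passes_policy(event, enabled_categories, min_severity):
    """Endpoint policy: the category must be enabled and severity must meet the threshold.

    Mirrors the page's rule: a threshold of "medium" delivers critical, high and medium
    events and suppresses low and info.
    """
    return (event["category"] in enabled_categories
            and RANK[event["severity"]] >= RANK[min_severity])

def triage(events, enabled_categories, min_severity):
    """Filter a batch, then return (delivered events, alerts, login failures per actor)."""
    delivered = [e for e in events if passes_policy(e, enabled_categories, min_severity)]
    alerts = [(e["id"], e["type"], WATCHLIST[e["type"]]) for e in delivered if e["type"] in WATCHLIST]
    failures = Counter(e["actor"]["email"] for e in delivered if e["type"] == "login.failure")
    return delivered, alerts, failures

def _ev(n, category, type_, severity, email):
    """Constructed minimal event carrying only the fields the policy and triage use."""
    return {"id": f"evt_{n}", "category": category, "type": type_,
            "severity": severity, "actor": {"email": email}}

# Constructed sample batch using event types from the Common Event Types table.
SAMPLE = [
    _ev(1, "authentication", "login.success", "low", "jane.chen@acme.com"),
    _ev(2, "authentication", "login.failure", "medium", "bob@acme.com"),
    _ev(3, "authentication", "login.failure", "medium", "bob@acme.com"),
    _ev(4, "authentication", "login.failure.repeated", "critical", "bob@acme.com"),
    _ev(5, "audit", "user.role_changed", "high", "admin@acme.com"),
    _ev(6, "api_activity", "api.request", "low", "svc@acme.com"),
    _ev(7, "data_access", "report.exported", "low", "jane.chen@acme.com"),
    _ev(8, "infrastructure", "siem.delivery_failed", "high", "system"),
]
```

With authentication and audit enabled at a medium threshold, the batch above yields four delivered events and two alerts; enabling infrastructure surfaces the siem.delivery_failed event that signals a visibility gap.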

Platform-Specific Guides

Splunk (HTTP Event Collector)

  1. In Splunk, go to Settings > Data Inputs > HTTP Event Collector
  2. Click New Token and configure it:
    • Name: "Flowstate Security Events"
    • Source Type: _json
    • Index: your security index (e.g., security_events)
  3. Copy the HEC token
  4. In Flowstate, create a SIEM endpoint:

     Field        | Value
     -------------|------
     Endpoint URL | https://splunk.acme.com:8088/services/collector/event
     Auth Type    | Bearer Token
     Auth Value   | Your Splunk HEC token

TIP

Splunk HEC expects events wrapped in an event field. Flowstate automatically formats the payload for Splunk when the endpoint URL contains /services/collector.

Microsoft Sentinel

  1. In the Azure portal, go to Microsoft Sentinel > Data connectors
  2. Search for Custom Logs via API or use a Logic App / Azure Function as an ingestion layer
  3. Create an HTTP trigger that accepts JSON payloads
  4. In Flowstate, create a SIEM endpoint:

     Field        | Value
     -------------|------
     Endpoint URL | Your Logic App / Azure Function HTTP trigger URL
     Auth Type    | Header
     Auth Value   | Configure the header name and value per your trigger's auth

  5. In your Logic App, parse the Flowstate event JSON and forward it to the Log Analytics Workspace using the Send Data action

Datadog (Log Management)

  1. In Datadog, go to Logs > Configuration > Log Collection
  2. Copy your Datadog API Key from Organization Settings > API Keys
  3. In Flowstate, create a SIEM endpoint:

     Field        | Value
     -------------|------
     Endpoint URL | https://http-intake.logs.datadoghq.com/api/v2/logs
     Auth Type    | Header
     Auth Value   | Header name: DD-API-KEY, value: your Datadog API key

TIP

For Datadog EU, use https://http-intake.logs.datadoghq.eu/api/v2/logs as the endpoint URL.

API Key Management for SIEM

If your SIEM endpoint uses an API key or bearer token for authentication, rotate it on a regular schedule:

  1. Generate a new token in your SIEM platform
  2. Update the Auth Value in Flowstate's SIEM endpoint settings
  3. Click Save
  4. Verify events are still being delivered (see Testing below)
  5. Revoke the old token in your SIEM platform

WARNING

Update the token in Flowstate before revoking the old one in your SIEM platform. If you revoke first, events will fail to deliver until the new token is configured.

Testing Connectivity

After configuring an endpoint, verify that events are being delivered:

  1. Navigate to Settings > Security > SIEM Integration
  2. Click on your endpoint
  3. Click Send Test Event
  4. Flowstate sends a test event with category infrastructure and type siem.test:

```json
{
  "id": "evt_test_t3s7e9v2n4t1",
  "timestamp": "2026-03-11T14:45:00.000Z",
  "category": "infrastructure",
  "type": "siem.test",
  "severity": "info",
  "actor": {
    "userId": "clx1a2b3c4d5e6f7g8h9",
    "email": "admin@acme.com",
    "ipAddress": "203.0.113.42",
    "userAgent": "Flowstate Admin UI"
  },
  "resource": {
    "type": "siem_endpoint",
    "id": "clx9s8i7e6m5"
  },
  "details": {
    "message": "SIEM integration test event"
  },
  "organization": {
    "id": "clx9o8r7g6i5d4",
    "name": "Acme Corp"
  },
  "tenant": "acme"
}
```

  5. Verify the event appears in your SIEM platform
  6. If delivery fails, check the Delivery Log in the endpoint settings for error details

Delivery Retries

Flowstate retries failed deliveries with exponential backoff:

Attempt | Delay
--------|------
1       | Immediate
2       | 30 seconds
3       | 2 minutes
4       | 10 minutes
5       | 1 hour

After 5 failed attempts, the event is marked as failed and logged in the Delivery Log. Flowstate does not discard failed events; you can view them in the Delivery Log and trigger manual re-delivery.

DANGER

If an endpoint fails consistently for 24 hours, Flowstate disables the endpoint and sends an email notification to tenant administrators. Re-enable the endpoint in settings after resolving the issue.

Flowstate Documentation