SIEM Integration
SyVault can stream audit events in real time to your Security Information and Event Management (SIEM) platform via webhooks. This enables centralized security monitoring, long-term log retention beyond the default 90-day window, and correlation of SyVault events with activity from other systems in your infrastructure.
SIEM integration is available on Enterprise plans only.
Supported Targets
SyVault has been tested with and provides configuration guides for the following SIEM platforms:
| Platform | Ingestion Method |
|---|---|
| Splunk | HTTP Event Collector (HEC) |
| Microsoft Sentinel (Azure) | Data Collector API / Log Analytics workspace |
| Datadog | Log Management HTTP intake |
| Elastic (ELK Stack) | Elasticsearch HTTP endpoint or Logstash HTTP input |
| Custom | Any HTTPS endpoint that accepts JSON POST requests |
The webhook delivery mechanism is platform-agnostic. If your SIEM can receive JSON payloads via HTTPS POST, it can integrate with SyVault.
Setting Up a Webhook
- Navigate to Admin Console > Settings > SIEM Integration.
- Click Add Webhook.
- Enter the Target URL -- the HTTPS endpoint where events should be delivered.
- Select which Event Types to stream (all events, or a filtered subset such as authentication events only).
- Click Generate Secret to create an HMAC signing key.
- Copy the HMAC secret and store it securely -- it is shown only once.
- Click Save & Test. SyVault will send a test event to verify connectivity.
The HMAC signing secret is displayed only once at creation time. If you lose it, you must rotate the secret and update your SIEM's verification configuration.
Webhook Payload Format
Each webhook delivery is an HTTPS POST request with a JSON body containing a single audit event:
```json
{
  "event_id": "evt_8f3a1b2c4d5e6f70",
  "event_type": "user.login.failed",
  "timestamp": "2026-04-06T14:32:01.847Z",
  "actor": {
    "user_id": "usr_a1b2c3d4e5f6",
    "email": "alice@acme.com"
  },
  "target": {
    "type": "session",
    "id": "sess_x1y2z3w4v5u6"
  },
  "context": {
    "ip_address": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "org_id": "org_m3n4o5p6q7r8"
  }
}
```
The Content-Type header is always application/json. The payload schema is stable and versioned -- breaking changes will be communicated via the X-VF-Webhook-Version header.
HMAC Signature Verification
Every webhook request includes an X-VF-Signature-256 header containing an HMAC-SHA256 signature of the raw request body, computed using the secret you generated during setup. Always verify this signature before processing the event to ensure the request originated from SyVault and was not tampered with in transit.
To verify:
```python
import hmac
import hashlib

def verify_signature(payload_body: bytes, secret: str, signature_header: str) -> bool:
    # Compute HMAC-SHA256 over the raw request bytes (not a re-serialised JSON object)
    # and prefix it the same way the X-VF-Signature-256 header is formatted.
    expected = "sha256=" + hmac.new(
        secret.encode("utf-8"),
        payload_body,
        hashlib.sha256
    ).hexdigest()
    # Constant-time comparison avoids leaking the expected value through timing.
    return hmac.compare_digest(expected, signature_header)
```
Never skip signature verification. Without it, an attacker could send forged events to your SIEM, polluting your security data and potentially triggering false alerts or masking real incidents.
Delivery Guarantees and Retries
SyVault uses at-least-once delivery with exponential backoff. If your endpoint returns a non-2xx status code or times out (30-second threshold), SyVault retries the delivery up to 5 times with increasing delays (1s, 5s, 30s, 2m, 10m). After all retries are exhausted, the event is marked as failed and appears in the Failed Deliveries tab of the SIEM Integration settings.
Events are delivered in order per organization, but if a delivery fails and is retried, later events may arrive before the retried event. Use the timestamp and event_id fields to reconstruct the correct ordering in your SIEM.
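The following is an added example receiver (not SyVault's own code) that ties together the two points above: it verifies the X-VF-Signature-256 header over the raw body, acknowledges at-least-once redeliveries without ingesting them twice (keyed on event_id), and keeps the stored view sorted by timestamp so a late retry lands in the right place. The secret, event bodies and header dictionary are constructed for the demonstration.

```python
import hmac
import hashlib
import json
from datetime import datetime

# Constructed demo secret; in practice this is the value shown once at webhook creation.
SECRET = "whsec_example_not_real"

def sign(body: bytes, secret: str) -> str:
    """Build the same 'sha256=<hex>' value SyVault places in X-VF-Signature-256."""
    return "sha256=" + hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()

class WebhookReceiver:
    """Verify, deduplicate and order incoming audit events."""

    def __init__(self, secret: str):
        self.secret = secret
        self.seen_ids = set()   # event_ids already ingested (bounded store in production)
        self.events = []        # ingested events, kept sorted by timestamp

    def handle(self, raw_body: bytes, headers: dict) -> str:
        # Verify over the raw bytes before json.loads; re-serialising could change the digest.
        provided = headers.get("X-VF-Signature-256", "")
        if not hmac.compare_digest(sign(raw_body, self.secret), provided):
            return "rejected"       # respond 401 and do not ingest
        event = json.loads(raw_body)
        if event["event_id"] in self.seen_ids:
            return "duplicate"      # retry of an already-ingested event: respond 2xx, ingest nothing
        self.seen_ids.add(event["event_id"])
        self.events.append(event)
        # A retried delivery may arrive after newer events; re-sort by the event's own timestamp.
        self.events.sort(key=lambda e: datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")))
        return "accepted"           # respond 2xx so SyVault stops retrying

    def ordered_ids(self) -> list:
        return [e["event_id"] for e in self.events]

def demo() -> dict:
    """Replay a constructed sequence: newer event first, late retry, duplicate, forged body."""
    rx = WebhookReceiver(SECRET)
    def deliver(body: dict, secret: str = SECRET) -> str:
        raw = json.dumps(body).encode("utf-8")
        return rx.handle(raw, {"X-VF-Signature-256": sign(raw, secret)})
    e1 = {"event_id": "evt_01", "event_type": "user.login.failed", "timestamp": "2026-04-06T14:32:01.847Z"}
    e2 = {"event_id": "evt_02", "event_type": "user.login.success", "timestamp": "2026-04-06T14:32:05.000Z"}
    results = [deliver(e2), deliver(e1), deliver(e1), deliver(e2, secret="wrong-secret")]
    return {"results": results, "order": rx.ordered_ids()}
```

Returning 2xx for a duplicate is deliberate: a non-2xx response would only make SyVault retry the same event again.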
Platform-Specific Configuration
Splunk
Set the Target URL to your Splunk HEC endpoint (e.g., https://splunk.example.com:8088/services/collector/event). Add the HEC token in a custom header Authorization: Splunk <token> under Advanced > Custom Headers.
Microsoft Sentinel
Use the Azure Log Analytics Data Collector API endpoint. Set the Target URL to https://<workspace-id>.ods.opinsights.azure.com/api/logs?api-version=2016-04-01 and configure the shared key in custom headers.
Datadog
Set the Target URL to https://http-intake.logs.datadoghq.com/api/v2/logs and add the DD-API-KEY header under Advanced > Custom Headers.