SIEM Integration
Forward Aurva events to Splunk, Elastic, Datadog, Coralogix, QRadar, and Microsoft Sentinel for centralised security monitoring.
Aurva can push policy violations, risk findings, DAM events, and audit logs to your SIEM or log analytics platform. This keeps Aurva data alongside the rest of your security telemetry for correlation, investigation, and compliance reporting.
Supported SIEMs
| Platform | Method | Status |
|---|---|---|
| Splunk | HTTP Event Collector (HEC) | GA |
| Elastic | Elasticsearch API | GA |
| Datadog | Log API | GA |
| Coralogix | REST API | GA |
| IBM QRadar | Syslog (CEF) | Beta |
| Microsoft Sentinel | Log Analytics API | Planned |
Configuration
Splunk (HEC)
- In Splunk, create an HTTP Event Collector token (Settings -> Data Inputs -> HTTP Event Collector). Create a dedicated token for Aurva rather than reusing one from another source, and restrict its allowed indexes to the index Aurva will write to.
- In Aurva, navigate to Settings -> Integrations -> SIEM and select Splunk.
- Provide:
  - HEC endpoint URL (e.g. `https://splunk.example.com:8088/services/collector`)
  - HEC token
  - Index name (optional, defaults to `main`)
  - Source type (recommended: `aurva:events`)
- Click Test Connection, then Save.
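To check the HEC token, index and source type outside the Aurva console, the following added example (not Aurva's own code) builds the same kind of request the integration sends: one HEC JSON envelope per event, batched into a single POST with the `Splunk <token>` authorization scheme. The event is a constructed test record using the field names of Aurva's event schema; the environment variable names are assumptions.

```python
"""Send a test event to a Splunk HTTP Event Collector the way a SIEM
integration would, so the token, index and sourcetype can be verified.
Added example; not Aurva's own code."""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample event using the field names of Aurva's event schema.
SAMPLE_EVENT = {
    "event_id": "evt_test001",
    "event_type": "audit_event",
    "severity": "low",
    "timestamp": "2026-04-13T10:15:30Z",
    "details": {"user": "siem-connectivity-check"},
}


def iso_to_epoch(ts):
    """Convert an ISO-8601 UTC timestamp ('...Z') to epoch seconds for HEC's 'time'."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_hec_envelope(event, sourcetype="aurva:events", index=None, host="aurva"):
    """Wrap one event in the JSON envelope /services/collector expects.

    'time' is the event's own timestamp, not the send time; otherwise every
    retried or replayed event is indexed at the wrong moment.
    """
    envelope = {
        "time": iso_to_epoch(event["timestamp"]),
        "host": host,
        "source": "aurva",
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:  # omit to let the token's default index apply ('main' per this page)
        envelope["index"] = index
    return envelope


def build_hec_request(endpoint, token, envelopes):
    """Batch several envelopes into one POST; HEC accepts newline-separated JSON objects."""
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in envelopes).encode("utf-8")
    return urllib.request.Request(
        endpoint,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",  # HEC's own scheme, not Bearer
            "Content-Type": "application/json",
        },
    )


def send(request, cafile=None, timeout=10):
    """POST to HEC and return its JSON reply; success is {"text": "Success", "code": 0}.

    Certificate verification stays on. If HEC presents a certificate from a
    private CA, pass that CA bundle as cafile instead of disabling verification.
    """
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import os
    # Assumed environment variable names; point them at your own HEC endpoint.
    url = os.environ.get("HEC_URL", "https://splunk.example.com:8088/services/collector")
    token = os.environ["HEC_TOKEN"]
    envelope = build_hec_envelope(SAMPLE_EVENT, index=os.environ.get("HEC_INDEX"))
    print(send(build_hec_request(url, token, [envelope]), cafile=os.environ.get("HEC_CAFILE")))
```

Run it with `HEC_TOKEN` set; a `{"text": "Success", "code": 0}` reply means the token is valid and the index is permitted for it, and the event should then be visible in Splunk under `sourcetype=aurva:events`. An HTTP 400 with code 7 ("Incorrect index") is the usual sign that the token's allowed-index list does not include the index you configured.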
Elastic
- Generate an API key in Kibana (Stack Management -> API Keys). Restrict the key to the Aurva indices (e.g. `aurva-events-*`) with write privileges only; it does not need cluster-wide access.
- In Aurva, select Elastic and provide:
  - Elasticsearch endpoint (e.g. `https://elastic.example.com:9200`)
  - API key
  - Index prefix (default: `aurva-events`)
- Click Test Connection, then Save.
Datadog
- Create a Datadog API key (Organisation Settings -> API Keys).
- In Aurva, select Datadog and provide:
  - Datadog site (`datadoghq.com` or `datadoghq.eu`)
  - API key
  - Service tag (default: `aurva`)
- Click Test Connection, then Save.
Event Schema
All events are delivered as JSON. Below is a representative example:

```json
{
  "event_id": "evt_abc123",
  "event_type": "policy_violation",
  "severity": "high",
  "timestamp": "2026-04-13T10:15:30Z",
  "source": {
    "service": "payment-api",
    "namespace": "production",
    "data_asset": "payments-db"
  },
  "policy": {
    "id": "pol_456",
    "name": "PII access outside business hours",
    "category": "internal_activity"
  },
  "details": {
    "user": "svc-batch-processor",
    "query_hash": "a1b2c3d4",
    "rows_accessed": 15000,
    "classifiers": ["PAN", "Aadhaar", "Email"]
  }
}
```
Event Types
| Type | Description |
|---|---|
| policy_violation | A policy rule was triggered |
| risk_finding | A new risk was discovered during a DSPM scan |
| dam_event | A database query captured by DAM |
| audit_event | An administrative action in the Aurva console |
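The QRadar path above delivers events as CEF over syslog rather than as the JSON shown in the schema. The following added example (not Aurva's own code) shows how a JSON event of any of the four types is rendered as a CEF line: the header fields escape `|` and `\`, the extension escapes `=` and newlines, policy-less types fall back to the event type as the CEF name, and the custom-string slots (`cs1`..`cs4`) keep a fixed meaning so a DSM mapping stays stable. The field mapping, the severity scale and the syslog facility are assumptions; the sample event is the one from the Event Schema section.

```python
"""Render Aurva JSON events as CEF lines for syslog delivery.
Added example, not Aurva's own code; the field mapping and severity
scale are assumptions."""
from datetime import datetime, timezone

# Constructed sample: the policy_violation example from the Event Schema section.
SAMPLE_EVENT = {
    "event_id": "evt_abc123",
    "event_type": "policy_violation",
    "severity": "high",
    "timestamp": "2026-04-13T10:15:30Z",
    "source": {"service": "payment-api", "namespace": "production", "data_asset": "payments-db"},
    "policy": {"id": "pol_456", "name": "PII access outside business hours",
               "category": "internal_activity"},
    "details": {"user": "svc-batch-processor", "query_hash": "a1b2c3d4",
                "rows_accessed": 15000, "classifiers": ["PAN", "Aadhaar", "Email"]},
}

# Assumed mapping of Aurva severities onto CEF's 0-10 scale.
SEVERITY_TO_CEF = {"low": 3, "medium": 5, "high": 8, "critical": 10}


def _esc_header(value):
    """CEF header fields: backslash and pipe are the reserved characters."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values: escape backslash and '=', fold newlines; '|' is allowed here."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "").replace("\n", "\\n")


def epoch_ms(ts):
    """Aurva timestamps are ISO-8601 UTC; CEF 'rt' takes milliseconds since the epoch."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000


def to_cef(event, vendor="Aurva", product="Aurva", version="1.0"):
    """Build one CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    policy = event.get("policy") or {}
    source = event.get("source") or {}
    details = event.get("details") or {}
    # risk_finding, dam_event and audit_event carry no policy: use the type as the name.
    name = policy.get("name") or event["event_type"]
    severity = SEVERITY_TO_CEF.get(event.get("severity", "low"), 3)
    header = "CEF:0|" + "|".join(
        _esc_header(v) for v in (vendor, product, version, event["event_type"], name, severity)
    )
    # Fixed order so the line is stable for regression tests and DSM field mapping.
    extension = [
        ("rt", epoch_ms(event["timestamp"])),
        ("externalId", event["event_id"]),
        ("cat", policy.get("category")),
        ("suser", details.get("user")),
        ("cnt", details.get("rows_accessed")),
        ("sourceServiceName", source.get("service")),
    ]
    # Custom strings keep a fixed slot per label even when earlier slots are absent.
    custom = [
        ("policy_id", policy.get("id")),
        ("data_asset", source.get("data_asset")),
        ("namespace", source.get("namespace")),
        ("classifiers", ",".join(details["classifiers"]) if details.get("classifiers") else None),
    ]
    for i, (label, value) in enumerate(custom, start=1):
        if value is not None:
            extension += [(f"cs{i}Label", label), (f"cs{i}", value)]
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension if v is not None)
    return header + "|" + ext


def syslog_frame(message, hostname="aurva", facility=20, severity=4):
    """RFC 5424 framing around the CEF line; PRI = facility * 8 + severity (local4/warning -> 164)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {ts} {hostname} aurva - - - {message}"


if __name__ == "__main__":
    print(syslog_frame(to_cef(SAMPLE_EVENT)))
```

Escaping matters more than it looks: a policy name or a captured query containing `|` or `=` would otherwise shift every following field in the parser, which is exactly the kind of input an attacker controls in a DAM event. Send the framed line over TCP with TLS rather than UDP so that high-volume DAM traffic is not silently dropped.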
Related Pages
- Alert Routes -- configure where alerts are sent
- Slack Integration -- real-time alerts to Slack channels
- Email & S3 -- email digests and S3 archival