SIEM Integration
MITRITY forwards governance events to your existing security information and event management (SIEM) infrastructure. Every policy decision, behavioral anomaly, and drift alert can be delivered to your SIEM in real time, giving your security team a single view across agent governance and traditional security operations.
Supported Destinations
Splunk HTTP Event Collector (HEC)
MITRITY sends events to Splunk via the HTTP Event Collector. Events are formatted as structured JSON and indexed into the source type you configure.
Configuration:
| Field | Value |
|---|---|
| Destination URL | https://your-splunk-instance:8088/services/collector/event |
| Auth token | Your Splunk HEC token |
| Source type | mitrity:governance (recommended) |
| Index | Your designated security index |
Events include all governance context: agent ID, action type, policy decision, drift score, behavioral hash delta, and timestamps. Splunk dashboards and saved searches can correlate MITRITY events with your existing security data.
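To see what a HEC delivery looks like on the wire, and to confirm that a token, index and endpoint work before pointing MITRITY at them, here is an added example (not MITRITY's own code) that wraps a constructed governance event in the HEC JSON envelope and posts it. The event field names (`id`, `event_type`, `agent_id`, `drift_score`, and so on) and the `host` label are assumptions; only the governance context the page lists is taken from the page.

```python
"""Added example: build and send a Splunk HEC request for a MITRITY-style event.
Not MITRITY's code; event field names are assumed, not MITRITY's schema."""
import json
import urllib.request
from datetime import datetime

# Constructed sample event. Field names are an assumption for illustration.
EXAMPLE_EVENT = {
    "id": "evt-0001",
    "event_type": "policy.deny",
    "timestamp": "2024-05-01T12:00:00Z",
    "agent_id": "agent-42",
    "action_type": "file.write",
    "outcome": "deny",
    "policy_name": "no-prod-writes",
    "drift_score": 0.31,
    "behavioral_hash": "sha256:9f2c",
}


def iso_to_epoch(ts):
    """ISO 8601 timestamp (assumed MITRITY format) -> Unix seconds, as HEC 'time' expects."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def hec_envelope(event, index, sourcetype="mitrity:governance"):
    """Wrap one event in the HEC envelope. 'time' is taken from the event itself so
    Splunk indexes the decision at the moment it was made, not at delivery time."""
    return {
        "time": iso_to_epoch(event["timestamp"]),
        "host": "mitrity-control-plane",  # assumed host label
        "source": "mitrity",
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }


def hec_request(events, token, index, sourcetype="mitrity:governance"):
    """Return (headers, body) for one POST to /services/collector/event.
    HEC accepts several envelopes concatenated in one body, so a batch is
    simply the envelopes joined by newlines."""
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    body = "\n".join(json.dumps(hec_envelope(e, index, sourcetype)) for e in events)
    return headers, body


def send(url, token, index, events):
    """POST the batch over TLS (certificate verified) and return (status, response text)."""
    headers, body = hec_request(events, token, index)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Dry run: print the request that would be sent rather than contacting Splunk.
    hdrs, body = hec_request([EXAMPLE_EVENT], "your-hec-token", "security")
    print(hdrs)
    print(body)
```

A `{"text":"Success","code":0}` response from `send()` confirms the token and index are valid; a 403 or 400 from the same call points at the Splunk side rather than at MITRITY.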
Syslog CEF (QRadar, ArcSight)
For SIEM platforms that consume Common Event Format (CEF) over syslog, MITRITY formats events as CEF messages and delivers them via TCP or UDP syslog. Syslog over UDP is not acknowledged by the receiver, so dropped messages go unnoticed; prefer TCP wherever the SIEM accepts it.
Configuration:
| Field | Value |
|---|---|
| Destination | syslog://your-siem:514 (TCP) or syslog+udp://your-siem:514 (UDP) |
| Format | CEF (Common Event Format) |
| Facility | local0 - local7 (configurable) |
| Severity mapping | Deny/Block = High, Alert = Medium, Allow = Low |
CEF field mapping:
| CEF Field | MITRITY Value |
|---|---|
| deviceVendor | MITRITY |
| deviceProduct | MITRITY Platform |
| name | Policy name or behavioral_anomaly |
| severity | Mapped from policy type |
| src | Agent ID |
| act | Action type |
| outcome | allow, deny, alert, hold |
| cs1 | Drift score |
| cs2 | Behavioral hash |
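The mapping table above says which value lands in which CEF field but not how the line is assembled or escaped, which is where hand-rolled parsers and saved searches usually break. The following added example (not MITRITY's code) renders a constructed event as a CEF line using that mapping and the severity mapping above, applies the escaping CEF requires (pipe and backslash in the header, equals and backslash in the extension), and computes the syslog PRI for a given facility. The event field names, the device version, the use of the event type as the CEF signature id, the `cs1Label`/`cs2Label` names, the Medium severity for `hold`, and the syslog severity codes are all assumptions.

```python
"""Added example (not MITRITY's code): governance event -> CEF over syslog.
Event field names and several mapping details are assumptions; see comments."""
from datetime import datetime

# Constructed sample event. Field names are an assumption for illustration.
EXAMPLE_EVENT = {
    "id": "evt-0001",
    "event_type": "policy.deny",
    "timestamp": "2024-05-01T12:00:00Z",
    "agent_id": "agent-42",
    "action_type": "file.write",
    "outcome": "deny",
    "policy_name": "no-prod-writes",
    "drift_score": 0.31,
    "behavioral_hash": "sha256:9f2c",
}

# From the page: Deny/Block = High, Alert = Medium, Allow = Low.
# 'hold' is not in the page's mapping; Medium here is an assumption.
OUTCOME_SEVERITY = {"deny": "High", "block": "High", "alert": "Medium",
                    "hold": "Medium", "allow": "Low"}
SYSLOG_FACILITY = {f"local{i}": 16 + i for i in range(8)}  # RFC 3164 facility codes
# Syslog severity code per CEF severity word (assumed: warning / notice / info).
SYSLOG_SEVERITY = {"High": 4, "Medium": 5, "Low": 6}


def escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash and '=' are escaped; line breaks become \\r / \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def iso_to_epoch_ms(ts):
    """CEF 'rt' takes epoch milliseconds; MITRITY timestamps are assumed to be ISO 8601."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def to_cef(event, device_version="1.0"):
    """Return (cef_line, severity_word). device_version and using event_type as the
    signature id are assumptions; the remaining fields follow the mapping table."""
    outcome = event["outcome"]
    severity = OUTCOME_SEVERITY[outcome]
    name = event.get("policy_name") or "behavioral_anomaly"
    header = "|".join(escape_header(v) for v in (
        "MITRITY", "MITRITY Platform", device_version,
        event["event_type"], name, severity))
    # cs1Label/cs2Label are the usual companions of cs1/cs2 so ArcSight and QRadar
    # display a meaningful column name instead of "cs1".
    extension = {
        "src": event["agent_id"],
        "act": event["action_type"],
        "outcome": outcome,
        "cs1Label": "driftScore", "cs1": event["drift_score"],
        "cs2Label": "behavioralHash", "cs2": event["behavioral_hash"],
        "rt": iso_to_epoch_ms(event["timestamp"]),
        "externalId": event["id"],
    }
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}", severity


def syslog_pri(facility, severity):
    """RFC 3164 PRI value = facility * 8 + severity."""
    return SYSLOG_FACILITY[facility] * 8 + SYSLOG_SEVERITY[severity]


def syslog_line(event, facility="local0", host="mitrity"):
    """Full RFC 3164 style line: <PRI>TIMESTAMP HOST CEF:0|...  (host label assumed)."""
    line, severity = to_cef(event)
    dt = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {host} {line}"


if __name__ == "__main__":
    print(syslog_line(EXAMPLE_EVENT))
```

If a policy name or action type can contain `|`, `=` or a backslash, the escaping is what keeps QRadar and ArcSight from shifting every subsequent field by one; a quick way to validate a receiver is to feed it an event whose policy name contains a pipe and confirm `severity` still parses as High.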
Generic Webhook
For any SIEM or log aggregation platform that accepts HTTP webhooks, MITRITY can POST events as structured JSON to a URL you configure.
Configuration:
| Field | Value |
|---|---|
| Destination URL | https://your-endpoint/webhook |
| Auth | Bearer token, API key header, or no auth |
| Method | POST |
| Content-Type | application/json |
The webhook payload includes the full event object with all governance context. You can configure retry behavior (up to 3 retries with exponential backoff) and filter which event types are forwarded. Because of retries the receiver may see the same event more than once, so it should deduplicate on the event id. Choose the no-auth option only if the endpoint is otherwise restricted to the MITRITY control plane; an unauthenticated endpoint accepts governance events from anyone who can reach it.
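The receiving side is yours to write, and the two things it must get right are checking the bearer token and coping with at-least-once delivery (this also covers the duplicate-events point in Troubleshooting). The following added example, not MITRITY's code, implements the request handling for a generic webhook endpoint: constant-time token comparison, content-type and JSON validation, and a bounded memory of recently seen event ids so a retried delivery is acknowledged without being ingested twice. The token value and the event field names are assumptions.

```python
"""Added example (not MITRITY's code): the receiving side of the generic webhook.
Verifies the bearer token, then deduplicates on the event id because delivery is
at-least-once. Token value and event field names are assumptions."""
import hmac
import json
from collections import OrderedDict
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "replace-with-the-token-configured-in-mitrity"  # assumed value


class RecentIds:
    """Bounded set of recently seen event ids; the oldest id is evicted first."""

    def __init__(self, capacity=10_000):
        self.capacity = capacity
        self._seen = OrderedDict()

    def add(self, event_id):
        """Return True if the id is new, False if it was already seen."""
        if event_id in self._seen:
            return False
        self._seen[event_id] = None
        if len(self._seen) > self.capacity:
            self._seen.popitem(last=False)
        return True


def handle_webhook(headers, body, recent, sink, expected_token=EXPECTED_TOKEN):
    """Return (http_status, reason). Accepted events are appended to `sink` once.
    2xx tells the sender the delivery succeeded (also for a duplicate, so it stops
    retrying); 4xx marks a permanent problem; a transient backend failure should be
    reported as 5xx so the sender's retry-with-backoff resends the event."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time comparison so the token cannot be recovered via timing.
    if scheme != "Bearer" or not hmac.compare_digest(token, expected_token):
        return 401, "bad token"
    if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
        return 415, "expected application/json"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    event_id = event.get("id") if isinstance(event, dict) else None
    if not isinstance(event_id, str) or not event_id:
        return 400, "missing event id"
    if not recent.add(event_id):
        return 200, "duplicate ignored"
    sink.append(event)  # hand-off to the real log pipeline goes here
    return 200, "accepted"


class Handler(BaseHTTPRequestHandler):
    recent = RecentIds()
    sink = []  # stand-in for the SIEM / archive pipeline

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        status, reason = handle_webhook(self.headers, body, self.recent, self.sink)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    # Listens on localhost only; put TLS termination and network restrictions in front.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With more than one receiver instance the `RecentIds` store has to be shared (a cache or database keyed on the event id) or each instance will accept its own copy of a retried event.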
Event Types
You can configure which event types are forwarded to each SIEM destination:
| Event Type | Description |
|---|---|
| policy.deny | An action was blocked by a deny policy |
| policy.alert | An action triggered an alert policy |
| policy.hold | An action was held for human approval |
| policy.allow | An action was permitted (opt-in, high volume) |
| drift.warning | Drift score exceeded the warning threshold |
| drift.critical | Drift score exceeded the critical threshold |
| agent.connected | An agent connected to the control plane |
| agent.disconnected | An agent lost connection to the control plane |
| hold.approved | A held action was approved by a human |
| hold.denied | A held action was denied by a human |
| hold.expired | A held action expired without a decision |
By default, all event types except policy.allow are forwarded. Enable policy.allow forwarding only if you need complete audit coverage — it can generate significant volume.
Setup
Configure SIEM integration in the dashboard at Settings > Integrations or via the API:
# Create a Splunk HEC integration
curl -X POST https://api.mitrity.com/api/v1/integrations/siem \
-H "Authorization: Bearer your-api-key" \
-H "Content-Type: application/json" \
-d '{
"type": "splunk_hec",
"url": "https://your-splunk:8088/services/collector/event",
"token": "your-hec-token",
"source_type": "mitrity:governance",
"event_types": ["policy.deny", "policy.alert", "policy.hold", "drift.warning", "drift.critical"]
}'
You can configure multiple SIEM destinations. For example, send high-severity events to your primary SIEM and all events to a long-term log archive.
Troubleshooting
- Events not arriving: Verify the destination URL is reachable from the MITRITY control plane. Check the integration status in Settings > Integrations — failed deliveries show error details.
- Duplicate events: MITRITY uses at-least-once delivery. Your SIEM should deduplicate on the event id field.
- High volume: Filter event types to reduce volume. Disable policy.allow forwarding unless required for compliance.