
SIEM integration

ScaiDrive can push audit events to your SIEM (Splunk, Sentinel, Elastic, Datadog, Sumo Logic, etc.) in near-real-time. Events arrive seconds after they're generated, in your SIEM's preferred format, with the same fields and IDs you see in the Audit Log.

Supported destinations

Out of the box ScaiDrive ships connectors for:

| Destination | Transport |
|---|---|
| Splunk | HTTP Event Collector (HEC) |
| Microsoft Sentinel | Log Analytics workspace API |
| Elastic / OpenSearch | Bulk index API |
| Datadog | Logs intake API |
| Sumo Logic | HTTP Source URL |
| Generic syslog | RFC 5424 over TCP or UDP, optional TLS |
| Generic HTTPS | POST JSON to any URL, customizable headers and body shape |

If your SIEM isn't in the list, the generic HTTPS or syslog destinations cover almost everything.

Setting up

Compliance → SIEM → New destination. Pick a connector type, supply credentials, save. Each destination has a Test button — sends a synthetic event so you can verify it shows up in your SIEM before going live.

You can configure multiple destinations simultaneously. They're independent: a failure in one doesn't affect the others.

Event filtering

Each destination can be scoped:

  • Categories — only ship SECURITY + AUTHENTICATION, or everything.
  • Severities — only warning and critical, useful when SIEM ingest is metered.
  • Excluded users — useful for excluding noisy service accounts.
  • Excluded paths — useful when an integration generates lots of low-value events.

Filtering happens at the source — filtered events aren't sent over the wire.

Event format

The canonical event payload (CEF/ECS-like, plus ScaiDrive-specifics):

```json
{
  "event_id": "evt_01HE8...",
  "timestamp": "2026-05-12T14:23:01.453Z",
  "tenant_id": "tnt_...",
  "category": "FILE_ACCESS",
  "action": "file.download",
  "severity": "info",
  "user_id": "usr_...",
  "user_email": "alice@example.com",
  "service_account": "svc_ci_pipeline",      // present when delegated via OAuth act claim
  "resource_id": "fil_...",
  "resource_path": "/engineering/specs/v2.pdf",
  "ip": "203.0.113.42",
  "user_agent": "ScaiDrive-Desktop/1.4.2 (macOS)",
  "session_id": "ses_...",
  "payload": { ... action-specific fields ... }
}
```

Connectors translate this into your SIEM's native shape (e.g., for Splunk HEC, sourcetype=scaidrive:audit and the payload becomes event).
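To make the source-side scoping from the Event filtering section and the Splunk HEC translation above concrete, here is an added example (not ScaiDrive's connector code) that applies a destination scope to a constructed batch of events in the canonical shape and wraps the survivors in HEC envelopes. The scope parameter names, the sample event IDs and the action names other than file.download are this example's own assumptions.

```python
from datetime import datetime

# Severity ordering used by the "only warning and critical" style of scope.
SEVERITY_RANK = {"info": 0, "warning": 1, "critical": 2}

def event_allowed(evt, categories=None, min_severity="info",
                  excluded_users=(), excluded_path_prefixes=()):
    """Return True if the event passes the destination scope (filtering at the source).
    Parameter names are this example's own, not ScaiDrive configuration keys."""
    if categories is not None and evt["category"] not in categories:
        return False
    if SEVERITY_RANK[evt["severity"]] < SEVERITY_RANK[min_severity]:
        return False
    # An excluded user may be the human principal or a delegated service account.
    if evt.get("user_email") in excluded_users or evt.get("service_account") in excluded_users:
        return False
    path = evt.get("resource_path", "")
    return not any(path.startswith(p) for p in excluded_path_prefixes)

def to_splunk_hec(evt):
    """Wrap one event in a Splunk HEC envelope: sourcetype scaidrive:audit, payload under 'event'.
    HEC expects 'time' as epoch seconds, so the ISO-8601 timestamp is converted."""
    ts = datetime.fromisoformat(evt["timestamp"].replace("Z", "+00:00"))
    return {"time": ts.timestamp(), "sourcetype": "scaidrive:audit", "event": evt}

def ship(events, **scope):
    """Filter a batch and translate the survivors; returns the HEC records that would be POSTed."""
    return [to_splunk_hec(e) for e in events if event_allowed(e, **scope)]

# Constructed sample events (IDs are placeholders; auth.login_failed and
# link.external_created are hypothetical action names).
SAMPLE_EVENTS = [
    {"event_id": "evt_example_1", "timestamp": "2026-05-12T14:23:01.453Z", "category": "FILE_ACCESS",
     "action": "file.download", "severity": "info", "user_email": "alice@example.com",
     "resource_path": "/engineering/specs/v2.pdf", "ip": "203.0.113.42"},
    {"event_id": "evt_example_2", "timestamp": "2026-05-12T14:23:05.000Z", "category": "AUTHENTICATION",
     "action": "auth.login_failed", "severity": "warning", "user_email": "bob@example.com",
     "ip": "203.0.113.77"},
    {"event_id": "evt_example_3", "timestamp": "2026-05-12T14:23:09.000Z", "category": "SECURITY",
     "action": "link.external_created", "severity": "critical", "user_email": "alice@example.com",
     "service_account": "svc_ci_pipeline", "resource_path": "/engineering/specs/v2.pdf"},
]

if __name__ == "__main__":
    # Scope: SECURITY + AUTHENTICATION only, warning and above, noisy CI account excluded.
    batch = ship(SAMPLE_EVENTS, categories={"SECURITY", "AUTHENTICATION"},
                 min_severity="warning", excluded_users={"svc_ci_pipeline"})
    for rec in batch:
        print(rec["sourcetype"], rec["event"]["event_id"], rec["event"]["action"])
```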

Reliability

Events are buffered locally in a small queue (default 30 minutes, configurable). Transient destination outages cause buffering, not loss. If a destination is down for longer than the buffer window, events overflow and a SECURITY event is generated noting the drop. The buffer state and recent send rate are visible at Compliance → SIEM → destination detail.

For high-volume environments, consider running a destination per shard (e.g., one Splunk HEC token per tenant) so a single high-traffic tenant doesn't backpressure the others.

Searching in your SIEM

A starter set of dashboards/queries for the major SIEMs lives in Enterprise compliance. The most common ones:

  • Failed sign-ins by user, last 24h — spot brute-force or stolen credentials.
  • External link creations by user, last 7d — see who's sharing outside the org.
  • Files downloaded by IP, last 1h — spot data-exfiltration patterns.
  • Service account activity — verify automation is doing what's expected; group by service_account field.

Compliance considerations

For SOX, PCI, and SOC 2 audits the SIEM integration is usually the easiest control to demonstrate — events get to a tamper-resistant store quickly. Pair with a retention policy on the SIEM side that matches your compliance commitments.

For GDPR Article 30 (record of processing activities), the service_account field is the key — it identifies the system that initiated each access, distinct from the human on whose behalf it acted.

What's next#

Updated 2026-05-18 15:04:22 rev 2