---
title: SIEM integration
path: administration/siem-integration
status: published
---

ScaiDrive can push audit events to your SIEM (Splunk, Sentinel, Elastic, Datadog, Sumo Logic, etc.) in near-real-time. Events arrive seconds after they're generated, in your SIEM's preferred format, with the same fields and IDs you see in the [Audit Log](/docs/scaidrive/administration/audit-and-activity).

## Supported destinations

Out of the box ScaiDrive ships connectors for:

| Destination | Transport |
|---|---|
| Splunk | HTTP Event Collector (HEC) |
| Microsoft Sentinel | Log Analytics workspace API |
| Elastic / OpenSearch | Bulk index API |
| Datadog | Logs intake API |
| Sumo Logic | HTTP Source URL |
| Generic syslog | RFC 5424 over TCP or UDP, optional TLS |
| Generic HTTPS | POST JSON to any URL, customizable headers and body shape |

If your SIEM isn't in the list, the generic HTTPS or syslog destinations cover almost everything.

## Setting up

Compliance → SIEM → **New destination**. Pick a connector type, supply credentials, save. Each destination has a **Test** button that sends a synthetic event so you can verify it shows up in your SIEM before going live.

You can configure multiple destinations simultaneously. They're independent: a failure in one doesn't affect the others.

## Event filtering

Each destination can be scoped:

- **Categories** — only ship `SECURITY` + `AUTHENTICATION`, or everything.
- **Severities** — only `warning` and `critical`, useful when SIEM ingest is metered.
- **Excluded users** — useful for excluding noisy service accounts.
- **Excluded paths** — useful when an integration generates lots of low-value events.

Filtering happens at the source — filtered events aren't sent over the wire.
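The four scoping options above, as an added example written for this page rather than code from ScaiDrive: a small scope object plus the predicate a destination would apply before putting anything on the wire. The scope field names, the treatment of excluded paths as prefixes, and the sample events are assumptions.

```python
# Added example: destination-scope filter modelled on the four scoping options.
# Scope shape, prefix semantics for excluded paths and the sample events are
# assumptions, not ScaiDrive's configuration API or real audit output.
from dataclasses import dataclass


@dataclass
class DestinationScope:
    categories: frozenset = frozenset()      # empty = ship every category
    severities: frozenset = frozenset()      # empty = ship every severity
    excluded_users: frozenset = frozenset()  # user_email values never shipped
    excluded_paths: tuple = ()               # resource_path prefixes never shipped


def should_ship(event: dict, scope: DestinationScope) -> bool:
    """True if the event passes the destination's scope.

    Any failed test means the event is filtered at the source and never sent.
    """
    if scope.categories and event.get("category") not in scope.categories:
        return False
    if scope.severities and event.get("severity") not in scope.severities:
        return False
    if event.get("user_email") in scope.excluded_users:
        return False
    path = event.get("resource_path") or ""
    if any(path.startswith(prefix) for prefix in scope.excluded_paths):
        return False
    return True


def apply_scope(events, scope: DestinationScope) -> list:
    """Return only the events this destination would actually ship."""
    return [e for e in events if should_ship(e, scope)]


# Constructed sample events (not real ScaiDrive output); only the fields the
# filter looks at are populated.
SAMPLE_EVENTS = [
    {"event_id": "evt_1", "category": "SECURITY", "severity": "critical",
     "user_email": "alice@example.com", "resource_path": "/engineering/specs/v2.pdf"},
    {"event_id": "evt_2", "category": "AUTHENTICATION", "severity": "warning",
     "user_email": "bob@example.com"},
    {"event_id": "evt_3", "category": "FILE_ACCESS", "severity": "info",
     "user_email": "alice@example.com", "resource_path": "/engineering/specs/v2.pdf"},
    {"event_id": "evt_4", "category": "SECURITY", "severity": "warning",
     "user_email": "ci-bot@example.com"},
    {"event_id": "evt_5", "category": "SECURITY", "severity": "critical",
     "user_email": "alice@example.com", "resource_path": "/tmp/scratch/build.log"},
]

if __name__ == "__main__":
    metered = DestinationScope(
        categories=frozenset({"SECURITY", "AUTHENTICATION"}),
        severities=frozenset({"warning", "critical"}),
        excluded_users=frozenset({"ci-bot@example.com"}),
        excluded_paths=("/tmp/scratch",),
    )
    for e in apply_scope(SAMPLE_EVENTS, metered):
        print(e["event_id"], e["category"], e["severity"])
```

With the metered scope only `evt_1` and `evt_2` ship: `evt_3` fails the category test, `evt_4` is an excluded service account and `evt_5` sits under an excluded path prefix. An empty scope ships all five.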

## Event format

The canonical event payload (CEF/ECS-like, plus ScaiDrive-specifics):

```jsonc
{
  "event_id": "evt_01HE8...",
  "timestamp": "2026-05-12T14:23:01.453Z",
  "tenant_id": "tnt_...",
  "category": "FILE_ACCESS",
  "action": "file.download",
  "severity": "info",
  "user_id": "usr_...",
  "user_email": "alice@example.com",
  "service_account": "svc_ci_pipeline",      // present when delegated via OAuth act claim
  "resource_id": "fil_...",
  "resource_path": "/engineering/specs/v2.pdf",
  "ip": "203.0.113.42",
  "user_agent": "ScaiDrive-Desktop/1.4.2 (macOS)",
  "session_id": "ses_...",
  "payload": { ... action-specific fields ... }
}
```

Connectors translate this into your SIEM's native shape (e.g., for Splunk HEC, `sourcetype=scaidrive:audit` and the payload becomes `event`).
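The Splunk translation mentioned above, as an added example that is not the ScaiDrive connector's code: validate the canonical event, convert its RFC 3339 timestamp to the epoch seconds HEC expects in `time`, and wrap it with `sourcetype=scaidrive:audit` and the payload under `event`. The required-field list and the batching helper are assumptions; the sample event uses the field names from the payload above.

```python
# Added example: canonical ScaiDrive event -> Splunk HEC envelope.
# REQUIRED and hec_body() are assumptions; sourcetype and the "event" wrapper
# follow the connector behaviour described on the page.
import json
from datetime import datetime, timezone

REQUIRED = ("event_id", "timestamp", "tenant_id", "category", "action", "severity")


def parse_ts(ts: str) -> float:
    """RFC 3339 timestamp (e.g. '2026-05-12T14:23:01.453Z') -> epoch seconds."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"          # fromisoformat needs an explicit offset
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    return dt.astimezone(timezone.utc).timestamp()


def to_hec(event: dict) -> dict:
    """Wrap one canonical event in the HEC envelope; reject incomplete events."""
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError(f"event {event.get('event_id')!r} missing {missing}")
    return {
        "time": parse_ts(event["timestamp"]),   # HEC indexes by this, not by receipt time
        "sourcetype": "scaidrive:audit",
        "event": event,                          # whole payload becomes the Splunk event
    }


def hec_body(events) -> str:
    """HEC accepts several JSON objects concatenated in one POST body."""
    return "\n".join(json.dumps(to_hec(e), separators=(",", ":")) for e in events)


# Constructed sample event using the page's field names (not real audit output).
SAMPLE_EVENT = {
    "event_id": "evt_example_1",
    "timestamp": "2026-05-12T14:23:01.453Z",
    "tenant_id": "tnt_example",
    "category": "FILE_ACCESS",
    "action": "file.download",
    "severity": "info",
    "user_email": "alice@example.com",
    "resource_path": "/engineering/specs/v2.pdf",
    "ip": "203.0.113.42",
}

if __name__ == "__main__":
    print(hec_body([SAMPLE_EVENT]))
```

Indexing on the event's own `timestamp` rather than the time Splunk received it matters once buffering kicks in (see Reliability): events delivered after an outage still land at the right point on the timeline.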

## Reliability

Events are buffered locally in a small queue (default 30 minutes, configurable). Transient destination outages cause buffering, not loss. If a destination is down for longer than the buffer window, events overflow and a `SECURITY` event is generated noting the drop. The buffer state and recent send rate are visible at Compliance → SIEM → destination detail.
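The buffering behaviour described above, as an added example rather than ScaiDrive's queue implementation: a time-windowed outbound buffer that keeps events across a failed send, evicts anything older than the window, and enqueues a synthetic `SECURITY` event recording how many were dropped. The window default follows the page; the drop event's action name, the eviction policy (oldest first) and the `send` callable are assumptions.

```python
# Added example: time-windowed outbound buffer with overflow accounting.
# Assumptions: oldest events are evicted first, and the drop notice uses the
# action name "siem.events_dropped" (not a documented ScaiDrive action).
from collections import deque
import time


def drop_notice(count: int, now: float) -> dict:
    """Synthetic SECURITY event noting that buffered events overflowed."""
    return {
        "category": "SECURITY",
        "action": "siem.events_dropped",   # assumed name
        "severity": "critical",
        "timestamp": now,
        "payload": {"dropped": count},
    }


class OutboundBuffer:
    def __init__(self, window_seconds: float = 30 * 60):   # page default: 30 minutes
        self.window = window_seconds
        self._queue = deque()          # (enqueued_at, event), oldest at the left
        self.dropped_total = 0

    def __len__(self) -> int:
        return len(self._queue)

    def enqueue(self, event: dict, now: float = None) -> None:
        self._queue.append((time.time() if now is None else now, event))

    def flush(self, send, now: float = None) -> tuple:
        """Deliver everything buffered via send(batch).

        Returns (sent, dropped). A failing send keeps the queue intact so the
        next flush retries; events older than the window are dropped first and
        replaced by a single SECURITY drop notice.
        """
        now = time.time() if now is None else now
        dropped = 0
        while self._queue and now - self._queue[0][0] > self.window:
            self._queue.popleft()
            dropped += 1
        if dropped:
            self.dropped_total += dropped
            self._queue.append((now, drop_notice(dropped, now)))
        batch = [event for _, event in self._queue]
        if not batch:
            return 0, dropped
        try:
            send(batch)
        except Exception:            # transient outage: buffer, don't lose
            return 0, dropped
        self._queue.clear()
        return len(batch), dropped


if __name__ == "__main__":
    buf = OutboundBuffer(window_seconds=1800)
    for i in range(3):
        buf.enqueue({"event_id": f"evt_{i}"}, now=i)

    def down(batch):
        raise ConnectionError("destination down")

    print(buf.flush(down, now=10))            # (0, 0): kept for retry
    delivered = []
    print(buf.flush(delivered.extend, now=1805))  # (1, 3): only the drop notice ships
    print(delivered[0]["payload"])
```

The drop notice is itself queued rather than sent out-of-band, so it reaches the SIEM through the same destination once it recovers and shows up next to the gap it explains.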

For high-volume environments, consider running a **destination per shard** (e.g., one Splunk HEC token per tenant) so a single high-traffic tenant doesn't backpressure the others.

## Searching in your SIEM

A starter set of dashboards/queries for the major SIEMs lives in [Enterprise compliance](/docs/scaidrive/advanced/enterprise-compliance). The most common ones:

- **Failed sign-ins by user, last 24h** — spot brute-force or stolen credentials.
- **External link creations by user, last 7d** — see who's sharing outside the org.
- **Files downloaded by IP, last 1h** — spot data-exfiltration patterns.
- **Service account activity** — verify automation is doing what's expected; group by `service_account` field.
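The first and third starter queries above, as an added example run in code over constructed events so the aggregation logic is explicit (the SIEM-native queries live in the Enterprise compliance page). Only `file.download` appears in the event format on this page; the failed sign-in action name `auth.login_failed`, the thresholds and the sample data are assumptions.

```python
# Added example: two of the starter detections over constructed events.
# Assumptions: failed sign-ins carry action "auth.login_failed"; thresholds
# and the sample events are invented for illustration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 12, 15, 0, 0, tzinfo=timezone.utc)   # constructed "now"


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _recent(events, action: str, now: datetime, window: timedelta):
    """Events with the given action whose timestamp falls inside the window."""
    return [e for e in events
            if e["action"] == action and timedelta(0) <= now - parse_ts(e["timestamp"]) <= window]


def failed_signins_by_user(events, now: datetime = NOW, threshold: int = 5) -> dict:
    """'Failed sign-ins by user, last 24h': users at or above the threshold."""
    counts = Counter(e["user_email"]
                     for e in _recent(events, "auth.login_failed", now, timedelta(hours=24)))
    return {user: n for user, n in counts.items() if n >= threshold}


def downloads_by_ip(events, now: datetime = NOW, threshold: int = 3) -> dict:
    """'Files downloaded by IP, last 1h': distinct files per source IP.

    Counting distinct resource_ids rather than raw events keeps a client that
    re-downloads one file from looking like bulk collection.
    """
    files = defaultdict(set)
    for e in _recent(events, "file.download", now, timedelta(hours=1)):
        files[e["ip"]].add(e["resource_id"])
    return {ip: len(f) for ip, f in files.items() if len(f) >= threshold}


def build_sample_events() -> list:
    """Constructed audit events (not real ScaiDrive output)."""
    def mk(action, user, ip, resource, minutes_ago, category):
        return {"category": category, "action": action, "user_email": user, "ip": ip,
                "resource_id": resource,
                "timestamp": (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%S.000Z")}
    events = []
    for m in (10, 20, 30, 40, 50, 60):        # alice: 6 failures in the last hour
        events.append(mk("auth.login_failed", "alice@example.com", "203.0.113.42", None, m, "AUTHENTICATION"))
    for m in (15, 45):                         # bob: only 2 failures
        events.append(mk("auth.login_failed", "bob@example.com", "198.51.100.7", None, m, "AUTHENTICATION"))
    for m in (1800, 1810, 1820, 1830, 1840, 1850):   # carol: 6 failures, but 30h ago
        events.append(mk("auth.login_failed", "carol@example.com", "192.0.2.9", None, m, "AUTHENTICATION"))
    for i, m in enumerate((5, 10, 15, 20), start=1):  # one IP pulls 4 distinct files
        events.append(mk("file.download", "alice@example.com", "203.0.113.42", f"fil_{i}", m, "FILE_ACCESS"))
    for m in (3, 8):                           # another IP re-downloads the same file
        events.append(mk("file.download", "bob@example.com", "198.51.100.7", "fil_1", m, "FILE_ACCESS"))
    events.append(mk("file.download", "alice@example.com", "203.0.113.42", "fil_5", 120, "FILE_ACCESS"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("failed sign-ins >=5 in 24h:", failed_signins_by_user(evs))
    print("distinct downloads >=3 in 1h:", downloads_by_ip(evs))
```

Both functions filter on the event's own `timestamp`, so events that arrive late after a buffered outage still fall into the right window when the query is re-run.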

## Compliance considerations

For SOX, PCI, and SOC 2 audits the SIEM integration is usually the easiest control to demonstrate — events get to a tamper-resistant store quickly. Pair with a retention policy on the SIEM side that matches your compliance commitments.

For GDPR Article 30 (record of processing activities), the `service_account` field is the key — it identifies the system that initiated each access, distinct from the human on whose behalf it acted.

## What's next

- [Audit and activity](/docs/scaidrive/administration/audit-and-activity) — same events, viewed in the admin UI.
- [Compliance policies](/docs/scaidrive/administration/compliance-policies) — legal holds, retention, DLP.