
SIEM Integration

Security Information and Event Management (SIEM) platforms are a central component of most enterprise security operations. Integrating the Zaita platform with your organisation's SIEM enables real-time visibility into certificate lifecycle events, supports automated alerting and incident response workflows, and provides the audit evidence required for compliance reporting.

This page describes the integration methods available for exporting Zaita audit data to external SIEM platforms.

What Is Exported

Zaita audit logs capture all significant operations across the platform. The following event categories are available for SIEM export:

  • Authentication: User login and logout, SSO assertions, failed authentication attempts, session expiry
  • Machine account activity: API authentication, federated identity token exchange, IP whitelist enforcement
  • Certificate lifecycle: Certificate issuance, renewal, revocation, expiry, and download events
  • PKI operations: Root and intermediate CA creation, policy changes, key lifecycle events
  • Certificate discovery: Scan execution, new certificate detection, certificate inventory changes
  • Deployment operations: Certificate installation on target systems, Bridge job dispatch and completion
  • Administrative changes: User creation and deactivation, role assignments, group membership changes, account configuration updates
  • Security events: Permission denied errors, IP whitelist violations, anomalous access patterns

Each audit event includes a timestamp, the identity of the actor (user or machine account), the action performed, the affected resource, and the outcome (success or failure). Events are structured in JSON format to support automated parsing and field extraction by downstream SIEM platforms.

Integration Methods

Zaita supports multiple integration patterns to accommodate the range of SIEM platforms and ingestion architectures used across enterprise environments. The available methods are described below.

Webhook Delivery

Zaita can push audit events to a customer-specified HTTPS endpoint in near real-time. Webhook delivery is the most responsive integration method, enabling SIEM platforms to receive events within seconds of occurrence.

How it works:

  1. The customer configures a webhook endpoint URL and optional authentication headers within the Zaita platform
  2. As audit events are generated, the platform delivers each event as an HTTPS POST request containing a JSON-formatted event payload
  3. The receiving endpoint acknowledges receipt with a 2xx response

Characteristics:

  • Near real-time event delivery
  • Suitable for SIEM platforms with native webhook ingestion (e.g., Splunk HTTP Event Collector, Microsoft Sentinel, Elastic, Sumo Logic)
  • Supports custom HTTP headers for authentication (bearer tokens, API keys)
  • Automatic retry with exponential backoff on delivery failure
  • Events are queued and delivered in order; persistent endpoint unavailability triggers an alert to the customer

Cloud Storage Export

For organisations that run single-tenant deployments and prefer batch-oriented ingestion, or that use a data lake as an intermediate layer, Zaita can export audit logs to cloud storage buckets at configurable intervals.

How it works:

  1. The customer provides access credentials or a cross-account role for a cloud storage destination (e.g., Amazon S3, Azure Blob Storage, or Google Cloud Storage)
  2. Zaita writes audit log files in JSON or JSON Lines format to the designated bucket on a scheduled basis
  3. The customer's SIEM or log pipeline ingests files from the storage location

Characteristics:

  • Batch delivery at configurable intervals (e.g., every 5 minutes, hourly, daily)
  • Well suited to architectures that use cloud storage as an ingestion source (e.g., AWS S3 with Splunk, Azure Blob with Microsoft Sentinel, GCS with Chronicle)
  • Files are written with consistent naming conventions and partitioned by date for straightforward ingestion rule configuration
  • Supports customer-managed encryption on the destination bucket

REST API

The Zaita REST API provides programmatic access to audit log data, enabling customers to build custom integrations or pull events on demand.

How it works:

  1. The customer authenticates to the Zaita REST API using a machine account with appropriate permissions
  2. Audit events are queried using filter parameters such as time range, event type, actor, and resource
  3. Results are returned as paginated JSON responses

Characteristics:

  • Pull-based model — the customer controls when and how frequently data is retrieved
  • Supports filtering, pagination, and time-range queries for targeted extraction
  • Suitable for custom ingestion pipelines, scheduled scripts, or SIEM platforms that support API-based data collection (e.g., Splunk scripted inputs, Elastic HTTP input, QRadar REST API connectors)
  • Ideal for ad-hoc investigation and forensic queries alongside ongoing ingestion

Syslog Forwarding

For organisations with established syslog-based log aggregation infrastructure, Zaita supports forwarding audit events over syslog.

How it works:

  1. The customer configures a syslog destination (hostname, port, and protocol) within the Zaita platform
  2. Audit events are formatted as structured syslog messages (RFC 5424) with JSON payloads in the message body
  3. Events are forwarded to the customer's syslog collector or concentrator

Characteristics:

  • Supports TCP, UDP, and TLS-encrypted syslog transport
  • Compatible with traditional log aggregation infrastructure and SIEM platforms with native syslog ingestion (e.g., QRadar, ArcSight, LogRhythm, Graylog)
  • TLS transport is recommended for production use to protect audit data in transit
  • Near real-time delivery with queueing and retry on connection failure
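The RFC 5424 framing described above, as an added example (not code from the Zaita platform or its documentation): one audit event is wrapped in a syslog header with the JSON payload as the message body, and a collector-side parser recovers the header fields and the event. The hostname, APP-NAME, facility and the outcome-to-severity mapping are assumptions chosen for illustration.

```python
import json

# Constructed sample event, copied from the representative example on this page.
SAMPLE_EVENT = {
    "event_id": "evt_a1b2c3d4e5f6", "timestamp": "2026-03-15T08:42:17.003Z",
    "tenant_id": "tnt_7g8h9i0j", "actor": {"type": "user", "id": "usr_k1l2m3n4"},
    "action": "certificate.issue",
    "resource": {"type": "certificate", "id": "crt_o5p6q7r8", "name": "api.example.com"},
    "outcome": "success", "metadata": {"ca_id": "ca_s9t0u1v2"}, "source_ip": "203.0.113.42",
}

FACILITY_LOCAL0 = 16  # assumption: facility an operator might assign to Zaita audit export
# Assumption: map the documented outcome values onto RFC 5424 severity levels.
SEVERITY_BY_OUTCOME = {"success": 6, "failure": 3, "denied": 4}


def format_syslog(event, hostname="zaita.example", app_name="zaita-audit", facility=FACILITY_LOCAL0):
    """Wrap one audit event as an RFC 5424 message; the JSON payload becomes the MSG part."""
    severity = SEVERITY_BY_OUTCOME.get(event.get("outcome"), 5)  # unknown outcome -> notice
    pri = facility * 8 + severity
    msgid = event.get("action", "-")  # MSGID carries the dot-separated action for cheap filtering
    # PROCID and STRUCTURED-DATA are the NILVALUE "-"; payload is compacted to a single line.
    payload = json.dumps(event, separators=(",", ":"), sort_keys=True)
    return f"<{pri}>1 {event['timestamp']} {hostname} {app_name} - {msgid} - {payload}"


def parse_syslog(line):
    """Collector side: split the header, decode PRI, and load the JSON body."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    # Seven single-space splits leave the MSG (which may itself contain spaces) intact.
    version, timestamp, hostname, app_name, procid, msgid, sd, msg = line[pri_end + 1:].split(" ", 7)
    if version != "1" or sd != "-":
        raise ValueError("unexpected header; this parser only handles NILVALUE structured data")
    header = {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
              "hostname": hostname, "app_name": app_name, "msgid": msgid}
    return header, json.loads(msg)
```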

Choosing an Integration Method

The appropriate integration method depends on your SIEM platform, network architecture, and operational preferences. The following table provides guidance for common scenarios.

  • SIEM supports native webhook or HTTP ingestion: Webhook delivery
  • SIEM ingests from cloud storage buckets: Cloud storage export
  • Custom ingestion pipeline or data lake architecture: Cloud storage export or REST API
  • Existing syslog infrastructure or on-premises SIEM: Syslog forwarding
  • Need for ad-hoc queries alongside continuous ingestion: REST API (supplementary)
  • Lowest latency alerting on security-critical events: Webhook delivery
  • Air-gapped or restricted network environments: Syslog forwarding (via Bridge network path)

Multiple methods can be configured simultaneously. For example, an organisation might use webhook delivery for real-time alerting while also exporting to cloud storage for long-term archival and compliance.

Event Format

All integration methods deliver audit events in a consistent JSON structure. The following is a representative example:

{
  "event_id": "evt_a1b2c3d4e5f6",
  "timestamp": "2026-03-15T08:42:17.003Z",
  "tenant_id": "tnt_7g8h9i0j",
  "actor": {
    "type": "user",
    "id": "usr_k1l2m3n4",
    "email": "[email protected]"
  },
  "action": "certificate.issue",
  "resource": {
    "type": "certificate",
    "id": "crt_o5p6q7r8",
    "name": "api.example.com"
  },
  "outcome": "success",
  "metadata": {
    "ca_id": "ca_s9t0u1v2",
    "algorithm": "ECDSA-P384",
    "validity_days": 365
  },
  "source_ip": "203.0.113.42"
}

Field definitions:

  • event_id: Unique identifier for the audit event
  • timestamp: ISO 8601 timestamp in UTC
  • tenant_id: Identifier of the tenant that generated the event
  • actor: The user or machine account that performed the action
  • action: The operation performed, expressed as a dot-separated category and verb
  • resource: The platform resource affected by the action
  • outcome: Result of the operation — success, failure, or denied
  • metadata: Additional context specific to the event type
  • source_ip: IP address from which the request originated

Security Considerations

  • Authentication — All integration endpoints should be secured with appropriate credentials. Webhook endpoints should validate request authenticity using shared secrets or signature verification. API access requires machine account authentication with scoped permissions.
  • Transport encryption — All export methods use encrypted transport (HTTPS, TLS). Syslog forwarding should be configured with TLS rather than plain TCP or UDP in production environments.
  • Access control — SIEM export configuration is restricted to users with administrative roles. Changes to export configuration are captured in the audit log.
  • Data sensitivity — Audit events may contain personal information such as email addresses and IP addresses. Ensure that your SIEM platform's access controls and retention policies are consistent with your organisation's privacy and data handling requirements.
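A receiving endpoint for the webhook delivery method described earlier, as an added example (not code from the Zaita platform or its documentation): it verifies a shared-secret HMAC signature over the raw body in constant time, validates the documented event fields, deduplicates on event_id (a retried delivery whose 2xx was lost arrives twice), and raises an alert for any non-success outcome. The signature header name and HMAC-SHA256 scheme are assumptions; the page only states that webhook endpoints should validate authenticity using shared secrets or signatures.

```python
import hashlib
import hmac
import json

REQUIRED_FIELDS = ("event_id", "timestamp", "tenant_id", "actor", "action", "resource", "outcome")
SIGNATURE_HEADER = "X-Zaita-Signature"  # assumption: hypothetical header name, not specified on the page

# Constructed sample: the representative event from this page, as a raw POST body.
SAMPLE_BODY = json.dumps({
    "event_id": "evt_a1b2c3d4e5f6", "timestamp": "2026-03-15T08:42:17.003Z",
    "tenant_id": "tnt_7g8h9i0j", "actor": {"type": "user", "id": "usr_k1l2m3n4"},
    "action": "certificate.issue",
    "resource": {"type": "certificate", "id": "crt_o5p6q7r8", "name": "api.example.com"},
    "outcome": "success", "metadata": {"ca_id": "ca_s9t0u1v2"}, "source_ip": "203.0.113.42",
}).encode()


def sign(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the exact bytes of the body; the sender computes the same value."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()   # event_ids already accepted, so redelivered events are not double-counted
        self.alerts = []    # (event_id, action, outcome, actor id) for non-success outcomes

    def handle(self, headers: dict, body: bytes) -> int:
        """Process one POST; returns the HTTP status the endpoint should answer with."""
        provided = headers.get(SIGNATURE_HEADER, "")
        # Check the signature before parsing, using a constant-time comparison.
        if not hmac.compare_digest(provided, sign(body, self.secret)):
            return 401
        try:
            event = json.loads(body)
        except ValueError:
            return 400
        if not isinstance(event, dict) or any(k not in event for k in REQUIRED_FIELDS):
            return 400
        if event["event_id"] in self.seen:
            return 200  # already processed; acknowledge so the sender stops retrying
        self.seen.add(event["event_id"])
        if event["outcome"] != "success":
            self.alerts.append((event["event_id"], event["action"], event["outcome"], event["actor"].get("id")))
        return 200
```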

Next Steps

  • Configure your preferred integration method in the Zaita web portal under Admin > Integrations > SIEM Export
  • For details on the audit events generated by specific platform operations, see the relevant documentation for PKI, Bridges, and Certificate Discovery
  • For information on how audit data is retained, see the Data Retention policy