# SIEM Integration
Security Information and Event Management (SIEM) platforms are a central component of most enterprise security operations. Integrating the Zaita platform with your organisation's SIEM enables real-time visibility into certificate lifecycle events, supports automated alerting and incident response workflows, and provides the audit evidence required for compliance reporting.
This page describes the integration methods available for exporting Zaita audit data to external SIEM platforms.
## What Is Exported
Zaita audit logs capture all significant operations across the platform. The following event categories are available for SIEM export:
| Event Category | Examples |
|---|---|
| Authentication | User login and logout, SSO assertions, failed authentication attempts, session expiry |
| Machine account activity | API authentication, federated identity token exchange, IP whitelist enforcement |
| Certificate lifecycle | Certificate issuance, renewal, revocation, expiry, and download events |
| PKI operations | Root and intermediate CA creation, policy changes, key lifecycle events |
| Certificate discovery | Scan execution, new certificate detection, certificate inventory changes |
| Deployment operations | Certificate installation on target systems, Bridge job dispatch and completion |
| Administrative changes | User creation and deactivation, role assignments, group membership changes, account configuration updates |
| Security events | Permission denied errors, IP whitelist violations, anomalous access patterns |
Each audit event includes a timestamp, the identity of the actor (user or machine account), the action performed, the affected resource, and the outcome (success or failure). Events are structured in JSON format to support automated parsing and field extraction by downstream SIEM platforms.
## Integration Methods
### REST API
The Zaita REST API provides programmatic access to audit log data, enabling customers to build custom integrations or pull events on demand.
How it works:
- The customer authenticates to the Zaita REST API using a machine account with appropriate permissions
- Audit events are queried using filter parameters such as time range, event type, actor, and resource
- Results are returned as paginated JSON responses
Characteristics:
- Pull-based model — the customer controls when and how frequently data is retrieved
- Supports filtering, pagination, and time-range queries for targeted extraction
- Suitable for custom ingestion pipelines, scheduled scripts, or SIEM platforms that support API-based data collection (e.g., Splunk scripted inputs, Elastic HTTP input, QRadar REST API connectors)
- Ideal for ad-hoc investigation and forensic queries alongside ongoing ingestion
## Event Format
All integration methods deliver audit events in a consistent JSON structure. The following is a representative example:
```json
{
  "event_id": "evt_a1b2c3d4e5f6",
  "timestamp": "2026-03-15T08:42:17.003Z",
  "tenant_id": "tnt_7g8h9i0j",
  "actor": {
    "type": "user",
    "id": "usr_k1l2m3n4",
    "email": "[email protected]"
  },
  "action": "certificate.issue",
  "resource": {
    "type": "certificate",
    "id": "crt_o5p6q7r8",
    "name": "api.example.com"
  },
  "outcome": "success",
  "metadata": {
    "ca_id": "ca_s9t0u1v2",
    "algorithm": "ECDSA-P384",
    "validity_days": 365
  },
  "source_ip": "203.0.113.42"
}
```
Field definitions:
| Field | Description |
|---|---|
| event_id | Unique identifier for the audit event |
| timestamp | ISO 8601 timestamp in UTC |
| tenant_id | Identifier of the tenant that generated the event |
| actor | The user or machine account that performed the action |
| action | The operation performed, expressed as a dot-separated category and verb |
| resource | The platform resource affected by the action |
| outcome | Result of the operation — success, failure, or denied |
| metadata | Additional context specific to the event type |
| source_ip | IP address from which the request originated |
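A pull-based ingestion script (REST API section above) has to validate each event against the documented format before forwarding it and flatten the nested objects into fields a SIEM can index. The following is an added example written for this page, not Zaita's own code: it checks the documented fields, the UTC ISO 8601 timestamp and the `category.verb` action shape, and flattens events to dotted keys; the sample batch is constructed, and the `machine_account.authenticate` action and `ip_whitelist` reason in it are invented for illustration.

```python
from datetime import datetime

# Top-level fields the page lists for every event; "metadata" is optional extra context.
REQUIRED = ("event_id", "timestamp", "tenant_id", "actor", "action", "resource", "outcome", "source_ip")
OUTCOMES = {"success", "failure", "denied"}

def validate(event):
    """Return schema problems for one event; an empty list means it is safe to forward."""
    problems = [f"missing {f}" for f in REQUIRED if f not in event]
    try:  # the page specifies ISO 8601 in UTC, so the timestamp must parse with a zero offset
        ts = datetime.fromisoformat(event.get("timestamp", "").replace("Z", "+00:00"))
        if ts.utcoffset() is None or ts.utcoffset().total_seconds() != 0:
            problems.append("timestamp not UTC")
    except ValueError:
        problems.append("timestamp not ISO 8601")
    if event.get("outcome") not in OUTCOMES:
        problems.append("unknown outcome")
    if event.get("action", "").count(".") != 1:
        problems.append("action not category.verb")
    return problems

def flatten(event):
    """Flatten nested objects to dotted keys (actor.id, resource.type) and split action into category/verb."""
    flat = {}
    for key, value in event.items():
        if isinstance(value, dict):
            flat.update({f"{key}.{sub}": v for sub, v in value.items()})
        else:
            flat[key] = value
    flat["action.category"], flat["action.verb"] = event["action"].split(".", 1)
    return flat

# Constructed sample batch in the page's event format (not real Zaita data); the second
# event's action name and metadata are invented to model an IP whitelist rejection.
SAMPLE = [
    {"event_id": "evt_0001", "timestamp": "2026-03-15T08:42:17.003Z", "tenant_id": "tnt_demo",
     "actor": {"type": "user", "id": "usr_alice"}, "action": "certificate.issue",
     "resource": {"type": "certificate", "id": "crt_0001", "name": "api.example.com"},
     "outcome": "success", "metadata": {"algorithm": "ECDSA-P384", "validity_days": 365},
     "source_ip": "203.0.113.42"},
    {"event_id": "evt_0002", "timestamp": "2026-03-15T08:43:01Z", "tenant_id": "tnt_demo",
     "actor": {"type": "machine", "id": "mac_ci"}, "action": "machine_account.authenticate",
     "resource": {"type": "machine_account", "id": "mac_ci"}, "outcome": "denied",
     "metadata": {"reason": "ip_whitelist"}, "source_ip": "198.51.100.9"},
    {"event_id": "evt_0003", "timestamp": "2026-03-15T09:00:00", "tenant_id": "tnt_demo",
     "actor": {"type": "user", "id": "usr_bob"}, "action": "user.create",
     "resource": {"type": "user", "id": "usr_new"}, "outcome": "ok"},  # naive time, bad outcome, no IP
]
```

Records that fail `validate` should be quarantined rather than dropped, since a malformed batch from a pull job is itself worth an alert.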
## Security Considerations
- Access control — SIEM export configuration is restricted to users with administrative roles. Changes to export configuration are captured in the audit log.
- Data sensitivity — Audit events may contain personal information such as email addresses and IP addresses. Ensure that your SIEM platform's access controls and retention policies are consistent with your organisation's privacy and data handling requirements.
## Next Steps
- Configure your preferred integration method in the Zaita web portal under Admin → Integrations → SIEM Export
- For details on the audit events generated by specific platform operations, see the relevant documentation for PKI, Bridges, and Certificate Discovery
- For information on how audit data is retained, see the Data Retention policy