SIEM Integration

Stream real-time security events to your SIEM for centralized monitoring and compliance.

Supported Integrations

Platform	Method
Splunk	HTTP Event Collector (HEC)
Custom HTTP	Any HTTP/HTTPS endpoint

Configuration

Go to External Config in the dashboard.
Enable SIEM Integration.
Select your SIEM Type (Splunk HEC or Custom HTTP Endpoint).
Configure the endpoint settings (see below).
Save the configuration.

Splunk HEC Configuration

Field	Description
HEC URL	Your Splunk HEC endpoint (e.g., `https://splunk.example.com:8088/services/collector`)
HEC Token	Authentication token for HEC
Index	Target Splunk index (default: `main`)

Custom HTTP Endpoint Configuration

For non-Splunk SIEM systems or custom integrations:

Field	Description	Default
Endpoint URL	Target HTTP/HTTPS URL to send events to	-
HTTP Method	POST, PUT, or PATCH	POST
Custom Headers	JSON object of HTTP headers (e.g., for authentication)	`{"Content-Type": "application/json"}`
Timeout	Request timeout in seconds	10
Verify SSL	Whether to validate SSL certificates	Enabled
Include Metadata	Wrap events with source/sourcetype/index fields	Enabled

Custom HTTP Payload Format

When Include Metadata is enabled, events are sent as:

{
  "event": {
    "type": "tool_call",
    "timestamp": "2026-01-19T10:30:00.000Z",
    "session_id": "abc-123",
    "tool_name": "filesystem.read_file",
    "parameters": { "path": "/etc/config" },
    "status": "ok",
    "duration_ms": 45.2
  },
  "source": "edison-watch",
  "sourcetype": "cef",
  "index": "main"
}

When Include Metadata is disabled, only the raw event object is sent.

Stream Modes

Mode	Description
All	Streams all tool calls and security events
Security Only	Streams only security-related events (blocks, status changes, lethal trifecta flags)

Event Types

Edison Watch streams per-session activity:

Tool Calls: Metadata for every action (timestamp, user, tool name, duration).
Security Events: Flag changes (Trifecta) and ACL violations.
Approvals: Audit records of human-in-the-loop decisions.
Admin Actions: Configuration changes and user role updates.

Common Event Format (CEF)

Splunk HEC events are sent as CEF strings (Common Event Format):

CEF:0|Edison Watch|Edison Watch|1.0|tool_call|Tool Call|5|[email protected] act=filesystem.read_file outcome=success

Performance & Reliability

Asynchronous: Events are sent in a fire-and-forget task so SIEM streaming is not on the critical path of tool execution.
Best effort: If the SIEM endpoint is unreachable or misconfigured, events may be dropped (Edison Watch logs the error).

Need help setting up SIEM integration? Email [email protected].

On this page