
SIEM Integration

Forward TokenForge security events to your SOC or SIEM as webhook POSTs. Every event carries a CEF string alongside its structured JSON fields, so a SIEM with a CEF parser can ingest it without a custom field mapping.

Event Payload Format

Every webhook alert includes structured fields plus a CEF string for SIEM compatibility. The CEF header carries the event type as the Device Event Class ID, the reason as the Name and the same 0-10 severity as the top-level severity field; the extension mirrors the structured fields, using ArcSight custom fields (cs1/cs1Label, cn1/cn1Label) for the tenant and trust score. One caveat: dvc carries the TokenForge device key, whereas the CEF dictionary defines dvc as an IPv4 device address, so a parser that validates extension types may reject or drop it; take the device key from event.deviceId in the structured payload instead.

json
{
  "source": "tokenforge",
  "version": "1.0",
  "timestamp": "2026-03-22T15:30:00.000Z",
  "severity": 9,
  "severityLabel": "critical",
  "category": "session_security",
  "tenantId": "tenant_abc",
  "ruleName": "Hijack Detection",
  "event": {
    "type": "session.hijack_attempt",
    "reason": "nonce_replay",
    "trustScore": 12,
    "deviceId": "dk_8f3a2b1c",
    "ip": "198.51.100.42",
    "country": "RU"
  },
  "cef": "CEF:0|OpenSyber|TokenForge|1.0|session.hijack_attempt|nonce_replay|9|src=198.51.100.42 dvc=dk_8f3a2b1c cs1=tenant_abc cs1Label=tenantId cn1=12 cn1Label=trustScore"
}
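
The parser below is an added example (not TokenForge code) that reads the `cef` field of the payload above, resolves the labeled custom fields, and cross-checks the CEF view against the structured fields so a pipeline can alert when the two disagree. It follows the ArcSight CEF rules (seven pipe-separated header fields, space-separated `key=value` extension, `\|`, `\=` and `\\` escapes). The severity-to-label mapping fills the gaps in the page's Trellix mapping (9=Critical, 7-8=High, 5=Medium, 3=Low) and is an assumption for the values the page does not list.

```python
import ipaddress
import json
import re

# Sample webhook payload copied from the page (the only TokenForge data here).
SAMPLE_PAYLOAD = json.loads("""
{
  "source": "tokenforge",
  "version": "1.0",
  "timestamp": "2026-03-22T15:30:00.000Z",
  "severity": 9,
  "severityLabel": "critical",
  "category": "session_security",
  "tenantId": "tenant_abc",
  "ruleName": "Hijack Detection",
  "event": {
    "type": "session.hijack_attempt",
    "reason": "nonce_replay",
    "trustScore": 12,
    "deviceId": "dk_8f3a2b1c",
    "ip": "198.51.100.42",
    "country": "RU"
  },
  "cef": "CEF:0|OpenSyber|TokenForge|1.0|session.hijack_attempt|nonce_replay|9|src=198.51.100.42 dvc=dk_8f3a2b1c cs1=tenant_abc cs1Label=tenantId cn1=12 cn1Label=trustScore"
}
""")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")


def _unescape(text):
    """Undo CEF escaping: a backslash-escaped '|', '=' or '\\' becomes the literal
    character; '\\n' and '\\r' (allowed in extension values) become line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Split a CEF record into (header dict, extension dict). The header is the
    first seven '|'-separated fields; everything after the seventh unescaped '|'
    is the extension, whose values may themselves contain spaces."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["version"] = int(header["version"][len("CEF:"):])
    header["severity"] = int(header["severity"])  # TokenForge uses the numeric 0-10 form
    extension = {}
    if parts[7].strip():
        # Split only at whitespace that is followed by the next 'key=' token.
        for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
            key, _, value = pair.partition("=")
            extension[key] = _unescape(value)
    return header, extension


def labeled_fields(extension):
    """Resolve ArcSight custom fields (cs1/cs1Label, cn1/cn1Label, ...) to
    {label: value}; cnN values are integers."""
    resolved = {}
    for key, value in extension.items():
        m = re.fullmatch(r"(cs|cn)(\d+)", key)
        if m:
            label = extension.get(key + "Label", key)
            resolved[label] = int(value) if m.group(1) == "cn" else value
    return resolved


def severity_label(severity):
    """CEF 0-10 severity to a label. 9=Critical, 7-8=High, 5=Medium, 3=Low is the
    page's Trellix mapping; the thresholds for the other values are assumed."""
    if severity >= 9:
        return "critical"
    if severity >= 7:
        return "high"
    if severity >= 4:
        return "medium"
    return "low"


def check_payload(payload):
    """Parse payload['cef'] and cross-check it against the structured fields.
    Returns (header, resolved custom fields, problems); problems is empty only
    when both views agree and the extension keys follow the CEF dictionary."""
    header, extension = parse_cef(payload["cef"])
    event = payload["event"]
    custom = labeled_fields(extension)
    expected = {
        "event_class_id": (header["event_class_id"], event["type"]),
        "name": (header["name"], event["reason"]),
        "severity": (header["severity"], payload["severity"]),
        "severityLabel": (severity_label(header["severity"]), payload["severityLabel"]),
        "src": (extension.get("src"), event["ip"]),
        "tenantId": (custom.get("tenantId"), payload["tenantId"]),
        "trustScore": (custom.get("trustScore"), event["trustScore"]),
    }
    problems = [f"{field}: cef={c!r} json={j!r}" for field, (c, j) in expected.items() if c != j]
    # The CEF dictionary defines dvc as the device's IPv4 address; TokenForge puts
    # its device key there, which a type-checking CEF parser will not accept.
    try:
        ipaddress.IPv4Address(extension.get("dvc", ""))
    except ValueError:
        problems.append(f"dvc={extension.get('dvc')!r} is not an IPv4 address; use event.deviceId")
    return header, custom, problems


if __name__ == "__main__":
    hdr, custom, problems = check_payload(SAMPLE_PAYLOAD)
    print(hdr["event_class_id"], severity_label(hdr["severity"]), custom)
    for p in problems:
        print("WARN", p)
```

Run against the sample payload, the only finding is the `dvc` type mismatch; every other CEF field agrees with its structured counterpart. Feeding the parser the bare `cef` string is also a quick way to confirm that your SIEM's CEF parser and TokenForge agree on escaping before you wire up the webhook.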

Platform Guides

Splunk

bash
# Splunk HTTP Event Collector
# 1. In Splunk: Settings → Data Inputs → HTTP Event Collector → New Token
# 2. Copy the token value
# 3. In TokenForge Dashboard → Alerts → Create Rule:
#    Channel: Webhook
#    URL: https://your-splunk:8088/services/collector/raw?sourcetype=_json
#    Header (via custom webhook config): Authorization: Splunk <hec-token>
#
# Use the /raw endpoint so the whole payload is indexed as one JSON event.
# The /event endpoint treats the top-level "event" key as the event body and
# "source" as metadata, so posting the TokenForge payload there would index
# only the nested event object and lose severity, tenantId and the cef string;
# that endpoint needs the payload re-wrapped in an HEC envelope by a relay.

Microsoft Sentinel

bash
# Microsoft Sentinel (Log Analytics)
# Neither Log Analytics ingestion API accepts a webhook with a static secret:
# the legacy HTTP Data Collector API
#   https://<workspace-id>.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
# needs a per-request HMAC-SHA256 "SharedKey" Authorization header (and Microsoft
# has deprecated it), and the Logs Ingestion API needs a Microsoft Entra bearer token.
# 1. Azure Portal → Log Analytics Workspace → create a Data Collection Endpoint
#    and a Data Collection Rule targeting a custom table for the events
# 2. Deploy a relay that TokenForge can POST to (an Azure Logic App with an HTTP
#    request trigger, or an Azure Function) that authenticates to the Logs
#    Ingestion API and forwards the JSON body
# 3. In TokenForge Dashboard → Alerts → Create Rule:
#    Channel: Webhook
#    URL: the relay's HTTPS trigger URL
#
# Sentinel does not parse a CEF string embedded in a JSON field; query the
# structured fields (severity, event.type, ...) or flatten them in the DCR transformation.
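
The two transformations a relay has to perform for the Splunk and Sentinel guides above, as an added example that is neither TokenForge nor vendor code: re-wrapping the payload in a Splunk HEC envelope so the `/services/collector/event` endpoint indexes the whole document rather than just the nested `event` object, and computing the per-request SharedKey signature for the legacy Azure Monitor HTTP Data Collector API (the `api/logs` endpoint named above). The abbreviated payload, workspace ID, shared key and sourcetype name are constructed test values.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Abbreviated copy of the page's sample payload (constructed test input).
SAMPLE_PAYLOAD = {
    "source": "tokenforge",
    "timestamp": "2026-03-22T15:30:00.000Z",
    "severity": 9,
    "tenantId": "tenant_abc",
    "event": {"type": "session.hijack_attempt", "ip": "198.51.100.42"},
    "cef": "CEF:0|OpenSyber|TokenForge|1.0|session.hijack_attempt|nonce_replay|9|src=198.51.100.42",
}

# Made-up workspace shared key; a real one is the base64 primary key from the portal.
DEMO_SHARED_KEY = base64.b64encode(b"made-up-shared-key").decode("ascii")


def hec_envelope(payload, sourcetype="tokenforge:alert", index=None):
    """Wrap the payload for POST /services/collector/event so Splunk indexes the
    whole document. 'time' is the event timestamp in epoch seconds; without it
    HEC stamps the event with its arrival time. sourcetype is an assumed name."""
    ts = datetime.datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
    envelope = {
        "time": ts.timestamp(),
        "source": payload["source"],
        "sourcetype": sourcetype,
        "event": payload,
    }
    if index:
        envelope["index"] = index
    return envelope


def data_collector_request(workspace_id, shared_key_b64, records, log_type="TokenForge", date=None):
    """Body and headers for POST https://<workspace-id>.ods.opinsights.azure.com/api/logs?api-version=2016-04-01.
    The signature covers method, body length, content type, x-ms-date and the
    resource path, so it has to be recomputed for every request. Microsoft has
    deprecated this API in favour of the Logs Ingestion API (DCE/DCR, Entra token)."""
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    date = date or datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    string_to_sign = f"POST\n{len(body)}\napplication/json\nx-ms-date:{date}\n/api/logs"
    digest = hmac.new(base64.b64decode(shared_key_b64), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}",
        "Log-Type": log_type,                  # lands in the <log_type>_CL custom table
        "x-ms-date": date,
        "time-generated-field": "timestamp",   # use the event time, not ingestion time
    }
    return body, headers


if __name__ == "__main__":
    print(json.dumps(hec_envelope(SAMPLE_PAYLOAD)))
    body, headers = data_collector_request("00000000-0000-0000-0000-000000000000",
                                           DEMO_SHARED_KEY, [SAMPLE_PAYLOAD])
    print(headers["Authorization"], len(body))
```

The Data Collector API expects a JSON array of records, which is why the payload is passed as a one-element list; the HMAC key is the base64-decoded workspace key, not the base64 text. Because the signature binds the exact body length and `x-ms-date`, a relay must serialise the body once and sign that same byte string, and the clock on the relay has to be within Azure's tolerance of the workspace.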

Elastic / Kibana

bash
# Elastic / Kibana
# 1. Create the index with an explicit mapping for the address field (dynamic
#    mapping would index event.ip as a keyword, which rules out CIDR queries):
#    PUT /tokenforge-events
#    {"mappings":{"properties":{"event":{"properties":{"ip":{"type":"ip"}}}}}}
# 2. Create an API key with write access to the index
#    (Kibana → Stack Management → API keys)
# 3. In TokenForge Dashboard → Alerts → Create Rule:
#    Channel: Webhook
#    URL: https://elastic.company.com:9200/tokenforge-events/_doc
#    Header (via custom webhook config): Authorization: ApiKey <encoded-key>
#
# Each POST to _doc creates a document with a generated ID; the remaining fields
# are mapped dynamically (timestamp is detected as a date). The cef field is
# stored as text, not parsed; search on the structured fields instead.

Datadog

bash
# Datadog
# 1. Get your API key from Datadog → Organization Settings → API Keys
# 2. In TokenForge Dashboard → Alerts → Create Rule:
#    Channel: Webhook
#    URL: https://http-intake.logs.datadoghq.com/api/v2/logs
#    Header (via custom webhook config): DD-API-KEY: <api-key>
#
# Use the intake host for your Datadog site (the URL above is for US1). The JSON
# body is indexed as-is; the cef field is just a string attribute to Datadog, so
# build facets and monitors on the structured fields (severity, event.type, ...).

Trellix (McAfee/FireEye)

bash
# Trellix (formerly McAfee/FireEye) — Helix
# 1. In Trellix Helix: Admin → Data Sources → Add Source → HTTP/JSON
# 2. Create an API connector with your Helix endpoint URL
# 3. In TokenForge Dashboard → Alerts → Create Rule:
#    Channel: Webhook
#    URL: https://<helix-instance>.helix.apps.fireeye.com/api/v1/alerts
#
# The "cef" field in each event is auto-parsed by Helix.
# Map severity levels: 9=Critical, 7-8=High, 5=Medium, 3=Low

Cyrebro SOC

bash
# Cyrebro SOC Platform
# 1. Contact your Cyrebro SOC team to set up a webhook data source
# 2. They will provide an ingest URL like:
#    https://ingest.cyrebro.io/api/v1/events/<your-org-id>
# 3. In TokenForge Dashboard → Alerts → Create Rule:
#    Channel: Webhook
#    URL: https://ingest.cyrebro.io/api/v1/events/<your-org-id>
#
# Cyrebro auto-parses CEF format from the "cef" field.
# Events appear in your Cyrebro dashboard under "Session Security" category.
# Severity mapping aligns with Cyrebro's alert levels automatically.

Any other SIEM

TokenForge webhooks POST the JSON payload shown above to any HTTPS endpoint. Set up a webhook alert rule in Dashboard → Alerts, point it at your SIEM's HTTP ingest endpoint, and add whatever authentication header that endpoint requires through the custom webhook config. The cef field is a standard CEF string, but it arrives inside a JSON document: a SIEM that only recognises CEF at the start of a syslog or raw line will not parse it unless you extract the field first (a JSON-then-CEF parsing pipeline) or have a relay forward the cef value on its own. Where the payload is indexed as JSON, the structured fields carry the same information and are the simpler thing to query.