SIEM/SOAR Integration

By default, Zenconsole organizations benefit from having their session logs securely stored in the cloud-based BigQuery database, providing centralized visibility and reporting capabilities.

For organizations that require integration with existing security operations workflows, Zenconsole also supports forwarding security events to external SIEM and SOAR platforms.

This capability enables security teams to correlate Zenarmor-generated events with data from other security tools, build custom detection rules, automate incident response processes, and maintain security data within their preferred analytics platforms.

By streaming security events to external SIEM/SOAR solutions, organizations can:

  • Export security events in real time
  • Perform advanced traffic analysis
  • Correlate events with other security tools
  • Create custom alerts and automated response workflows
  • Retain logs within their own infrastructure
  • Leverage existing SIEM/SOAR investments for enhanced visibility and threat detection

To access the SIEM/SOAR Integration feature, follow the steps below:

  1. Open your browser and navigate to Zenconsole.

  2. Sign in using your Zenconsole credentials.

  3. Navigate to Settings → Organization Settings → SIEM/SOAR Integration.

    Figure 1. SIEM/SOAR Integration Page

The SIEM/SOAR Integration wizard guides administrators through the configuration process, including destination settings, authentication, event selection, and connectivity validation.

Zenconsole currently supports the following SIEM/SOAR integration types:

  • Elastic / OpenSearch – Streams security events directly to Elasticsearch and OpenSearch deployments.
  • Generic Webhook – Forwards security events to any HTTP endpoint capable of receiving webhook requests.

The configuration workflow varies depending on the selected integration type.

Configuring an Elastic / OpenSearch Integration

Complete the following steps to configure event forwarding from Zenconsole to an Elasticsearch or OpenSearch deployment.

Step 1 – Select the Integration Type

From the Destination Type list, select Elastic / OpenSearch and click Next to continue.

Figure 2. Select Integration Type

Step 2 – Configure the Destination Endpoint

Specify the Elasticsearch or OpenSearch endpoint that will receive security events from Zenconsole.

Enter the full URL of your Elasticsearch or OpenSearch deployment in the Endpoint URL field and click Next.

Figure 3. Configure Destination Endpoint

Step 3 – Configure Authentication

Select the authentication method required by your Elasticsearch or OpenSearch deployment.

Zenconsole supports the following authentication methods:

  • Bearer Token
  • Basic Authentication
  • API Key
  • None

Provide the required credentials and click Next to continue.

Figure 4. Configure Authentication

Step 4 – Configure Event Delivery Settings

Configure how Zenconsole delivers security events to your Elasticsearch or OpenSearch deployment.

Specify an Index Prefix, which is used as the base name for the indices created by Zenconsole. The selected event type is automatically appended to the configured prefix.

Under Delivery Settings, configure the following parameters:

  • Batch Size: Number of events included in each delivery request.
  • Max Payload Size: Maximum size of the request payload.
  • Timeout: Maximum time allowed for each delivery attempt.
  • Retry: Enables or disables retry attempts for failed requests.

Under Event Types (Routes), select the event categories that should be forwarded to the destination platform.

Available event types include:

  • Conn
  • HTTP
  • Alert
  • DNS
  • TLS
  • Conn Security Tags

After completing the configuration, click Next.

Figure 5. Configure Event Delivery Settings

Step 5 – Test and Save the Integration

Before enabling event forwarding, verify the configuration by clicking Test Connection.

Figure 6. Test the Integration

Zenconsole validates the configured endpoint, authentication settings, and connectivity to the destination platform. If the validation succeeds, a confirmation message is displayed.

Click Save SIEM Integration to complete the configuration and begin forwarding events to the Elasticsearch or OpenSearch deployment.

Figure 7. Save the Integration

Configuring a Generic Webhook Integration

Complete the following steps to configure event forwarding from Zenconsole to a Webhook endpoint.

Step 1 – Select the Integration Type

From the Destination Type list, select Generic Webhook and click Next to continue.

Figure 8. Select Integration Type

Step 2 – Configure the Destination Endpoint

Specify the destination endpoint that will receive security events from Zenconsole.

Enter the full URL of your Elasticsearch/OpenSearch cluster or webhook receiver and click Next.

Figure 9. Configure Destination Endpoint

Step 3 – Configure Authentication

Configure the authentication method required by the destination platform.

Supported authentication methods include:

  • Bearer Token
  • Basic Authentication
  • API Key
  • None

Provide the required credentials and click Next.

Figure 10. Configure Authentication

Step 4 – Configure Custom Headers and Event Types

Configure any custom HTTP headers that should be included in requests sent to the webhook endpoint.

To add a custom header:

  1. Enter the header name in the Header Name field.
  2. Enter the corresponding value in the Header Value field.
  3. Click Add Header.

Multiple custom headers can be added as required by the destination platform.

Under Event Types (Routes), select the event categories that should be forwarded to the webhook destination.

Available event types include:

  • Conn
  • HTTP
  • Alert
  • DNS
  • TLS
  • Conn Security Tags

After completing the configuration, click Next to continue.

Figure 11. Configure Custom Headers and Event Types
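The receiver side of Steps 3 and 4, as an added example that is not Zenconsole's code or documented payload format: a webhook endpoint validates the configured authentication method and the custom header before it accepts a batch, and rejects events outside the selected routes. The header names, the JSON batch shape (an array of objects with a `type` field) and the route labels are assumptions made for this example.

```python
import base64
import hmac
import json

# Constructed example of the checks a generic webhook receiver applies to a
# Zenconsole delivery before accepting it. Header names, the JSON batch shape
# and the route labels are assumptions; header names are assumed canonicalized.
EXPECTED_CUSTOM = {"X-Source": "zenconsole"}  # custom header added in Step 4
ROUTES = {"conn", "http", "alert", "dns", "tls", "conn_security_tags"}

def _eq(a, b):
    # Constant-time comparison so credential checks do not leak via timing.
    return hmac.compare_digest(a.encode(), b.encode())

def check_auth(headers, method, secret):
    """Validate credentials; method is 'bearer', 'basic', 'api_key' or 'none'."""
    auth = headers.get("Authorization", "")
    if method == "none":
        return True
    if method == "bearer":
        return _eq(auth, f"Bearer {secret}")
    if method == "basic":
        user, password = secret
        encoded = base64.b64encode(f"{user}:{password}".encode()).decode()
        return _eq(auth, f"Basic {encoded}")
    if method == "api_key":
        return _eq(headers.get("X-API-Key", ""), secret)
    return False

def handle_delivery(headers, body, method, secret):
    """Return (http_status, events_per_route). Client-side faults answer 4xx so
    a sender's Retry setting does not re-send a request that cannot succeed."""
    if not check_auth(headers, method, secret):
        return 401, {}
    if any(headers.get(k) != v for k, v in EXPECTED_CUSTOM.items()):
        return 403, {}
    try:
        events = json.loads(body)
    except ValueError:
        events = None
    if not isinstance(events, list):
        return 400, {}
    counts = {}
    for ev in events:
        route = ev.get("type") if isinstance(ev, dict) else None
        if route not in ROUTES:
            return 400, {}
        counts[route] = counts.get(route, 0) + 1
    return 200, counts
```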

Step 5 – Configure Webhook Settings

Configure the delivery settings used when forwarding events to the webhook destination.

The following parameters can be customized:

  • HTTP Method: HTTP method used for event delivery.
  • Batch Size: Number of events included in each request.
  • Max Payload Size: Maximum size of the request payload.
  • Timeout: Maximum time allowed for each delivery attempt.
  • Retry: Enables or disables retry attempts for failed requests.
  • Retry Count: Number of retry attempts before delivery is considered unsuccessful.
  • Base Delay: Initial delay before the first retry attempt.
  • Max Delay: Maximum delay between retry attempts.

Adjust these settings according to the capacity and requirements of your webhook receiver, then click Next to continue.

Figure 12. Configure Webhook Settings
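How the Webhook Settings above interact, as an added example that is not Zenconsole's own delivery code: events are chunked by Batch Size and Max Payload Size, and a failed request is retried Retry Count times with a delay that starts at Base Delay and is capped at Max Delay. The exponential shape of the backoff is an assumption (the page only names the parameters), and `send` and `sleep` are injected so the loop runs offline.

```python
import json

# Constructed example of a sender-side delivery loop shaped by the Webhook
# Settings: Batch Size, Max Payload Size, Retry Count, Base Delay and
# Max Delay. The exponential backoff shape is an assumption; the page only
# names the parameters. `send` and `sleep` are injected so this runs offline.

def backoff_schedule(retry_count, base_delay, max_delay):
    """Seconds to wait before each retry: base, 2*base, 4*base, ... capped
    at max_delay, one entry per allowed retry."""
    return [min(base_delay * 2 ** i, max_delay) for i in range(retry_count)]

def make_batches(events, batch_size, max_payload_bytes):
    """Split events into JSON-array batches holding at most batch_size events
    and serializing to at most max_payload_bytes. A lone oversized event still
    ships alone rather than being dropped silently."""
    batches, current = [], []
    for ev in events:
        candidate = current + [ev]
        too_big = (len(candidate) > batch_size
                   or len(json.dumps(candidate).encode()) > max_payload_bytes)
        if current and too_big:
            batches.append(current)
            current = [ev]
        else:
            current = candidate
    if current:
        batches.append(current)
    return batches

def deliver(batches, send, retry_count, base_delay, max_delay, sleep=lambda s: None):
    """send(batch) -> bool. Failed batches are retried per the backoff
    schedule; the batches that were never accepted are returned so they can
    be spooled or alerted on instead of being lost."""
    delays = backoff_schedule(retry_count, base_delay, max_delay)
    undelivered = []
    for batch in batches:
        ok = send(batch)
        for delay in delays:
            if ok:
                break
            sleep(delay)
            ok = send(batch)
        if not ok:
            undelivered.append(batch)
    return undelivered
```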

Step 6 – Test and Save the Integration

Before enabling event forwarding, verify the configuration by clicking Test Connection.

Zenconsole validates the configured endpoint, authentication settings, and connectivity to the destination platform. If the test is successful, a confirmation message is displayed.

After a successful validation, click Save SIEM Integration to complete the configuration and enable event forwarding to the webhook destination.

Figure 13. Test Connection

Figure 14. Connection Successful

Managing the Integration

After the integration is saved, Zenconsole displays a summary of the configured settings, including the destination type, endpoint, authentication method, selected event types, and delivery configuration.

Administrators can also perform the following actions from this page.

Figure 15. Integration Summary for Elastic/OpenSearch

Enabling the Integration

The current status of the integration is displayed in the upper-right corner of the page. When the integration is in the Disabled state, event forwarding is not active.

To enable the integration, follow the steps below.

  1. Click Enable SIEM Configuration.

    Figure 16. Enable SIEM Configuration

  2. In the confirmation dialog, click Enable.

    Figure 17. Enable SIEM Integration Confirmation

Once enabled, Zenconsole begins forwarding the selected security events to the configured SIEM/SOAR destination.

Disabling the Integration

To temporarily stop event forwarding without removing the integration configuration, follow the steps below.

  1. Click Disable SIEM Configuration.

    Figure 18. Disable SIEM Configuration

  2. Confirm the action when prompted.

    Figure 19. Disable SIEM Configuration Confirmation

Once disabled, Zenconsole stops forwarding events to the configured SIEM/SOAR destination. The configuration remains available and can be re-enabled at any time.

Reconfiguring the Integration

To modify an existing SIEM/SOAR integration, follow the steps below.

  1. Click Reconfigure.

    Figure 20. Reconfigure SIEM Integration

  2. Update the required settings in the configuration wizard.

  3. Complete the configuration process and save the changes.

Zenconsole updates the integration using the new configuration settings.

Deleting the Integration

To permanently remove an existing SIEM/SOAR integration, follow the steps below.

  1. Click Delete SIEM Configuration.

    Figure 21. Delete SIEM Configuration

  2. Confirm the deletion when prompted.

    Figure 22. Delete SIEM Configuration Confirmation

After the integration is deleted, Zenconsole stops forwarding events and removes the saved configuration from the organization.