SIEM

Event Streaming Details

Once a SIEM integration (for example, Microsoft Sentinel, Splunk, Sumo Logic or Webhook) is configured in the ARMO Platform, the following events are automatically streamed in real time.

This integration provides full observability, audit trail, and incident correlation across your runtime, compliance, and policy changes, helping SOC and SecOps teams respond faster and with context.


SIEM Streaming Trigger Events

The ARMO Platform streams events whenever key system, policy, or runtime actions occur.

Incident Lifecycle Events

Event | Description
----- | -----------
Incident Created | A new runtime incident is detected and opened.
Incident Updated | The incident status or details are updated (for example, a status change or a new alert added).

Policy & Rule Changes

Event | Description
----- | -----------
Runtime Policy Created | A new threat detection policy is created.
Runtime Policy Updated | An existing policy is modified (for example, rule conditions, scope, criteria, or response).
Runtime Policy Deleted | A threat detection policy is deleted.

Response Action Events

Event | Description
----- | -----------
Response Action Triggered | A response (for example, container kill, pause, network policy, or seccomp profile) is executed.

Risk Acceptance Events

Event | Description
----- | -----------
Risk Acceptance Created | A new risk acceptance rule is defined to suppress specific incidents.
Risk Acceptance Updated | An existing risk acceptance is modified (for example, scope, justification, or expiration date).
Risk Acceptance Deleted | A risk acceptance rule is removed.

Data Schema: Fields Streamed to SIEM

Each event type includes structured fields that can be mapped to your SIEM data model for search, correlation, and reporting.


Incident Created / Updated

Core Metadata

Field | Description | Example
----- | ----------- | -------
event_type | Fixed value | incident_created
firstSeen | Time the incident was generated (UTC) | 2025-09-08T12:30:15Z
lastSeen | Time the incident was last updated (UTC) | 2025-09-08T12:30:15Z
armoAccountId | Customer account identifier | f1d2d2f924e986ac86fdf7b36c94bcdf

Incident Details

Field | Description | Example
----- | ----------- | -------
incidentName | Short title | Suspicious process execution detected
incidentId | Unique identifier for the incident | INC-10382
status | Current status | open
ruleId | ID of the triggering rule |
ruleName | Name of the triggering rule |
ruleDescription | Detailed description of the incident | A process attempted to connect to a known malicious domain
severity | Incident severity | critical
detectionType | Detection method (policy, anomaly, malware signature) | anomaly

Policy Context

Field | Description | Example
----- | ----------- | -------
policyId | ID of the triggered policy | POL-3421
policyName | Policy name | Outbound Connection to Known Malicious Domain

MITRE ATT&CK Context

Field | Description | Example
----- | ----------- | -------
mitreTactic | ATT&CK tactic | Command and Control
mitreTechnique | ATT&CK technique ID | T1071.001

Environment Context

Field | Description | Example
----- | ----------- | -------
cloudProvider | Cloud provider | AWS
cloudAccountId | Cloud account ID | 123456789012
cloudRegion | Cloud region | us-east-1
cluster | Cluster name | prod-cluster-1
namespace | Namespace | payments
workload | Workload name | billing-service
workloadKind | Workload kind | Deployment
container | Container name | billing-api
container_Image | Container image | docker.io/nginx:latest
node | Node hostname | ip-10-0-12-45.ec2.internal
nodeInstanceId | Instance ID | i-0e74577cae6f9cccd
nodeInstanceType | Instance type | m5a.large
nodeInstanceZone | Availability zone | eu-west-3a
pod | Pod name |

Alert Added

Core Metadata

Field | Description | Example
----- | ----------- | -------
event_type | Fixed value | alert_added
ruleId | Rule ID linked to the alert |
ruleName | Rule name linked to the alert |
ruleDescription | Description of the alert | A process attempted to connect to a known malicious domain
severity | Alert severity | critical
timestamp | Time the alert was generated (UTC) | 2025-09-08T12:30:15Z
armoAccountId | Customer identifier | f1d2d2f924e986ac86fdf7b36c94bcdf
incident_guid | Related incident ID |
alert_raw_object | Complete alert JSON | {...}
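The incident and alert tables above describe two event types that a SIEM has to join: incident_created / incident_updated carry the incident's own state, while alert_added only points back at it through incident_guid. The following is an added example (not ARMO's own code) of a consumer that folds such a stream into per-incident state, attaches alerts to their incident, tracks the worst severity seen, and keeps alerts whose incident was never received as orphans for later matching. It assumes that the webhook target persists the stream as JSON lines, that incident_guid carries the same value as the incident's incidentId, that severities rank low < medium < high < critical, and it uses constructed sample events (the "closed" status and the second incident are constructed values, not from the page).

```python
"""Correlate ARMO incident_created / incident_updated / alert_added events.

Added example, not ARMO's own code. Field names follow the Incident
Created / Updated and Alert Added tables. Assumptions: JSON-lines framing,
alert_added.incident_guid == incidentId, and the severity ranking below.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering

# Fields copied from incident events into the tracked state.
INCIDENT_FIELDS = ("incidentName", "status", "severity", "firstSeen", "lastSeen",
                   "cluster", "namespace", "workload", "mitreTactic", "mitreTechnique")

# Constructed sample stream: one incident that is later closed, an alert that
# belongs to it, an alert whose incident was never streamed, and a second
# low-severity incident that stays open.
SAMPLE_STREAM = """
{"event_type": "incident_created", "incidentId": "INC-10382", "incidentName": "Suspicious process execution detected", "status": "open", "severity": "high", "firstSeen": "2025-09-08T12:30:15Z", "lastSeen": "2025-09-08T12:30:15Z", "cluster": "prod-cluster-1", "namespace": "payments", "workload": "billing-service", "mitreTactic": "Command and Control", "mitreTechnique": "T1071.001"}
{"event_type": "alert_added", "incident_guid": "INC-10382", "ruleName": "Outbound Connection to Known Malicious Domain", "severity": "critical", "timestamp": "2025-09-08T12:31:02Z", "alert_raw_object": {"dst": "203.0.113.7"}}
{"event_type": "incident_updated", "incidentId": "INC-10382", "status": "closed", "lastSeen": "2025-09-08T12:40:00Z"}
{"event_type": "alert_added", "incident_guid": "INC-00000", "ruleName": "Unexpected process", "severity": "medium", "timestamp": "2025-09-08T12:41:00Z"}
{"event_type": "incident_created", "incidentId": "INC-10390", "incidentName": "Unexpected process", "status": "open", "severity": "low", "firstSeen": "2025-09-08T12:50:00Z", "lastSeen": "2025-09-08T12:50:00Z", "cluster": "prod-cluster-1", "namespace": "payments", "workload": "billing-service"}
"""


def parse_stream(text):
    """Parse JSON lines into event dicts; reject any event without event_type."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if "event_type" not in event:
            raise ValueError(f"line {lineno}: event has no event_type")
        events.append(event)
    return events


def _raise_severity(state, severity):
    """Lift the incident's maxSeverity if the given severity outranks it."""
    if SEVERITY_RANK.get(severity, 0) > SEVERITY_RANK.get(state["maxSeverity"], 0):
        state["maxSeverity"] = severity


def correlate(events):
    """Fold the stream into {incidentId: state}; return (incidents, orphan alerts).

    Later incident_updated events overwrite the fields they carry, alerts are
    attached by incident_guid, and maxSeverity is the highest severity seen
    across the incident and all of its alerts."""
    incidents = {}
    orphans = []
    for event in events:
        kind = event["event_type"]
        if kind in ("incident_created", "incident_updated"):
            state = incidents.setdefault(event["incidentId"],
                                         {"alerts": [], "maxSeverity": "low"})
            state.update({k: event[k] for k in INCIDENT_FIELDS if k in event})
            _raise_severity(state, event.get("severity"))
        elif kind == "alert_added":
            state = incidents.get(event.get("incident_guid"))
            if state is None:
                orphans.append(event)  # alert arrived before or without its incident
                continue
            state["alerts"].append(event)
            _raise_severity(state, event.get("severity"))
        # policy_*, response_action_triggered and risk_acceptance_* are not handled here
    return incidents, orphans


def open_incidents_by_severity(incidents):
    """Return (incidentId, maxSeverity, alert count) for open incidents, worst first."""
    rows = [(iid, s["maxSeverity"], len(s["alerts"]))
            for iid, s in incidents.items() if s.get("status") == "open"]
    return sorted(rows, key=lambda r: -SEVERITY_RANK.get(r[1], 0))


if __name__ == "__main__":
    incs, orphan_alerts = correlate(parse_stream(SAMPLE_STREAM))
    for iid, state in incs.items():
        print(iid, state["status"], state["maxSeverity"], len(state["alerts"]), "alert(s)")
    print(len(orphan_alerts), "orphan alert(s)")
```

Keeping orphan alerts separately rather than dropping them matters in practice: the two event types are streamed independently, so an alert_added can be delivered before the incident_created it refers to, and a consumer that discards it loses the alert's raw JSON.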

Policy Created / Updated / Deleted

Field | Description
----- | -----------
event_type | Type of event (policy_created, policy_updated, policy_deleted)
timestamp | Time of the change
policyId | Unique policy ID
policyName | Policy name
policyDescription | Policy description
policyType | managed or custom
created_by / updated_by / deleted_by | User responsible for the change
scope | Policy scope (cluster, namespace, workload, label)
criteria | Risk factors, CVEs
responseActions | Response actions (report, kill, pause, etc.)
responseQuarantine | Applied controls (network policy, seccomp profile)
notifications | Alerting channels (Slack, SIEM, email, etc.)
rules | List of rule IDs/names included
enabled | Boolean flag indicating whether the policy is active

Incident Response Triggered

Core Metadata

Field | Description | Example
----- | ----------- | -------
event_type | Fixed value | response_action_triggered
timestamp | Time executed (UTC) | 2025-09-08T12:45:30Z
incidentId | Related incident ID | INC-99821
incidentName | Incident name |
incidentSeverity | Severity | critical
mitreTactic | ATT&CK tactic | Execution
mitreTechnique | ATT&CK technique | T1059.004
responseId | Unique response ID | RESP-77651

Response Action Details

Field | Description | Example
----- | ----------- | -------
actionType | Response type | kill_process, pause_container, etc.
status | Response outcome | true/false
executedBy | Actor | system, [email protected]
policyId | Triggering policy ID |
policyName | Policy name | Detect CryptoMiner Execution

Target Context

Field | Description | Example
----- | ----------- | -------
cluster | Cluster name | prod-cluster-1
namespace | Namespace | payments
workload | Workload name | billing-service
pod | Pod name | frontend-5556f5b46b-qfp
containerName | Container name | billing-api
containerId | Container runtime ID | 9a23bc445dfe
node | Node name | node-7
image | Image name | registry.company.com/billing:1.2

Risk Acceptance Created / Updated / Deleted

Core Metadata

Field | Description | Example
----- | ----------- | -------
event_type | Event type (risk_acceptance_created, risk_acceptance_updated, risk_acceptance_deleted) |
timestamp | Time the event occurred (UTC) | 2025-09-08T14:12:10Z
riskAcceptanceId | Unique record ID | RA-4567
ruleId | Rule ID linked to the risk | rule-99821
ruleName | Rule name | Unexpected process
ruleSeverity | Severity of the rule | critical
createdBy | User who created the change | [email protected]
scope | Affected scope (cluster, namespace, workload, entity) |
reason | Justification | False positive - benign process
expirationDate | Optional expiration date | 2025-10-31T00:00:00Z
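The policy and risk acceptance tables above are the audit-trail half of the stream: a deleted or disabled policy, a policy whose responseActions were trimmed, or a risk acceptance that silences a critical rule with no expiration are the changes a SOC most wants surfaced rather than merely stored. The following is an added example (not ARMO's own code) of audit logic over those two event families. It tracks the last known state of each policy so an update can be compared against it, and it uses the page's field names throughout; the sample events, the user names and the 90-day review threshold are constructed for this example.

```python
"""Audit checks over ARMO policy_* and risk_acceptance_* events.

Added example, not ARMO's own code. Field names follow the Policy
Created / Updated / Deleted and Risk Acceptance tables; the sample events,
the actor e-mail addresses and MAX_ACCEPTANCE_DAYS are constructed choices.
"""
from datetime import datetime

MAX_ACCEPTANCE_DAYS = 90  # assumed review threshold for a risk acceptance

# Constructed sample events, in stream order.
SAMPLE_EVENTS = [
    {"event_type": "policy_created", "timestamp": "2025-09-08T09:00:00Z",
     "policyId": "POL-3421", "policyName": "Outbound Connection to Known Malicious Domain",
     "policyType": "custom", "created_by": "analyst@example.com",
     "responseActions": ["report", "kill"], "enabled": True},
    {"event_type": "policy_updated", "timestamp": "2025-09-08T10:15:00Z",
     "policyId": "POL-3421", "updated_by": "analyst@example.com",
     "responseActions": ["report"], "enabled": True},
    {"event_type": "policy_updated", "timestamp": "2025-09-08T11:00:00Z",
     "policyId": "POL-3421", "updated_by": "analyst@example.com",
     "responseActions": ["report"], "enabled": False},
    {"event_type": "policy_deleted", "timestamp": "2025-09-08T11:30:00Z",
     "policyId": "POL-9999", "policyName": "Detect CryptoMiner Execution",
     "deleted_by": "admin@example.com"},
    {"event_type": "risk_acceptance_created", "timestamp": "2025-09-08T14:12:10Z",
     "riskAcceptanceId": "RA-4567", "ruleId": "rule-99821", "ruleName": "Unexpected process",
     "ruleSeverity": "critical", "createdBy": "analyst@example.com",
     "reason": "False positive - benign process", "expirationDate": "2025-10-31T00:00:00Z"},
    {"event_type": "risk_acceptance_created", "timestamp": "2025-09-08T14:20:00Z",
     "riskAcceptanceId": "RA-4568", "ruleId": "rule-10001", "ruleName": "Unexpected file access",
     "ruleSeverity": "medium", "createdBy": "analyst@example.com",
     "reason": "Known backup job", "expirationDate": None},
]


def parse_ts(value):
    """Parse the stream's UTC timestamps (trailing Z) into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor_of(event):
    """Return whichever actor field this event type carries."""
    for key in ("deleted_by", "updated_by", "created_by", "createdBy"):
        if event.get(key):
            return event[key]
    return "unknown"


def audit(events):
    """Return (code, recordId, actor, detail) findings worth an analyst's review.

    Policy state is kept per policyId so an update can be diffed against the
    last known version: a shrinking responseActions list or enabled flipping
    to false is reported as a weakening. A risk acceptance is flagged when it
    suppresses a critical rule, has no expirationDate, or outlives the threshold."""
    findings = []
    last_policy = {}
    for ev in events:
        kind = ev["event_type"]
        who = actor_of(ev)
        if kind == "policy_deleted":
            findings.append(("policy_deleted", ev["policyId"], who,
                             "threat detection policy removed"))
            last_policy.pop(ev["policyId"], None)
        elif kind in ("policy_created", "policy_updated"):
            prev = last_policy.get(ev["policyId"], {})
            if "responseActions" in ev:
                removed = set(prev.get("responseActions", [])) - set(ev["responseActions"])
                if removed:
                    findings.append(("response_weakened", ev["policyId"], who,
                                     "removed actions: " + ", ".join(sorted(removed))))
            if prev.get("enabled", True) and ev.get("enabled") is False:
                findings.append(("policy_disabled", ev["policyId"], who, "policy switched off"))
            merged = dict(prev)
            merged.update(ev)  # carry forward fields the update did not repeat
            last_policy[ev["policyId"]] = merged
        elif kind == "risk_acceptance_created":
            rid = ev["riskAcceptanceId"]
            if ev.get("ruleSeverity") == "critical":
                findings.append(("acceptance_critical_rule", rid, who,
                                 f"suppresses critical rule {ev.get('ruleId')}"))
            exp = ev.get("expirationDate")
            if not exp:
                findings.append(("acceptance_no_expiry", rid, who, "no expirationDate set"))
            else:
                days = (parse_ts(exp) - parse_ts(ev["timestamp"])).days
                if days > MAX_ACCEPTANCE_DAYS:
                    findings.append(("acceptance_long_lived", rid, who, f"expires in {days} days"))
    return findings


if __name__ == "__main__":
    for code, record, actor, detail in audit(SAMPLE_EVENTS):
        print(f"{code:26} {record:10} {actor:22} {detail}")
```

Diffing against the last known policy state is what makes the responseActions check work: a policy_updated event on its own only says that the policy changed, and the comparison with the previous version is what turns that into "the kill action was removed by this user at this time", which is the line a SOC needs in the audit trail.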