Once a SIEM integration (for example, Microsoft Sentinel, Splunk, Sumo Logic or Webhook) is configured in the ARMO Platform, the following events are automatically streamed in real time.
This integration provides full observability, audit trail, and incident correlation across your runtime, compliance, and policy changes, helping SOC and SecOps teams respond faster and with context.
The ARMO Platform streams events whenever key system, policy, or runtime actions occur.

| Event | Description |
|---|---|
| Incident Created | A new runtime incident is detected and opened. |
| Incident Updated | The incident status or details are updated (for example, a status change or a new alert added). |

| Event | Description |
|---|---|
| Runtime Policy Created | A new threat detection policy is created. |
| Runtime Policy Updated | An existing policy is modified (for example, rule conditions, scope, criteria, or response). |
| Runtime Policy Deleted | A threat detection policy is deleted. |

| Event | Description |
|---|---|
| Response Action Triggered | A response (for example, container kill, pause, network policy, or seccomp profile) is executed. |

| Event | Description |
|---|---|
| Risk Acceptance Created | A new risk acceptance rule is defined to suppress specific incidents. |
| Risk Acceptance Updated | An existing risk acceptance is modified (for example, scope, justification, or expiration date). |
| Risk Acceptance Deleted | A risk acceptance rule is removed. |

Each event type includes structured fields that can be mapped to your SIEM data model for search, correlation, and reporting.

| Category | Field | Description | Example |
|---|---|---|---|
| Core Metadata | event_type | Fixed value | incident_created |
| | firstSeen | Time the incident was generated (UTC) | 2025-09-08T12:30:15Z |
| | lastSeen | Time the incident was last updated (UTC) | 2025-09-08T12:30:15Z |
| | armoAccountId | Customer account identifier | f1d2d2f924e986ac86fdf7b36c94bcdf |
| Incident Details | incidentName | Short title | Suspicious process execution detected |
| | incidentId | Unique identifier for the incident | INC-10382 |
| | status | Current status | open |
| | ruleId | ID of the triggering rule | |
| | ruleName | Name of the triggering rule | |
| | ruleDescription | Detailed description of the incident | A process attempted to connect to a known malicious domain |
| | severity | Incident severity | critical |
| | detectionType | Detection method (policy, anomaly, malware signature) | anomaly |
| Policy Context | policyId | ID of the triggered policy | POL-3421 |
| | policyName | Policy name | Outbound Connection to Known Malicious Domain |
| MITRE ATT&CK Context | mitreTactic | ATT&CK tactic | Command and Control |
| | mitreTechnique | ATT&CK technique ID | T1071.001 |
| Environment Context | cloudProvider | Cloud provider | AWS |
| | cloudAccountId | Cloud account ID | 123456789012 |
| | cloudRegion | Cloud region | us-east-1 |
| | cluster | Cluster name | prod-cluster-1 |
| | namespace | Namespace | payments |
| | workload | Workload name | billing-service |
| | workloadKind | Workload kind | Deployment |
| | container | Container name | billing-api |
| | container_Image | Container image | docker.io/nginx:latest |
| | node | Node hostname | ip-10-0-12-45.ec2.internal |
| | nodeInstanceId | Instance ID | i-0e74577cae6f9cccd |
| | nodeInstanceType | Instance type | m5a.large |
| | nodeInstanceZone | Availability zone | eu-west-3a |
| | pod | Pod name | |

| Category | Field | Description | Example |
|---|---|---|---|
| Core Metadata | event_type | Fixed value | alert_added |
| | ruleId | Rule ID linked to the alert | |
| | ruleName | Rule name linked to the alert | |
| | ruleDescription | Description of the alert | A process attempted to connect to a known malicious domain |
| | severity | Alert severity | critical |
| | timestamp | Time the alert was generated (UTC) | 2025-09-08T12:30:15Z |
| | armoAccountId | Customer identifier | f1d2d2f924e986ac86fdf7b36c94bcdf |
| | incident_guid | Related incident ID | |
| | alert_raw_object | Complete alert JSON | {...} |

| Field | Description |
|---|---|
| event_type | Type of event (policy_created, policy_updated, policy_deleted) |
| timestamp | Time of the change |
| policyId | Unique policy ID |
| policyName | Policy name |
| policyDescription | Policy description |
| policyType | managed or custom |
| created_by / updated_by / deleted_by | User responsible for the change |
| scope | Policy scope (cluster, namespace, workload, label) |
| criteria | Risk factors, CVEs |
| responseActions | Response actions (report, kill, pause, etc.) |
| responseQuarantine | Applied controls (network policy, seccomp profile) |
| notifications | Alerting channels (Slack, SIEM, email, etc.) |
| rules | List of rule IDs/names included |
| enabled | Boolean flag indicating whether the policy is active |

| Category | Field | Description | Example |
|---|---|---|---|
| Core Metadata | event_type | Fixed value | response_action_triggered |
| | timestamp | Time executed (UTC) | 2025-09-08T12:45:30Z |
| | incidentId | Related incident ID | INC-99821 |
| | incidentName | Incident name | |
| | incidentSeverity | Severity | critical |
| | mitreTactic | ATT&CK tactic | Execution |
| | mitreTechnique | ATT&CK technique | T1059.004 |
| | responseId | Unique response ID | RESP-77651 |
| Response Action Details | actionType | Response type | kill_process, pause_container, etc. |
| | status | Response outcome | true/false |
| | executedBy | Actor | system, [email protected] |
| | policyId | Triggering policy ID | |
| | policyName | Policy name | Detect CryptoMiner Execution |
| Target Context | cluster | Cluster name | prod-cluster-1 |
| | namespace | Namespace | payments |
| | workload | Workload name | billing-service |
| | pod | Pod name | frontend-5556f5b46b-qfp |
| | containerName | Container name | billing-api |
| | containerId | Container runtime ID | 9a23bc445dfe |
| | node | Node name | node-7 |
| | image | Image name | registry.company.com/billing:1.2 |

| Category | Field | Description | Example |
|---|---|---|---|
| Core Metadata | event_type | Event type (risk_acceptance_created, risk_acceptance_updated, risk_acceptance_deleted) | |
| | timestamp | Time the event occurred (UTC) | 2025-09-08T14:12:10Z |
| | riskAcceptanceId | Unique record ID | RA-4567 |
| | ruleId | Rule ID linked to the risk | rule-99821 |
| | ruleName | Rule name | Unexpected process |
| | ruleSeverity | Severity of the rule | critical |
| | createdBy | User who created the change | [email protected] |
| | scope | Affected scope (cluster, namespace, workload, entity) | |
| | reason | Justification | False positive - benign process |
| | expirationDate | Optional expiration date | 2025-10-31T00:00:00Z |
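
As an added example (not ARMO's own code), the following Python normalizes events carrying the field names documented in the tables above into one flat record that a SIEM can correlate on. It assumes each event arrives as a flat JSON object with exactly those field names, which this page does not specify, and the two sample payloads are constructed rather than captured.

```python
import json
from datetime import datetime, timezone

# Minimum field set per event_type, from the tables above; keys ending in "_" cover created/updated/deleted variants.
REQUIRED = {
    "incident_created": ("incidentId", "severity", "firstSeen", "cluster", "workload"),
    "alert_added": ("incident_guid", "severity", "timestamp", "ruleName"),
    "policy_": ("policyId", "policyName", "timestamp", "enabled"),
    "response_action_triggered": ("responseId", "incidentId", "actionType", "status", "timestamp"),
    "risk_acceptance_": ("riskAcceptanceId", "ruleId", "createdBy", "timestamp"),
}

def normalize(raw: str) -> dict:
    """Parse one ARMO event (JSON text) into a flat record for SIEM correlation."""
    ev = json.loads(raw)
    etype = str(ev.get("event_type", ""))
    fields = next((f for k, f in REQUIRED.items()
                   if etype == k or (k.endswith("_") and etype.startswith(k))), None)
    if fields is None:
        raise ValueError(f"unknown event_type: {etype!r}")
    missing = [f for f in fields if f not in ev]
    if missing:
        raise ValueError(f"{etype} is missing required fields: {missing}")
    # incident_created carries firstSeen; every other event type carries timestamp.
    stamp = ev.get("timestamp") or ev["firstSeen"]
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Incident id is incidentId or incident_guid by event type; policy/risk events correlate on their own ids.
    corr = (ev.get("incidentId") or ev.get("incident_guid")
            or ev.get("riskAcceptanceId") or ev.get("policyId"))
    sev = str(ev.get("severity") or ev.get("incidentSeverity") or ev.get("ruleSeverity") or "").lower()
    return {
        "event_type": etype,
        "time_utc": when.isoformat(),
        "correlation_id": corr,
        "severity": sev,
        "asset": "/".join(str(ev[k]) for k in ("cluster", "namespace", "workload") if k in ev),
        "mitre_technique": ev.get("mitreTechnique", ""),
        # status false on a response action means the containment step did not happen.
        "response_failed": etype == "response_action_triggered" and ev.get("status") is False,
    }

# Constructed sample events (not captured from a real tenant) using the documented field names.
SAMPLE_INCIDENT = json.dumps({
    "event_type": "incident_created", "incidentId": "INC-10382", "severity": "critical",
    "firstSeen": "2025-09-08T12:30:15Z", "cluster": "prod-cluster-1", "namespace": "payments",
    "workload": "billing-service", "mitreTactic": "Command and Control", "mitreTechnique": "T1071.001"})
SAMPLE_RESPONSE = json.dumps({
    "event_type": "response_action_triggered", "responseId": "RESP-77651", "incidentId": "INC-10382",
    "actionType": "pause_container", "status": False, "timestamp": "2025-09-08T12:45:30Z",
    "incidentSeverity": "critical", "cluster": "prod-cluster-1", "workload": "billing-service"})
```

Feeding `normalize(SAMPLE_INCIDENT)` and `normalize(SAMPLE_RESPONSE)` into the same SIEM index lets a single `correlation_id` join the detection to its (here failed) containment action.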