SIEM

Event Streaming Details

Once a SIEM integration (for example, Microsoft Sentinel, Splunk, Sumo Logic or Webhook) is configured in the ARMO Platform, the following events are automatically streamed in real time.

This integration provides full observability, audit trail, and incident correlation across your runtime, compliance, and policy changes, helping SOC and SecOps teams respond faster and with context.

SIEM Streaming Trigger Events

The ARMO Platform streams events whenever key system, policy, or runtime actions occur.

Incident Lifecycle Events

Event	Description
Incident Created	A new runtime incident is detected and opened.
Incident Updated	The incident status or details are updated (for example, status change or new alert added).

Policy & Rule Changes

Event	Description
Runtime Policy Created	A new threat detection policy is created.
Runtime Policy Updated	An existing policy is modified (for example, rule conditions, scope, criteria, or response).
Runtime Policy Deleted	A threat detection policy is deleted.

Response Action Events

Event	Description
Response Action Triggered	A response (for example, container kill, pause, network policy, or seccomp profile) is executed.

Risk Acceptance Events

Event	Description
Risk Acceptance Created	A new risk acceptance rule is defined to suppress specific incidents.
Risk Acceptance Updated	An existing risk acceptance is modified (for example, scope, justification, or expiration date).
Risk Acceptance Deleted	A risk acceptance rule is removed.

Data Schema: Fields Streamed to SIEM

Each event type includes structured fields that can be mapped to your SIEM data model for search, correlation, and reporting.

Incident Created / Updated

Category	Field	Description	Example
Core Metadata	`event_type`	Fixed value	`incident_created`
	`first_seen`	Time the incident was generated (UTC)	`2025-09-08T12:30:15Z`
	`last_seen`	Time the incident was last updated (UTC)	`2025-09-08T12:30:15Z`
	`armo_account_id`	Customer account identifier	`f1d2d2f924e986ac86fdf7b36c94bcdf`
	`armo_account_name`	Customer account name	`ACME Corp`
	`incident_id`	Unique identifier for the incident	`INC-10382`
	`status`	Current status	`open`
Incident Details	`incident_name`	Short title	`Suspicious process execution detected`
	`rule_id`	ID of the triggering rule
	`rule_name`	Name of the triggering rule
	`description`	Detailed description of the incident	`A process attempted to connect to a known malicious domain`
	`severity`	Incident severity	`critical`
	`detection_type`	Detection method (policy, anomaly, malware signature)	`anomaly`
Policy Context	`policy_id`	ID of triggered policy	`POL-3421`
	`policy_name`	Policy name	`Outbound Connection to Known Malicious Domain`
MITRE ATT&CK Context	`mitre_tactic`	ATT&CK tactic	`Command and Control`
	`mitre_technique`	ATT&CK technique ID	`T1071.001`
Environment Context	`cloud_provider`	Cloud provider	`AWS`
	`cloud_account_id`	Cloud account ID	`123456789012`
	`cloud_region`	Cloud region	`us-east-1`
	`cluster`	Cluster name	`prod-cluster-1`
	`namespace`	Namespace	`payments`
	`workload`	Workload name	`billing-service`
	`workload_kind`	Workload kind	`Deployment`
	`container`	Container name	`billing-api`
	`container_image`	Container image	`docker.io/nginx:latest`
	`node`	Node hostname	`ip-10-0-12-45.ec2.internal`
	`node_instance_id`	Instance ID	`i-0e74577cae6f9cccd`
	`node_instance_type`	Instance type	`m5a.large`
	`node_instance_zone`	Availability zone	`eu-west-3a`
	`pod`	Pod name

Alert Added

Category	Field	Description	Example
Core Metadata	`event_type`	Fixed value	`alert_added`
	`rule_id`	Rule ID linked to alert
	`rule_name`	Rule name linked to alert
	`description`	Description of the alert	`A process attempted to connect to a known malicious domain`
	`severity`	Alert severity	`critical`
	`timestamp`	Time the alert was generated (UTC)	`2025-09-08T12:30:15Z`
	`armo_account_id`	Customer identifier
	`armo_account_name`	Customer name
	`incident_guid`	Related incident ID
	`alert_raw_object`	Complete alert JSON	`{...}`

Policy Created / Updated / Deleted

Field	Description
`event_type`	Type of event (`policy_created`, `policy_updated`, `policy_deleted`)
`timestamp`	Time of the change
`policy_id`	Unique policy ID
`policy_name`	Policy name
`policy_description`	Policy description
`policy_type`	`managed` or `custom`
`created_by` / `updated_by` / `deleted_by`	User responsible for the change
`scope`	Policy scope (cluster, namespace, workload, label)
`criteria`	Risk factors, CVEs
`response_actions`	Response actions (`report`, `kill`, `pause`, etc.)
`response_quarantine`	Applied controls (network policy, seccomp profile)
`notifications`	Alerting channels (Slack, SIEM, email, etc.)
`rules`	List of rule IDs/names included
`enabled`	Boolean flag indicating if the policy is active

Incident Response Triggered

Category	Field	Description	Example
Core Metadata	`event_type`	Fixed value	`response_action_triggered`
	`timestamp`	Time executed (UTC)	`2025-09-08T12:45:30Z`
	`incident_id`	Related incident ID	`INC-99821`
	`incident_name`	Incident name
	`incident_severity`	Severity	`critical`
	`mitre_tactic`	ATT&CK tactic	`Execution`
	`mitre_technique`	ATT&CK technique	`T1059.004`
	`response_id`	Unique response ID	`RESP-77651`
Response Action Details	`action_type`	Response type	`kill_process`, `pause_container`, etc.
	`status`	Response outcome	`success`
	`executed_by`	Actor	`system`, `[email protected]`
	`policy_id`	Triggering policy ID
	`policy_name`	Policy name	`Detect CryptoMiner Execution`
Target Context	`cluster`	Cluster name	`prod-cluster-1`
	`namespace`	Namespace	`payments`
	`workload`	Workload name	`billing-service`
	`pod`	Pod name	`frontend-5556f5b46b-qfp`
	`container_name`	Container name	`billing-api`
	`container_id`	Container runtime ID	`9a23bc445dfe`
	`node`	Node name	`node-7`
	`image`	Image name	`registry.company.com/billing:1.2`

Risk Acceptance Created / Updated / Deleted

Category	Field	Description	Example
Core Metadata	`event_type`	Event type (`risk_acceptance_created`, `risk_acceptance_updated`, `risk_acceptance_deleted`)
	`timestamp`	Time the event occurred (UTC)	`2025-09-08T14:12:10Z`
	`risk_acceptance_id`	Unique record ID	`RA-4567`
	`rule_id`	Rule ID linked to risk	`rule-99821`
	`rule_name`	Rule name	`Unexpected process`
	`rule_severity`	Severity of the rule	`critical`
	`created_by` / `updated_by` / `deleted_by`	User who made the change	`[email protected]`
	`scope`	Affected scope (cluster, namespace, workload, entity)
	`reason`	Justification	`False positive - benign process`
	`expiration_date`	Optional expiration date	`2025-10-31T00:00:00Z`

Updated about 3 hours ago