SIEM
Ship WASViking findings, audit events, and supply chain alerts into your SIEM.
WASViking® integrates with any SIEM through the same webhook event model used by everything else. There is no SIEM-specific plugin layer because there is no need for one.
Pattern
- Create a WASViking API key with webhooks:manage.
- Register a webhook pointing at your SIEM's HTTP collector.
- Subscribe to the right event set (recommendations below).
- Verify signatures in your SIEM's collector.
- Index.
For event payload schemas and signature verification, see Webhook events.
Recommended subscriptions
For a general security operations SIEM index:
| Event | Why |
|---|---|
| finding.created | New attack surface findings. |
| finding.escalated | Risk score jumped to a higher band. |
| finding.sla_breached | Past SLA, needs immediate attention. |
| secret.verified_live | Active leaked credential. |
| sbom.intel_match | KEV-listed component just identified. |
| posture_share.accessed | A third party accessed a shared artifact. |
| posture_share.revoked | Operator revoked a shared artifact. |
| audit.event | Generic audit trail event. |
SIEM-specific notes
Splunk HTTP Event Collector (HEC)
The webhook URL is the HEC endpoint with the token:
https://splunk.example.com:8088/services/collector/event
Header to add on the WASViking side: Authorization: Splunk <token>.
WASViking lets you add static headers per webhook under Integrations → Webhooks → Headers.
Signature verification: implement as a Splunk pre-collector script or use HEC's authentication-only mode and verify with a downstream search.
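The pre-collector described above, written out as an added example (not WASViking's or Splunk's own code): it verifies the webhook signature, then wraps the event in the envelope that HEC's /services/collector/event endpoint accepts and attaches the Authorization: Splunk <token> header. The signature scheme is an assumption for illustration (HMAC-SHA256 over the raw body, hex-encoded, in a header named X-WASViking-Signature); check the Webhook events page for the real header name and algorithm. The sample event and secret are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Assumed signature scheme (not from the WASViking docs): hex HMAC-SHA256 of
# the raw request body under a shared webhook secret, sent in this header.
SIGNATURE_HEADER = "X-WASViking-Signature"

# Constructed sample secret and webhook body for the demo below.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "id": "evt_0001",
    "type": "finding.sla_breached",
    "created_at": "2024-05-01T12:00:00Z",
    "data": {"finding_id": "fnd_123", "severity": "high"},
}).encode("utf-8")


def sign_body(raw_body: bytes, secret: bytes) -> str:
    """What the sender is assumed to compute; reused here to verify."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, header_value: str, secret: bytes) -> bool:
    """Constant-time comparison; always verify the raw bytes, not re-serialised JSON."""
    presented = (header_value or "").strip().lower()
    return hmac.compare_digest(sign_body(raw_body, secret), presented)


def iso_to_epoch(ts: str) -> float:
    """HEC 'time' is epoch seconds; created_at arrives as ISO 8601 with a Z suffix."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def to_hec_payload(event: dict, index: str = "security") -> dict:
    """Build the HEC event envelope: metadata fields plus the event itself."""
    payload = {
        "source": "wasviking",
        "sourcetype": "wasviking:webhook",  # assumed sourcetype name
        "index": index,
        "event": event,
    }
    if event.get("created_at"):
        payload["time"] = iso_to_epoch(event["created_at"])
    return payload


def hec_headers(token: str) -> dict:
    """Headers for the POST to https://splunk.example.com:8088/services/collector/event."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes):
    """Receiver logic: None on a bad signature (drop and alert), else the HEC payload to forward."""
    if not verify_signature(raw_body, headers.get(SIGNATURE_HEADER, ""), secret):
        return None
    return to_hec_payload(json.loads(raw_body))


if __name__ == "__main__":
    inbound = {SIGNATURE_HEADER: sign_body(SAMPLE_BODY, SECRET)}
    print(json.dumps(handle_webhook(SAMPLE_BODY, inbound, SECRET), indent=2))
    print(handle_webhook(SAMPLE_BODY + b" ", inbound, SECRET))  # tampered body -> None
```

Rejected deliveries should be logged with the event id and counted; a burst of signature failures against the collector is itself a signal worth an alert.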
Elastic Common Schema (ECS)
WASViking does not emit ECS-shaped events natively. The simplest adapter is a Logstash or Fluent Bit filter that maps WASViking event fields to ECS fields:
| WASViking | ECS |
|---|---|
| type | event.action |
| created_at | @timestamp |
| data.finding_id | vulnerability.id |
| data.cwe | vulnerability.classification |
| data.risk_score | vulnerability.score.base |
| data.severity | event.severity |
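The same mapping as a standalone adapter, added here as an example (not WASViking's or Elastic's code) for anyone who would rather do the translation in a small service than in a Logstash or Fluent Bit filter. It generalises the table to any dotted source and destination path, converts string severities to the numeric event.severity that ECS expects, and keeps the untouched original under a vendor namespace so nothing is lost. The severity vocabulary and the sample event are assumptions.

```python
# Field mapping from the table above (WASViking dotted path -> ECS dotted path).
FIELD_MAP = {
    "type": "event.action",
    "created_at": "@timestamp",
    "data.finding_id": "vulnerability.id",
    "data.cwe": "vulnerability.classification",
    "data.risk_score": "vulnerability.score.base",
    "data.severity": "event.severity",
}

# ECS event.severity is numeric. The string vocabulary is assumed, not taken
# from the WASViking docs; adjust to the values your tenant actually emits.
SEVERITY_TO_NUMBER = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample webhook event.
SAMPLE_EVENT = {
    "id": "evt_0001",
    "type": "finding.created",
    "created_at": "2024-05-01T12:00:00Z",
    "data": {"finding_id": "fnd_123", "cwe": "CWE-79", "risk_score": 8.1, "severity": "high"},
}


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(obj, dotted, value):
    """Create the nested dicts an ECS field name implies and set the leaf."""
    parts = dotted.split(".")
    cur = obj
    for key in parts[:-1]:
        cur = cur.setdefault(key, {})
    cur[parts[-1]] = value


def to_ecs(event):
    """Map one WASViking webhook event (a dict) to an ECS-shaped dict."""
    ecs = {
        "ecs": {"version": "8.0"},
        "event": {"kind": "alert", "module": "wasviking"},
    }
    for src, dst in FIELD_MAP.items():
        value = get_path(event, src)
        if value is None:
            continue  # audit.event and posture_share.* carry no finding fields
        if dst == "event.severity" and isinstance(value, str):
            value = SEVERITY_TO_NUMBER.get(value.lower(), 0)
        set_path(ecs, dst, value)
    ecs["wasviking"] = event  # full original payload, for forensics and re-mapping
    return ecs


if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs(SAMPLE_EVENT), indent=2))
```

Keeping the raw payload under wasviking.* costs a little storage but means a later change to the mapping can be applied retroactively with a reindex instead of a replay from WASViking.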
Datadog
Use Datadog's webhook integration as a receiver:
- Pass the WASViking signature header through.
- Verify in a small Lambda or in a Datadog Forwarder rewrite rule.
- Tag the event with source:wasviking.
Microsoft Sentinel
Land WASViking events into a Log Analytics workspace via the HTTP Data Collector API:
- Use an Azure Function as the receiver.
- Verify the signature.
- Forward to Log Analytics with WASViking_CL as the custom log name.
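The forwarding half of that Azure Function, as an added example (not WASViking's or Microsoft's code): it builds the request the HTTP Data Collector API expects, including the SharedKey authorization header, which is an HMAC-SHA256 over "POST\n<length>\napplication/json\nx-ms-date:<date>\n/api/logs" keyed with the base64-decoded workspace key. Note that Log-Type is sent as WASViking; Log Analytics appends _CL itself, so the resulting table is WASViking_CL. The workspace id, key and sample events are constructed placeholders; the signature check on the inbound webhook is assumed to have already passed.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate

RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"

# Constructed placeholders; real values come from the workspace's Agents page.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY_B64 = base64.b64encode(b"constructed-workspace-key-32-bytes!!").decode()
SAMPLE_EVENTS = [
    {"id": "evt_0002", "type": "audit.event", "created_at": "2024-05-01T12:00:00Z",
     "data": {"action": "api_key.revoked"}},
]


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API signs, in the documented order."""
    return f"POST\n{content_length}\n{CONTENT_TYPE}\nx-ms-date:{rfc1123_date}\n{RESOURCE}"


def build_authorization(workspace_id: str, shared_key_b64: str,
                        rfc1123_date: str, content_length: int) -> str:
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(events: list, workspace_id: str = WORKSPACE_ID,
                  shared_key_b64: str = SHARED_KEY_B64, log_type: str = "WASViking",
                  rfc1123_date: str = None):
    """Return (url, headers, body) for the POST; date is injectable for testing."""
    body = json.dumps(events).encode("utf-8")
    date = rfc1123_date or formatdate(usegmt=True)  # RFC 1123, GMT
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_authorization(workspace_id, shared_key_b64, date, len(body)),
        "Log-Type": log_type,                     # table becomes <log_type>_CL
        "x-ms-date": date,
        "time-generated-field": "created_at",     # use the event time, not ingest time
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body


if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_EVENTS)
    print(url)
    print(json.dumps(headers, indent=2))
    print(body.decode())
```

Batch several events per POST where you can; the API signs the whole body, so one signature covers the batch, and the time-generated-field header keeps each record's own created_at as TimeGenerated.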
Audit log shipping
The customer-facing audit log can be pushed to SIEM as a stream too, via the same webhook event audit.event. The audit feed covers:
- Operator sign-ins and MFA challenges.
- RBAC changes.
- API key issuance and revocation.
- Posture Share and Evidence Bundle lifecycle.
- Finding status transitions.
For pull-based audit shipping, the REST endpoint GET /audit-log supports a since parameter for incremental fetch.
Compliance
For PCI DSS v4.0, BACEN, and ISO 27001:2022, shipping security events into a SIEM and retaining them for the required window is an explicit control. Verify retention on the SIEM side; WASViking's own audit retention is configurable per plan and is not a substitute for SIEM retention.
What this is not
WASViking does not include a SIEM. Findings are designed to be ingested into yours.
