SIEM Ingest API
Technical reference for the POST /api/siem/ingest webhook — connector setup, HMAC signing, batch format, and normalisation for all 10 supported connectors.
/siemConnector configuration reference
SetupConnector Configuration Reference
All connectors send data to the same endpoint:
POST https://portal.guardfoxsecurity.com/api/siem/ingest
Content-Type: application/json
X-GuardFox-Source: <connector-name>
X-GuardFox-Signature: sha256=<hmac-hex> (optional but recommended)Supported X-GuardFox-Source values
syslog · wazuh · crowdstrike · okta · m365 · azure · aws · cloudtrail · guardduty · paloalto · panorama · generic
If X-GuardFox-Source is not set, the pipeline auto-detects the connector from the payload shape.
Wazuh setup
In /var/ossec/etc/ossec.conf:
<integration>
<name>custom-webhook</name>
<hook_url>https://portal.guardfoxsecurity.com/api/siem/ingest</hook_url>
<alert_format>json</alert_format>
<level>6</level>
</integration>CrowdStrike setup
Falcon Console → Settings → Integrations → SIEM Connector:
- URL:
https://portal.guardfoxsecurity.com/api/siem/ingest - Header:
X-GuardFox-Source: crowdstrike
Okta setup
Okta Admin → Security → Log Streaming → Add:
- Type: HTTPS
- URL:
https://portal.guardfoxsecurity.com/api/siem/ingest - Header:
X-GuardFox-Source: okta
Palo Alto Panorama
Configure a syslog server profile in Panorama pointing to your ingest endpoint on port 443 with HTTPS. Set X-GuardFox-Source: paloalto.
Generic JSON webhook
Any tool that can POST JSON — Zapier, n8n, Make, custom scripts:
curl -X POST https://portal.guardfoxsecurity.com/api/siem/ingest \
-H "Content-Type: application/json" \
-H "X-GuardFox-Source: generic" \
-H "X-GuardFox-Signature: sha256=$(echo -n '$BODY' | openssl dgst -sha256 -hmac '$SECRET' | cut -d' ' -f2)" \
-d '{"message":"Login failure","severity":"high","host":"server01","srcIp":"1.2.3.4"}'Batch format and response
API ReferenceBatch Format
Send a single event or an array of up to 1,000 events per request:
// Single event
{ "message": "...", "severity": "high", "host": "server01" }
// Batch of events
[
{ "message": "Event 1", "severity": "high", "host": "server01" },
{ "message": "Event 2", "severity": "low", "host": "server02" }
]Response
{ "ok": true, "inserted": 47, "duplicates": 2, "errors": 0 }Deduplication
Events with an id / eventId / uuid field are deduplicated against the last 24 hours. If the same eventId arrives twice in 24h, the second is counted as a duplicate and skipped.
Auto-alert creation
Any event with severity critical or high automatically creates an Alert record. The alert appears in Alert Explorer within seconds.
HMAC authentication
Set SIEM_INGEST_SECRET in your .env. Sign each request body with HMAC-SHA256 and send the hex digest as X-GuardFox-Signature: sha256=<hex>. Without the secret env var, the signature check is skipped (dev mode).