Connecting SATIS to Your SIEM: A Practical Guide
One of the most common questions from security teams evaluating SATIS is: "How does this fit into our existing SIEM?" The answer: natively.
SATIS exports threat intelligence in the native ingestion format of each of the four SIEM platforms listed below. No custom parsers, no log transformation pipelines, no middleware: request the API endpoint with the right format parameter and hand the response to your SIEM's own intake path (HEC, syslog, or the Log Analytics API).
Supported Formats
| Format | Platform | Content-Type |
|---|---|---|
| cef | ArcSight, any CEF-compatible SIEM | text/plain |
| leef | IBM QRadar | text/plain |
| splunk | Splunk (HEC JSON) | application/json |
| sentinel | Microsoft Sentinel | application/json |
The API Endpoint
GET /api/v1/siem/{format}
Authorization: Bearer tck_your_key
Optional parameters:
- count — maximum events (default: 500, max: 10,000)
- severity — filter by severity (low, medium, high, critical)
Splunk Integration
The fastest path is direct HEC (HTTP Event Collector) forwarding. SATIS returns pre-formatted HEC JSON with epoch timestamps, sourcetype metadata, and structured event fields:
#!/bin/bash
# Poll SATIS for high-severity events and forward them to Splunk HEC.
# Secrets come from the environment so they are not hard-coded in the script.
set -euo pipefail
: "${SATIS_KEY:?set SATIS_KEY to your SATIS API key (tck_...)}"
: "${SPLUNK_TOKEN:?set SPLUNK_TOKEN to your HEC token}"
SPLUNK_HEC="https://splunk.example.com:8088/services/collector/event"

# SATIS returns a JSON array of HEC-ready event objects; emit one per line.
events="$(curl -sS --fail -H "Authorization: Bearer $SATIS_KEY" \
  "https://setecastronomyinc.com/api/v1/siem/splunk?severity=high" \
  | jq -c '.[]')"
[ -n "$events" ] || exit 0   # nothing to send; an empty POST would make HEC return 400

# HEC accepts many events in one request body, so POST the whole batch once.
# Do not add -k: if HEC's certificate is not trusted, point curl at the CA
# with --cacert instead of turning TLS verification off.
printf '%s\n' "$events" | curl -sS --fail -X POST "$SPLUNK_HEC" \
  -H "Authorization: Splunk $SPLUNK_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @-
Each event arrives in Splunk with sourcetype satis:threat, including fields for threat ID, target, severity, confidence, ASN, and country. You can build Splunk dashboards and alerts directly on these fields.
IBM QRadar
QRadar supports both LEEF (native) and CEF. For LEEF, fetch from the SATIS API and send each line to QRadar as a syslog message:
: "${SATIS_KEY:?set SATIS_KEY to your SATIS API key (tck_...)}"
QRADAR_HOST="qradar.example.com"   # event collector or console that receives syslog
curl -sS --fail -H "Authorization: Bearer $SATIS_KEY" \
  "https://setecastronomyinc.com/api/v1/siem/leef" \
  | while IFS= read -r line; do
      # -n/-P send straight to QRadar on UDP 514 (add -T for TCP) rather than to the
      # local syslog daemon; read -r keeps LEEF backslashes intact.
      logger -n "$QRADAR_HOST" -P 514 -p local0.info -t SATIS -- "$line"
    done
QRadar parses the LEEF header and the predefined keys (src, sev, cat, action) without custom DSM configuration; you still need a log source for the sending host, which QRadar will normally auto-discover from the first few messages. Keys outside LEEF's predefined set, such as confidence, arrive in the payload but need a custom event property before you can search or write rules on them.
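Before pointing a CEF or LEEF feed at a SIEM it is worth checking that the lines parse the way you expect, in particular that pipes and equals signs in values are escaped rather than splitting fields. The parser below is an added example, not SATIS code and not a vendor library: it handles the CEF header and extension escapes and both LEEF 1.0 (tab) and LEEF 2.0 (declared delimiter) layouts. SAMPLE_CEF and SAMPLE_LEEF are constructed to resemble the formats in the table above and the LEEF keys named in the QRadar section; SATIS's real vendor/product strings and field set may differ.

```python
"""Parse CEF and LEEF so a feed can be validated before it reaches the SIEM.

Added example: not SATIS code and not a vendor library. SAMPLE_CEF and SAMPLE_LEEF
are constructed; the real feed's header strings and keys may differ.
"""
import re
from typing import Dict, List

# CEF escapes: \| and \\ in the header, \= \\ \n \r in the extension.
CEF_ESCAPES = {"\\\\": "\\", "\\|": "|", "\\=": "=", "\\n": "\n", "\\r": "\r"}
# Extension key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")

SAMPLE_CEF = ("CEF:0|SetecAstronomy|SATIS|1.0|100|Scanning activity|7|"
              "src=203.0.113.9 cs1Label=confidence cs1=82 msg=Honeypot hit \\= SSH brute force")
SAMPLE_LEEF = ("LEEF:2.0|SetecAstronomy|SATIS|1.0|scan|^|"
               "src=203.0.113.9^sev=7^cat=scanner^action=blocked^confidence=82")


def _split_unescaped(s: str, sep: str, maxsplit: int) -> List[str]:
    """Split on sep, ignoring backslash-escaped separators, at most maxsplit times."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep escape pairs intact for now
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep and len(parts) < maxsplit:
            parts.append("".join(cur)); cur = []; i += 1; continue
        cur.append(s[i]); i += 1
    parts.append("".join(cur))
    return parts


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: CEF_ESCAPES.get(m.group(0), m.group(1)), s)


def parse_cef(line: str) -> Dict[str, object]:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_unescaped(line.rstrip("\r\n"), "|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-separated fields")
    version, vendor, product, dev_version, sig_id, name, severity, ext = parts
    return {
        "format": "cef", "version": version[4:],
        "vendor": _unescape(vendor), "product": _unescape(product),
        "device_version": _unescape(dev_version), "signature_id": _unescape(sig_id),
        "name": _unescape(name), "severity": severity,
        "fields": {m.group(1): _unescape(m.group(2)) for m in _EXT_RE.finditer(ext)},
    }


def _leef_delim(spec: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab; x09 / 0x09 is hex; otherwise a literal."""
    if spec == "":
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", spec)
    return chr(int(m.group(1), 16)) if m else spec


def parse_leef(line: str) -> Dict[str, object]:
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    line = line.rstrip("\r\n")
    version = line[5:line.index("|")]
    parts = _split_unescaped(line, "|", 6 if version == "2.0" else 5)
    if version == "2.0":
        if len(parts) != 7:
            raise ValueError("LEEF 2.0 header needs six pipe-separated fields")
        _, vendor, product, dev_version, event_id, delim_spec, ext = parts
        delim = _leef_delim(delim_spec)
    else:
        if len(parts) != 6:
            raise ValueError("LEEF 1.0 header needs five pipe-separated fields")
        _, vendor, product, dev_version, event_id, ext = parts
        delim = "\t"                                 # LEEF 1.0 is always tab-delimited
    fields = {}
    for attr in ext.split(delim):
        if "=" in attr:
            k, v = attr.split("=", 1)
            fields[k.strip()] = v
    return {"format": "leef", "version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "event_id": event_id, "fields": fields}


def parse_line(line: str) -> Dict[str, object]:
    """Dispatch on the prefix; raises ValueError for anything that is neither."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    if line.startswith("LEEF:"):
        return parse_leef(line)
    raise ValueError(f"unrecognised line: {line[:20]!r}")
```

Run the real feed through parse_line and count ValueErrors before you wire it to a log source; a single unescaped pipe in a threat name will otherwise shift every header field after it.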
Microsoft Sentinel
For Sentinel, the output is pre-formatted for the Log Analytics Data Collector API, with field names that follow Log Analytics conventions (ThreatID_s, Severity_s, Confidence_d). Two checks before you build on this: the Data Collector API itself appends a type suffix (_s, _d, _b, _t) to each key it ingests, so confirm in your workspace whether the columns land as ThreatID_s or ThreatID_s_s before writing KQL against them; and Microsoft has deprecated this API in favour of the Logs Ingestion API (data collection rules), so check its retirement date before committing to it.
import os
import requests

# Pull the Sentinel-formatted feed; the API key comes from the environment.
resp = requests.get(
    "https://setecastronomyinc.com/api/v1/siem/sentinel",
    headers={"Authorization": f"Bearer {os.environ['SATIS_KEY']}"},
    timeout=30,
)
resp.raise_for_status()
threats = resp.json()

# POST the list to the Log Analytics Data Collector API
# (see Microsoft docs for HMAC signature generation)
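The signature step the snippet defers to Microsoft's docs is where most Sentinel forwarders break, usually because the content length in the signed string does not match the bytes actually sent. The following is an added example, not SATIS code and not Microsoft's SDK: it implements the SharedKey scheme the Data Collector API documents (HMAC-SHA256 over the method, content length, content type, x-ms-date and the resource path) and includes a verify function that recomputes the signature the way the service does. WORKSPACE_ID, SHARED_KEY, LOG_TYPE and the event in the usage block are constructed placeholders.

```python
"""Sign a Log Analytics Data Collector API request with the workspace shared key.

Added example: not SATIS code and not Microsoft's SDK. WORKSPACE_ID, SHARED_KEY and
LOG_TYPE are constructed placeholders; use your workspace's values.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime
from typing import Dict, List, Optional, Tuple

WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"                        # constructed
SHARED_KEY = base64.b64encode(b"constructed-workspace-shared-key").decode()  # constructed
LOG_TYPE = "SATISThreat"        # Log Analytics stores this as the custom table SATISThreat_CL
RESOURCE = "/api/logs"


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """The exact newline-separated string the SharedKey scheme signs."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"


def sign(shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    """HMAC-SHA256 with the base64-decoded shared key, base64-encoded for the header."""
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_request(events: List[dict], workspace_id: str = WORKSPACE_ID,
                  shared_key_b64: str = SHARED_KEY, log_type: str = LOG_TYPE,
                  rfc1123_date: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body); pass them to requests.post(url, headers=..., data=body)."""
    if rfc1123_date is None:
        rfc1123_date = format_datetime(datetime.now(timezone.utc), usegmt=True)
    body = json.dumps(events, separators=(",", ":")).encode("utf-8")
    # The signature covers the byte length of the body, so serialise first, then sign.
    signature = sign(shared_key_b64, len(body), rfc1123_date)
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body


def verify(headers: Dict[str, str], body: bytes, shared_key_b64: str = SHARED_KEY) -> bool:
    """Recompute the signature the way the service does; a changed body or date fails."""
    expected = sign(shared_key_b64, len(body), headers["x-ms-date"])
    presented = headers["Authorization"].split(":", 1)[1]
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed event. Its keys carry no type suffix; the service adds _s/_d on ingestion.
    url, headers, body = build_request([{"ThreatID": "t-1", "Severity": "high", "Confidence": 82}])
    print(url)
    print(headers["Authorization"])
```

If the service answers 403 with "InvalidAuthorization", compare your string_to_sign output against the request you actually sent: the date must be the same RFC 1123 string in both places and the length must be the length of the serialised bytes, not of the Python object.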
Automation
Set up a cron job to poll every 5 minutes. The endpoint is documented with count and severity filters only, not a since cursor, so each poll returns the most recent events again; have the forwarder track what it has already sent (the threat ID is the natural key) or your SIEM will ingest duplicates:
*/5 * * * * /opt/satis/siem-forwarder.sh
Or subscribe to the SSE stream for push delivery without polling. curl -N turns off output buffering so events print as they arrive; a production consumer also needs to reconnect when the connection drops:
curl -N -H "Authorization: Bearer tck_your_key" \
"https://setecastronomyinc.com/api/v1/events"
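A cron-driven forwarder that re-fetches the latest page every 5 minutes has to remember what it already delivered. The following is an added example, not SATIS code: a small poll-and-forward loop that keeps a bounded, atomically written set of event keys on disk and marks events as seen only after the send succeeds, so a failed push is retried on the next run. The HEC event layout (SATIS fields under "event" with the ID in "threat_id"), the PAGES used by demo() and the state-file name are constructed assumptions; fetch_satis shows the real fetch and the send callable is whatever posts the batch to your SIEM.

```python
"""Forwarder that remembers what it has already sent, for use from cron.

Added example, not SATIS code. The HEC layout (fields under "event", ID in
"threat_id"), PAGES and the state-file name are constructed assumptions.
"""
import json
import os
import urllib.request
from collections import OrderedDict
from typing import Callable, List


def event_key(event: dict) -> str:
    """Threat ID plus timestamp: a threat re-observed at a new time is still forwarded."""
    inner = event.get("event", event)
    return f"{inner['threat_id']}@{event.get('time', inner.get('time'))}"


class SeenStore:
    """Bounded, insertion-ordered set of keys persisted to a JSON file between runs."""

    def __init__(self, path: str, max_keys: int = 50_000):
        self.path, self.max_keys = path, max_keys
        self._keys: "OrderedDict[str, None]" = OrderedDict()
        if os.path.exists(path):
            with open(path) as f:
                for k in json.load(f):
                    self._keys[k] = None

    def __contains__(self, key: str) -> bool:
        return key in self._keys

    def add(self, key: str) -> None:
        self._keys[key] = None
        while len(self._keys) > self.max_keys:
            self._keys.popitem(last=False)          # evict the oldest key

    def save(self) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(list(self._keys), f)
        os.replace(tmp, self.path)                  # atomic: a crash mid-write cannot corrupt state


def poll_once(fetch: Callable[[], List[dict]], store: SeenStore,
              send: Callable[[List[dict]], None]) -> int:
    """Fetch one page, forward only unseen events, mark them seen only after send succeeds."""
    new, pending = [], set()
    for ev in fetch():
        k = event_key(ev)
        if k not in store and k not in pending:    # pending catches repeats inside one page
            new.append(ev)
            pending.add(k)
    if new:
        send(new)                                   # an exception here leaves nothing marked seen
        for ev in new:
            store.add(event_key(ev))
        store.save()
    return len(new)


def fetch_satis(api_key: str, fmt: str = "splunk", severity: str = "high") -> List[dict]:
    """Real fetch for production use (not exercised by demo)."""
    req = urllib.request.Request(
        f"https://setecastronomyinc.com/api/v1/siem/{fmt}?severity={severity}",
        headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed stand-in for two successive polls: t-2 repeats, t-3 is new,
# and t-1 comes back with a later timestamp (a genuine new observation).
PAGES = [
    [{"time": 1700000000, "sourcetype": "satis:threat",
      "event": {"threat_id": "t-1", "src": "203.0.113.9", "severity": "high"}},
     {"time": 1700000060, "sourcetype": "satis:threat",
      "event": {"threat_id": "t-2", "src": "198.51.100.4", "severity": "high"}}],
    [{"time": 1700000060, "sourcetype": "satis:threat",
      "event": {"threat_id": "t-2", "src": "198.51.100.4", "severity": "high"}},
     {"time": 1700000120, "sourcetype": "satis:threat",
      "event": {"threat_id": "t-3", "src": "192.0.2.77", "severity": "critical"}},
     {"time": 1700000300, "sourcetype": "satis:threat",
      "event": {"threat_id": "t-1", "src": "203.0.113.9", "severity": "high"}}],
]


def demo(state_path: str = "satis_seen_demo.json") -> List[int]:
    """Run the two constructed polls from a clean state; returns events forwarded per poll."""
    if os.path.exists(state_path):
        os.remove(state_path)
    store, forwarded = SeenStore(state_path), []
    return [poll_once(lambda page=page: page, store, forwarded.append) for page in PAGES]
```

Wire it to cron by replacing the demo pages with fetch_satis and the append with the HEC POST from the Splunk section; the state file is what makes consecutive runs idempotent.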
Beyond SIEM: STIX/TAXII
If your threat intelligence platform supports STIX/TAXII (Splunk ES, MISP, OpenCTI, ThreatConnect), you can also pull from our TAXII 2.1 server at /taxii2/. This provides standardized collection-based access with temporal filtering — perfect for scheduled pulls.
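For a scheduled TAXII pull the two details that matter are the added_after cursor (strictly after, so the last-seen timestamp is not re-fetched) and following the envelope's more/next pagination to the end before persisting the new cursor. The code below is an added example, not SATIS code and not a TAXII client library; it follows the TAXII 2.1 specification for the objects endpoint and the X-TAXII-Date-Added-Last header. The API root under /taxii2/, the collection ID, bearer-token auth for the TAXII endpoints and the canned server responses are constructed assumptions.

```python
"""Incremental TAXII 2.1 collection pull using added_after and next.

Added example, not SATIS code and not a TAXII library. The API root, collection ID,
bearer-token auth and the responses from constructed_server are assumptions.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

TAXII_ACCEPT = "application/taxii+json;version=2.1"
FetchFn = Callable[[str], Tuple[dict, Dict[str, str]]]   # url -> (envelope, response headers)


def objects_url(api_root: str, collection_id: str, added_after: Optional[str] = None,
                next_token: Optional[str] = None, limit: int = 100) -> str:
    params: Dict[str, object] = {"limit": limit}
    if added_after:
        params["added_after"] = added_after    # strictly after: the cursor itself is not re-fetched
    if next_token:
        params["next"] = next_token
    return f"{api_root.rstrip('/')}/collections/{collection_id}/objects/?{urlencode(params)}"


def pull_since(fetch: FetchFn, api_root: str, collection_id: str,
               added_after: Optional[str]) -> Tuple[List[dict], Optional[str]]:
    """Follow more/next to the end; return the objects and the cursor for the next run."""
    objects, next_token, cursor = [], None, added_after
    while True:
        envelope, headers = fetch(objects_url(api_root, collection_id, added_after, next_token))
        objects.extend(envelope.get("objects", []))
        cursor = headers.get("X-TAXII-Date-Added-Last", cursor)
        if not envelope.get("more"):
            return objects, cursor
        next_token = envelope.get("next")
        if not next_token:
            raise RuntimeError("server set more=true without a next token")


def http_fetch(api_key: str) -> FetchFn:
    """Real fetcher: TAXII media type plus the bearer token (auth scheme assumed)."""
    def fetch(url: str) -> Tuple[dict, Dict[str, str]]:
        req = urllib.request.Request(url, headers={"Accept": TAXII_ACCEPT,
                                                   "Authorization": f"Bearer {api_key}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp), dict(resp.headers)
    return fetch


def constructed_server(url: str) -> Tuple[dict, Dict[str, str]]:
    """Stand-in for the TAXII server: one continuation page, then the end of the feed."""
    indicator = {"type": "indicator", "spec_version": "2.1",
                 "id": "indicator--11111111-1111-4111-8111-111111111111",
                 "pattern": "[ipv4-addr:value = '203.0.113.9']", "pattern_type": "stix"}
    if "next=" not in url:
        return ({"more": True, "next": "p2", "objects": [indicator]},
                {"X-TAXII-Date-Added-Last": "2024-01-01T00:05:00.000Z"})
    second = dict(indicator, id="indicator--22222222-2222-4222-8222-222222222222",
                  pattern="[ipv4-addr:value = '198.51.100.4']")
    return ({"more": False, "objects": [second]},
            {"X-TAXII-Date-Added-Last": "2024-01-01T00:07:00.000Z"})
```

Persist the returned cursor only after the objects have been handed to the TIP; if the process dies halfway through the pages, the next run starts from the old cursor and simply sees the same objects again, which STIX IDs make harmless.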
The full SIEM integration guide is available at setecastronomyinc.com/siem.