SIEM Integration Guide

Connect SATIS threat intelligence to your SIEM platform. Native output formats are provided for the platforms listed below; anything else that ingests CEF over syslog is covered by the generic CEF output.

Supported Formats

Format     Platform                              Content-Type
cef        ArcSight, any CEF-compatible SIEM     text/plain
leef       IBM QRadar                            text/plain
splunk     Splunk (HEC JSON)                     application/json
sentinel   Microsoft Sentinel                    application/json

API Endpoint

GET /api/v1/siem/{format}

# Parameters:
#   format   - cef, leef, splunk, or sentinel
#   count    - max events (default: 500, max: 10000)
#   severity - filter by severity (low, medium, high, critical)

# Example: Fetch CEF-formatted critical threats
curl -H "Authorization: Bearer tck_your_key" \
     "https://setecastronomyinc.com/api/v1/siem/cef?severity=critical"

Splunk Integration

Forward SATIS threats to Splunk via the HTTP Event Collector.

Option 1: Direct HEC Forwarding

#!/bin/bash
# Fetch SATIS threats in Splunk HEC format and forward to Splunk.
# Credentials come from the environment so they are not committed with the script.
set -euo pipefail
SATIS_KEY="${SATIS_KEY:?set SATIS_KEY to your tck_ API key}"
SPLUNK_HEC="https://splunk.example.com:8088/services/collector/event"
SPLUNK_TOKEN="${SPLUNK_TOKEN:?set SPLUNK_TOKEN to your HEC token}"

# --fail makes curl exit non-zero on an HTTP error, so a revoked key cannot
# silently turn into an empty feed. Do not pass -k to the HEC POST: it disables
# certificate verification. If Splunk uses a private CA, point curl at it with
# --cacert /path/to/ca.pem instead.
curl -sS --fail -H "Authorization: Bearer $SATIS_KEY" \
     "https://setecastronomyinc.com/api/v1/siem/splunk?severity=high" \
  | jq -c '.[]' \
  | while IFS= read -r event; do
      curl -sS --fail -X POST "$SPLUNK_HEC" \
           -H "Authorization: Splunk $SPLUNK_TOKEN" \
           -H "Content-Type: application/json" \
           --data-binary "$event"
    done

Option 2: STIX/TAXII Feed
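The script above posts one event per request. The following added example, which is not code from SATIS or Splunk, batches the feed into a few HEC requests, keeps certificate verification on (pass a CA bundle path for a private CA rather than disabling checks), and retries on 429/503. It assumes the splunk format returns a JSON array of HEC-ready objects, as the jq '.[]' above implies; the host in HEC_URL, the sourcetype satis:threat and the field names inside the constructed SAMPLE_FEED are assumptions, not the SATIS schema.

```python
"""Batch-forward SATIS events to Splunk HEC with TLS verification kept on (stdlib only)."""
import json
import ssl
import time
import urllib.error
import urllib.request

HEC_URL = "https://splunk.example.com:8088/services/collector/event"  # assumed host

# Constructed stand-in for what the splunk endpoint is taken to return: a JSON
# array of HEC-ready objects. The field names inside "event" are made up; the
# third entry is deliberately not wrapped to show the normalisation step.
SAMPLE_FEED = [
    {"event": {"threat_id": "TC-00000001", "src": "203.0.113.45", "action": "block"}, "sourcetype": "satis:threat"},
    {"event": {"threat_id": "TC-00000002", "src": "198.51.100.7", "action": "alert"}, "sourcetype": "satis:threat"},
    {"threat_id": "TC-00000003", "src": "192.0.2.9"},
]

def fetch_feed(api_key, severity="high", count=500):
    """GET the splunk-format feed; the key travels in the header, never in the URL."""
    req = urllib.request.Request(
        f"https://setecastronomyinc.com/api/v1/siem/splunk?severity={severity}&count={count}",
        headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)

def to_hec(obj):
    """HEC wants {"event": ...}; wrap bare objects, pass wrapped ones through."""
    if isinstance(obj, dict) and "event" in obj:
        return obj
    return {"event": obj, "sourcetype": "satis:threat"}  # sourcetype name is an assumption

def hec_batches(events, max_bytes=512 * 1024):
    """Concatenate HEC events into POST bodies of at most max_bytes each.

    HEC accepts several JSON objects in one body, so one request can carry many
    events. Keep max_bytes below the max_content_length set on the HEC input.
    """
    batches, current, size = [], [], 0
    for ev in events:
        line = json.dumps(to_hec(ev), separators=(",", ":")).encode("utf-8")
        if len(line) > max_bytes:
            raise ValueError("single event larger than max_bytes")
        if current and size + len(line) + 1 > max_bytes:
            batches.append(b"\n".join(current))
            current, size = [], 0
        current.append(line)
        size += len(line) + 1
    if current:
        batches.append(b"\n".join(current))
    return batches

def post_batch(body, token, url=HEC_URL, ca_bundle=None, retries=3):
    """POST one batch. ca_bundle: PEM path for a private CA (None = system store).

    Certificate verification stays on; never reach for the -k / verify=False
    equivalent. 429 and 503 are retried with linear backoff, other errors raise.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    for attempt in range(retries + 1):
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return json.load(resp)  # {"text":"Success","code":0} on success
        except urllib.error.HTTPError as err:
            if err.code not in (429, 503) or attempt == retries:
                raise
            time.sleep(attempt + 1)

def forward(events, token, **kw):
    """Send all events in batches; returns the number of events posted."""
    sent = 0
    for body in hec_batches(events):
        post_batch(body, token, **kw)
        sent += body.count(b"\n") + 1
    return sent

if __name__ == "__main__":
    import os
    feed = fetch_feed(os.environ["SATIS_KEY"])
    print("forwarded", forward(feed, os.environ["SPLUNK_TOKEN"], ca_bundle=os.environ.get("SPLUNK_CA")))
```

Run it with SATIS_KEY and SPLUNK_TOKEN in the environment, plus SPLUNK_CA when the HEC endpoint presents a certificate from a private CA. A single oversized event raises rather than being silently dropped or split, which is the failure you want to see in the cron log.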

Configure Splunk's STIX/TAXII input to poll /api/v1/stix/indicators on a schedule.

IBM QRadar

Two integration options for QRadar:

Option 1: LEEF Log Source

# Poll the SATIS LEEF endpoint and relay each line to QRadar over syslog.
# The -n/-P/-T options are util-linux logger: they send straight to the
# collector over TCP (no UDP datagram size limit). Drop them to hand lines to
# the local syslog daemon and let it forward. QRadar expects a syslog header
# in front of LEEF, which logger adds. Replace QRADAR_HOST with your collector.
QRADAR_HOST="qradar.example.com"
curl -sS --fail -H "Authorization: Bearer tck_your_key" \
     "https://setecastronomyinc.com/api/v1/siem/leef" \
  | while IFS= read -r line; do
      [ -n "$line" ] || continue
      logger -n "$QRADAR_HOST" -P 514 -T -p local0.info -t SATIS "$line"
    done

Option 2: CEF via Syslog

QRadar also supports CEF format. Use the /api/v1/siem/cef endpoint with a syslog forwarder.

Microsoft Sentinel

Send SATIS threats to Sentinel via the Log Analytics Data Collector API.

#!/usr/bin/env python3
# Forward SATIS threats to Microsoft Sentinel via the Log Analytics Data
# Collector API. Each request is signed with HMAC-SHA256 over a canonical
# string, per Microsoft's SharedKey scheme. Note that Microsoft has deprecated
# this API in favour of the Logs Ingestion API; plan the migration.
import base64, hashlib, hmac, json, os
from datetime import datetime, timezone
import requests

SATIS_KEY = os.environ["SATIS_KEY"]        # tck_... key; keep it out of the source
WORKSPACE_ID = os.environ["WORKSPACE_ID"]  # Log Analytics workspace ID
SHARED_KEY = os.environ["SHARED_KEY"]      # workspace primary or secondary key
LOG_TYPE = "SATISThreats"                  # records land in the SATISThreats_CL table

# Fetch threats in Sentinel format
resp = requests.get(
    "https://setecastronomyinc.com/api/v1/siem/sentinel",
    headers={"Authorization": f"Bearer {SATIS_KEY}"},
    timeout=30,
)
resp.raise_for_status()
body = json.dumps(resp.json()).encode("utf-8")

# Sign: METHOD \n CONTENT-LENGTH \n CONTENT-TYPE \n x-ms-date:DATE \n RESOURCE
resource = "/api/logs"
date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
to_sign = f"POST\n{len(body)}\napplication/json\nx-ms-date:{date}\n{resource}"
mac = hmac.new(base64.b64decode(SHARED_KEY), to_sign.encode("utf-8"), hashlib.sha256)
signature = f"SharedKey {WORKSPACE_ID}:{base64.b64encode(mac.digest()).decode()}"

# POST to the workspace's Data Collector endpoint
url = f"https://{WORKSPACE_ID}.ods.opinsights.azure.com{resource}?api-version=2016-04-01"
post = requests.post(url, data=body, timeout=30, headers={
    "Content-Type": "application/json", "Authorization": signature,
    "Log-Type": LOG_TYPE, "x-ms-date": date})
post.raise_for_status()  # 200 means accepted; rows appear in the table within minutes

ArcSight / Generic CEF

Any SIEM that supports CEF over syslog can ingest SATIS threats.

# Example CEF output:
CEF:0|Setec Astronomy|SATIS|1.0|threat.block|ssh-brute-force|7|src=203.0.113.45 act=block cs1=TC-8A3F92B1... cs1Label=ThreatID cs2=fail2ban cs2Label=Source cn1=92 cn1Label=Confidence

Automation

Set up a cron job or systemd timer to poll the SIEM endpoint periodically. The endpoint takes no cursor or since parameter (only count and severity), so consecutive polls return overlapping results; have the forwarder deduplicate on the ThreatID (cs1 in the CEF output) before it sends anything on.

# Poll every 5 minutes via cron
*/5 * * * * /opt/satis/siem-forwarder.sh

# Or use the SSE real-time stream for instant updates:
curl -N -H "Authorization: Bearer tck_your_key" \
     "https://setecastronomyinc.com/api/v1/events"
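The CEF example under ArcSight / Generic CEF and the scheduled polling in this section call for the same two pieces: a parser that splits the CEF header and extension correctly (escaped pipes in the header, escaped equals signs in values, csN/csNLabel pairs resolved to their label names) and a record of which ThreatIDs have already been forwarded, since polls overlap. The following added example, not SATIS's own code, does both against constructed sample lines modelled on the example output above; the ThreatIDs, addresses, signature names and the scratch state-file location are made up.

```python
"""Parse SATIS CEF lines and keep per-poll state so each threat is forwarded once."""
import json
import os
import re
import tempfile

# Constructed sample polls in the shape of the page's example CEF line. ThreatIDs
# and addresses are made up. The second poll repeats one event from the first,
# and its new line has an escaped pipe in the header and an escaped '=' in a value.
POLL_1 = [
    r"CEF:0|Setec Astronomy|SATIS|1.0|threat.block|ssh-brute-force|7|src=203.0.113.45 act=block cs1=TC-8A3F92B1 cs1Label=ThreatID cs2=fail2ban cs2Label=Source cn1=92 cn1Label=Confidence",
    r"CEF:0|Setec Astronomy|SATIS|1.0|threat.alert|web-scanner|5|src=198.51.100.7 act=alert cs1=TC-0C1D2E3F cs1Label=ThreatID cs2=waf cs2Label=Source cn1=61 cn1Label=Confidence",
]
POLL_2 = [
    POLL_1[1],  # returned again because the feed has no cursor
    r"CEF:0|Setec Astronomy|SATIS|1.0|threat.block|http-path-probe \| sqli|8|src=192.0.2.9 act=block request=/login?user\=admin cs1=TC-7777AAAA cs1Label=ThreatID cn1=88 cn1Label=Confidence",
]

HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # unescaped key= boundaries
_UNESC = re.compile(r"\\([=\\nr])")                # \= \\ \n \r inside values

def split_header(line):
    """Return the seven header fields and the extension, honouring the \\| escape."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: expected 7 pipe-delimited header fields")
    return fields, line[i:]

def parse_extension(ext):
    """Split key=value pairs; values may contain spaces and CEF escapes."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = _UNESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw).strip()
    return out

def parse_cef(line):
    fields, ext = split_header(line)
    rec = dict(zip(HEADER, fields))
    rec["severity"] = int(rec["severity"]) if rec["severity"].isdigit() else rec["severity"]
    rec["ext"] = parse_extension(ext)
    # Expose csN/cnN values under their csNLabel/cnNLabel names (ThreatID, Source, ...).
    for k, label in list(rec["ext"].items()):
        if k.endswith("Label") and k[:-5] in rec["ext"]:
            rec["ext"][label] = rec["ext"][k[:-5]]
    return rec

def load_seen(path):
    try:
        with open(path) as f:
            return set(json.load(f))
    except FileNotFoundError:
        return set()

def save_seen(path, seen):
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(sorted(seen), f)
    os.replace(tmp, path)  # atomic rename: a crash mid-write cannot corrupt the state

def new_threats(lines, seen):
    """Parse lines, return records not forwarded before; lines without a ThreatID pass through."""
    fresh = []
    for line in lines:
        rec = parse_cef(line)
        tid = rec["ext"].get("ThreatID")
        if tid in seen:
            continue
        if tid is not None:
            seen.add(tid)
        fresh.append(rec)
    return fresh

def poll(lines, state_path):
    """One scheduled run: load state, filter, persist, return what to forward."""
    seen = load_seen(state_path)
    fresh = new_threats(lines, seen)
    save_seen(state_path, seen)
    return fresh

def demo():
    """Two consecutive polls against a scratch state file; returns the IDs forwarded each run."""
    state = os.path.join(tempfile.mkdtemp(), "satis_seen.json")
    first = [r["ext"]["ThreatID"] for r in poll(POLL_1, state)]
    second = [r["ext"]["ThreatID"] for r in poll(POLL_2, state)]
    return first, second
```

In a real forwarder the lines come from the cef endpoint and the records go to the syslog or HEC sender of your choice; the state file should live somewhere persistent such as /var/lib, not a temp directory. The seen set grows without bound, so prune IDs older than the window the feed's count parameter can return.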