API Reference
SIEM Export API

SIEM Export API

SIEM webhooks deliver governance and security events to your Security Information and Event Management (SIEM) platform. Choose from CEF, Syslog, or JSON formats to match your SIEM's ingestion requirements.

SIEM Webhook Object

{
  "id": "siem_01HXYZ",
  "name": "Splunk ingestion",
  "url": "https://splunk.company.com:8088/services/collector",
  "format": "cef",
  "event_types": ["restriction.triggered", "audit.query", "auth.failed"],
  "is_active": true,
  "created_at": "2025-01-15T10:30:00Z",
  "updated_at": "2025-01-15T10:30:00Z"
}

Endpoints

MethodPathDescription
GET/siemList all SIEM webhooks
POST/siemCreate a new SIEM webhook
PUT/siem/{id}Update an existing SIEM webhook
DELETE/siem/{id}Delete a SIEM webhook

List SIEM Webhooks

GET /api/v1/siem

cURL

curl https://api.xilos.ai/api/v1/siem \
  -H "Authorization: Bearer YOUR_X..._KEY"

Response

Returns an array of SIEM Webhook Objects.


Create SIEM Webhook

POST /api/v1/siem

Request Body

FieldTypeRequiredDescription
namestringYesHuman-readable name for the SIEM webhook.
urlstringYesHTTPS URL of your SIEM ingestion endpoint.
formatstringYesOutput format: cef, syslog, or json.
event_typesarrayYesList of governance event types to forward.
is_activebooleanNoWhether the webhook is active. Default: true.

Format Options

FormatDescription
cefCommon Event Format — used by Splunk, ArcSight, and similar SIEMs.
syslogStandard syslog messages, suitable for rsyslog or syslog-ng collectors.
jsonStructured JSON payloads for custom ingestion pipelines.

Available Event Types

Event TypeDescription
restriction.triggeredA restriction rule blocked, masked, or flagged a query.
audit.queryA query was processed through the governance pipeline.
audit.routingA routing decision was made.
auth.failedAn authentication attempt failed.
config.changedA configuration change was made (rules, webhooks, keys).
key.exceeded_budgetA virtual key exceeded its budget limit.
key.exceeded_rate_limitA virtual key exceeded its rate limit.

cURL

curl -X POST https://api.xilos.ai/api/v1/siem \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_X..._KEY" \
  -d '{
    "name": "Splunk ingestion",
    "url": "https://splunk.company.com:8088/services/collector",
    "format": "cef",
    "event_types": ["restriction.triggered", "audit.query", "auth.failed"],
    "is_active": true
  }'

Response

Returns the created SIEM Webhook Object.


Update SIEM Webhook

PUT /api/v1/siem/{id}

Updates an existing SIEM webhook. All fields are optional.

Request Body

FieldTypeRequiredDescription
namestringNoUpdated name.
urlstringNoUpdated URL.
formatstringNoUpdated format.
event_typesarrayNoUpdated event types.
is_activebooleanNoToggle active state.

cURL

curl -X PUT https://api.xilos.ai/api/v1/siem/siem_01HXYZ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_X..._KEY" \
  -d '{
    "format": "json",
    "event_types": ["restriction.triggered", "audit.query", "config.changed"]
  }'

Response

Returns the updated SIEM webhook object.


Delete SIEM Webhook

DELETE /api/v1/siem/{id}

cURL

curl -X DELETE https://api.xilos.ai/api/v1/siem/siem_01HXYZ \
  -H "Authorization: Bearer YOUR_X..._KEY"

Response

{
  "id": "siem_01HXYZ",
  "deleted": true
}

Setting Up SIEM Integration

Choose a Format

Select the format that matches your SIEM platform. Use cef for Splunk or ArcSight, syslog for standard log collectors, and json for custom pipelines.

Select Event Types

Subscribe to the governance events your security team needs. Start with restriction.triggered and audit.query, then expand as needed.

Configure Your SIEM

Point your SIEM's HTTP collector at the webhook URL. Ensure it can accept POST requests with the chosen format.

Verify Delivery

Trigger a test event (e.g., a flagged query) and confirm it appears in your SIEM. Check the audit trail in the dashboard for delivery status.

Info: For more on audit logging and governance events, see Audit Trail and SIEM Integration.