MazeVault SIEM Integration Guide

Overview

MazeVault supports real-time streaming of audit events to external SIEM platforms and ELK stacks. This guide covers setup for all supported platforms:

  • Elasticsearch / ELK Stack — Bulk API with ECS field mapping
  • Splunk Enterprise Security — HEC (HTTP Event Collector)
  • Microsoft Sentinel — via Syslog/CEF connector
  • IBM QRadar — via Syslog/LEEF connector
  • Generic Syslog — RFC 5424 for any syslog-compatible receiver

1. Elasticsearch / ELK Stack

1.1 Prerequisites

  • Elasticsearch 7.x or 8.x cluster
  • Kibana access for importing detection rules and dashboards
  • API Key or basic auth credentials

1.2 Configure in MazeVault

  1. Navigate to Organization Settings → Audit Streams
  2. Click Add Streaming Destination
  3. Select Elasticsearch / ELK
  4. Configure:
       • Endpoints: Comma-separated Elasticsearch URLs (e.g., https://es1:9200, https://es2:9200)
       • Authentication: API Key (recommended) or Basic Auth
       • Index Pattern: mazevault-audit (date suffix auto-appended)
       • Ingest Pipeline: Optional — specify if you have a custom pipeline
  5. Click Save Destination

1.3 Import Index Template & ILM Policy

# Import ILM policy (hot→warm→cold→delete lifecycle)
# Against a secured cluster, add credentials to each request,
# e.g. -H "Authorization: ApiKey $ES_API_KEY" or -u user:password
curl -X PUT "https://ES_HOST:9200/_ilm/policy/mazevault-audit-policy" \
  -H "Content-Type: application/json" \
  -d @mazevault-ilm-policy.json

# Import index template
curl -X PUT "https://ES_HOST:9200/_index_template/mazevault-audit" \
  -H "Content-Type: application/json" \
  -d @mazevault-index-template.json

Note: MazeVault auto-creates the ILM policy and index template on first connection. Manual import is only needed if you want to customize settings before the first event is indexed.

1.4 Import Detection Rules

  1. Open Kibana → Security → Detection Rules
  2. Click Import rules
  3. Upload mazevault-detection-rules.ndjson
  4. Enable the imported rules

1.5 Detection Rules Included

Rule ID        Name                            Severity
MV-AUTH-001    Brute Force Detection           HIGH
MV-AUTH-002    Impossible Travel Login         CRITICAL
MV-AUTH-003    After-Hours Access              MEDIUM
MV-AUTH-004    Privilege Escalation            CRITICAL
MV-AUTH-005    MFA Bypass Attempt              HIGH
MV-EXFIL-001   Bulk Secret Export              CRITICAL
MV-EXFIL-002   Mass Secret Read                HIGH
MV-EXFIL-003   Certificate Mass Export         HIGH
MV-CERT-001    Unauthorized Cert Issuance      CRITICAL
MV-CERT-002    CA Account Tampering            HIGH
MV-CERT-003    Mass Certificate Revocation     CRITICAL
MV-ACL-001     Mass Permission Change          HIGH
MV-ACL-002     Admin Role Granted              MEDIUM
MV-ACL-003     Suspicious Project Deletion     CRITICAL
MV-SYS-001     Audit Stream Disabled           CRITICAL
MV-SYS-002     Chain Hash Integrity Anomaly    CRITICAL
MV-SYS-003     Integration Config Change       MEDIUM
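The table above names what each rule looks for but not how. As an illustration of the kind of check MV-SYS-002 (Chain Hash Integrity Anomaly) implies, the following added example (not the shipped rule, and not MazeVault's own code) walks a batch of ECS-shaped documents in timestamp order and reports every event whose mazevault.previous_hash does not equal the mazevault.chain_hash of the event before it, plus any chain_hash value that appears twice. It relies only on the field names from the ECS mapping reference; the hash values in the sample are placeholder strings, not real digests, and the hash construction itself is not assumed.

```python
from typing import Dict, List


def ecs_doc(ts: str, request_id: str, chain_hash: str, previous_hash: str) -> Dict:
    """Minimal ECS-shaped document using the mazevault.* fields from the mapping reference."""
    return {
        "@timestamp": ts,
        "mazevault": {
            "request_id": request_id,
            "chain_hash": chain_hash,
            "previous_hash": previous_hash,
        },
    }


# Constructed sample: hash values are placeholders, and the docs arrive out of order
# on purpose (a SIEM query does not guarantee ingestion order). req-C's previous_hash
# should be "h2" (req-B's chain_hash) but says "h1": that is the planted anomaly.
SAMPLE_DOCS = [
    ecs_doc("2024-05-01T12:00:02Z", "req-B", "h2", "h1"),
    ecs_doc("2024-05-01T12:00:04Z", "req-D", "h4", "h3"),
    ecs_doc("2024-05-01T12:00:01Z", "req-A", "h1", "h0"),
    ecs_doc("2024-05-01T12:00:03Z", "req-C", "h3", "h1"),
]


def chain_anomalies(docs: List[Dict]) -> List[Dict]:
    """Return link breaks and duplicate chain hashes found in a batch of audit documents.

    Events are ordered by @timestamp first; two events with an identical timestamp
    would need a secondary sort key (e.g. request_id) in a production version.
    """
    ordered = sorted(docs, key=lambda d: d["@timestamp"])
    anomalies: List[Dict] = []
    seen_hashes = set()
    for i, cur in enumerate(ordered):
        mv = cur["mazevault"]
        # A chain hash should never repeat: a repeat suggests replayed or duplicated records.
        if mv["chain_hash"] in seen_hashes:
            anomalies.append({"kind": "duplicate_chain_hash",
                              "request_id": mv["request_id"],
                              "chain_hash": mv["chain_hash"]})
        seen_hashes.add(mv["chain_hash"])
        if i == 0:
            continue  # the first event in the batch has no predecessor to check against
        expected = ordered[i - 1]["mazevault"]["chain_hash"]
        found = mv["previous_hash"]
        if found != expected:
            anomalies.append({"kind": "broken_link",
                              "request_id": mv["request_id"],
                              "expected_previous": expected,
                              "found_previous": found})
    return anomalies


if __name__ == "__main__":
    for a in chain_anomalies(SAMPLE_DOCS):
        print(a)
```

A gap between batches (the first event of a query window pointing at a hash that was in the previous window) is not an anomaly, which is why the first event is skipped; run the check over overlapping windows if you want every link covered.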

1.6 Verify

  1. Trigger a test event (e.g., login to MazeVault)
  2. In Kibana → Discover, search index mazevault-audit-*
  3. Verify ECS fields: event.action, user.id, source.ip, mazevault.*

2. Splunk Enterprise Security

2.1 Prerequisites

  • Splunk Enterprise or Cloud with HEC enabled
  • HEC token generated

2.2 Configure in MazeVault

  1. Navigate to Organization Settings → Audit Streams
  2. Click Add Streaming Destination
  3. Select Splunk HEC
  4. Configure:
       • HEC Endpoint: https://splunk:8088/services/collector
       • HEC Token: Your generated token
       • Index: Target index (e.g., main or mazevault)
       • Source Type: mazevault:audit
  5. Click Save Destination

2.3 Install Detection Rules

  1. Copy savedsearches.conf to $SPLUNK_HOME/etc/apps/mazevault/local/
  2. Copy props.conf and transforms.conf to the same directory
  3. Restart Splunk: $SPLUNK_HOME/bin/splunk restart

Alternatively, import via the Splunk UI:

  1. Settings → Searches, reports, and alerts
  2. Import each saved search manually

2.4 Verify

  1. Search: index=* sourcetype="mazevault:audit" | head 10
  2. Verify JSON fields are extracted correctly

3. Microsoft Sentinel

3.1 Prerequisites

  • Azure Sentinel workspace configured
  • CEF via AMA (Azure Monitor Agent) data connector enabled
  • Syslog listener on a designated VM (port 514 or custom)

3.2 Configure in MazeVault

  1. Navigate to Organization Settings → Audit Streams
  2. Click Add Streaming Destination
  3. Select Syslog / SIEM (CEF, LEEF, RFC 5424)
  4. Configure:
       • Host: Your syslog forwarder IP/hostname
       • Port: 514 (or custom)
       • Protocol: TCP or TLS (recommended)
       • Message Format: CEF (ArcSight / Sentinel)
       • Application Name: MazeVault
  5. Click Save Destination

3.3 Import Analytic Rules

Using Azure CLI:

az deployment group create \
  --resource-group YOUR_RG \
  --template-file mazevault-sentinel-rules.json

Or via the Azure Portal:

  1. Sentinel → Analytics → Import
  2. Upload mazevault-sentinel-rules.json

3.4 Import Hunting Queries

  1. Sentinel → Hunting → New Query
  2. Copy KQL queries from mazevault-hunting-queries.yaml

3.5 Verify

  1. In Sentinel, go to Logs
  2. Query: CommonSecurityLog | where DeviceVendor == "MazeVault" | take 10

4. IBM QRadar

4.1 Prerequisites

  • QRadar Console access
  • Syslog log source configured

4.2 Configure in MazeVault

  1. Navigate to Organization Settings → Audit Streams
  2. Click Add Streaming Destination
  3. Select Syslog / SIEM (CEF, LEEF, RFC 5424)
  4. Configure:
       • Host: QRadar Event Collector IP
       • Port: 514
       • Protocol: TCP
       • Message Format: LEEF (IBM QRadar)
       • Application Name: MazeVault
  5. Click Save Destination

4.3 Import DSM Extension

  1. Admin → DSM Editor
  2. Click Import and upload mazevault-log-source-extension.xml
  3. Deploy changes

4.4 Import Custom Rules

  1. Admin → Rules
  2. Actions → Import Rules
  3. Upload mazevault-qradar-rules.xml
  4. Deploy changes

4.5 Verify

  1. Log Activity → Filter by Log Source Type "MazeVault"
  2. Verify events are parsed with correct custom properties

5. ECS Field Mapping Reference

MazeVault maps audit events to the Elastic Common Schema (ECS) for Elasticsearch destinations:

MazeVault Field   ECS Field                 Type
CreatedAt         @timestamp                date
Action            event.action              keyword
(constant)        event.module              keyword (always "mazevault")
Severity          event.severity            integer
RiskScore         event.risk_score          integer
UserID            user.id                   keyword
IPAddress         source.ip                 ip
EntityType        mazevault.entity_type     keyword
EntityID          mazevault.entity_id       keyword
Details           mazevault.details         text
ChainHash         mazevault.chain_hash      keyword
PreviousHash      mazevault.previous_hash   keyword
ProjectID         mazevault.project_id      keyword
SessionID         mazevault.session_id      keyword
RequestID         mazevault.request_id      keyword
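To make the mapping concrete, here is an added example (not MazeVault's own code) that turns one audit event with the source field names above into an ECS document and wraps it in an Elasticsearch _bulk request body. The sample event is constructed; the date suffix format YYYY.MM.DD for the mazevault-audit index is an assumption, as the page only says a date suffix is auto-appended.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample event using the MazeVault source field names from the table.
SAMPLE_EVENT = {
    "CreatedAt": "2024-05-01T12:34:56Z",
    "Action": "secret.read",
    "Severity": 3,
    "RiskScore": 42,
    "UserID": "user-123",
    "IPAddress": "203.0.113.10",
    "EntityType": "secret",
    "EntityID": "sec-9f8e",
    "Details": "Read secret DB_PASSWORD",
    "ChainHash": "deadbeef",
    "PreviousHash": "cafebabe",
    "ProjectID": "proj-1",
    "SessionID": "sess-7",
    "RequestID": "req-55",
}


def to_ecs(event: Dict) -> Dict:
    """Map a MazeVault audit event onto the ECS fields listed in section 5."""
    return {
        "@timestamp": event["CreatedAt"],
        "event": {
            "action": event["Action"],
            "module": "mazevault",  # constant, per the mapping table
            "severity": int(event["Severity"]),
            "risk_score": int(event["RiskScore"]),
        },
        "user": {"id": event["UserID"]},
        "source": {"ip": event["IPAddress"]},
        "mazevault": {
            "entity_type": event["EntityType"],
            "entity_id": event["EntityID"],
            "details": event["Details"],
            "chain_hash": event["ChainHash"],
            "previous_hash": event["PreviousHash"],
            "project_id": event["ProjectID"],
            "session_id": event["SessionID"],
            "request_id": event["RequestID"],
        },
    }


def index_name(event: Dict, pattern: str = "mazevault-audit") -> str:
    """Assumption: the auto-appended date suffix is the event's UTC day as YYYY.MM.DD."""
    ts = datetime.fromisoformat(event["CreatedAt"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return f"{pattern}-{ts:%Y.%m.%d}"


def bulk_body(events: List[Dict]) -> str:
    """Build the NDJSON body for POST /_bulk: one action line and one document line per event."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": index_name(ev)}}))
        lines.append(json.dumps(to_ecs(ev), separators=(",", ":")))
    return "\n".join(lines) + "\n"  # the bulk API requires a trailing newline


if __name__ == "__main__":
    print(bulk_body([SAMPLE_EVENT]), end="")
```

Keeping the mazevault.* fields as keyword (not text) in the index template is what lets the chain_hash and previous_hash values be matched exactly in detection rules.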

6. CEF Field Mapping Reference

For Syslog/CEF destinations (Microsoft Sentinel, ArcSight):

CEF Field          MazeVault Source
src                IPAddress
suser              UserID
cs1 (EntityType)   EntityType
cs2 (EntityID)     EntityID
cs3 (ChainHash)    ChainHash
rt                 CreatedAt (epoch ms)
SignatureID        Action
Severity           RiskScore → 0-10 scale

7. LEEF Field Mapping Reference

For Syslog/LEEF destinations (IBM QRadar):

LEEF Key      MazeVault Source
src           IPAddress
usrName       UserID
action        Action
entityType    EntityType
entityId      EntityID
chainHash     ChainHash
riskScore     RiskScore
devTime       CreatedAt
msg           Details
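The two syslog formats above differ mainly in delimiters and escaping, which is where hand-rolled forwarders usually go wrong. The following added example (not MazeVault's code) serialises one constructed event as both a CEF line per section 6 and a LEEF line per section 7. Assumptions not stated on the page: RiskScore is on a 0-100 scale before being squashed to CEF's 0-10; the CEF Name column carries Details; vendor and product are both "MazeVault" (the Sentinel verification query filters on DeviceVendor == "MazeVault") with a placeholder version; LEEF 1.0 with tab-separated attributes is used.

```python
from datetime import datetime
from typing import Dict

# Constructed sample event.
SAMPLE_EVENT = {
    "CreatedAt": "2024-05-01T12:34:56Z", "Action": "secret.read", "RiskScore": 42,
    "UserID": "user-123", "IPAddress": "203.0.113.10", "EntityType": "secret",
    "EntityID": "sec-9f8e", "Details": "Read secret DB_PASSWORD", "ChainHash": "deadbeef",
}
PRODUCT_VERSION = "1.0"  # placeholder; the page does not state a version string


def _cef_header(value: str) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value) -> str:
    """CEF extension values: escape backslash, '=', and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def risk_to_cef_severity(risk: int) -> int:
    """Assumption: RiskScore is 0-100; map it onto CEF's 0-10 severity."""
    return max(0, min(10, round(int(risk) / 10)))


def epoch_ms(iso_ts: str) -> int:
    return int(datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).timestamp() * 1000)


def to_cef(ev: Dict) -> str:
    header = "|".join(_cef_header(x) for x in (
        "MazeVault", "MazeVault", PRODUCT_VERSION,
        ev["Action"],                                # SignatureID
        ev["Details"],                               # Name (assumption)
        risk_to_cef_severity(ev["RiskScore"]),       # Severity
    ))
    ext = [
        ("src", ev["IPAddress"]), ("suser", ev["UserID"]),
        ("cs1Label", "EntityType"), ("cs1", ev["EntityType"]),
        ("cs2Label", "EntityID"), ("cs2", ev["EntityID"]),
        ("cs3Label", "ChainHash"), ("cs3", ev["ChainHash"]),
        ("rt", epoch_ms(ev["CreatedAt"])),
    ]
    return "CEF:0|" + header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext)


def _leef_attr(value) -> str:
    """Tabs delimit LEEF attributes, so tabs and line breaks inside values become spaces."""
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")


def to_leef(ev: Dict) -> str:
    header = "|".join(("LEEF:1.0", "MazeVault", "MazeVault", PRODUCT_VERSION, ev["Action"]))
    attrs = [
        ("src", ev["IPAddress"]), ("usrName", ev["UserID"]), ("action", ev["Action"]),
        ("entityType", ev["EntityType"]), ("entityId", ev["EntityID"]),
        ("chainHash", ev["ChainHash"]), ("riskScore", ev["RiskScore"]),
        ("devTime", ev["CreatedAt"]), ("msg", ev["Details"]),
    ]
    return header + "|" + "\t".join(f"{k}={_leef_attr(v)}" for k, v in attrs)


if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
    print(to_leef(SAMPLE_EVENT))
```

Whichever receiver you use, a value containing a pipe or an equals sign in Details or UserID is a good smoke test: if it splits the record into extra fields in the SIEM, the escaping on the sending side is wrong.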

8. Monitoring & Observability

MazeVault exposes Prometheus metrics for streaming health:

Metric                                        Description
mazevault_log_stream_events_dropped_total     Events dropped due to buffer full
mazevault_log_stream_send_duration_seconds    Send latency per destination
mazevault_log_stream_send_errors_total        Send errors per destination
mazevault_log_stream_batch_size               Batch sizes sent
mazevault_log_stream_dlq_writes_total         Events written to dead letter queue
mazevault_archive_events_dropped_total        Archive events dropped
mazevault_archive_upload_errors_total         Archive upload errors

Dead Letter Queue

If a destination is still unavailable after 3 retry attempts (1s, 2s, 4s exponential backoff), the events are written to /var/log/mazevault/stream_dlq.jsonl for manual replay.

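The retry-then-park behaviour described above, and the manual replay it implies, as an added example (not MazeVault's own implementation): a sender that tries a destination, waits 1s, 2s and 4s between three retries, appends the event to the DLQ file on final failure, and a replay helper that re-sends each parked line and keeps only the ones that still fail. The sleep function is injectable so the demo runs instantly, and the line format (the bare event JSON, one per line) is an assumption, since the page does not show the file's contents.

```python
import json
import os
import tempfile
import time
from typing import Callable, Dict, List, Tuple

# From the page: three retries with 1s, 2s, 4s backoff before an event goes to the DLQ.
BACKOFF_SECONDS = (1, 2, 4)
DLQ_PATH = "/var/log/mazevault/stream_dlq.jsonl"


class StreamSender:
    """Deliver one event to a destination with backoff; park it in the DLQ if every attempt fails."""

    def __init__(self, send: Callable[[Dict], None], dlq_path: str = DLQ_PATH,
                 sleep: Callable[[float], None] = time.sleep):
        self._send = send          # must raise on failure (e.g. an HTTP client raising ConnectionError)
        self._dlq_path = dlq_path
        self._sleep = sleep        # injectable so tests do not actually wait 7 seconds

    def deliver(self, event: Dict) -> bool:
        for delay in (0,) + BACKOFF_SECONDS:  # first attempt, then three retries
            if delay:
                self._sleep(delay)
            try:
                self._send(event)
                return True
            except Exception:
                continue
        # Assumption: one bare event JSON object per DLQ line.
        with open(self._dlq_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, separators=(",", ":")) + "\n")
        return False


def replay_dlq(dlq_path: str, send: Callable[[Dict], None]) -> Tuple[int, int]:
    """Re-send every parked event once; rewrite the file with those that still fail.

    Returns (replayed, remaining).
    """
    if not os.path.exists(dlq_path):
        return 0, 0
    with open(dlq_path, encoding="utf-8") as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    remaining: List[str] = []
    replayed = 0
    for ln in lines:
        try:
            send(json.loads(ln))
            replayed += 1
        except Exception:
            remaining.append(ln)
    # Write the survivors to a temp file and rename, so a crash mid-replay cannot lose events.
    tmp = dlq_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write("".join(ln + "\n" for ln in remaining))
    os.replace(tmp, dlq_path)
    return replayed, len(remaining)


def demo() -> Dict:
    """Constructed run: destination down, event parked, then replayed once it is back."""
    dlq = os.path.join(tempfile.mkdtemp(), "stream_dlq.jsonl")
    sleeps: List[float] = []

    def destination_down(_event: Dict) -> None:
        raise ConnectionError("destination unavailable")

    event = {"Action": "secret.read", "UserID": "user-123", "RequestID": "req-55"}  # constructed
    delivered = StreamSender(destination_down, dlq, sleep=sleeps.append).deliver(event)
    with open(dlq, encoding="utf-8") as fh:
        parked = fh.read().count("\n")
    received: List[Dict] = []
    replayed, remaining = replay_dlq(dlq, received.append)  # destination is back: accept everything
    return {"delivered": delivered, "sleeps": sleeps, "parked": parked,
            "replayed": replayed, "remaining": remaining, "received": received}


if __name__ == "__main__":
    print(demo())
```

Replaying out of the DLQ re-sends events after the fact, so downstream rules that key on arrival time (after-hours access, impossible travel) should be evaluated on @timestamp / devTime rather than on ingestion time.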
9. Troubleshooting

No events appearing in SIEM

  1. Check destination status in MazeVault UI (green = active)
  2. Check Prometheus metric mazevault_log_stream_send_errors_total
  3. Check DLQ file: tail -f /var/log/mazevault/stream_dlq.jsonl
  4. Verify network connectivity from MazeVault to SIEM endpoint

High latency

  1. Check mazevault_log_stream_send_duration_seconds histogram
  2. Consider reducing batch size or increasing flush interval
  3. For Elasticsearch: ensure bulk API is not rate-limited

Events dropped

  1. Monitor mazevault_log_stream_events_dropped_total
  2. If consistently dropping, increase channel buffer or add more destinations with lower latency

Files Reference

siem-rules/
├── elastic/
│   ├── mazevault-detection-rules.ndjson    # Kibana import (17 rules)
│   ├── mazevault-ilm-policy.json           # ILM lifecycle policy
│   └── mazevault-index-template.json       # Index template with mappings
├── splunk/
│   ├── savedsearches.conf                  # Correlation searches (15 rules)
│   ├── props.conf                          # Source type definition
│   └── transforms.conf                     # Field extractions
├── sentinel/
│   ├── mazevault-sentinel-rules.json       # ARM template (7 analytic rules)
│   └── mazevault-hunting-queries.yaml      # KQL hunting queries (6 queries)
└── qradar/
    ├── mazevault-qradar-rules.xml          # Custom rules (8 rules)
    └── mazevault-log-source-extension.xml  # DSM / log source type definition