🛡️ GuardFoxCopilot Documentation

SIEM Ingest API

Technical reference for the POST /api/siem/ingest webhook — connector setup, HMAC signing, batch format, and normalisation for all 10 supported connectors.

Route: /siem

Connector configuration reference

Setup

Connector Configuration Reference

All connectors send data to the same endpoint:

POST https://portal.guardfoxsecurity.com/api/siem/ingest
Content-Type: application/json
X-GuardFox-Source: <connector-name>
X-GuardFox-Signature: sha256=<hmac-hex>   (optional but recommended)

Supported X-GuardFox-Source values

syslog · wazuh · crowdstrike · okta · m365 · azure · aws · cloudtrail · guardduty · paloalto · panorama · generic

If X-GuardFox-Source is not set, the pipeline auto-detects the connector from the payload shape.

Wazuh setup

In /var/ossec/etc/ossec.conf:

<integration>
  <name>custom-webhook</name>
  <hook_url>https://portal.guardfoxsecurity.com/api/siem/ingest</hook_url>
  <alert_format>json</alert_format>
  <level>6</level>
</integration>

CrowdStrike setup

Falcon Console → Settings → Integrations → SIEM Connector:

  • URL: https://portal.guardfoxsecurity.com/api/siem/ingest
  • Header: X-GuardFox-Source: crowdstrike

Okta setup

Okta Admin → Security → Log Streaming → Add:

  • Type: HTTPS
  • URL: https://portal.guardfoxsecurity.com/api/siem/ingest
  • Header: X-GuardFox-Source: okta

Palo Alto Panorama

Configure a syslog server profile in Panorama pointing to your ingest endpoint on port 443 with HTTPS. Set X-GuardFox-Source: paloalto.

Generic JSON webhook

Any tool that can POST JSON — Zapier, n8n, Make, custom scripts:

curl -X POST https://portal.guardfoxsecurity.com/api/siem/ingest \
  -H "Content-Type: application/json" \
  -H "X-GuardFox-Source: generic" \
  -H "X-GuardFox-Signature: sha256=$(echo -n '$BODY' | openssl dgst -sha256 -hmac '$SECRET' | cut -d' ' -f2)" \
  -d '{"message":"Login failure","severity":"high","host":"server01","srcIp":"1.2.3.4"}'

Batch format and response

API Reference

Batch Format

Send a single event or an array of up to 1,000 events per request:

// Single event
{ "message": "...", "severity": "high", "host": "server01" }

// Batch of events
[
  { "message": "Event 1", "severity": "high", "host": "server01" },
  { "message": "Event 2", "severity": "low",  "host": "server02" }
]

Response

{ "ok": true, "inserted": 47, "duplicates": 2, "errors": 0 }

Deduplication

Events with an id / eventId / uuid field are deduplicated against the last 24 hours. If the same eventId arrives twice in 24h, the second is counted as a duplicate and skipped.

Auto-alert creation

Any event with severity critical or high automatically creates an Alert record. The alert appears in Alert Explorer within seconds.

HMAC authentication

Set SIEM_INGEST_SECRET in your .env. Sign each request body with HMAC-SHA256 and send the hex digest as X-GuardFox-Signature: sha256=<hex>. Without the secret env var, the signature check is skipped (dev mode).