Live SIEM
Real-time security event ingestion, correlation, and pivot analysis across 10 connectors.
/siemHow it works
OverviewHow the SIEM Engine Works
GuardFoxCopilot ingests security events from up to 10 data sources simultaneously. All events are normalised into the SIEMEvent schema before storage, which enables cross-source correlation and pivot analysis.
Ingestion flow:
- Source sends data to
POST /api/siem/ingest(webhook) or GuardFoxCopilot polls the source API - Events are parsed and normalised — fields mapped to:
user,host,srcIp,message,eventId,timestamp,category - Events are stored in PostgreSQL via Prisma
- If an event matches a SOAR trigger rule, the playbook engine fires
- AI root-cause analysis runs on correlated event clusters
Supported connectors:
- Syslog (UDP/514)
- Wazuh (webhook)
- CrowdStrike Falcon (API stream)
- AWS CloudTrail + GuardDuty
- Okta Identity Events
- Microsoft 365 / Azure AD
- Palo Alto Panorama
- Generic webhook (JSON)
- EDR agent events (internal)
Connecting a source
SetupConnecting a Data Source
Step 1 — Go to Administration → Data Sources
Each connector has a unique webhook URL and optional API key.
Step 2 — Configure your source
Syslog (UDP)
Host: portal.guardfoxsecurity.com
Port: 5140
Protocol: UDP
Format: RFC 5424 or RFC 3164Wazuh
In /var/ossec/etc/ossec.conf, add an integration block:
<integration>
<name>custom-webhook</name>
<hook_url>https://portal.guardfoxsecurity.com/api/siem/ingest</hook_url>
<alert_format>json</alert_format>
</integration>CrowdStrike
In the Falcon console: Settings → Integrations → SIEM Connector
- Protocol: HTTPS
- URL:
https://portal.guardfoxsecurity.com/api/siem/ingest - Format: JSON
Generic webhook
POST JSON to /api/siem/ingest with header X-GuardFoxKey: YOUR_INGEST_KEY.
Using the SIEM view
How to useUsing the Live SIEM
Event stream
The main view shows a real-time event stream with auto-refresh every 10 seconds. Events are colour-coded by severity.
Root-cause pivot
Click any IP, hostname, or username to pivot — the SIEM immediately filters to all events involving that entity across all sources and time.
AI root-cause summary
Click the AI Analyse button on any event cluster to generate a natural-language narrative explaining the sequence of events, likely attack technique, and recommended actions.
Filters
- Source — filter to one connector
- Category — Authentication, Network, Endpoint, Policy
- Time range — last 1h / 6h / 24h / 7d / custom
- Severity — Critical, High, Medium, Low, Info
Export
Click Export CSV to download the current filtered view. Useful for offline analysis or sharing with stakeholders.