Overview
RAXE integrates with enterprise SIEMs to provide centralized threat visibility. Forward scan events in native formats to:
| SIEM | Format / transport |
| --- | --- |
| Splunk | HTTP Event Collector (HEC) format |
| CrowdStrike Falcon LogScale (Humio) | Ingest API |
| Microsoft Sentinel | Data Collector API with HMAC auth |
| ArcSight | SmartConnector CEF format |
| CEF (Generic) | Any CEF-compatible SIEM via HTTP or Syslog |
| Syslog | UDP, TCP, or TLS transport |
CEF (Common Event Format) support means RAXE works with any SIEM that accepts CEF, including QRadar, LogRhythm, Elastic SIEM, Sumo Logic, and more.
Quick Start (CLI)
Configure SIEM integration per customer:
```bash
# Splunk HEC
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type splunk \
  --url https://splunk.company.com:8088/services/collector/event \
  --token "hec-token-here" \
  --index security \
  --source raxe

# Test the connection
raxe customer siem test cust_acme --mssp mssp_partner

# View configuration
raxe customer siem show cust_acme --mssp mssp_partner
```
Splunk
Configuration
```bash
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type splunk \
  --url https://splunk.company.com:8088/services/collector/event \
  --token "your-hec-token" \
  --index security \
  --source raxe \
  --sourcetype _json
```
```python
from raxe.domain.siem.config import SIEMConfig, SIEMType
from raxe.infrastructure.siem import create_siem_adapter

adapter = create_siem_adapter(SIEMConfig(
    siem_type=SIEMType.SPLUNK,
    endpoint_url="https://splunk.company.com:8088/services/collector/event",
    auth_token="your-hec-token",
    extra={
        "index": "security",
        "source": "raxe",
        "sourcetype": "_json",
        "host": "raxe-agent-01",
    },
))

# Send event (scan_event is a RAXE scan result produced by the scanner)
result = adapter.send_event(adapter.transform_event(scan_event))
```
The resulting HEC payload:

```json
{
  "time": 1706619000,
  "host": "raxe-agent-01",
  "source": "raxe",
  "sourcetype": "_json",
  "index": "security",
  "event": {
    "event_type": "scan",
    "threat_detected": true,
    "severity": "critical",
    "rule_ids": ["pi-001", "pi-003"],
    "prompt_hash": "sha256:abc123...",
    "customer_id": "cust_acme",
    "agent_id": "agent_prod_001"
  }
}
```
Splunk Options
| Option | Description | Default |
| --- | --- | --- |
| `--index` | Splunk index name | `main` |
| `--source` | Event source identifier | `raxe` |
| `--sourcetype` | Splunk sourcetype | `_json` |
| `--host` | Host identifier | Agent hostname |
CrowdStrike Falcon LogScale
Configuration
```bash
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type crowdstrike \
  --url https://cloud.community.humio.com/api/v1/ingest/hec \
  --token "your-ingest-token" \
  --repository security
```
```python
from raxe.domain.siem.config import SIEMConfig, SIEMType
from raxe.infrastructure.siem import create_siem_adapter

adapter = create_siem_adapter(SIEMConfig(
    siem_type=SIEMType.CROWDSTRIKE,
    endpoint_url="https://cloud.community.humio.com/api/v1/ingest/hec",
    auth_token="your-ingest-token",
    extra={
        "repository": "security",
        "parser": "raxe",
    },
))
```
CrowdStrike Options
| Option | Description | Default |
| --- | --- | --- |
| `--repository` | LogScale repository | - |
| `--parser` | Custom parser name | - |
Microsoft Sentinel
Configuration
```bash
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type sentinel \
  --url https://YOUR-WORKSPACE.ods.opinsights.azure.com/api/logs \
  --token "base64-encoded-shared-key" \
  --workspace-id "your-workspace-id" \
  --log-type RaxeEvents
```
```python
from raxe.domain.siem.config import SIEMConfig, SIEMType
from raxe.infrastructure.siem import create_siem_adapter

adapter = create_siem_adapter(SIEMConfig(
    siem_type=SIEMType.SENTINEL,
    endpoint_url="https://YOUR-WORKSPACE.ods.opinsights.azure.com/api/logs",
    auth_token="base64-encoded-shared-key",
    extra={
        "workspace_id": "your-workspace-id",
        "log_type": "RaxeEvents",
    },
))
```
Events are transformed to PascalCase for Azure conventions:
```json
{
  "TimeGenerated": "2026-01-30T10:30:00Z",
  "EventType": "scan",
  "ThreatDetected": true,
  "Severity": "Critical",
  "RuleIds": ["pi-001"],
  "PromptHash": "sha256:abc123...",
  "CustomerId": "cust_acme"
}
```
Sentinel Options
| Option | Description | Required |
| --- | --- | --- |
| `--workspace-id` | Azure Log Analytics workspace ID | Yes |
| `--log-type` | Custom log type name | Yes |
Sentinel uses HMAC-SHA256 authentication. The token should be your Log Analytics workspace shared key, base64-encoded.
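The HMAC scheme just described, worked through as an added example (this is not RAXE's adapter code): it builds the `Authorization` header the Log Analytics Data Collector API expects, `SharedKey {workspace_id}:{base64(HMAC-SHA256(key, string_to_sign))}`, where the string to sign is the method, content length, content type, `x-ms-date` header and resource path. A receiver-side `verify_authorization` is included so the check can be exercised offline. The workspace ID, shared key, date and event are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample values; a real workspace ID and shared key come from the
# Log Analytics workspace settings (the shared key is already base64-encoded there).
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SHARED_KEY_B64 = base64.b64encode(b"\x01" * 32).decode("ascii")
SAMPLE_OTHER_KEY_B64 = base64.b64encode(b"\x02" * 32).decode("ascii")
SAMPLE_DATE = "Fri, 30 Jan 2026 10:30:00 GMT"
SAMPLE_EVENT = {
    "TimeGenerated": "2026-01-30T10:30:00Z",
    "EventType": "scan",
    "ThreatDetected": True,
    "Severity": "Critical",
    "RuleIds": ["pi-001"],
    "PromptHash": "sha256:abc123...",
    "CustomerId": "cust_acme",
}


def string_to_sign(content_length, rfc1123_date, method="POST",
                   content_type="application/json", resource="/api/logs"):
    # The Data Collector API signs exactly these five lines, joined by "\n".
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def build_authorization(workspace_id, shared_key_b64, body, rfc1123_date):
    """HMAC-SHA256 over the string to sign, keyed with the decoded shared key."""
    key = base64.b64decode(shared_key_b64)
    sts = string_to_sign(len(body), rfc1123_date).encode("utf-8")
    mac = hmac.new(key, sts, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode('ascii')}"


def build_headers(workspace_id, shared_key_b64, body, log_type, rfc1123_date=None):
    """Full header set for one POST to /api/logs."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return {
        "Content-Type": "application/json",
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "Authorization": build_authorization(workspace_id, shared_key_b64, body, rfc1123_date),
    }


def verify_authorization(workspace_id, shared_key_b64, body, headers):
    """Receiver-side check: recompute the signature and compare in constant time."""
    expected = build_authorization(workspace_id, shared_key_b64, body,
                                   headers.get("x-ms-date", ""))
    return hmac.compare_digest(expected, headers.get("Authorization", ""))


def encode_body(events):
    # The API takes a JSON array of records; compact encoding keeps Content-Length stable.
    return json.dumps(events, separators=(",", ":")).encode("utf-8")


def sign_sample():
    body = encode_body([SAMPLE_EVENT])
    headers = build_headers(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY_B64, body,
                            "RaxeEvents", SAMPLE_DATE)
    return body, headers
```

Note what the signature covers: method, content length, content type, the `x-ms-date` value and the resource path, but not the body bytes themselves. TLS on the endpoint is therefore what protects the event contents in transit, and the signed date is what lets the receiver reject stale requests, which is why the agent's clock needs to be correct.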
ArcSight
Configuration
```bash
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type arcsight \
  --url https://arcsight.company.com/receiver/v1/events \
  --token "connector-token" \
  --smart-connector-id sc-001 \
  --device-vendor RAXE \
  --device-product ThreatDetection
```
```python
from raxe.domain.siem.config import SIEMConfig, SIEMType
from raxe.infrastructure.siem import create_siem_adapter

adapter = create_siem_adapter(SIEMConfig(
    siem_type=SIEMType.ARCSIGHT,
    endpoint_url="https://arcsight.company.com/receiver/v1/events",
    auth_token="connector-token",
    extra={
        "smart_connector_id": "sc-001",
        "device_vendor": "RAXE",
        "device_product": "ThreatDetection",
    },
))
```
ArcSight Options
| Option | Description | Default |
| --- | --- | --- |
| `--smart-connector-id` | SmartConnector ID | - |
| `--device-vendor` | CEF device vendor | `RAXE` |
| `--device-product` | CEF device product | `ThreatDetection` |
CEF (Generic)
CEF support enables integration with any SIEM that accepts CEF, including:
- IBM QRadar
- LogRhythm
- Elastic SIEM
- Sumo Logic
- Exabeam
- And many more
CEF over HTTP
```bash
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type cef \
  --url https://collector.company.com/cef \
  --token "bearer-token"
```

```python
from raxe.domain.siem.config import SIEMConfig, SIEMType
from raxe.infrastructure.siem import create_siem_adapter

adapter = create_siem_adapter(SIEMConfig(
    siem_type=SIEMType.CEF,
    endpoint_url="https://collector.company.com/cef",
    auth_token="bearer-token",
))
```
CEF over Syslog (UDP)
```bash
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type cef \
  --url syslog://siem.company.com \
  --transport udp \
  --port 514
```

```python
from raxe.domain.siem.config import SIEMConfig, SIEMType
from raxe.infrastructure.siem import create_siem_adapter

adapter = create_siem_adapter(SIEMConfig(
    siem_type=SIEMType.CEF,
    endpoint_url="syslog://siem.company.com",
    auth_token="not-used",  # syslog transport carries no token
    extra={"transport": "udp", "port": 514},
))
```
CEF over Syslog (TCP with TLS)
```bash
raxe customer siem configure cust_acme --mssp mssp_partner \
  --type cef \
  --url syslog://siem.company.com \
  --transport tcp \
  --port 6514 \
  --tls
```

```python
from raxe.domain.siem.config import SIEMConfig, SIEMType
from raxe.infrastructure.siem import create_siem_adapter

adapter = create_siem_adapter(SIEMConfig(
    siem_type=SIEMType.CEF,
    endpoint_url="syslog://siem.company.com",
    auth_token="not-used",  # syslog transport carries no token
    extra={"transport": "tcp", "port": 6514, "use_tls": True},
))
```
RAXE generates standard CEF messages:
```
CEF:0|RAXE|ThreatDetection|0.10.0|pi-001|Prompt Injection Detected|10|rt=1706619000000 src=inst_abc123 suser=agent_prod_001 cs1=sha256:abc123 cs1Label=PromptHash cs2=pi-001,pi-003 cs2Label=RuleIDs cs3=PI cs3Label=ThreatFamilies
```
CEF Field Mapping
| CEF Field | RAXE Field | Description |
| --- | --- | --- |
| `rt` | `timestamp` | Receipt time (ms epoch) |
| `src` | `installation_id` | Source identifier |
| `suser` | `agent_id` | Agent identifier |
| `cs1` | `prompt_hash` | SHA-256 prompt hash |
| `cs2` | `rule_ids` | Comma-separated rule IDs |
| `cs3` | `families` | Threat families detected |
| `cs5` | `mssp_id` | MSSP identifier |
| `cs6` | `customer_id` | Customer identifier |
| `cn1` | `prompt_length` | Prompt character count |
| `cn2` | `detection_count` | Number of detections |
| `cn3` | `scan_duration_ms` | Scan latency |
CEF Severity Mapping
| RAXE Severity | CEF Severity | Syslog Priority |
| --- | --- | --- |
| none | 0 | 6 (informational) |
| LOW | 3 | 5 (notice) |
| MEDIUM | 5 | 4 (warning) |
| HIGH | 7 | 3 (error) |
| CRITICAL | 10 | 2 (critical) |
CEF Options
| Option | Description | Default |
| --- | --- | --- |
| `--transport` | `http`, `udp`, or `tcp` | `http` |
| `--port` | Syslog port | 514 (UDP), 6514 (TCP) |
| `--tls` | Enable TLS (TCP only) | `false` |
| `--facility` | Syslog facility | 16 (local0) |
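A worked CEF builder, added here as an example and not RAXE's own implementation: it applies the field mapping, the severity mapping and the default local0 facility from the tables above, escapes header and extension values as the CEF format requires, and computes the syslog PRI value for a syslog transport. The sample event is constructed; the labels for `cs5`, `cs6` and `cn1` to `cn3` are assumed, since the page gives labels only for `cs1` to `cs3`.

```python
SEVERITY_TO_CEF = {"none": 0, "LOW": 3, "MEDIUM": 5, "HIGH": 7, "CRITICAL": 10}
SEVERITY_TO_SYSLOG = {"none": 6, "LOW": 5, "MEDIUM": 4, "HIGH": 3, "CRITICAL": 2}
LOCAL0 = 16  # default --facility

# Constructed sample event using the RAXE field names from the mapping table.
SAMPLE_EVENT = {
    "timestamp": 1706619000000,
    "installation_id": "inst_abc123",
    "agent_id": "agent_prod_001",
    "prompt_hash": "sha256:abc123",
    "rule_ids": ["pi-001", "pi-003"],
    "families": ["PI"],
    "mssp_id": "mssp_partner",
    "customer_id": "cust_acme",
    "prompt_length": 512,
    "detection_count": 2,
    "scan_duration_ms": 4,
    "severity": "CRITICAL",
    "name": "Prompt Injection Detected",
}


def escape_header(value):
    # Header fields: backslash and pipe are the reserved characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    # Extension values: backslash, equals sign and line breaks must be escaped,
    # otherwise a value could smuggle in extra key=value pairs or split the record.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(event, vendor="RAXE", product="ThreatDetection", version="0.10.0"):
    """Render one RAXE event as a CEF:0 line; the first rule ID is the signature ID."""
    severity = event.get("severity", "none")
    header = "|".join([
        "CEF:0", escape_header(vendor), escape_header(product), escape_header(version),
        escape_header(event["rule_ids"][0]), escape_header(event["name"]),
        str(SEVERITY_TO_CEF[severity]),
    ])
    extension = [
        ("rt", event["timestamp"]),
        ("src", event["installation_id"]),
        ("suser", event["agent_id"]),
        ("cs1", event["prompt_hash"]), ("cs1Label", "PromptHash"),
        ("cs2", ",".join(event["rule_ids"])), ("cs2Label", "RuleIDs"),
        ("cs3", ",".join(event["families"])), ("cs3Label", "ThreatFamilies"),
        # Labels below are assumed; the mapping table lists these fields without labels.
        ("cs5", event["mssp_id"]), ("cs5Label", "MSSPId"),
        ("cs6", event["customer_id"]), ("cs6Label", "CustomerId"),
        ("cn1", event["prompt_length"]), ("cn1Label", "PromptLength"),
        ("cn2", event["detection_count"]), ("cn2Label", "DetectionCount"),
        ("cn3", event["scan_duration_ms"]), ("cn3Label", "ScanDurationMs"),
    ]
    return header + "|" + " ".join(f"{k}={escape_extension(v)}" for k, v in extension)


def syslog_priority(severity, facility=LOCAL0):
    # PRI = facility * 8 + severity, as in RFC 3164 / RFC 5424.
    return facility * 8 + SEVERITY_TO_SYSLOG[severity]


def syslog_line(event, hostname="raxe-agent-01", timestamp="2026-01-30T10:30:00Z",
                facility=LOCAL0):
    """RFC 5424 framing: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = syslog_priority(event.get("severity", "none"), facility)
    return f"<{pri}>1 {timestamp} {hostname} raxe - - - {build_cef(event)}"
```

Escaping is the security-relevant step: a value containing `=` or a newline would otherwise be parsed by the receiving SIEM as additional key=value pairs or as a second record. RAXE exports only the hash of the prompt, so the exposure is confined to rule names and identifiers, but the escape still belongs in the builder rather than at each call site.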
Multi-Customer Routing
The SIEM dispatcher routes events to the correct SIEM based on customer:
```python
from raxe.infrastructure.siem import SIEMDispatcher, create_siem_adapter

# splunk_config, crowdstrike_config and global_config are SIEMConfig objects
# built as shown in the sections above.
dispatcher = SIEMDispatcher()

# Customer A -> Splunk
dispatcher.register_adapter(
    create_siem_adapter(splunk_config),
    customer_id="cust_acme",
)

# Customer B -> CrowdStrike
dispatcher.register_adapter(
    create_siem_adapter(crowdstrike_config),
    customer_id="cust_beta",
)

# Global adapter (receives ALL events)
dispatcher.register_adapter(create_siem_adapter(global_config))

# Start background delivery
dispatcher.start()

# Events auto-route based on customer_id
dispatcher.dispatch(event)
```
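The routing rule in the snippet above, as an added example that is not RAXE's `SIEMDispatcher`: a small router with the same `register_adapter`/`dispatch` shape, using recording adapters in place of network adapters so the fan-out can be checked offline. The behaviour for an unknown or missing `customer_id` (global adapters only) is an assumption, since the page does not state what the dispatcher does in that case.

```python
from collections import defaultdict


class RecordingAdapter:
    """Stand-in for a SIEM adapter (constructed for this example): records what it
    would have delivered instead of making a network call."""

    def __init__(self, name):
        self.name = name
        self.received = []

    def send_event(self, event):
        self.received.append(event)
        return True


class CustomerRouter:
    """Routes each event to the adapters registered for its customer_id, plus every
    global adapter. Unknown or missing customer_id -> global adapters only."""

    def __init__(self):
        self._by_customer = defaultdict(list)
        self._global = []

    def register_adapter(self, adapter, customer_id=None):
        if customer_id is None:
            self._global.append(adapter)
        else:
            self._by_customer[customer_id].append(adapter)

    def targets_for(self, event):
        customer_id = event.get("customer_id")
        # .get() on the defaultdict avoids creating entries for unknown customers.
        per_customer = self._by_customer.get(customer_id, []) if customer_id else []
        return list(per_customer) + list(self._global)

    def dispatch(self, event):
        """Deliver to every target; returns the names of adapters that accepted it."""
        return [a.name for a in self.targets_for(event) if a.send_event(event)]


def build_demo_router():
    """Mirror the page's layout: acme -> Splunk, beta -> CrowdStrike, plus a global SIEM."""
    splunk = RecordingAdapter("splunk:cust_acme")
    logscale = RecordingAdapter("crowdstrike:cust_beta")
    global_siem = RecordingAdapter("global")
    router = CustomerRouter()
    router.register_adapter(splunk, customer_id="cust_acme")
    router.register_adapter(logscale, customer_id="cust_beta")
    router.register_adapter(global_siem)
    return router, {"splunk": splunk, "logscale": logscale, "global": global_siem}
```

The unknown-customer case is the one to decide deliberately in an MSSP deployment: an event with a missing or mistyped `customer_id` must never fan out to every customer's SIEM, because that would leak one tenant's detections into another tenant's console. Background delivery (`dispatcher.start()`) is left out here; the batching settings below cover that side.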
Testing
Test Connection
```bash
# Test SIEM connectivity
raxe customer siem test cust_acme --mssp mssp_partner
```

Output:

```
Testing SIEM connection for cust_acme...
✓ Connection successful (HTTP 200)
✓ Authentication valid
✓ Test event delivered
```
View Configuration
```bash
raxe customer siem show cust_acme --mssp mssp_partner
```

Output:

```
SIEM Configuration: cust_acme
  Type: splunk
  URL: https://splunk.company.com:8088/services/collector/event
  Index: security
  Source: raxe
  Enabled: true
```
Disable SIEM
```bash
raxe customer siem disable cust_acme --mssp mssp_partner
```
Event Batching
SIEM adapters batch events for efficiency:
| Setting | Default | Description |
| --- | --- | --- |
| `batch_size` | 100 | Events per batch |
| `flush_interval_seconds` | 10 | Max wait before flush |
| `retry_count` | 3 | Retries on failure |
| `timeout_seconds` | 30 | Request timeout |
Configure via SDK:
```python
config = SIEMConfig(
    siem_type=SIEMType.SPLUNK,
    endpoint_url="...",
    auth_token="...",
    batch_size=50,
    flush_interval_seconds=5,
    retry_count=5,
    timeout_seconds=60,
)
```
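The four settings above, as an added example rather than the adapters' own batching code: a buffer that flushes when `batch_size` is reached or `flush_interval_seconds` has elapsed, retries a failed batch up to `retry_count` times and passes `timeout_seconds` to the delivery callable. The clock and the delivery callable are injectable so the behaviour can be exercised without sleeping or a network; treating `retry_count` as retries after the first attempt is an assumption.

```python
import time


class FakeClock:
    """Controllable clock so the flush interval can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_flaky_sender(fail_first_n):
    """Constructed stand-in for the HTTP delivery call: fails the first N attempts
    (as a 5xx or a timeout would), then succeeds. Returns the callable and the
    list of batches it accepted."""
    state = {"calls": 0}
    accepted = []

    def send(batch, timeout_seconds):
        state["calls"] += 1
        if state["calls"] <= fail_first_n:
            return False
        accepted.append(list(batch))
        return True

    return send, accepted


class BatchingSender:
    """Buffers events and delivers them in batches using the four settings from the
    table. retry_count is treated as retries after the first attempt (assumption)."""

    def __init__(self, send, batch_size=100, flush_interval_seconds=10.0,
                 retry_count=3, timeout_seconds=30.0, clock=time.monotonic):
        self.send = send
        self.batch_size = batch_size
        self.flush_interval = flush_interval_seconds
        self.retry_count = retry_count
        self.timeout = timeout_seconds
        self.clock = clock
        self.pending = []
        self.last_flush = clock()
        self.stats = {"delivered": 0, "attempts": 0, "failed_batches": 0}

    def add(self, event):
        """Queue an event; flush when the batch is full or the interval has elapsed."""
        self.pending.append(event)
        if len(self.pending) >= self.batch_size:
            self.flush()
        else:
            self.maybe_flush()

    def maybe_flush(self):
        """Time-based flush; a real adapter also calls this from a background timer."""
        if self.pending and self.clock() - self.last_flush >= self.flush_interval:
            return self.flush()
        return None

    def flush(self):
        """Deliver everything pending, retrying the whole batch on failure."""
        if not self.pending:
            return True
        batch, self.pending = self.pending, []
        for _attempt in range(self.retry_count + 1):
            self.stats["attempts"] += 1
            if self.send(batch, self.timeout):
                self.stats["delivered"] += len(batch)
                self.last_flush = self.clock()
                return True
        # Retries exhausted: keep the events so the next flush tries again.
        self.pending = batch + self.pending
        self.stats["failed_batches"] += 1
        self.last_flush = self.clock()
        return False
```

Events from a batch that exhausts its retries are kept in the buffer so the next flush tries again. A production adapter also needs a cap on that buffer, or a dead-letter path, so an outage at the SIEM cannot grow memory without bound, and it should record each failed batch in the audit log mentioned under Best Practices so delivery gaps are visible.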
Troubleshooting
- Verify URL is correct (include full path for HEC endpoints)
- Check firewall allows outbound to SIEM
- Verify token/credentials are valid
- Test with curl: `curl -X POST <url> -H "Authorization: Bearer <token>"`

- Check SIEM index/repository permissions
- Verify event format matches SIEM expectations
- Check SIEM ingestion logs for parsing errors
- Ensure batch has been flushed (default: 10 seconds)

- Verify syslog daemon is running
- Check port is correct (514 UDP, 6514 TLS)
- For TLS, ensure certificate is valid
- Check firewall allows UDP/TCP on syslog port

- Splunk: Token must have HEC permissions
- Sentinel: Use base64-encoded shared key
- CrowdStrike: Use ingest API token
- CEF HTTP: Bearer token format required
Best Practices
Use Dedicated Index/Repository
Create a dedicated index (Splunk) or repository (LogScale) for RAXE events. This enables:
- Easier searching and dashboards
- Separate retention policies
- Access control isolation
Always use TLS (port 6514) for syslog in production. UDP syslog is unencrypted and can be spoofed.
Use audit logging to track SIEM delivery success rates:

```python
from raxe.infrastructure.audit.mssp_audit_logger import get_mssp_audit_logger

stats = get_mssp_audit_logger().get_stats()
print(f"Success rate: {stats['successful'] / stats['total_deliveries']:.1%}")
```
Per-Customer Configuration
Different customers may use different SIEMs. Configure each customer individually to route events correctly.