Integration Tutorial

SIEM Integration for SOC Teams

Stream security events to Splunk, Sentinel, or ELK for centralized monitoring and incident response.

Overview

Security Operations Centers (SOCs) need centralized visibility into all security tools. This tutorial shows you how to integrate GoPhish and reNgine Cloud with your SIEM platform to correlate phishing simulations and reconnaissance findings with other security events.

What You'll Learn

Configure webhook endpoints for real-time event streaming
Map events to SIEM schemas (CEF, LEEF, JSON)
Create correlation rules for incident detection
Build custom dashboards for security metrics
Set up automated playbooks and response workflows

Step 1: Configure Webhook Endpoints

Set up webhook endpoints to send events from GoPhish/reNgine to your SIEM. Most SIEMs support HTTP Event Collector (HEC) or webhook ingestion endpoints.

Supported SIEM Platforms

Splunk: HTTP Event Collector (HEC) with token authentication
Microsoft Sentinel: Log Analytics API with workspace ID
Elastic (ELK): Logstash HTTP input or Elasticsearch bulk API
IBM QRadar: Universal Cloud REST API Protocol
Sumo Logic: HTTP Source endpoint
Datadog: Logs API with API key

# Splunk HEC Configuration
POST /api/integrations/webhooks
{
  "name": "Splunk HEC - Security Events",
  "type": "splunk",
  "endpoint": "https://splunk.company.com:8088/services/collector",
  "auth": {
    "type": "bearer",
    "token": "YOUR-HEC-TOKEN"
  },
  "events": [
    "campaign_created",
    "email_sent",
    "email_opened",
    "link_clicked",
    "data_submitted",
    "scan_completed",
    "vulnerability_found"
  ]
}

# Microsoft Sentinel Configuration
POST /api/integrations/webhooks
{
  "name": "Azure Sentinel - Security Logs",
  "type": "azure_sentinel",
  "workspace_id": "YOUR-WORKSPACE-ID",
  "shared_key": "YOUR-SHARED-KEY",
  "log_type": "HailBytesSecurity",
  "events": ["*"]
}

Step 2: Map Events to SIEM Schemas

Transform HailBytes events into your SIEM's preferred format. Use Common Event Format (CEF), Log Event Extended Format (LEEF), or custom JSON schemas.

# CEF Format Example (ArcSight, QRadar)
{
  "format": "cef",
  "mapping": {
    "deviceVendor": "HailBytes",
    "deviceProduct": "GoPhish Cloud",
    "deviceVersion": "1.0",
    "signatureId": "${event_type}",
    "name": "${event_name}",
    "severity": "${severity}",
    "extension": {
      "src": "${source_ip}",
      "suser": "${target_email}",
      "request": "${landing_page_url}",
      "outcome": "${event_outcome}"
    }
  }
}

# Sample CEF Output:
CEF:0|HailBytes|GoPhish Cloud|1.0|EMAIL_CLICKED|Phishing Link Clicked|7|src=192.168.1.100 suser=john.doe@company.com request=http://phish.test/landing outcome=clicked

Step 3: Create Correlation Rules

Build correlation rules to detect security incidents by combining phishing simulation data with other security events. Examples include detecting real phishing after failed simulations or identifying compromised accounts.

Correlation Rule Examples

Use Case	Correlation Logic	Action
High-Risk Users	User clicked 3+ phishing simulations in 30 days	Require MFA enrollment
Credential Compromise	Phish click + VPN login from new country	Trigger account review
Shadow IT Detection	reNgine finds new subdomain + DNS query logs	Create ticket for IT
Vulnerability Exploit	Critical vuln found + abnormal traffic pattern	Incident response

# Splunk SPL Query Example
index=security sourcetype=hailbytes:gophish event_type=link_clicked
| stats count by target_email
| where count > 3
| join target_email [search index=vpn sourcetype=vpn:login]
| where vpn_country != user_country
| table target_email, phish_click_count, vpn_country, alert_severity

Step 4: Build Custom Dashboards

Create executive and SOC dashboards to visualize security awareness trends, phishing campaign effectiveness, and attack surface monitoring.

Phishing Success Rate: Track click-through rates over time by department
Security Awareness Score: Aggregate metrics showing organizational resilience
Attack Surface Growth: Monitor subdomain discovery and new asset trends
Vulnerability Heatmap: Geographic or departmental vulnerability distribution
Mean Time to Report: How quickly users report suspicious emails

Step 5: Set Up Automated Playbooks

Automate response workflows using SOAR platforms like Splunk Phantom, Palo Alto Cortex XSOAR, or Microsoft Sentinel automation rules.

# Example Playbook: High-Risk User Response
Trigger: User clicks 3+ phishing simulations in 30 days

Actions:
1. Enrich user data from Active Directory
2. Check for recent security incidents involving user
3. If no incidents: Send remedial training notification
4. If incidents detected:
   - Disable account
   - Notify SOC lead
   - Create ServiceNow ticket
   - Require password reset + MFA enrollment

# Example Playbook: Critical Vulnerability Found
Trigger: reNgine discovers critical CVE on production asset

Actions:
1. Query asset inventory for affected systems
2. Check patch management system for fix availability
3. Create high-priority ticket in Jira
4. Notify DevOps team via Slack
5. If internet-facing: Create emergency change request
6. Track remediation SLA (4 hours for critical)

Best Practices

Start Small: Begin with basic event forwarding, then add correlation rules
Test Webhooks: Verify connectivity and authentication before going live
Monitor Volume: Track event ingestion rates to avoid SIEM license overages
Use Filters: Only send high-value events to reduce noise
Document Playbooks: Maintain runbooks for each automated response

Next Steps

Deploy HailBytes products on AWS or Azure
Review API documentation for webhook schemas
Explore CI/CD pipeline integration
Get support from our team via contact page