SIEM integration
Permafrost exports the alert timeline as a downloadable artifact in two shapes: NDJSON for Microsoft Sentinel ingestion via a custom log type, and CEF for Splunk, Elastic, or any CIM-compatible SIEM. Each format is line-delimited — one self-contained event per line with a SHA-256 chain-of-custody hash.
Overview
The Permafrost alert timeline is the analyst-facing surface for pattern matches across all of this customer’s connected Azure tenants. Every match folds together one or more contributing audit-log rows, the matched pattern, the identity it touched, and the analyst disposition.
Export ships in two shapes so the customer’s SIEM can ingest the analyst-grade output without bespoke transform code.
- NDJSON. One JSON object per line, LF-terminated. The canonical timestamp field is
TimeGeneratedso a Microsoft Sentinel Data Collection Rule can ingest the stream as a custom log without renaming. Splunk HEC and Elastic Filebeat consume the same shape. - CEF. ArcSight Common Event Format v0, one event per line:
CEF:0|Permafrost EPM|CIEM|1.0|{patternId}|{name}|{sev}|{extension}. Severity is the standard 0–10 numeric scale. The extension carries CIM-aligned k=v pairs (src,suser,act,outcome,msg) and Permafrost- specific custom strings (cs1=fingerprint,cs2=contributing event count).
Both shapes carry a SHA-256 hash over the export body for chain-of-custody verification. The hash is exposed in the export drawer and on the artifact metadata; the body itself contains no hash so the value can be re-derived from the downloaded bytes.
Microsoft Sentinel
For Sentinel, use the NDJSON export. The recommended ingestion path is a Data Collection Rule pointing at a custom log type, for example PermafrostAlerts_CL. The DCR consumes the NDJSON file directly; no schema transformation is required.
The TimeGenerated field on every event is already the canonical Sentinel timestamp. Map it 1:1 in the DCR (no extend rewrite). The IncidentFingerprintcolumn is the stable per-alert identifier and the safe join key for KQL correlations against the rest of the customer’s Sentinel content.
The other event fields (PatternId, PatternName, Confidence, IdentityDisplayName, IdentityAzureObjectId, TenantId, Rationale, Disposition) land in the custom-log table as string columns. KQL queries against the table are immediate; no parser is required.
Native Sentinel push connector
The download export is the manual path: an analyst pulls the artifact and uploads it. The native connector is the automated path — Permafrost streams events straight into your own Log Analytics workspace via the Azure Monitor Logs Ingestion API, so finding state-changes and Mode C remediation events land in a custom table within one sync cycle. No file to pull, no receiver to host.
Configure it under /dashboard/settings/sentinel: supply the Data Collection Endpoint URL, the Data Collection Rule immutable id, and the target stream name. The ingestion credential is a secret to a workspace you own — not a read or write credential against your tenant — and is AES-256-GCM encrypted at rest, decrypted only in memory at the moment of a push. Permafrost still holds zero standing credentials against your tenant.
Push is opt-in twice over: a connector must be configured and active, and the alert opt-in master switch must be on. Events stop automatically if an account is winding down. Every row carries an EventKind field — finding or remediation — so a single Data Collection Rule transform can route them into separate custom tables, for example PermafrostFindings_CL and PermafrostRemediation_CL. The remediation row records the action, the analyst who ran it, the target finding, the HTTP result, and the execution-log hash — never any access token.
Deploying the connector (ARM template)
Rather than hand-build a Data Collection Rule, deploy the Permafrost connector template. It provisions two custom tables, a Data Collection Endpoint, and a Data Collection Rule that routes events by EventKind — and outputs the three values you paste into /dashboard/settings/sentinel: the Data Collection Endpoint URL, the DCR immutable id, and the stream name (Custom-Permafrost). A Codeless Connector Platform definition is included to surface the connector card in the workspace Data connectors gallery.
The templates live in the Permafrost repository under integrations/sentinel/connector/. The two custom tables are:
PermafrostFindings_CL—TimeGenerated,EventKind,Provider,CustomerId,TenantId,FindingId,FindingType,Severity,Status,Title,Scope,IdentityId,DashboardUrl.PermafrostRemediation_CL—TimeGenerated,EventKind,CustomerId,TenantId,Action,ActorEmail,FindingId,Result,HttpStatus,ArtifactId,ArtifactHash. Records the action and execution-log hash — never the access token.
Required Log Analytics permissions: read/write/delete on the workspace to create the tables and rule, and Monitoring Metrics Publisher on the Data Collection Rule for the ingestion identity. The connector is in preview; a certified marketplace listing is a separate step.
Splunk and other CIM-compatible SIEMs
For Splunk, Elastic, or any SIEM that speaks the Common Information Model, use the CEF export. Each line parses with a stock CEF source-type — Splunk’s built-in cefsource-type, Elastic’s CEF module, or a QRadar DSM — without a custom parser.
The CEF severity is mapped from Permafrost confidence: high → 8, medium → 5. Other values render as 3. Severity 7+ surfaces in most SIEM notable-event dashboards by default.
The Permafrost alert fingerprint flows into cs1 with label PermafrostEventId. The contributing-event count flows into cs2 with label ContributingEventCount. Disposition category, when present, flows into cs3 with label DispositionCategory.
Generic CEF / syslog push
The CEF download is the manual path. The generic CEF push is the automated twin of the Sentinel connector for everyone not on Sentinel: Permafrost streams each finding state-change and Mode C remediation event as a CEF line straight to an HTTP collector you run, so events land in your SIEM within one sync cycle. Same CEF serializer as the download — one code path, two transports.
Configure it under /dashboard/settings/cef. Pick a transport:
- CEF over HTTP. Newline-delimited raw CEF lines as
text/plainto a CEF-over-HTTP receiver or an HTTP-to-syslog gateway. An optional bearer token is sent asAuthorization: Bearer. - Splunk HEC. One HTTP Event Collector envelope per line —
{"event": "<cef>", "sourcetype": "cef"}— authenticated withAuthorization: Splunk <token>. Point it at your/services/collector/raw(or event) endpoint.
The collector URL is SSRF-guarded at save and at every dispatch (private and reserved addresses are rejected, HTTPS only), and the token is AES-256-GCM encrypted at rest, decrypted only at push time. It is a secret to a collector you own — not a read or write credential against your tenant.
Push is opt-in twice over, identical to the Sentinel connector: a connector must be configured and active, and the alert opt-in master switch must be on. Events stop automatically while an account is winding down. The finding line and the mode_c_remediation line carry the action, actor, target finding, HTTP result, and execution-log hash — never any access token.
Field mapping reference
The table maps the Permafrost field name to the Splunk CIM field name. The CEF column note shows where the same value surfaces in a CEF line so analysts can write search queries that span both shapes.
| Permafrost field | Splunk CIM | Note |
|---|---|---|
| PatternId | action | Pattern signature (P1–P6). Drives SignatureID in CEF. |
| IdentityDisplayName | src_user | Source user / principal display name. CEF: suser. |
| IdentityAzureObjectId | src_user_id | Microsoft Graph object id of the identity. CEF: suid. |
| AzureTenantId | src | Connected Azure tenant id. CEF: src. |
| Disposition | result | Analyst disposition (open / acknowledged / actioned / …). CEF: outcome. |
| LastEventAt | _time | Last contributing event timestamp. CEF: rt + end. |
| FirstEventAt | earliest | First contributing event timestamp. CEF: start. |
| Rationale | description | Pattern rationale (truncated to 500 chars in CEF msg). |
| Confidence | severity | high → CEF severity 8, medium → 5. |
| IncidentFingerprint | signature | Stable per-alert identifier. CEF: cs1. |
| ContributingEventCount | count | Count of underlying audit-log rows folded into the alert. CEF: cs2. |
How to download
Open /dashboard/alerts and apply the filters the export should cover (window, tenant, pattern, confidence, identity type, disposition). The page-header Export button opens the export drawer. Pick the format (Markdown, NDJSON, or CEF), generate the export, then download. The drawer surfaces the SHA-256 hash for chain-of-custody.
The same filter set generated within the last 5 minutes returns the existing artifact rather than re-generating, so re-clicking does not produce divergent hashes for the same inputs.
Enterprise tier
Alert export is part of the Enterprise tier. The dashboard surface and the download route enforce the gate server-side; tenants below the Enterprise tier see the export surface as informational only.
Next stop
Three-mode remediation
What the surface layer offers when the SIEM-exported finding is something the customer wants to act on, without standing write access.
Next stop
Security posture
Read-only by default, the operator boundary, the partition-by-customer rule, and what Permafrost does not store.
