
SIEM integration

Permafrost exports the incident timeline in two shapes: NDJSON for Microsoft Sentinel ingestion via a custom log type, and CEF for Splunk, Elastic, or any CIM-compatible SIEM. Both formats stream one self-contained event per line, and every export carries a SHA-256 chain-of-custody hash over the export body.

Overview

The Permafrost incident timeline is the analyst-facing surface for pattern matches across all of the customer's connected Azure tenants. Every match folds together one or more contributing audit-log rows, the matched pattern, the identity it touched, and the analyst disposition.

Export ships in two shapes so the customer’s SIEM can ingest the analyst-grade output without bespoke transform code.

  • NDJSON. One JSON object per line, LF-terminated. The canonical timestamp field is TimeGenerated so a Microsoft Sentinel Data Collection Rule can ingest the stream as a custom log without renaming. Splunk HEC and Elastic Filebeat consume the same shape.
  • CEF. ArcSight Common Event Format v0, one event per line: CEF:0|Permafrost EPM|CIEM|1.0|{patternId}|{name}|{sev}|{extension}. Severity is the standard 0–10 numeric scale. The extension carries CIM-aligned k=v pairs (src, suser, act, outcome, msg) and Permafrost-specific custom strings (cs1=fingerprint, cs2=contributing event count).

Both shapes carry a SHA-256 hash over the export body for chain-of-custody verification. The hash is exposed in the export drawer and on the artifact metadata; the body itself contains no hash, so hashing the downloaded bytes reproduces the value exactly.

Microsoft Sentinel

For Sentinel, use the NDJSON export. The recommended ingestion path is a Data Collection Rule pointing at a custom log type, for example PermafrostIncidents_CL. The DCR consumes the NDJSON file directly; no schema transformation is required.

The TimeGenerated field on every event is already the canonical Sentinel timestamp. Map it 1:1 in the DCR (no extend rewrite). The IncidentFingerprint column is the stable per-incident identifier and the safe join key for KQL correlations against the rest of the customer's Sentinel content.

The other event fields (PatternId, PatternName, Confidence, IdentityDisplayName, IdentityAzureObjectId, TenantId, Rationale, Disposition) land in the custom-log table as string columns. KQL queries against the table are immediate; no parser is required.
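Before pointing a DCR at a downloaded NDJSON artifact, it is worth re-deriving the chain-of-custody hash from the exact bytes on disk and checking the line shape the DCR expects. The script below is an added example, not Permafrost code: the two-event export is a constructed sample, the field names and the one-LF-terminated-object-per-line layout follow this page, and the helper names and the assumption that the drawer shows the hash hex-encoded are mine. The same hash check applies unchanged to a CEF artifact.

```python
"""Chain-of-custody and shape checks for a downloaded Permafrost NDJSON
export. Added illustration, not Permafrost's own code: the sample events
are constructed, the field names follow the page, the helper names and the
hex-encoded drawer hash are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime

# Constructed sample events (not real tenant data), serialised the way the
# export streams them: one compact JSON object per line, LF-terminated.
_SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:05:00Z", "IncidentFingerprint": "fp-0001",
     "PatternId": "P3", "PatternName": "Privileged role grant", "Confidence": "high",
     "IdentityDisplayName": "Jane Doe",
     "IdentityAzureObjectId": "00000000-0000-0000-0000-000000000001",
     "TenantId": "11111111-1111-1111-1111-111111111111",
     "Rationale": "Global Administrator assigned outside change window",
     "Disposition": "open"},
    {"TimeGenerated": "2024-05-01T11:20:00Z", "IncidentFingerprint": "fp-0002",
     "PatternId": "P1", "PatternName": "Dormant identity reactivated", "Confidence": "medium",
     "IdentityDisplayName": "svc-backup",
     "IdentityAzureObjectId": "00000000-0000-0000-0000-000000000002",
     "TenantId": "11111111-1111-1111-1111-111111111111",
     "Rationale": "First sign-in after 180 days of inactivity",
     "Disposition": "acknowledged"},
]
EXPORT = b"".join(json.dumps(e, separators=(",", ":")).encode("utf-8") + b"\n"
                  for e in _SAMPLE_EVENTS)
# Stand-in for the value the export drawer shows; a real run pastes it in.
DRAWER_HASH = hashlib.sha256(EXPORT).hexdigest()

REQUIRED = ("TimeGenerated", "IncidentFingerprint", "PatternId", "TenantId")


def sha256_hex(body: bytes) -> str:
    """Re-derive the chain-of-custody hash from the exact downloaded bytes."""
    return hashlib.sha256(body).hexdigest()


def verify_custody(body: bytes, drawer_hash: str) -> bool:
    """True when the bytes on disk still match what the drawer reported.
    Any rewrite in transit (CRLF conversion, a BOM, pretty-printing) changes
    the digest: the hash covers bytes, not meaning."""
    return hmac.compare_digest(sha256_hex(body), drawer_hash.strip().lower())


def _parse_ts(value: str) -> datetime:
    # Sentinel-style timestamps end in Z; fromisoformat wants an offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(body: bytes) -> list:
    """Parse NDJSON strictly: one object per LF-terminated line, every
    required column present, TimeGenerated a parseable ISO-8601 timestamp.
    Errors name the line so a bad artifact can be rejected before ingest."""
    events = []
    for lineno, raw in enumerate(body.split(b"\n"), start=1):
        if not raw:  # the trailing LF yields one empty tail; tolerate it
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not JSON ({exc.msg})") from None
        if not isinstance(ev, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        missing = [k for k in REQUIRED if not ev.get(k)]
        if missing:
            raise ValueError(f"line {lineno}: missing {missing}")
        try:
            _parse_ts(ev["TimeGenerated"])
        except ValueError:
            raise ValueError(f"line {lineno}: bad TimeGenerated") from None
        events.append(ev)
    return events


def latest_by_fingerprint(events) -> dict:
    """Index on the stable join key. When the same incident shows up in more
    than one export (its disposition moved on), keep the newest row."""
    latest = {}
    for ev in events:
        fp = ev["IncidentFingerprint"]
        if fp not in latest or _parse_ts(ev["TimeGenerated"]) > _parse_ts(latest[fp]["TimeGenerated"]):
            latest[fp] = ev
    return latest


if __name__ == "__main__":
    print("custody ok:", verify_custody(EXPORT, DRAWER_HASH))
    print("crlf copy ok:", verify_custody(EXPORT.replace(b"\n", b"\r\n"), DRAWER_HASH))
    evs = load_events(EXPORT)
    print(len(evs), "events; fingerprints:", sorted(latest_by_fingerprint(evs)))
```

Read the artifact in binary mode and hash it before anything else touches it; an editor, a Git checkout with autocrlf, or a log shipper that re-serialises JSON will all change the digest even though every event still reads the same.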

Splunk and other CIM-compatible SIEMs

For Splunk, Elastic, or any SIEM that speaks the Common Information Model, use the CEF export. Each line parses with a stock CEF source type (Splunk's built-in cef source type, Elastic's CEF module, or a QRadar DSM) without a custom parser.

The CEF severity is mapped from Permafrost confidence: high → 8, medium → 5. Other values render as 3. On the CEF scale 7–8 is High and 9–10 is Very-High, so high-confidence incidents land in the band that most SIEM notable-event dashboards surface by default.

The Permafrost incident fingerprint flows into cs1 with label PermafrostEventId. The contributing-event count flows into cs2 with label ContributingEventCount. Disposition category, when present, flows into cs3 with label DispositionCategory.
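The header layout, the confidence-to-severity mapping and the cs1–cs3 labels described in this section are enough to emit and parse a Permafrost-shaped CEF line end to end. The code below is an added example and not Permafrost's exporter: the header fields, severity mapping, extension placement and custom-string labels follow this page; the incident dict shape, the helper names, the choice to carry PatternId in act (the CIM action field), and the sample incident are assumptions. The parser handles the CEF escapes (\| in the header, \= and \\ in the extension) the same way a stock CEF source type does, so a line that round-trips here should land cleanly in the SIEM.

```python
"""Emit and parse Permafrost-shaped CEF lines. Added illustration, not
Permafrost's own exporter: header layout, severity mapping, extension
placement and cs1-cs3 labels follow the page; the incident dict shape,
helper names, the act=PatternId choice and the sample are assumptions."""
import re
from datetime import datetime

VENDOR, PRODUCT, VERSION = "Permafrost EPM", "CIEM", "1.0"
SEVERITY = {"high": 8, "medium": 5}  # any other confidence renders as 3
MSG_MAX = 500                         # Rationale is truncated in msg

SAMPLE = {  # constructed sample incident, not real tenant data
    "PatternId": "P3", "PatternName": "Privileged role grant | outside change window",
    "Confidence": "high", "IdentityDisplayName": "Jane Doe",
    "IdentityAzureObjectId": "00000000-0000-0000-0000-000000000001",
    "AzureTenantId": "11111111-1111-1111-1111-111111111111",
    "Disposition": "open", "DispositionCategory": None,
    "FirstEventAt": "2024-05-01T10:00:00Z", "LastEventAt": "2024-05-01T10:05:00Z",
    "Rationale": "Global Administrator assigned outside change window; approver=none",
    "IncidentFingerprint": "fp-0001", "ContributingEventCount": 2,
}


def _esc_header(v: str) -> str:
    # header fields: backslash and pipe are the only escapes
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    # extension values: backslash, equals sign and line breaks are escaped
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def _epoch_ms(iso: str) -> str:
    # rt/start/end carry milliseconds since the epoch
    return str(int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000))


def to_cef(inc: dict) -> str:
    """Render one incident as a single CEF:0 line."""
    sev = SEVERITY.get(inc["Confidence"], 3)
    header = "|".join(["CEF:0"] + [_esc_header(f) for f in (
        VENDOR, PRODUCT, VERSION, inc["PatternId"], inc["PatternName"])] + [str(sev)])
    ext = [
        ("src", inc["AzureTenantId"]), ("suser", inc["IdentityDisplayName"]),
        ("suid", inc["IdentityAzureObjectId"]),
        ("act", inc["PatternId"]),  # assumption: CIM action maps to act
        ("outcome", inc["Disposition"]),
        ("start", _epoch_ms(inc["FirstEventAt"])),
        ("end", _epoch_ms(inc["LastEventAt"])), ("rt", _epoch_ms(inc["LastEventAt"])),
        ("msg", inc["Rationale"][:MSG_MAX]),
        ("cs1", inc["IncidentFingerprint"]), ("cs1Label", "PermafrostEventId"),
        ("cs2", str(inc["ContributingEventCount"])), ("cs2Label", "ContributingEventCount"),
    ]
    if inc.get("DispositionCategory"):  # cs3 only when a category is present
        ext += [("cs3", inc["DispositionCategory"]), ("cs3Label", "DispositionCategory")]
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext)


# key=value pairs; a value runs until the next " key=" whose "=" is unescaped
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")
_UNESC = {"n": "\n", "r": "\r"}


def _split_header(line: str):
    """Split the seven header fields on unescaped pipes; the remainder is
    the extension, returned untouched."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def from_cef(line: str) -> dict:
    """Parse a CEF line back into header fields and a decoded extension."""
    (tag, vendor, product, version, sig, name, sev), ext = _split_header(line)
    if tag != "CEF:0":
        raise ValueError("not a CEF:0 line")
    extension = {m.group(1): re.sub(r"\\(.)", lambda x: _UNESC.get(x.group(1), x.group(1)),
                                    m.group(2)) for m in _EXT_RE.finditer(ext)}
    return {"vendor": vendor, "product": product, "version": version,
            "signature_id": sig, "name": name, "severity": int(sev), "extension": extension}


if __name__ == "__main__":
    line = to_cef(SAMPLE)
    print(line)
    print(from_cef(line)["extension"]["msg"])
```

If a SIEM parser splits a Permafrost line in the wrong place, the pipe in the pattern name or an equals sign in the rationale is the first thing to check: both are legal in CEF only in escaped form, and a parser that does not honour the escapes will shift every later field.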

Field mapping reference

The table maps the Permafrost field name to the Splunk CIM field name. The CEF column note shows where the same value surfaces in a CEF line so analysts can write search queries that span both shapes.

Permafrost field        Splunk CIM    Note
PatternId               action        Pattern signature (P1–P6). Drives SignatureID in CEF.
IdentityDisplayName     src_user      Source user / principal display name. CEF: suser.
IdentityAzureObjectId   src_user_id   Microsoft Graph object id of the identity. CEF: suid.
AzureTenantId           src           Connected Azure tenant id. CEF: src.
Disposition             result        Analyst disposition (open / acknowledged / actioned / …). CEF: outcome.
LastEventAt             _time         Last contributing event timestamp. CEF: rt + end.
FirstEventAt            earliest      First contributing event timestamp. CEF: start.
Rationale               description   Pattern rationale (truncated to 500 chars in CEF msg).
Confidence              severity      high → CEF severity 8, medium → 5.
IncidentFingerprint     signature     Stable per-incident identifier. CEF: cs1.
ContributingEventCount  count         Count of underlying audit-log rows folded into the incident. CEF: cs2.

How to download

Open /dashboard/incidents and apply the filters the export should cover (window, tenant, pattern, confidence, identity type, disposition). The page-header Export button opens the export drawer. Pick the format (Markdown, NDJSON, or CEF), generate the export, then download. The drawer surfaces the SHA-256 hash for chain-of-custody.

Generating again with the same filter set within 5 minutes returns the existing artifact instead of regenerating it, so re-clicking does not produce a second artifact with a divergent hash for the same inputs.

Enterprise tier

Incident export is part of the Enterprise tier. The dashboard surface and the download route enforce the gate server-side; Community, Trial, and Professional tenants see the export surface as informational only.