Skip to content
Capabilities

SIEM integration

Permafrost exports the alert timeline as a downloadable artifact in two shapes: NDJSON for Microsoft Sentinel ingestion via a custom log type, and CEF for Splunk, Elastic, or any CIM-compatible SIEM. Each format is line-delimited — one self-contained event per line with a SHA-256 chain-of-custody hash.

Overview

The Permafrost alert timeline is the analyst-facing surface for pattern matches across all of this customer’s connected Azure tenants. Every match folds together one or more contributing audit-log rows, the matched pattern, the identity it touched, and the analyst disposition.

Export ships in two shapes so the customer’s SIEM can ingest the analyst-grade output without bespoke transform code.

  • NDJSON. One JSON object per line, LF-terminated. The canonical timestamp field is TimeGenerated so a Microsoft Sentinel Data Collection Rule can ingest the stream as a custom log without renaming. Splunk HEC and Elastic Filebeat consume the same shape.
  • CEF. ArcSight Common Event Format v0, one event per line: CEF:0|Permafrost EPM|CIEM|1.0|{patternId}|{name}|{sev}|{extension}. Severity is the standard 0–10 numeric scale. The extension carries CIM-aligned k=v pairs (src, suser, act, outcome, msg) and Permafrost- specific custom strings (cs1=fingerprint, cs2=contributing event count).

Both shapes carry a SHA-256 hash over the export body for chain-of-custody verification. The hash is exposed in the export drawer and on the artifact metadata; the body itself contains no hash so the value can be re-derived from the downloaded bytes.

Microsoft Sentinel

For Sentinel, use the NDJSON export. The recommended ingestion path is a Data Collection Rule pointing at a custom log type, for example PermafrostAlerts_CL. The DCR consumes the NDJSON file directly; no schema transformation is required.

The TimeGenerated field on every event is already the canonical Sentinel timestamp. Map it 1:1 in the DCR (no extend rewrite). The IncidentFingerprintcolumn is the stable per-alert identifier and the safe join key for KQL correlations against the rest of the customer’s Sentinel content.

The other event fields (PatternId, PatternName, Confidence, IdentityDisplayName, IdentityAzureObjectId, TenantId, Rationale, Disposition) land in the custom-log table as string columns. KQL queries against the table are immediate; no parser is required.

Native Sentinel push connector

The download export is the manual path: an analyst pulls the artifact and uploads it. The native connector is the automated path — Permafrost streams events straight into your own Log Analytics workspace via the Azure Monitor Logs Ingestion API, so finding state-changes and Mode C remediation events land in a custom table within one sync cycle. No file to pull, no receiver to host.

Configure it under /dashboard/settings/sentinel: supply the Data Collection Endpoint URL, the Data Collection Rule immutable id, and the target stream name. The ingestion credential is a secret to a workspace you own — not a read or write credential against your tenant — and is AES-256-GCM encrypted at rest, decrypted only in memory at the moment of a push. Permafrost still holds zero standing credentials against your tenant.

Push is opt-in twice over: a connector must be configured and active, and the alert opt-in master switch must be on. Events stop automatically if an account is winding down. Every row carries an EventKind field — finding or remediation — so a single Data Collection Rule transform can route them into separate custom tables, for example PermafrostFindings_CL and PermafrostRemediation_CL. The remediation row records the action, the analyst who ran it, the target finding, the HTTP result, and the execution-log hash — never any access token.

Deploying the connector (ARM template)

Rather than hand-build a Data Collection Rule, deploy the Permafrost connector template. It provisions two custom tables, a Data Collection Endpoint, and a Data Collection Rule that routes events by EventKind — and outputs the three values you paste into /dashboard/settings/sentinel: the Data Collection Endpoint URL, the DCR immutable id, and the stream name (Custom-Permafrost). A Codeless Connector Platform definition is included to surface the connector card in the workspace Data connectors gallery.

The templates live in the Permafrost repository under integrations/sentinel/connector/. The two custom tables are:

  • PermafrostFindings_CLTimeGenerated, EventKind, Provider, CustomerId, TenantId, FindingId, FindingType, Severity, Status, Title, Scope, IdentityId, DashboardUrl.
  • PermafrostRemediation_CLTimeGenerated, EventKind, CustomerId, TenantId, Action, ActorEmail, FindingId, Result, HttpStatus, ArtifactId, ArtifactHash. Records the action and execution-log hash — never the access token.

Required Log Analytics permissions: read/write/delete on the workspace to create the tables and rule, and Monitoring Metrics Publisher on the Data Collection Rule for the ingestion identity. The connector is in preview; a certified marketplace listing is a separate step.

Splunk and other CIM-compatible SIEMs

For Splunk, Elastic, or any SIEM that speaks the Common Information Model, use the CEF export. Each line parses with a stock CEF source-type — Splunk’s built-in cefsource-type, Elastic’s CEF module, or a QRadar DSM — without a custom parser.

The CEF severity is mapped from Permafrost confidence: high → 8, medium → 5. Other values render as 3. Severity 7+ surfaces in most SIEM notable-event dashboards by default.

The Permafrost alert fingerprint flows into cs1 with label PermafrostEventId. The contributing-event count flows into cs2 with label ContributingEventCount. Disposition category, when present, flows into cs3 with label DispositionCategory.

Generic CEF / syslog push

The CEF download is the manual path. The generic CEF push is the automated twin of the Sentinel connector for everyone not on Sentinel: Permafrost streams each finding state-change and Mode C remediation event as a CEF line straight to an HTTP collector you run, so events land in your SIEM within one sync cycle. Same CEF serializer as the download — one code path, two transports.

Configure it under /dashboard/settings/cef. Pick a transport:

  • CEF over HTTP. Newline-delimited raw CEF lines as text/plain to a CEF-over-HTTP receiver or an HTTP-to-syslog gateway. An optional bearer token is sent as Authorization: Bearer.
  • Splunk HEC. One HTTP Event Collector envelope per line — {"event": "<cef>", "sourcetype": "cef"} — authenticated with Authorization: Splunk <token>. Point it at your /services/collector/raw (or event) endpoint.

The collector URL is SSRF-guarded at save and at every dispatch (private and reserved addresses are rejected, HTTPS only), and the token is AES-256-GCM encrypted at rest, decrypted only at push time. It is a secret to a collector you own — not a read or write credential against your tenant.

Push is opt-in twice over, identical to the Sentinel connector: a connector must be configured and active, and the alert opt-in master switch must be on. Events stop automatically while an account is winding down. The finding line and the mode_c_remediation line carry the action, actor, target finding, HTTP result, and execution-log hash — never any access token.

Field mapping reference

The table maps the Permafrost field name to the Splunk CIM field name. The CEF column note shows where the same value surfaces in a CEF line so analysts can write search queries that span both shapes.

Permafrost fieldSplunk CIMNote
PatternIdactionPattern signature (P1–P6). Drives SignatureID in CEF.
IdentityDisplayNamesrc_userSource user / principal display name. CEF: suser.
IdentityAzureObjectIdsrc_user_idMicrosoft Graph object id of the identity. CEF: suid.
AzureTenantIdsrcConnected Azure tenant id. CEF: src.
DispositionresultAnalyst disposition (open / acknowledged / actioned / …). CEF: outcome.
LastEventAt_timeLast contributing event timestamp. CEF: rt + end.
FirstEventAtearliestFirst contributing event timestamp. CEF: start.
RationaledescriptionPattern rationale (truncated to 500 chars in CEF msg).
Confidenceseverityhigh → CEF severity 8, medium → 5.
IncidentFingerprintsignatureStable per-alert identifier. CEF: cs1.
ContributingEventCountcountCount of underlying audit-log rows folded into the alert. CEF: cs2.

How to download

Open /dashboard/alerts and apply the filters the export should cover (window, tenant, pattern, confidence, identity type, disposition). The page-header Export button opens the export drawer. Pick the format (Markdown, NDJSON, or CEF), generate the export, then download. The drawer surfaces the SHA-256 hash for chain-of-custody.

The same filter set generated within the last 5 minutes returns the existing artifact rather than re-generating, so re-clicking does not produce divergent hashes for the same inputs.

Enterprise tier

Alert export is part of the Enterprise tier. The dashboard surface and the download route enforce the gate server-side; tenants below the Enterprise tier see the export surface as informational only.