Alert Ingestion
Alert ingestion is the entry point for everything in Seliq. Every alert that arrives — regardless of source format — is normalised into a common schema, deduplicated, and queued for AI triage. Your analysts see a single, consistent interface no matter where the alert originated.
Supported ingestion methods
Seliq supports two ingestion modes depending on what your source provides:
Pull (polling): Seliq queries your source on a configurable interval (default: 60 seconds). Suitable for SIEMs and ticketing systems that expose a query or search API. Slightly higher latency than push.
Push (webhooks): Your source sends alerts to a Seliq-provided webhook endpoint in real time. Zero polling lag. Supported by EDR platforms (CrowdStrike, SentinelOne) and most modern SIEM services.
The normalisation pipeline
When an alert arrives, Seliq runs it through a normalisation pipeline before it reaches the analyst queue:
- Schema mapping — vendor-specific field names are mapped to the Seliq common event schema (based on OCSF)
- Severity translation — vendor severity scales (e.g. Splunk’s 0–10 or CrowdStrike’s informational/low/medium/high/critical) are mapped to Seliq’s five-level scale
- Entity extraction — IP addresses, hostnames, usernames, file hashes, and CVE identifiers are extracted and indexed for cross-alert correlation
- Deduplication — near-duplicate alerts from the same source within a rolling 10-minute window are collapsed into a single event with a count
Alert fields
Every normalised alert in Seliq carries:
| Field | Type | Description |
|---|---|---|
| id | string | Seliq-generated UUID |
| source | string | Integration name (e.g. crowdstrike, sentinel) |
| external_id | string | Original alert ID from the source system |
| severity | enum | critical \| high \| medium \| low \| info |
| title | string | Normalised alert title |
| entities | object[] | Extracted IP, hostname, user, hash, and CVE references |
| raw | object | The original, unmodified payload from the source |
| ingested_at | timestamp | UTC timestamp of ingestion |
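As an added illustration (not Seliq's own code) of the pipeline stages described above and the schema fields in the table, this Python sketch maps two assumed vendor payload shapes onto the common fields, translates severity onto the five-level scale, extracts entities by regex, and collapses near-duplicates inside the rolling 10-minute window. The field maps, severity buckets, regexes, payload shapes and the `count` attribute on a collapsed event are all assumptions made for the example.

```python
import re
import uuid
from datetime import datetime, timezone
# Assumed vendor->common-schema field maps and severity translations (illustrative, not Seliq's own tables)
FIELD_MAPS = {"crowdstrike": {"detection_id": "external_id", "name": "title"},
              "splunk": {"event_id": "external_id", "search_name": "title"}}
CS_SEVERITY = {"informational": "info", "low": "low", "medium": "medium", "high": "high", "critical": "critical"}
SPLUNK_BUCKETS = [(9, "critical"), (7, "high"), (4, "medium"), (1, "low"), (0, "info")]  # 0-10 -> five levels
ENTITY_PATTERNS = {  # hostnames must start with a letter so an IP address is not also counted as a hostname
    "ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "hash": r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b",
    "cve": r"\bCVE-\d{4}-\d{4,}\b",
    "hostname": r"\b[a-z][a-z0-9-]*(?:\.[a-z0-9-]+)+\b"}
DEDUP_WINDOW = 600  # rolling 10-minute window, in seconds (timestamps below are epoch seconds)

def translate_severity(source, value):
    if source == "crowdstrike":
        return CS_SEVERITY[str(value).lower()]
    return next(level for floor, level in SPLUNK_BUCKETS if int(value) >= floor)

def extract_entities(payload):
    text = " ".join(str(v) for v in payload.values())
    return [{"type": kind, "value": m if kind == "cve" else m.lower()}
            for kind, pat in ENTITY_PATTERNS.items() for m in re.findall(pat, text, flags=re.IGNORECASE)]

def normalise(source, payload, now):
    alert = {"id": str(uuid.uuid4()), "source": source, "raw": payload,
             "ingested_at": datetime.fromtimestamp(now, tz=timezone.utc).isoformat()}
    for vendor_field, common_field in FIELD_MAPS[source].items():
        alert[common_field] = payload[vendor_field]
    alert["severity"] = translate_severity(source, payload["severity"])  # "severity" key assumed shared
    alert["entities"] = extract_entities(payload)
    return alert

class Deduplicator:  # collapses near-duplicates (same source, title and entity set) inside the rolling window
    def __init__(self):
        self.recent = {}  # dedup key -> (alert already queued, window expiry)
    def ingest(self, alert, now):
        key = (alert["source"], alert["title"], tuple(sorted(e["value"] for e in alert["entities"])))
        first, expiry = self.recent.get(key, (None, None))
        if first is not None and now < expiry:
            first["count"] += 1  # suppressed: the queued event only gains a count
            return None
        alert["count"] = 1
        self.recent[key] = (alert, now + DEDUP_WINDOW)
        return alert

if __name__ == "__main__":  # constructed sample: one detection reported twice, three minutes apart
    d = Deduplicator()
    cs = {"detection_id": "det-1", "name": "Credential dumping", "severity": "High", "host": "ws-042.corp.example"}
    print([d.ingest(normalise("crowdstrike", cs, t), t) for t in (0, 180)])  # second entry is None
```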
Filtering and suppression
You can configure source-level filters to suppress low-value alerts before they reach the analyst queue:
- Severity floor — ignore all alerts below a configurable severity (e.g. drop info and low)
- Title exclusion list — suppress specific alert titles that are known false-positive generators in your environment
- Time-of-day windows — suppress certain alert types outside business hours