Connecting Your First Integration

Seliq connects to your existing security tools rather than replacing them. This page covers connecting your first source. For a full list of supported integrations, see the Integrations Overview.

How ingestion works

When you connect a source, Seliq:

1. Authenticates using the credentials you provide (API key, OAuth token, or service principal)
2. Performs an initial backfill of recent alerts (configurable, default: last 72 hours)
3. Sets up continuous polling or webhook delivery depending on the source type
4. Begins AI triage as soon as the first batch arrives

Credentials are encrypted at rest and never exposed in the UI after the initial setup.

Connecting your first source

Microsoft Sentinel

Required: Azure AD service principal with Security Reader role on the target workspace.

1. In the Azure portal, create a service principal under Azure Active Directory → App registrations
2. Assign the Security Reader role scoped to your Sentinel workspace
3. Note the Tenant ID, Client ID, and Client Secret
4. In Seliq, go to Settings → Integrations → Add Source → Microsoft Sentinel
5. Enter your Tenant ID, Client ID, Client Secret, and the Sentinel workspace resource ID
6. Click Test connection — a green indicator confirms access

Permissions

Seliq only requires read access to Sentinel. We never write back to your SIEM unless you explicitly enable bidirectional sync (coming soon).

Splunk

Required: A Splunk user account or service account with search capability and can_delete turned off (read-only recommended).

1. In Splunk, create an API token: Settings → Tokens → New Token
2. Scope the token to the index(es) you want Seliq to ingest from
3. In Seliq, go to Settings → Integrations → Add Source → Splunk
4. Enter your Splunk host (e.g. https://your-instance.splunkcloud.com), port (8089 for API), and the token
5. Optionally set a SPL filter to limit which events Seliq ingests
6. Click Test connection

CrowdStrike

Required: A CrowdStrike OAuth2 API client with Detections: Read and Incidents: Read scopes.

1. In the Falcon console, go to Support → API Clients and Keys → Add new API client
2. Enable Detections: Read and Incidents: Read — no write scopes required
3. Note the Client ID and Client Secret
4. In Seliq, go to Settings → Integrations → Add Source → CrowdStrike Falcon
5. Select your Falcon cloud region and enter the Client ID and Client Secret
6. Click Test connection

Testing your connection

After saving an integration, Seliq runs a connectivity check and attempts to pull a sample of alerts. The integration card shows one of three states:

Status	Meaning
✅ Connected	Credentials are valid and alerts are flowing
⚠️ Degraded	Connected but fewer alerts than expected — check your filter settings
❌ Failed	Authentication or network error — check credentials and firewall rules

More integrations coming soon

Full configuration guides for AWS GuardDuty, Elastic SIEM, Google Chronicle, SentinelOne, and others are being written. See Integrations Overview for the current status list.