SIEM Integrations

Seliq ingests alerts and incidents from your SIEM and adds AI triage on top. Your SIEM keeps its existing detection rules, dashboards, and workflows. Seliq adds the analyst-facing prioritisation and investigation layer.

Microsoft Sentinel

Ingestion method: Pull (Azure REST API) and optional Push (Logic App webhook)
Permissions required: Security Reader role on the Sentinel workspace

  1. In the Azure portal, go to Azure Active Directory → App registrations → New registration
  2. Name the app (e.g. seliq-reader), leave redirect URI blank
  3. Under Certificates & secrets, create a new client secret and note the value
  4. Note the Application (client) ID and Directory (tenant) ID from the Overview page
  5. Navigate to your Sentinel workspace → Access control (IAM) → Add role assignment
  6. Assign Security Reader scoped to the workspace, using the app you just created
  7. In Seliq: Settings → Integrations → Add → Microsoft Sentinel
  8. Enter: Tenant ID, Client ID, Client Secret, and the workspace Resource ID

Workspace Resource ID format:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}

Data ingested:

  • SecurityAlert table — all SIEM alerts
  • SecurityIncident table — Sentinel-managed incidents (imported as grouped alerts)
  • Alert entities (IPs, accounts, hosts) for enrichment
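The following is an added example and is not Seliq code. It shows three checks a defender would want around the Sentinel setup above: validating the workspace Resource ID format before it is stored, assembling the client-credentials token request for the app registration (the Azure token endpoint and the Resource Manager scope are standard, but the incidents endpoint and its api-version are assumptions about the Azure REST API, not something these docs state), and grouping SecurityAlert rows under their SecurityIncident via the AlertIds column, which is how the docs describe incidents being imported. All sample rows are constructed.

```python
import json
import re

# Added example, not Seliq's code. Subscription IDs are GUIDs; the other
# segments are whatever Azure allows in a name, so they are only required to be
# non-empty and slash-free.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscriptionId>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/resourceGroups/(?P<resourceGroup>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights"
    r"/workspaces/(?P<workspaceName>[^/]+)$",
    re.IGNORECASE,
)


def is_workspace_resource_id(resource_id: str) -> bool:
    return RESOURCE_ID_RE.match(resource_id.strip()) is not None


def parse_workspace_resource_id(resource_id: str) -> dict:
    """Reject anything that is not a Log Analytics workspace before it is stored."""
    m = RESOURCE_ID_RE.match(resource_id.strip())
    if m is None:
        raise ValueError("expected /subscriptions/{sub}/resourceGroups/{rg}/providers/"
                         "Microsoft.OperationalInsights/workspaces/{name}")
    return m.groupdict()


def token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """OAuth2 client-credentials request for the app registration (e.g. seliq-reader)."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            # Resource Manager scope; the same token is used for every ARM call.
            "scope": "https://management.azure.com/.default",
        },
    }


def incidents_url(resource_id: str, api_version: str = "2023-02-01") -> str:
    """Sentinel incidents endpoint under the workspace (path and api-version are assumptions)."""
    parse_workspace_resource_id(resource_id)  # fail fast on a malformed ID
    return (f"https://management.azure.com{resource_id}"
            f"/providers/Microsoft.SecurityInsights/incidents?api-version={api_version}")


def group_alerts_by_incident(incident_rows: list, alert_rows: list) -> dict:
    """Attach SecurityAlert rows to incidents via SecurityIncident.AlertIds.

    AlertIds arrives as a JSON array of SystemAlertId values. Alerts that no
    incident references are returned under the key "unassigned" so they are not
    silently dropped from triage.
    """
    by_id = {a["SystemAlertId"]: a for a in alert_rows}
    grouped, claimed = {}, set()
    for inc in incident_rows:
        ids = inc["AlertIds"]
        if isinstance(ids, str):
            ids = json.loads(ids)
        grouped[inc["IncidentNumber"]] = [by_id[i] for i in ids if i in by_id]
        claimed.update(ids)
    grouped["unassigned"] = [a for i, a in by_id.items() if i not in claimed]
    return grouped


# Constructed sample rows shaped like the two tables (all values are made up).
SAMPLE_INCIDENTS = [
    {"IncidentNumber": 101, "Title": "Suspicious sign-in", "Severity": "High",
     "AlertIds": '["a-1","a-2"]'},
]
SAMPLE_ALERTS = [
    {"SystemAlertId": "a-1", "AlertName": "Impossible travel", "AlertSeverity": "High"},
    {"SystemAlertId": "a-2", "AlertName": "MFA fatigue", "AlertSeverity": "Medium"},
    {"SystemAlertId": "a-3", "AlertName": "Rare process", "AlertSeverity": "Low"},
]

if __name__ == "__main__":
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sec-rg"
           "/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws")
    print(parse_workspace_resource_id(rid))
    print(incidents_url(rid))
    print({k: [a["AlertName"] for a in v]
           for k, v in group_alerts_by_incident(SAMPLE_INCIDENTS, SAMPLE_ALERTS).items()})
```

Validating the Resource ID up front catches the common mistake of pasting a storage account or resource group ID instead of the workspace, and the "unassigned" bucket makes it visible when SecurityAlert contains alerts that Sentinel never attached to an incident.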

Splunk

Ingestion method: Pull (Splunk REST API, port 8089)
Permissions required: search capability on the target indexes

  1. In Splunk: Settings → Tokens → New Token
  2. Set an expiry appropriate for a service integration (or use a long-lived token with rotation policy)
  3. Note the token value (shown once)
  4. In Seliq: Settings → Integrations → Add → Splunk
  5. Enter: Splunk host URL, API port (8089), and the token
  6. Optionally set a SPL filter to limit which events Seliq ingests (e.g. index=notable)
  7. Set the polling interval (default: 60 seconds)

Example SPL filter:

index=notable | where severity >= "high"

Adjust the severity threshold and index name to match your Splunk ES configuration.
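As an added example (not Seliq's code and not Splunk's), the block below shows what a token-based pull against the management port looks like end to end: building the request for the Splunk REST export endpoint with the SPL filter from this section, re-reading a short overlap window on each poll so notables indexed late are not missed, and consuming the newline-delimited JSON the endpoint streams back. The export endpoint, Bearer header and output_mode parameter are the documented Splunk REST API; the host name, the overlap length and the event_id field used for de-duplication are assumptions, and the sample response is constructed.

```python
import json

# Added example, not Seliq's code. Host is a placeholder.
SPLUNK_HOST = "https://splunk.example.internal"
API_PORT = 8089
POLL_INTERVAL = 60   # matches the default polling interval in the docs
OVERLAP = 30         # seconds re-read on each poll (assumed value) so late-indexed notables are not missed


def build_export_request(token: str, spl_filter: str,
                         last_poll_epoch: int, now_epoch: int) -> dict:
    """Return URL, headers and form fields for /services/search/jobs/export."""
    search = spl_filter.strip()
    # The REST API needs the generating command spelled out; the search bar adds it for you.
    if not (search.startswith("search ") or search.startswith("|")):
        search = "search " + search
    return {
        "url": f"{SPLUNK_HOST}:{API_PORT}/services/search/jobs/export",
        "headers": {"Authorization": f"Bearer {token}"},
        "data": {
            "search": search,
            "earliest_time": last_poll_epoch - OVERLAP,
            "latest_time": now_epoch,
            "output_mode": "json",
        },
    }


def parse_export_response(body: str, seen_ids: set) -> list:
    """Consume the newline-delimited JSON the export endpoint streams.

    Preview rows are skipped, and events already seen in the overlap window are
    dropped using the notable event_id field (assumed to be present on every row).
    seen_ids is mutated so the caller can keep it across polls.
    """
    fresh = []
    for line in body.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("preview"):
            continue
        result = row["result"]
        if result["event_id"] in seen_ids:
            continue
        seen_ids.add(result["event_id"])
        fresh.append(result)
    return fresh


# Constructed sample of what the endpoint streams (values are made up); note the
# preview row and the duplicate n-2 that the overlap window would produce.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"preview": True, "result": {"event_id": "n-1", "severity": "high", "rule_name": "Brute force"}}),
    json.dumps({"preview": False, "result": {"event_id": "n-1", "severity": "high", "rule_name": "Brute force"}}),
    json.dumps({"preview": False, "result": {"event_id": "n-2", "severity": "critical", "rule_name": "Malware"}}),
    json.dumps({"preview": False, "result": {"event_id": "n-2", "severity": "critical", "rule_name": "Malware"}}),
])

if __name__ == "__main__":
    now = 1704110400  # constructed epoch
    req = build_export_request("<token>", 'index=notable | where severity >= "high"',
                               now - POLL_INTERVAL, now)
    print(req["data"]["search"], req["data"]["earliest_time"], req["data"]["latest_time"])
    seen = set()
    print([r["rule_name"] for r in parse_export_response(SAMPLE_EXPORT, seen)])
    print(parse_export_response(SAMPLE_EXPORT, seen))  # second poll: nothing new
```

Keeping the overlap window and de-duplicating by event_id is what makes a 60-second poll safe against indexing lag without double-triaging the same notable.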

Elastic SIEM

Ingestion method: Pull (Elasticsearch API)
Permissions required: Read access to the .alerts-security.alerts-* index pattern

  1. In Kibana: Stack Management → Security → API Keys → Create API key
  2. Grant read access to .alerts-security.alerts-* index
  3. Note the encoded API key
  4. In Seliq: Settings → Integrations → Add → Elastic SIEM
  5. Enter: Elasticsearch host URL, API key, and optionally a KQL filter
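The block below is an added example, not Seliq's or Elastic's code. It shows the request bodies a defender can use to mint an API key whose role descriptor is limited to reading the .alerts-security.alerts-* pattern, to verify afterwards that the key can read but not write that pattern, and to reproduce the "encoded" value Kibana hands you (base64 of id:api_key) so the ApiKey header can be built or inspected. The _security/api_key and _has_privileges bodies follow the Elasticsearch security API; the role name, the ECS field used in the search body and the sample privilege response are assumptions or constructed.

```python
import base64

# Added example, not Seliq's code.
ALERTS_PATTERN = ".alerts-security.alerts-*"


def api_key_request_body(name: str = "seliq-reader") -> dict:
    """Body for POST /_security/api_key, scoped to read-only on the alerts pattern."""
    return {
        "name": name,
        "role_descriptors": {            # role name is an assumption
            "seliq_alerts_read": {
                "indices": [{"names": [ALERTS_PATTERN],
                             "privileges": ["read", "view_index_metadata"]}]
            }
        },
    }


def has_privileges_body() -> dict:
    """Body for POST /_security/user/_has_privileges, sent with the new key.

    Asking for both read and write lets the response prove the key is read-only.
    """
    return {"index": [{"names": [ALERTS_PATTERN], "privileges": ["read", "write"]}]}


def privilege_check_passed(response: dict) -> bool:
    """Interpret a _has_privileges reply: read must be granted, write must not."""
    idx = response["index"][ALERTS_PATTERN]
    return idx.get("read") is True and idx.get("write") is False


def encode_api_key(key_id: str, api_key: str) -> str:
    """Kibana's 'encoded' value is base64(id:api_key)."""
    return base64.b64encode(f"{key_id}:{api_key}".encode()).decode()


def decode_api_key(encoded: str) -> tuple:
    """Split an encoded key back into (id, secret); rejects values that are not id:key."""
    key_id, sep, secret = base64.b64decode(encoded).decode().partition(":")
    if not sep or not key_id or not secret:
        raise ValueError("encoded API key is not base64(id:api_key)")
    return key_id, secret


def auth_header(encoded: str) -> dict:
    return {"Authorization": f"ApiKey {encoded}"}


def alerts_search_body(since: str = "now-60s") -> dict:
    """Query DSL for the alerts pattern: open alerts newer than the last poll.

    kibana.alert.workflow_status is the ECS field Kibana writes for alert state
    (assumed here); a KQL filter configured in Seliq would narrow this further.
    """
    return {
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": since}}},
            {"term": {"kibana.alert.workflow_status": "open"}},
        ]}},
        "sort": [{"@timestamp": "asc"}],
    }


# Constructed _has_privileges reply for a correctly scoped key (values are made up).
SAMPLE_PRIV_RESPONSE = {
    "username": "seliq-reader",
    "has_all_requested": False,
    "index": {ALERTS_PATTERN: {"read": True, "write": False}},
}

if __name__ == "__main__":
    enc = encode_api_key("constructed-id", "constructed-secret")
    print(enc, decode_api_key(enc), auth_header(enc))
    print(api_key_request_body())
    print("least-privilege check:", privilege_check_passed(SAMPLE_PRIV_RESPONSE))
```

Running the _has_privileges check with the freshly created key, rather than with your own Kibana user, is the only way to confirm the key itself carries nothing beyond read on the alerts pattern.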