SIEM Export

Sidereal exports every SiderealProbeResult to one or more SIEM backends so that audit records live in your existing security monitoring infrastructure. You can run multiple export targets simultaneously, each with its own format.

| Backend | Protocol | Configuration key |
|---|---|---|
| Splunk | HEC (HTTPS) | splunk |
| Elasticsearch | REST (HTTPS) | elasticsearch |
| S3 | AWS S3 API | s3 |

S3 exports use SSE-KMS encryption and Object Lock in COMPLIANCE mode to satisfy append-only audit requirements.

| Format | Description |
|---|---|
| json | Native Sidereal JSON (default) |
| cef | Common Event Format (ArcSight and others) |
| leef | Log Event Extended Format (QRadar) |
| syslog | RFC 5424 structured syslog |
| ocsf | Open Cybersecurity Schema Framework |
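As an added illustration of what the cef, leef and syslog formats look like on the wire (this is not Sidereal's own exporter code), the script below renders one constructed probe result in all three. The record layout, the Sidereal vendor/product strings, the extension field mapping and the severity mapping are assumptions; only the audit.exportStatus field comes from this page, and the enterprise number 32473 is the one RFC 5612 reserves for documentation. The point worth noticing is that each format has its own escaping rules: CEF escapes pipes in the header but equals signs in the extension, LEEF has no escape for its delimiter at all, and RFC 5424 structured data escapes quotes, backslashes and closing brackets.

```python
"""Render a constructed SiderealProbeResult as CEF, LEEF 2.0 and RFC 5424 syslog.

Added example; the record layout other than audit.exportStatus is an assumption.
"""

# Constructed sample record (assumed layout; only audit.exportStatus is from the docs).
SAMPLE_RESULT = {
    "metadata": {"name": "probe-7f3a", "namespace": "sidereal-system"},
    "spec": {"probe": "tls-cert-expiry", "target": "api.example.internal:443"},
    "status": {"outcome": "fail", "severity": 7,
               "message": "cert expires in 3 days | renew=now"},
    "audit": {"exportStatus": "Pending", "timestamp": "2024-05-01T12:00:00Z"},
}

VENDOR, PRODUCT, VERSION = "Sidereal", "Sidereal", "1.0"   # assumed identifiers
DOC_PEN = "32473"   # IANA enterprise number reserved for documentation (RFC 5612)


def _fields(result: dict) -> dict:
    """Flatten the nested record into the key/value pairs all three formats carry."""
    return {
        "probe": result["spec"]["probe"],
        "target": result["spec"]["target"],
        "outcome": result["status"]["outcome"],
        "exportStatus": result["audit"]["exportStatus"],
        "ts": result["audit"]["timestamp"],
    }


def to_cef(result: dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    def esc_header(v: str) -> str:        # header fields: escape backslash and pipe
        return v.replace("\\", "\\\\").replace("|", "\\|")

    def esc_ext(v: str) -> str:           # extension values: escape backslash, '=' and newlines
        return (v.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

    f = _fields(result)
    header = ["CEF:0", VENDOR, PRODUCT, VERSION, f["probe"],
              result["status"]["message"], str(result["status"]["severity"])]
    ext = {"dvchost": f["target"], "outcome": f["outcome"], "rt": f["ts"],
           "msg": result["status"]["message"],
           "cs1Label": "exportStatus", "cs1": f["exportStatus"]}
    return ("|".join(esc_header(h) for h in header) + "|"
            + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items()))


def to_leef(result: dict) -> str:
    """LEEF:2.0|Vendor|Product|Version|EventID|delim|key=value<delim>key=value"""
    delim = "^"
    f = _fields(result)
    attrs = {"devTime": f["ts"], "sev": str(result["status"]["severity"]),
             "dst": f["target"], "outcome": f["outcome"],
             "exportStatus": f["exportStatus"]}
    # LEEF defines no escape for the delimiter, so strip it from values instead.
    body = delim.join(f"{k}={v.replace(delim, ' ')}" for k, v in attrs.items())
    return f"LEEF:2.0|{VENDOR}|{PRODUCT}|{VERSION}|{f['probe']}|{delim}|{body}"


def to_syslog(result: dict) -> str:
    """RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG"""
    def esc_sd(v: str) -> str:            # PARAM-VALUE: escape '"', '\' and ']'
        return v.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

    f = _fields(result)
    facility = 13                                  # "log audit" (RFC 5424, table 1)
    severity = 3 if f["outcome"] == "fail" else 6  # error vs informational (assumed mapping)
    pri = facility * 8 + severity
    sd = " ".join(f'{k}="{esc_sd(v)}"' for k, v in f.items() if k != "ts")
    host = result["metadata"]["namespace"]         # constructed HOSTNAME value
    return (f"<{pri}>1 {f['ts']} {host} sidereal - {f['probe']} "
            f"[probe@{DOC_PEN} {sd}] {result['status']['message']}")


if __name__ == "__main__":
    for render in (to_cef, to_leef, to_syslog):
        print(render(SAMPLE_RESULT))
```

Run it and compare the three lines: the same message string arrives in the CEF header with its pipe escaped, in the CEF extension with its equals sign escaped instead, and in the syslog MSG part untouched, which is exactly the kind of difference a parser on the receiving SIEM has to get right.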

Export targets are configured in Helm values under export.targets. Each target specifies a backend, format, endpoint, and a Kubernetes Secret reference for credentials.

```yaml
export:
  targets:
    - backend: splunk
      format: json
      endpoint: https://splunk.example.com:8088
      secretRef: splunk-hec-token
    - backend: elasticsearch
      format: ocsf
      endpoint: https://es.example.com:9200
      secretRef: elasticsearch-credentials
    - backend: s3
      format: ocsf
      endpoint: https://s3.us-gov-west-1.amazonaws.com
      bucket: audit-evidence-bucket
      region: us-gov-west-1
      secretRef: s3-credentials
```

The secretRef names a Secret in the sidereal-system namespace. For Splunk, this Secret holds the HEC token. For Elasticsearch, it holds username and password or an API key. For S3, it holds AWS credentials (or you can use IRSA/pod identity).

Each SiderealProbeResult has an audit.exportStatus field that tracks delivery state: Pending, Exported, or Failed. The result reconciler updates this field after each export attempt.

At FIPS 199 High impact level, Sidereal defaults to fail-closed on export failure. If SIEM export fails consecutively, probe scheduling halts and a SiderealSystemAlert is raised with reason SIEMExportDegraded. This ensures audit records are not generated without a functioning export pipeline.

Control this with:

```yaml
audit:
  failClosedOnExportFailure: true # default at high impact level
```

At Moderate and Low impact levels, this defaults to false. Probes continue executing even if export is degraded, though the system alert is still raised.
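The following is an added model of the behaviour described above (it is not Sidereal's reconciler code) that makes the difference between fail-closed and fail-open concrete: it tracks audit.exportStatus per attempt, counts consecutive failures across all configured targets, raises the SIEMExportDegraded alert once the threshold is reached, and only blocks scheduling when fail-closed is on. The threshold of three consecutive failures, the rule that a record counts as Exported only when every target accepted it, and treating the alert as an active condition that clears on recovery are all assumptions; the page states only that scheduling halts after consecutive failures and that the alert is raised at every impact level.

```python
"""State model of audit.exportStatus and the fail-closed export gate.

Added example, not Sidereal's reconciler. The consecutive-failure threshold and the
recovery semantics are assumptions; the page only says scheduling halts after
consecutive failures and that SIEMExportDegraded is raised at all impact levels.
"""
from dataclasses import dataclass, field
from enum import Enum


class ExportStatus(str, Enum):
    PENDING = "Pending"     # state before the first export attempt
    EXPORTED = "Exported"
    FAILED = "Failed"


@dataclass
class SystemAlert:
    reason: str
    detail: str


@dataclass
class ExportGate:
    fail_closed: bool                   # audit.failClosedOnExportFailure
    max_consecutive_failures: int = 3   # assumed threshold, not from the docs
    consecutive_failures: int = 0
    alerts: list = field(default_factory=list)   # modelled as active conditions

    @classmethod
    def for_impact_level(cls, level: str) -> "ExportGate":
        # Defaults stated on this page: true at High, false at Moderate and Low.
        return cls(fail_closed=(level.lower() == "high"))

    @property
    def degraded(self) -> bool:
        return self.consecutive_failures >= self.max_consecutive_failures

    def scheduling_allowed(self) -> bool:
        # Fail-closed halts probe scheduling while degraded; fail-open never does.
        return not (self.fail_closed and self.degraded)

    def record_attempt(self, delivered: dict) -> ExportStatus:
        """Fold one export attempt into the gate and return the record's exportStatus.

        `delivered` maps target name -> True if that backend acknowledged the record.
        The record counts as Exported only when every configured target accepted it.
        """
        if all(delivered.values()):
            self.consecutive_failures = 0
            # Recovery clears the degraded condition (assumed semantics).
            self.alerts = [a for a in self.alerts if a.reason != "SIEMExportDegraded"]
            return ExportStatus.EXPORTED
        self.consecutive_failures += 1
        already = any(a.reason == "SIEMExportDegraded" for a in self.alerts)
        if self.degraded and not already:
            failing = ", ".join(sorted(t for t, ok in delivered.items() if not ok))
            self.alerts.append(SystemAlert("SIEMExportDegraded", f"failing targets: {failing}"))
        return ExportStatus.FAILED


def run_scenario(level: str, attempts: list) -> dict:
    """Replay a list of per-attempt delivery maps and report the gate's final state."""
    gate = ExportGate.for_impact_level(level)
    statuses = [gate.record_attempt(a).value for a in attempts]
    return {
        "statuses": statuses,
        "scheduling_allowed": gate.scheduling_allowed(),
        "alerts": [a.reason for a in gate.alerts],
    }


# Constructed outage: Elasticsearch accepts every record, Splunk HEC rejects three in a row.
OUTAGE = [{"splunk": False, "elasticsearch": True}] * 3
RECOVERY = [{"splunk": True, "elasticsearch": True}]

if __name__ == "__main__":
    for level in ("High", "Moderate"):
        print(level, run_scenario(level, OUTAGE))
    print("High after recovery", run_scenario("High", OUTAGE + RECOVERY))
```

Replaying the same outage at High and at Moderate shows the asymmetry the page describes: both raise SIEMExportDegraded, but only the High-level gate reports scheduling_allowed as False, and a single fully delivered record reopens it.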