SIEM Integration
Centralize your Adlibo security events in your existing SIEM. Native integrations with the major platforms.
Key Features
9 Native Integrations
Prelude, Wazuh, OpenSearch, Splunk, Elastic, Datadog, Syslog, CEF and Webhooks.
Real Time
Immediate forwarding of events with sub-second latency.
Circuit Breaker
Protection against SIEM outages with queuing and automatic retry.
Standard Formats
CEF, JSON, Syslog RFC 5424. Compatible with all collectors.
Supported Platforms
🇪🇺 European Sovereign Solutions
| Platform | Origin | Protocol | Sovereignty |
|---|---|---|---|
| Prelude SIEM | 🇫🇷 France (CS Group) | HTTPS / IDMEF | ANSSI/OIV |
| Wazuh | 🇪🇸 Spain | HTTPS / Elastic API | Open Source |
| OpenSearch | 🔍 Linux Foundation | HTTPS | Open Source |
Global Platforms
| Platform | Protocol | Format | Status |
|---|---|---|---|
| Splunk | HEC (HTTP Event Collector) | JSON | Native |
| Elastic | HTTPS | ECS JSON | Native |
| Datadog | HTTPS | JSON | Native |
| Syslog Server | TCP/UDP 514 | RFC 5424 | Native |
| CEF (ArcSight) | TCP/Syslog | CEF | Native |
| Custom Webhook | HTTPS | JSON | Configurable |
🇪🇺 European Sovereign SIEM Configuration
🇫🇷 Prelude SIEM (CS Group)
French SIEM compliant with ANSSI/OIV requirements. Uses the IDMEF format (Intrusion Detection Message Exchange Format).
```json
// Prelude configuration via the reseller API
{
  "type": "PRELUDE",
  "name": "Prelude Production",
  "endpoint": "https://prelude.company.fr/api/events",
  "credentials": {
    "apiKey": "your-prelude-api-key",
    "agentId": "ADLIBO-001",
    "analyzerId": "adlibo-analyzer"
  },
  "forwardDetections": true,
  "forwardDlp": true,
  "minSeverity": "MEDIUM"
}
```
🇪🇸 Wazuh (Open Source XDR/SIEM)
Self-hosted open source SIEM. Compatible with the Elastic API. Ideal for complete sovereignty.
```json
// Wazuh configuration via the reseller API
{
  "type": "WAZUH",
  "name": "Wazuh On-Premise",
  "endpoint": "https://wazuh.company.com:9200",
  "credentials": {
    "username": "wazuh",
    "password": "your-wazuh-password",
    "agentId": "001",
    "index": "wazuh-alerts-*"
  },
  "forwardDetections": true,
  "forwardDlp": true,
  "minSeverity": "LOW"
}
```
🔍 OpenSearch (Linux Foundation)
Open source fork of Elasticsearch. Compatible API, self-hosted for maximum sovereignty.
```json
// OpenSearch configuration via the reseller API
{
  "type": "OPENSEARCH",
  "name": "OpenSearch Sovereign",
  "endpoint": "https://opensearch.company.eu:9200",
  "credentials": {
    "username": "admin",
    "password": "your-opensearch-password",
    "index": "adlibo-security"
  },
  "forwardDetections": true,
  "forwardDlp": true,
  "minSeverity": "LOW"
}
```
Splunk Configuration
1. Create an HEC token in Splunk
Settings → Data Inputs → HTTP Event Collector → New Token
2. Configure the Adlibo integration
```json
// POST /api/saas/siem/integrations
{
  "platform": "SPLUNK",
  "name": "Production Splunk",
  "config": {
    "hecUrl": "https://splunk.company.com:8088/services/collector",
    "hecToken": "your-hec-token",
    "index": "adlibo_security",
    "source": "adlibo",
    "sourcetype": "adlibo:detection"
  },
  "enabled": true,
  "eventTypes": ["DETECTION", "DLP", "AUTHENTICATION", "AUDIT"]
}
```
Splunk Event Example
```json
{
  "time": 1735824000,
  "host": "adlibo.com",
  "source": "adlibo",
  "sourcetype": "adlibo:detection",
  "index": "adlibo_security",
  "event": {
    "eventType": "DETECTION",
    "severity": "HIGH",
    "riskScore": 85,
    "category": "DIRECT_OVERRIDE",
    "organizationId": "org_abc123",
    "userId": "usr_xyz789",
    "inputPreview": "ignore previous instructions...",
    "action": "BLOCKED",
    "patterns": [
      {"category": "DIRECT_OVERRIDE", "match": "ignore previous", "score": 85}
    ],
    "sourceIp": "192.168.1.100",
    "userAgent": "Mozilla/5.0...",
    "timestamp": "2026-01-02T12:00:00Z"
  }
}
```
Elastic / OpenSearch Configuration
```json
// POST /api/saas/siem/integrations
{
  "platform": "ELASTIC",
  "name": "Elastic Cloud",
  "config": {
    "cloudId": "deployment:region:base64...",
    "apiKey": "your-api-key",
    "index": "adlibo-events",
    "pipeline": "adlibo-enrich"
  },
  "enabled": true,
  "eventTypes": ["DETECTION", "DLP", "AUDIT"]
}
// Or with a direct URL
{
  "platform": "ELASTIC",
  "name": "Self-Hosted Elastic",
  "config": {
    "url": "https://elastic.company.com:9200",
    "username": "adlibo_writer",
    "password": "encrypted_password",
    "index": "adlibo-events-{yyyy.MM}"
  }
}
```
ECS Index Template
```
PUT _index_template/adlibo-events
{
  "index_patterns": ["adlibo-events-*"],
  "template": {
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "event.category": { "type": "keyword" },
        "event.severity": { "type": "integer" },
        "threat.indicator.type": { "type": "keyword" },
        "user.id": { "type": "keyword" },
        "organization.id": { "type": "keyword" },
        "source.ip": { "type": "ip" },
        "adlibo.risk_score": { "type": "integer" },
        "adlibo.patterns": { "type": "nested" }
      }
    }
  }
}
```
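An added Python mapper (example code, not Adlibo's own) that turns the detection event from the Splunk example into a document matching this template, validating the `ip` and `date` typed fields before indexing and resolving the `{yyyy.MM}` index placeholder from the self-hosted config. The integer severity scale and the function names are assumptions; the page only declares the field types.

```python
import ipaddress
from datetime import datetime, timezone

# Assumed mapping of Adlibo severity labels to the integer "event.severity"
# field declared in the template; the page does not define the scale.
ECS_SEVERITY = {"INFO": 1, "LOW": 3, "MEDIUM": 5, "HIGH": 8, "CRITICAL": 10}


def to_ecs(event: dict) -> dict:
    """Map a DETECTION event to a document matching the adlibo-events template.

    Field types are checked up front: a malformed address in the "ip" field or
    an unparseable timestamp would otherwise make Elasticsearch reject the
    whole document at index time, silently losing the detection.
    """
    severity = str(event["severity"]).upper()
    if severity not in ECS_SEVERITY:
        raise ValueError(f"unknown severity {severity!r}")
    src_ip = ipaddress.ip_address(event["sourceIp"])   # ValueError if malformed
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": {"category": event["eventType"], "severity": ECS_SEVERITY[severity],
                  "action": event.get("action")},
        "user": {"id": event["userId"]},
        "organization": {"id": event["organizationId"]},
        "source": {"ip": str(src_ip)},
        "adlibo": {
            "risk_score": int(event["riskScore"]),
            # "nested" keeps each pattern's category/match/score together in queries
            "patterns": [{"category": p["category"], "match": p["match"], "score": int(p["score"])}
                         for p in event.get("patterns", [])],
        },
    }


def index_name(doc: dict, pattern: str = "adlibo-events-{yyyy.MM}") -> str:
    """Resolve the {yyyy.MM} placeholder used by the self-hosted Elastic config."""
    ts = datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return pattern.replace("{yyyy.MM}", ts.strftime("%Y.%m"))


# Constructed sample: the event fields from the Splunk example above.
SAMPLE_EVENT = {
    "eventType": "DETECTION", "severity": "HIGH", "riskScore": 85,
    "category": "DIRECT_OVERRIDE", "organizationId": "org_abc123",
    "userId": "usr_xyz789", "action": "BLOCKED", "sourceIp": "192.168.1.100",
    "patterns": [{"category": "DIRECT_OVERRIDE", "match": "ignore previous", "score": 85}],
    "timestamp": "2026-01-02T12:00:00Z",
}

if __name__ == "__main__":
    doc = to_ecs(SAMPLE_EVENT)
    print(index_name(doc), doc)
```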
Datadog Configuration
```json
// POST /api/saas/siem/integrations
{
  "platform": "DATADOG",
  "name": "Datadog US",
  "config": {
    "apiKey": "your-dd-api-key",
    "site": "datadoghq.com", // or datadoghq.eu
    "service": "adlibo",
    "env": "production",
    "tags": ["team:security", "app:ai-protection"]
  },
  "enabled": true,
  "eventTypes": ["DETECTION", "DLP"]
}
```
Syslog Configuration
```json
// POST /api/saas/siem/integrations
{
  "platform": "SYSLOG",
  "name": "On-Prem SIEM",
  "config": {
    "host": "syslog.company.com",
    "port": 514,
    "protocol": "TCP", // TCP, UDP, or TLS
    "facility": "LOCAL0",
    "format": "RFC5424", // or RFC3164, CEF
    "appName": "ADLIBO"
  },
  "enabled": true
}
// TLS configuration
{
  "platform": "SYSLOG",
  "config": {
    "host": "syslog.company.com",
    "port": 6514,
    "protocol": "TLS",
    "tlsCert": "-----BEGIN CERTIFICATE-----...",
    "tlsKey": "-----BEGIN PRIVATE KEY-----...",
    "tlsCa": "-----BEGIN CERTIFICATE-----..."
  }
}
```
Syslog CEF Message Example
```
CEF:0|Adlibo|AI-Protection|1.0|DETECTION|Prompt Injection Detected|8|
rt=Jan 02 2026 12:00:00
src=192.168.1.100
duser=john.doe@company.com
cs1Label=Category cs1=DIRECT_OVERRIDE
cs2Label=RiskScore cs2=85
cs3Label=Action cs3=BLOCKED
msg=Detected prompt injection attempt: ignore previous instructions
```
Event Types
| Type | Description | Severity |
|---|---|---|
| DETECTION | Prompt injection detected | Variable |
| DLP | Sensitive data detected/masked | HIGH-CRITICAL |
| AUTHENTICATION | SSO/login events | INFO-MEDIUM |
| AUDIT | Administrative actions | INFO |
| API_ERROR | API errors (rate limit, auth) | MEDIUM |
| HONEYPOT | Honeypot detection | HIGH-CRITICAL |
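An added Python encoder (example code, not Adlibo's) that renders the CEF record shown above on a single line with the CEF escaping rules applied, since `msg` carries user-supplied prompt text that could otherwise break the record or inject extra key=value pairs into what the collector parses. The severity scale and the hypothetical `to_cef` function are assumptions; the page only shows HIGH rendered as 8.

```python
from datetime import datetime

# Assumed mapping from Adlibo severity labels to the 0-10 CEF severity field
# (the page's example renders HIGH as 8).
CEF_SEVERITY = {"INFO": 1, "LOW": 3, "MEDIUM": 5, "HIGH": 8, "CRITICAL": 10}


def esc_header(value) -> str:
    """Header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_extension(value) -> str:
    """Extension values: backslash, '=' and line breaks must be escaped so that
    attacker-controlled text cannot add key=value pairs or split the record."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: dict) -> str:
    """Render an Adlibo DETECTION event as one CEF:0 line (hypothetical encoder)."""
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    header = "|".join(["CEF:0", "Adlibo", "AI-Protection", "1.0",
                       esc_header(event["eventType"]),
                       esc_header("Prompt Injection Detected"),
                       str(CEF_SEVERITY[event["severity"]])])
    extension = [
        ("rt", ts.strftime("%b %d %Y %H:%M:%S")),   # CEF "MMM dd yyyy HH:mm:ss" form
        ("src", event["sourceIp"]),
        ("duser", event["userId"]),
        ("cs1Label", "Category"), ("cs1", event["category"]),
        ("cs2Label", "RiskScore"), ("cs2", event["riskScore"]),
        ("cs3Label", "Action"), ("cs3", event["action"]),
        ("msg", "Detected prompt injection attempt: " + event["inputPreview"]),
    ]
    # Extension pairs are space-separated on the same line as the header
    return header + "|" + " ".join(f"{k}={esc_extension(v)}" for k, v in extension)


# Constructed sample: same fields as the Splunk event above, but the prompt
# preview carries characters that would corrupt an unescaped CEF record.
SAMPLE_EVENT = {
    "eventType": "DETECTION", "severity": "HIGH", "riskScore": 85,
    "category": "DIRECT_OVERRIDE", "userId": "usr_xyz789", "action": "BLOCKED",
    "sourceIp": "192.168.1.100", "timestamp": "2026-01-02T12:00:00Z",
    "inputPreview": "ignore previous instructions\nact=ALLOWED | src=10.0.0.1",
}

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
```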
Circuit Breaker & Resilience
The circuit breaker system protects against outages of your SIEM and guarantees event delivery.
```json
// Circuit breaker configuration (defaults)
{
  "circuitBreaker": {
    "failureThreshold": 5, // Failures before opening
    "resetTimeout": 30000, // 30s before probing
    "halfOpenRequests": 3, // Probe requests
    "successThreshold": 2 // Successes needed to close
  },
  "queue": {
    "maxSize": 10000, // Max queued events
    "retryAttempts": 5, // Retry attempts
    "retryDelay": [1000, 5000, 15000, 60000, 300000] // Backoff
  }
}
```
Zero event loss
Events are stored locally and replayed automatically when the SIEM becomes available again.
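An added Python model of the circuit breaker and retry queue with the default values above (example code, not Adlibo's implementation). It shows when the breaker opens, how the half-open probes close it again, and how queued events are replayed with the backoff list; the class and method names are assumptions, and the clock is injected so the behaviour can be exercised without waiting.

```python
from collections import deque

CB = {"failureThreshold": 5, "resetTimeout": 30000, "halfOpenRequests": 3, "successThreshold": 2}
QUEUE = {"maxSize": 10000, "retryAttempts": 5, "retryDelay": [1000, 5000, 15000, 60000, 300000]}
# CB and QUEUE are the default values from the configuration above (times in milliseconds).


class SiemForwarder:
    """Hypothetical forwarder: circuit breaker in front of send(), retry queue behind it."""
    def __init__(self, send, clock):
        self.send, self.clock = send, clock   # send(event) raises when the SIEM fails; clock() in seconds
        self.state, self.opened_at, self.queue = "CLOSED", 0.0, deque()   # queue: (event, attempt, due)
        self.failures = self.successes = self.probes = 0
    def _allow(self) -> bool:
        if self.state == "OPEN" and self.clock() - self.opened_at >= CB["resetTimeout"] / 1000:
            self.state, self.successes, self.probes = "HALF_OPEN", 0, 0   # cooldown elapsed
        if self.state == "HALF_OPEN" and self.probes < CB["halfOpenRequests"]:
            self.probes += 1                                               # let a probe through
            return True
        return self.state == "CLOSED"                 # OPEN, or probe budget spent: fail fast
    def _enqueue(self, event, attempt: int) -> str:
        if attempt >= QUEUE["retryAttempts"] or len(self.queue) >= QUEUE["maxSize"]:
            return "DROPPED"                          # retries exhausted or queue full: alert
        delay = QUEUE["retryDelay"][min(attempt, len(QUEUE["retryDelay"]) - 1)] / 1000
        self.queue.append((event, attempt + 1, self.clock() + delay))   # backoff before retry
        return "QUEUED"
    def forward(self, event, attempt: int = 0) -> str:
        """Deliver one event now if the circuit allows it; returns SENT, QUEUED or DROPPED."""
        if not self._allow():
            return self._enqueue(event, attempt)
        try:
            self.send(event)
        except Exception:
            self.failures += 1
            if self.state == "HALF_OPEN" or self.failures >= CB["failureThreshold"]:
                self.state, self.opened_at = "OPEN", self.clock()       # trip the breaker
            return self._enqueue(event, attempt)
        self.failures, self.successes = 0, self.successes + 1
        if self.state == "HALF_OPEN" and self.successes >= CB["successThreshold"]:
            self.state = "CLOSED"                     # enough probes succeeded: SIEM is back
        return "SENT"
    def replay_due(self) -> int:
        """Re-send queued events whose backoff has elapsed; returns how many were delivered."""
        sent, now = 0, self.clock()
        for _ in range(len(self.queue)):
            event, attempt, not_before = self.queue.popleft()
            if not_before > now:
                self.queue.append((event, attempt, not_before))           # not due yet
            else:
                sent += self.forward(event, attempt) == "SENT"
        return sent
```

A scheduler would call `replay_due()` periodically; events that come back as `DROPPED` are the ones the queue and high-error-rate alerts below are meant to surface.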
Integration Monitoring
```json
// GET /api/saas/siem/status
{
  "integrations": [
    {
      "id": "int_abc123",
      "name": "Production Splunk",
      "platform": "SPLUNK",
      "status": "healthy",
      "circuitState": "CLOSED",
      "stats": {
        "eventsSent24h": 15420,
        "eventsQueued": 0,
        "lastEventAt": "2026-01-02T11:59:55Z",
        "avgLatencyMs": 45,
        "errorRate24h": 0.01
      }
    },
    {
      "id": "int_xyz789",
      "name": "Backup Syslog",
      "platform": "SYSLOG",
      "status": "degraded",
      "circuitState": "HALF_OPEN",
      "stats": {
        "eventsSent24h": 12000,
        "eventsQueued": 342,
        "lastErrorAt": "2026-01-02T11:45:00Z",
        "errorRate24h": 0.15
      }
    }
  ]
}
```
SIEM Alerts
Automatic alerts
Receive notifications when an integration enters a degraded state or when the queue exceeds a threshold.
```json
// Alert configuration
{
  "alerts": {
    "circuitOpen": {
      "enabled": true,
      "channels": ["email", "slack"]
    },
    "queueThreshold": {
      "enabled": true,
      "threshold": 1000,
      "channels": ["pagerduty"]
    },
    "highErrorRate": {
      "enabled": true,
      "threshold": 0.05, // 5%
      "window": "5m",
      "channels": ["email"]
    }
  }
}
```
Related Documentation
Need help with SIEM integration?
Our team can help you configure and optimize your integrations.