SIEM Integration

Exporting audit records to your SIEM

Modern Treasury provides detailed audit records that are essential for identifying security incidents, maintaining compliance, and tracking user activity. These audit records can be streamed in real time to a Security Information and Event Management (SIEM) or log management solution. Each record is enriched with context that is useful during investigations.

Audit Records

All actions performed by users, API keys, and the Modern Treasury system are recorded as Audit Records. The Modern Treasury dashboard offers access to 4 months of live audit record data and 2 months of sandbox data, while older audit records can be retrieved via a historical export on the Audit Trail page (accessible by organization admins). Modern Treasury’s SIEM integration provides a systematic way to stream audit record data in real time to your log management system for security detection and log retention purposes.

The following is an example of our audit record SIEM integration with Datadog.

Example audit records in DataDog with SIEM Integration

Audit Record Format

An audit record contains the following top-level data fields:

  • id
  • record_type
  • organization_id
  • action_type
  • actor_id
  • actor_type
  • entity_type
  • entity_id
  • event_name
  • event_time
  • geo_location
  • ip_address
  • source
  • data

Example Datadog SIEM Detection

Once the audit records are in the log management system, security detection rules can be set up. The following is an example SIEM rule on Datadog that detects "impossible travel": actions by a single user that occur from locations too far apart to travel between within the time interval separating them. For example, user actions occurring in New York, then London, then New York, all within an hour, would indicate that a malicious actor in London has hijacked the account of a user currently in New York.

In this case, the Datadog SIEM ingests the Modern Treasury audit records, evaluates every record against the rule, and triggers a detection whenever "impossible travel" occurs. Alerts can also be configured on this detection rule.
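The impossible-travel logic described above, as an added example that is not Modern Treasury's or Datadog's code: it groups audit records by actor_id, orders them by event_time, and flags consecutive records whose implied speed exceeds what an airliner could manage. The record values and the lat/lon shape of geo_location are constructed assumptions, not the exact format the integration emits.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample records using the audit record fields listed above. Assumption:
# geo_location carries lat/lon; the exact shape Modern Treasury emits may differ.
SAMPLE_RECORDS = [
    {"id": "ar_1", "actor_id": "user_42", "event_time": "2024-05-01T12:00:00Z",
     "geo_location": {"city": "New York", "lat": 40.71, "lon": -74.01}},
    {"id": "ar_2", "actor_id": "user_42", "event_time": "2024-05-01T12:30:00Z",
     "geo_location": {"city": "London", "lat": 51.51, "lon": -0.13}},
    {"id": "ar_3", "actor_id": "user_42", "event_time": "2024-05-01T12:55:00Z",
     "geo_location": {"city": "New York", "lat": 40.71, "lon": -74.01}},
    {"id": "ar_4", "actor_id": "user_7", "event_time": "2024-05-01T09:00:00Z",
     "geo_location": {"city": "Chicago", "lat": 41.88, "lon": -87.63}},
    {"id": "ar_5", "actor_id": "user_7", "event_time": "2024-05-01T17:00:00Z",
     "geo_location": {"city": "New York", "lat": 40.71, "lon": -74.01}},
]
MAX_SPEED_KMH = 900.0   # about airliner cruise speed; faster than this is "impossible"
MIN_DISTANCE_KM = 50.0  # ignore geo-IP jitter between nearby points

def haversine_km(a, b):
    """Great-circle distance in km between two {lat, lon} dicts."""
    lat1, lat2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlat, dlon = lat2 - lat1, math.radians(b["lon"] - a["lon"])
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect_impossible_travel(records, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive records of one actor whose implied speed exceeds max_speed_kmh."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec.get("geo_location"):  # records without a location cannot be scored
            by_actor[rec["actor_id"]].append(rec)
    alerts = []
    for actor_id, recs in by_actor.items():
        recs.sort(key=lambda r: parse_time(r["event_time"]))
        for prev, cur in zip(recs, recs[1:]):
            dist = haversine_km(prev["geo_location"], cur["geo_location"])
            hours = (parse_time(cur["event_time"]) - parse_time(prev["event_time"])).total_seconds() / 3600
            if dist < MIN_DISTANCE_KM:
                continue
            speed = dist / hours if hours > 0 else math.inf  # far apart yet simultaneous
            if speed > max_speed_kmh:
                alerts.append({"actor_id": actor_id, "from_id": prev["id"], "to_id": cur["id"],
                               "distance_km": round(dist), "implied_kmh": round(speed)})
    return alerts
```

On the constructed records, user_42's New York to London to New York sequence produces two alerts, while user_7's Chicago to New York trip over eight hours is within the speed threshold and produces none.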

Datadog SIEM impossible travel detection

Supported Destinations

The following destinations are currently supported. Data can also be sent to a generic HTTP endpoint.

  • Amazon Redshift
  • Amazon S3
  • Coralogix
  • Datadog
  • Dynatrace
  • Elastic
  • Exabeam
  • Honeycomb
  • IBM QRadar
  • LogicMonitor
  • LogRhythm
  • Logz.io
  • Microsoft Sentinel
  • MongoDB
  • New Relic
  • OpenSearch Service/Serverless
  • Rapid7
  • Splunk
  • Sumo Logic

Supported Objects

We currently support sending audit records. Contact [email protected] if you are interested in adding additional signals.

Setting it up

To learn more about activating this feature, reach out to [email protected].

Integrations typically require routing information (e.g. an endpoint URL) and authentication credentials (e.g. an API key) for your destination.