Enpass retains event logs for up to 90 days. Connecting to a SIEM (Security Information and Event Management) tool lets you extend log retention indefinitely, build custom dashboards, and configure automated alerts for high-risk events.
Enpass supports the following SIEM integrations. Each section below covers the credentials you need to collect from your SIEM tool, followed by the steps to connect it in the Enpass Admin Console.
How to Open the SIEM Configuration
The first two steps are the same for all SIEM tools:
- Log in to the Enpass Admin Console.
- Navigate to Settings > Event Logs.
- Under the SIEM Integration section, click Configure.
- Select your SIEM tool from the list and click Continue.
- Enter the credentials specific to your tool (detailed in each section below).
- Click Verify & Save.
Azure Sentinel (Microsoft Sentinel)
Before you begin: Set up a Log Analytics Workspace for Enpass in the Azure portal and collect the following:
- Workspace ID
- Primary Key
In the Enpass Admin Console, select Azure Sentinel, click Continue, then enter the Workspace ID and Primary Key. Click Verify & Save.
Splunk
Before you begin: Configure an HTTP Event Collector in Splunk and collect the following:
- Host (HTTP Event Collector URL)
- Port
- Path
- Token
In the Enpass Admin Console, select Splunk, click Continue, then enter the Host, Port, Path, and Token. Click Verify & Save.
IBM QRadar
Before you begin: Configure a Log Source for Enpass in your QRadar instance and collect the following:
- Host URL
- Log Source Identifier
In the Enpass Admin Console, select IBM QRadar SIEM, click Continue, then enter the Host URL and Log Source Identifier. Click Verify & Save.
Sumo Logic
Before you begin: Create an HTTP Source on a Hosted Collector in Sumo Logic and collect the following:
- HTTP Source URL
In the Enpass Admin Console, select Sumo Logic, click Continue, then enter the HTTP Source URL. Click Verify & Save.
Graylog
Before you begin: Configure a GELF HTTP Input in Graylog to receive Enpass logs and generate a secret token. See Pre-configure Graylog for Event Logs for the full setup steps. Once done, collect the following:
- GELF HTTP Endpoint URL (format: http://<graylog-ip>:<port>/gelf)
- Secret Token
In the Enpass Admin Console, select Graylog, click Continue, then enter the URL and Token. Click Verify & Save.
Note: The system automatically prepends the Bearer prefix to your token; enter only the token value itself.
Other SIEM Tools (Webhook / JSON)
Enpass supports any SIEM or automation tool that accepts data via an HTTP POST webhook in JSON format. This includes tools like Tines and Datadog.
Before you begin: Generate a webhook endpoint URL and authentication token in your tool. For step-by-step setup instructions for specific tools, see:
Once you have your endpoint details, collect the following:
- SIEM Tool Name (used as a label in Enpass)
- Webhook URL (JSON log ingestion endpoint)
- Header Name (typically Authorization)
- Token Value (typically Bearer <your-secret-key>)
In the Enpass Admin Console, select Others, click Continue, then fill in the fields above. Click Verify & Save.
Note: The exact URL format, header name, and token format vary by tool. Refer to your SIEM tool's documentation for the correct webhook and authentication details.
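If the webhook target is a collector you run yourself, the receiving side has to check the configured header on every POST before it accepts any log data. The sketch below is an added example, not Enpass code. It assumes the Token Value is delivered as the value of the configured Header Name and that the body is a JSON object or an array of objects; the token, size limit, and port are constructed placeholders.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER_NAME = "Authorization"              # the "Header Name" field entered in Enpass
TOKEN_VALUE = "Bearer example-secret-key"  # constructed placeholder for "Token Value"
MAX_BODY = 1_000_000                       # assumed upper bound on body size, in bytes

def check_delivery(headers, body):
    """Return (http_status, events) for one POST; events is [] when rejected."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME.lower())
    # Constant-time comparison avoids leaking how much of the token matched.
    if received is None or not hmac.compare_digest(
            received.strip().encode(), TOKEN_VALUE.encode()):
        return 401, []
    if len(body) > MAX_BODY:
        return 413, []
    try:
        data = json.loads(body.decode("utf-8"))
    except ValueError:  # covers both bad UTF-8 and malformed JSON
        return 400, []
    # Assumption: a delivery is one JSON object or a batch (array) of objects.
    events = data if isinstance(data, list) else [data]
    if not all(isinstance(event, dict) for event in events):
        return 400, []
    return 200, events

class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = max(0, int(self.headers.get("Content-Length") or 0))
        except ValueError:
            length = 0
        # Read at most one byte past the limit so oversized bodies are rejected.
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, events = check_delivery(self.headers, body)
        self.send_response(status)
        self.end_headers()
        for event in events:
            print(json.dumps(event))  # hand off to storage or forwarding here

if __name__ == "__main__":
    # Loopback only; terminate TLS in a reverse proxy in front of this listener.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

Unauthenticated requests get a 401 before the body is parsed, so nothing from an unknown sender reaches the JSON decoder or the log store.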
Related Pages
- Event Logs & SIEM Integration: How to enable and manage event log collection
- Event Categories & Field Reference: Full breakdown of every tracked event by category