[ DOCS · SIEM FORMATS ]

SIEM / SOAR / EDR Formats

OCSF · CEF · SYSLOG · ONE WEBHOOK, EVERY SIEM

ShieldPi webhooks render the same event in any of four formats. Pick the format your ingestion pipeline already speaks; ShieldPi handles the conversion. The HMAC signature is computed over the rendered body, so signature verification works unchanged regardless of format.

format_type	Format	Built for
`json` (default)	ShieldPi native JSON	Custom backends, internal tooling
`ocsf`	OCSF v1.3 Detection Finding	Splunk, Datadog, Sentinel, CrowdStrike LogScale, AWS Security Lake
`cef`	CEF 0 (ArcSight)	ArcSight, QRadar, ELK, syslog forwarders
`syslog`	RFC 5424 Syslog	Long-tail SOC ingestion, UDP/TCP relays

OCSF v1.3 Detection Finding

ShieldPi events are rendered as OCSF Detection Finding (class_uid 2004) objects. The event payload is preserved verbatim under raw_data so no information is lost.

application/json (OCSF v1.3)
{
  "activity_id": 1,
  "category_uid": 2,
  "class_uid": 2004,
  "type_uid": 200401,
  "severity_id": 5,
  "severity": "Critical",
  "time": 1777636800000,
  "finding_info": {
    "uid": "evt-11111111-2222-3333-4444-555555555555",
    "title": "ShieldPi: TAP",
    "desc": "Model leaked instructions for X | Remediation: ...",
    "types": ["jailbreak"],
    "analytic": { "name": "TAP", "type_id": 2 }
  },
  "metadata": {
    "version": "1.3.0",
    "product": { "name": "ShieldPi Watchtower", "vendor_name": "ShieldPi" },
    "log_provider": "ShieldPi",
    "event_code": "severity.critical"
  },
  "confidence_score": 92,
  "raw_data": "{...full ShieldPi event JSON...}"
}

Activity mapping: Create (1) for new findings, Update (2) for status changes, Close (3) for remediation.verified.Severity mapping: info=1, low=2, medium=3, high=4, critical=5, fatal=6.

CEF 0 (ArcSight)

One line per event. Pipe-separated header followed by key=value extension. Pipes inside header fields are escaped as \|; equals signs inside extension values are escaped as \=.

text/plain (CEF:0)
CEF:0|ShieldPi|Watchtower|1.0|shieldpi.TAP|Critical Vulnerability|9|rt=1777636800000 externalId=evt-... cs1Label=EventType cs1=severity.critical cs2Label=ScanID cs2=scan-abc-123 cat=jailbreak cs4Label=Technique cs4=TAP cn1Label=Confidence cn1=0.92 dst=https://example.com/api/chat msg=Model leaked instructions for X cs6Label=SeverityLabel cs6=critical

Severity mapping (0-10): info=1, low=3, medium=5, high=7, critical=9, fatal=10. Fields use ArcSight's standard CEF dictionary (rt, externalId, cs1Label/cs1, cn1Label/cn1, msg, dst, etc.).

Syslog (RFC 5424)

Single-line PRI-prefixed message with structured-data block and a UTF-8 BOM-prefixed JSON body. PRI = facility (1, user-level) × 8 + severity (0-7).

application/syslog (RFC 5424)
<10>1 2026-05-01T12:00:00.000Z host shieldpi-watchtower - SEVERITY_CRITICAL [shieldpi@53595 eventId="evt-..." eventType="severity.critical" scanId="scan-abc-123"] {"event_id":"evt-...","event_type":"severity.critical",...}

Severity mapping (0-7, lower = more severe): fatal=0, critical=2, high=3, medium=4, low=5, info=6.

Vendor Presets (zero-config integrations)

For three of the most-asked SIEMs ShieldPi ships vendor presets that handle envelope shaping + auth header automatically. Pick the preset, paste the credential, save — no scripting required.

Preset	Required fields	Recommended format
`splunk_hec`	`hec_token` (optional: `sourcetype`, `index`)	ocsf
`datadog`	`api_key` (optional: `service`, `ddtags`)	ocsf
`sentinel`	`workspace_id`, `shared_key` (optional: `log_type`)	ocsf (URL auto-constructed)
`generic` (default)	none	your choice — POST goes to your URL with no vendor-specific header

Credentials are encrypted at rest with ShieldPi's platform credential-encryption key. They are never returned in plaintext from the API; the dashboard shows ***set*** to confirm a value is stored.

For any SIEM not on this list, pair preset=generic with the right format_type and target your endpoint directly.

Selecting a Format

In the dashboard, pick the format from the Payload Format dropdown when creating a webhook. Or via the API:

bash
curl -X POST https://api.shieldpi.io/api/webhooks \
  -H "X-API-Key: shpi_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://splunk.example.com/services/collector/event",
    "event_types": ["scan.completed", "severity.critical"],
    "format_type": "ocsf"
  }'

Update an existing webhook's format with PUT /api/webhooks/{id}:

bash
curl -X PUT https://api.shieldpi.io/api/webhooks/$WEBHOOK_ID \
  -H "X-API-Key: shpi_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "format_type": "cef" }'

HTTP Headers

Every webhook delivery includes ShieldPi-specific headers regardless of format:

Header	Value
`Content-Type`	`application/json` (json, ocsf), `text/plain` (cef), `application/syslog` (syslog)
`X-ShieldPi-Format`	The selected format_type
`X-ShieldPi-Signature`	HMAC-SHA256 over the rendered body
`X-ShieldPi-Event-Type`	scan.completed, severity.critical, etc.
`X-ShieldPi-Event-ID`	UUID for idempotency
`X-ShieldPi-Webhook-ID`	UUID of the webhook configuration

Compatibility Matrix

ShieldPi has been validated against documented ingestion paths for the following destinations. Any ingestion endpoint that accepts the listed standard format will work; this list is illustrative, not exhaustive.

Destination	Format	Endpoint
Splunk Cloud / Enterprise	ocsf or json	HEC: `https://{splunk}/services/collector/event`
Datadog Logs	ocsf or json	`https://http-intake.logs.datadoghq.com/v1/input/{api_key}`
Microsoft Sentinel	ocsf	Log Analytics HTTP Data Collector
CrowdStrike Falcon LogScale	ocsf	LogScale ingest endpoint
AWS Security Lake	ocsf	Custom-source S3 PUT (via Lambda forwarder)
Elastic / Logstash	cef, ocsf, or json	Logstash HTTP input or Elasticsearch `_bulk`
IBM QRadar	cef	CEF source via syslog or HTTP receiver
ArcSight Logger / ESM	cef	CEF source via syslog
Sumo Logic	json or ocsf	HTTP Source endpoint
Generic SOAR / SIEM	syslog	RFC 5424 over TCP/HTTP