SIEM Management


Overview

miniOrange’s SIEM Integration module enables seamless forwarding of identity, authentication, admin action, and access pattern event data (login, logout, MFA, session, policy violations, etc.) from the miniOrange identity platform into your SIEM of choice (e.g. Wazuh, Splunk, Sumo Logic, or custom tools).

This allows security teams to correlate SSO / IAM events with broader infrastructure logs for unified threat detection, monitoring, and compliance.

Use Cases / Benefits

  • Threat Detection & Correlation

    Correlate authentication, admin, and access pattern events with network or endpoint logs to detect anomalies like brute-force attempts, privilege escalations, or insider threats.

  • Incident Response & Forensics

    Trace an incident end-to-end — from user authentication to admin configuration changes — for faster root-cause analysis.

  • Compliance & Auditing

    Maintain a unified, tamper-proof audit trail of identity, admin, and access events to support audit and regulatory compliance.

  • Alerting & Real-time Monitoring

    Enable rule-based alerts in your SIEM for repeated login failures, high-risk admin actions, or unusual access behavior.

  • Operational Visibility

    Gain insights into user access trends, authentication health, admin operations, and platform activity across your environment.

Sample Workflow

  • A user attempts to log in via SSO (SAML / OIDC).
  • miniOrange processes authentication and MFA policies.
  • Any related identity, authentication, or admin action events (e.g., login success/failure, policy change, configuration update) are formatted and forwarded to the configured SIEM (via HTTP collector, syslog, or API).
  • The SIEM ingests, normalizes, and correlates these with other infrastructure logs.
  • Alerts, dashboards, and incident workflows trigger based on defined security rules.
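
The repeated-login-failure rule mentioned above, sketched as an added example (not miniOrange or SIEM vendor code). The field names `timestamp`, `event`, `user`, `ip` and the event values are assumptions, the sample events are constructed, and events are assumed to arrive in time order.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one JSON event per line. The field names (timestamp,
# event, user, ip) and event values are assumptions, not miniOrange's schema.
SAMPLE_EVENTS = """\
{"timestamp": "2024-05-01T10:00:00Z", "event": "LOGIN_FAILURE", "user": "alice", "ip": "203.0.113.7"}
{"timestamp": "2024-05-01T10:01:00Z", "event": "LOGIN_FAILURE", "user": "alice", "ip": "203.0.113.7"}
{"timestamp": "2024-05-01T10:01:30Z", "event": "LOGIN_FAILURE", "user": "bob", "ip": "198.51.100.4"}
{"timestamp": "2024-05-01T10:02:00Z", "event": "LOGIN_FAILURE", "user": "alice", "ip": "203.0.113.9"}
truncated-or-non-JSON line
{"timestamp": "2024-05-01T10:03:00Z", "event": "LOGIN_SUCCESS", "user": "bob", "ip": "198.51.100.4"}
{"timestamp": "2024-05-01T10:20:00Z", "event": "LOGIN_FAILURE", "user": "bob", "ip": "198.51.100.4"}
"""

def detect_repeated_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (alerts, skipped): one alert per user reaching `threshold`
    login failures within `window`, plus the count of unparseable lines."""
    recent = defaultdict(deque)   # user -> deque of (time, ip) failures in window
    alerts, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            kind, user = ev["event"], str(ev["user"])
        except (ValueError, KeyError, TypeError):
            skipped += 1          # count bad input instead of dropping it silently
            continue
        if kind != "LOGIN_FAILURE":
            continue
        q = recent[user]
        q.append((ts, ev.get("ip")))
        while ts - q[0][0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "count": len(q),
                           "ips": sorted({str(ip) for _, ip in q if ip}),
                           "last_seen": ev["timestamp"]})
            q.clear()             # re-arm so one burst raises one alert
    return alerts, skipped

if __name__ == "__main__":
    found, bad = detect_repeated_failures(SAMPLE_EVENTS.splitlines())
    print(found, "skipped:", bad)
```

A non-zero skipped count is worth alerting on in its own right, since it usually means the configured Data Format and the receiver's parser disagree.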

Custom API SIEM Configuration

  • Log in to the admin dashboard and select SIEM Management from the side menu.

  • Click on Configure and select Add New.

  • Choose API under Protocol.
  • Provide a Display Name and Tool Name, choose a Data Format (JSON, SYSLOG, etc.), and enter the Endpoint URL.
  • Select the appropriate Auth Type from the drop-down.

  • Provide the fields required for the Auth Type selected above.

  • (Optional) You can also configure more fields via the Custom API Body, to be sent along with the event logs.

    [If you configure a Custom API Body, ##event## is a mandatory value field against any key.]

  • Click on Save.
  • Activate the SIEM to start receiving audit logs in the API SIEM tool.

Custom TCP SIEM Configuration

  • Log in to the miniOrange Admin Dashboard.
  • Select SIEM Management from the side menu.

  • Click on Configure and select Add New.

  • Choose TCP under Protocol.
  • Provide a Display Name and Tool Name, and choose a Data Format (JSON, SYSLOG, etc.).

    TCP Port and TCP Host are mandatory fields when the Protocol is TCP.


  • Click on Save.
  • Activate the SIEM to start receiving audit logs in the TCP SIEM tool.

    Note:

    The Superadmin can also activate the SIEM tool for customers using the Manage Activation options. The admin can either activate the SIEM tool for all customers using the Activate For All Customers option, or activate it for individual customers using the Manage Activation option, available under the Actions menu by clicking the three dots.
    Please follow this guide to know more.



  • Select Activate For All Customers:
    • Superadmin can toggle Activate For All Customers to enable the SIEM tool for all tenants in one action.

  • Select Manage Activation:
    • Superadmin can use Manage Activation to selectively enable the SIEM tool for individual customer accounts.