SIEM Management


Overview

miniOrange’s SIEM Integration module enables seamless forwarding of identity, authentication, admin action, and access pattern event data (login, logout, MFA, session, policy violations, etc.) from the miniOrange identity platform into your SIEM of choice (e.g. Wazuh, Splunk, Sumo Logic, or custom tools).

This allows security teams to correlate SSO / IAM events with broader infrastructure logs for unified threat detection, monitoring, and compliance.

Use Cases / Benefits

  • Threat Detection & Correlation

    Correlate authentication, admin, and access pattern events with network or endpoint logs to detect anomalies like brute-force attempts, privilege escalations, or insider threats.

  • Incident Response & Forensics

    Trace an incident end-to-end — from user authentication to admin configuration changes — for faster root-cause analysis.

  • Compliance & Auditing

    Maintain a unified, tamper-proof audit trail of identity, admin, and access events to support audit and regulatory compliance.

  • Alerting & Real-time Monitoring

    Enable rule-based alerts in your SIEM for repeated login failures, high-risk admin actions, or unusual access behavior.

  • Operational Visibility

    Gain insights into user access trends, authentication health, admin operations, and platform activity across your environment.

Sample Workflow

  • A user attempts to log in via SSO (SAML / OIDC).
  • miniOrange processes authentication and MFA policies.
  • Any related identity, authentication, or admin action events (e.g., login success/failure, policy change, configuration update) are formatted and forwarded to the configured SIEM (via HTTP collector, syslog, or API).
  • The SIEM ingests, normalizes, and correlates these with other infrastructure logs.
  • Alerts, dashboards, and incident workflows trigger based on defined security rules.

Custom TCP SIEM Configuration

  • Log in to the miniOrange Admin Dashboard.
  • Select SIEM Management from the side menu.
  • Click on Configure and select Add New.
  • Choose TCP under Protocol.
  • Provide a Display Name and a Tool Name, and choose a Data Format (JSON, SYSLOG, etc.).

    TCP Port and TCP Host are mandatory fields when the Protocol is TCP.

  • Click on Save.
  • Activate the SIEM configuration to start receiving audit events in the TCP SIEM tool.
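
An added example, not miniOrange code: a small Python test receiver that the TCP Host and TCP Port fields can point at to confirm events arrive before switching to the production SIEM. It assumes the JSON data format with one object per newline-terminated line; that framing and the sample field names (`eventType`, `user`) are assumptions, since this page does not document them.

```python
import json
import socket

def split_events(buffer: bytes):
    """Split a TCP byte stream into parsed events, rejected lines and a tail.
    Assumes one JSON object per newline-terminated line (not documented on
    the page). TCP has no message boundaries, so a read can end mid-event;
    the incomplete tail is returned and must be prepended to the next read.
    """
    *lines, tail = buffer.split(b"\n")
    events, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
            rejected.append(line)  # keep bad frames for troubleshooting
    return events, rejected, tail

def drain(conn: socket.socket, chunk_size: int = 4096):
    """Read one forwarder connection until it closes."""
    events, rejected, pending = [], [], b""
    with conn:
        while chunk := conn.recv(chunk_size):
            good, bad, pending = split_events(pending + chunk)
            events += good
            rejected += bad
    if pending.strip():
        rejected.append(pending)  # connection closed mid-event
    return events, rejected

def listen_once(host: str, port: int):
    """Accept one connection (cleartext, unauthenticated: bind internally)."""
    with socket.create_server((host, port)) as server:
        conn, _peer = server.accept()
        return drain(conn)

def self_test():
    """Feed constructed events through a socket pair in 16-byte reads."""
    sender, receiver = socket.socketpair()
    sender.sendall(b'{"eventType": "LOGIN_FAILED", "user": "alice"}\n'
                   b'not-json\n'
                   b'{"eventType": "POLICY_CHANGE", "user": "admin"}\n')
    sender.close()
    return drain(receiver, chunk_size=16)

if __name__ == "__main__":
    print(self_test())
```

For a live check, call `listen_once` with the same host and port entered in the TCP configuration, then activate the configuration and trigger a login.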

Custom API SIEM Configuration

  • Log in to the admin dashboard. Select SIEM Management from the side menu.
  • Click on Configure and select Add New.
  • Choose API under Protocol.
  • Provide a Display Name, a Tool Name, and an Endpoint URL, and choose a Data Format (JSON, SYSLOG, etc.).
  • Select the appropriate Auth Type from the drop-down.
  • Provide the fields required for the Auth Type selected above.
  • (Optional) You can also configure more fields via the Custom API Body, to be sent along with the event logs.

    [If you configure a Custom API Body, ##event## is a mandatory value field against any key.]

  • Click on Save.
  • Activate the SIEM configuration to start receiving audit events in the API SIEM tool.

Managing SIEM Activation for All or Individual Customers

A Superadmin can also activate the SIEM tool for customers using the activation options: either for all customers at once, using the Activate For All Customers option, or for individual customers, using the Manage Activation option available under the Actions menu (click the three dots).

  • Superadmin can toggle Activate For All Customers to enable the SIEM tool for all tenants in one action.
  • Superadmin can use Manage Activation to selectively enable the SIEM tool for individual customer accounts.