Creates a SIEM streaming destination for the authenticated tenant. Once the destination is created with enabled: true, audit events begin streaming immediately. Requires the Enterprise tier.

Parameters

provider (string, required)
    SIEM provider type. One of splunk, datadog, cloudwatch, elastic, or webhook.

endpoint (string, required)
    HTTPS URL of the destination. For Splunk, use the HEC endpoint. For Datadog, use the log intake URL. For CloudWatch, use the regional Logs endpoint.

token (string)
    Authentication token for Splunk, Datadog, or Elastic destinations.

access_key_id (string)
    AWS access key ID. Required when provider is cloudwatch.

secret_access_key (string)
    AWS secret access key. Required when provider is cloudwatch.

secret (string)
    Shared secret for HMAC signature verification. Required when provider is webhook.

enabled (boolean)
    Whether to start streaming immediately. Defaults to true.

Responses

{
  "id": "siem_abc123",
  "provider": "splunk",
  "endpoint": "https://hec.splunk.example.com:8088/services/collector",
  "enabled": true,
  "created_at": "2026-06-30T12:00:00Z",
  "status": "active"
}

curl -X POST https://api.truthlocks.com/v1/audit/siem \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "splunk",
    "endpoint": "https://hec.splunk.example.com:8088/services/collector",
    "token": "your-hec-token",
    "enabled": true
  }'
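
A pre-flight check for the request body, applying the parameter rules listed above before anything is sent. This is an added example, not Truthlocks code; the function name build_siem_request is hypothetical, and the two checks commented as local policy (no credentials inside the endpoint URL, no credential fields the chosen provider does not use) are assumptions rather than documented API behaviour.

```python
from urllib.parse import urlsplit

# Credential fields the page associates with each provider value.
CREDENTIALS = {
    "splunk": {"token"},
    "datadog": {"token"},
    "elastic": {"token"},
    "cloudwatch": {"access_key_id", "secret_access_key"},
    "webhook": {"secret"},
}
# Fields the page marks "Required when provider is ...".
REQUIRED = {
    "cloudwatch": {"access_key_id", "secret_access_key"},
    "webhook": {"secret"},
}
KNOWN = set().union(*CREDENTIALS.values())


def build_siem_request(provider, endpoint, enabled=True, **credentials):
    """Return a validated request body, or raise ValueError."""
    if provider not in CREDENTIALS:
        raise ValueError(f"unknown provider: {provider!r}")
    url = urlsplit(endpoint)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("endpoint must be an HTTPS URL")
    # Local policy (assumption): the response echoes endpoint back, so
    # credentials must travel in the dedicated fields, never in the URL.
    if url.username or url.password:
        raise ValueError("endpoint must not embed credentials")
    if not isinstance(enabled, bool):
        raise ValueError("enabled must be a boolean")
    if set(credentials) - KNOWN:
        raise ValueError(f"unknown fields: {sorted(set(credentials) - KNOWN)}")
    supplied = {name for name, value in credentials.items() if value}
    missing = REQUIRED.get(provider, set()) - supplied
    if missing:
        raise ValueError(f"{provider} requires {sorted(missing)}")
    # Local policy (assumption): refuse secrets the provider does not use,
    # so a copy-pasted AWS key is never sent alongside a Splunk config.
    stray = supplied - CREDENTIALS[provider]
    if stray:
        raise ValueError(f"{sorted(stray)} not used by {provider}")
    body = {"provider": provider, "endpoint": endpoint, "enabled": enabled}
    body.update({name: credentials[name] for name in sorted(supplied)})
    return body
```

Pass the returned dict to the HTTP client as the JSON body, and load the credential values from a secret store or environment variable rather than writing them into a script.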