Connecting Your SIEM
Parapet Security receives alerts via webhook from your SIEM. This guide covers the general setup process - see the Integrations section for platform-specific instructions.
Overview
All SIEM integrations follow the same pattern:
- Get your webhook URL from Parapet Security
- Configure your SIEM to send alerts to that URL
- Test the connection to verify alerts are arriving
Your Webhook URL
Your unique webhook URL is available in the dashboard:
- Log in to app.parapetsecurity.com
- Navigate to Settings → Service Tokens
- Copy your webhook URL
The URL format is:
```
https://webhook-{region}.parapetsecurity.com/webhook/{tenant-id}
```
Where:
- {region} is us or eu, based on your data region
- {tenant-id} is your unique tenant identifier (UUID)
Authentication
Parapet Security uses Bearer token authentication for webhooks.
Getting Your Service Token
- Go to Settings → Service Tokens
- Click Generate New Token
- Give the token a descriptive name (e.g., "Wazuh Production")
- Copy the token immediately - it won't be shown again
Token Security
- Store your token securely (e.g., in a secrets manager)
- Never commit tokens to version control
- Rotate tokens periodically for security
- Revoke tokens immediately if compromised
Using the Token
Include the token in the Authorization header:
```http
POST /webhook/{tenant-id} HTTP/1.1
Host: webhook-us.parapetsecurity.com
Authorization: Bearer pst_abc123...
Content-Type: application/json

{
  "alert": {...}
}
```
What We Accept
Parapet Security's AI normalization can process alerts from any SIEM in any format:
Supported Formats
- JSON (preferred)
- XML
- CEF (Common Event Format)
- LEEF (Log Event Extended Format)
- Syslog
Content Types
- application/json
- application/xml
- text/plain
Payload Size
- Maximum payload size: 1 MB
- Alerts larger than 1 MB will be rejected
Testing Your Connection
Using cURL
Test your webhook with a sample alert:
```bash
curl -X POST "https://webhook-us.parapetsecurity.com/webhook/{tenant-id}" \
  -H "Authorization: Bearer {your-token}" \
  -H "Content-Type: application/json" \
  -d '{
    "source": "test",
    "timestamp": "2026-01-28T12:00:00Z",
    "severity": "high",
    "message": "Test alert from cURL"
  }'
```
Expected response:
Verifying in Dashboard
After sending a test alert:
- Go to your Parapet Dashboard
- Navigate to Alerts
- You should see your test alert within 30 seconds
Alert Processing Time
Most alerts are processed and triaged within 10-30 seconds. High volumes during peak times may take up to 60 seconds.
Firewall Configuration
If your SIEM is behind a firewall, ensure outbound HTTPS (port 443) is allowed to:
| Endpoint | Port | Purpose |
|---|---|---|
| webhook-us.parapetsecurity.com | 443 | Alert ingestion (NA) |
| webhook-eu.parapetsecurity.com | 443 | Alert ingestion (EU) |
IP Allowlisting
Parapet Security uses dynamic cloud IPs. If you need to allowlist specific IPs, contact support@parapetsecurity.com for our current IP ranges.
Rate Limits
Webhook endpoints are rate-limited based on your subscription tier:
| Plan | Alerts per Minute | Alerts per Day |
|---|---|---|
| Starter | 50 | 1,000 |
| Professional | 200 | 5,000 |
| Team | 500 | 20,000 |
Exceeding your rate limit returns HTTP 429 (Too Many Requests).
Error Handling
HTTP Response Codes
| Code | Meaning | Action |
|---|---|---|
| 202 | Alert accepted | Success |
| 400 | Invalid payload | Check JSON syntax |
| 401 | Invalid token | Verify your Bearer token |
| 403 | Token expired/revoked | Generate a new token |
| 429 | Rate limited | Slow down or upgrade plan |
| 500 | Server error | Retry with exponential backoff |
Retry Strategy
For transient errors (429, 500), implement exponential backoff:
```
Attempt 1: Wait 1 second
Attempt 2: Wait 2 seconds
Attempt 3: Wait 4 seconds
Attempt 4: Wait 8 seconds
...
Maximum: 5 retries or 60 seconds
```
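The following sender applies the response-code table and the backoff schedule above. It is an added example, not code from Parapet Security. The environment variable names `PARAPET_WEBHOOK_URL` and `PARAPET_TOKEN`, the injectable `post` and `sleep` parameters, and the reading of "60 seconds" as a total wait budget are assumptions.

```python
import json
import os
import time
import urllib.error
import urllib.request

MAX_PAYLOAD = 1024 * 1024   # page: alerts larger than 1 MB are rejected
RETRYABLE = {429, 500}      # page: the transient errors worth retrying
MAX_RETRIES = 5             # page: at most 5 retries ...
MAX_TOTAL_WAIT = 60         # ... or 60 seconds (assumed: total time spent waiting)


def http_post(url, token, body):
    """Default transport: POST the body with the Bearer token, return the status code."""
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def send_alert(url, token, alert, post=http_post, sleep=time.sleep):
    """Send one alert; return (final_status, list_of_waits_in_seconds)."""
    body = json.dumps(alert).encode("utf-8")
    if len(body) > MAX_PAYLOAD:
        raise ValueError("alert exceeds the 1 MB payload limit")
    waits, delay = [], 1
    while True:
        status = post(url, token, body)
        # 202 is success; 400/401/403 need a fix on our side, so retrying cannot help.
        if status not in RETRYABLE:
            return status, waits
        if len(waits) >= MAX_RETRIES or sum(waits) + delay > MAX_TOTAL_WAIT:
            return status, waits
        sleep(delay)
        waits.append(delay)
        delay *= 2              # 1, 2, 4, 8, 16 seconds


if __name__ == "__main__":
    # Assumed variable names; populate them from a secrets manager so the
    # token never ends up in version control.
    url, token = os.environ["PARAPET_WEBHOOK_URL"], os.environ["PARAPET_TOKEN"]
    alert = {"source": "test", "severity": "high", "message": "Test alert"}
    print(send_alert(url, token, alert))
```

A final status of 401 or 403 returned here should raise an operational alert of its own, since it means the SIEM is silently failing to deliver until the token is fixed.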
Platform-Specific Guides
For detailed setup instructions for your specific SIEM:
Need Help?
If you're having trouble connecting your SIEM:
- Check the Troubleshooting Guide
- Verify your token is valid in Settings → Service Tokens
- Contact support@parapetsecurity.com with:
  - Your SIEM platform and version
  - The HTTP response you're receiving
  - Your tenant ID (first 8 characters only)