13. SIEM
FlareInspect v2.0 ships first-class Elasticsearch and Splunk shipping for findings. Every shipped event is enriched with its resource-graph node and every attack path it participates in, so SIEM rules can alert on paths, not just findings.
The wire protocol lives in src/core/integrations/siem/ and is
re-used by three surfaces — the flareinspect ship CLI, the
/api/integrations/ship web endpoint, and the file exporters. The
packaged Kibana saved-objects bundle and Splunk Technology Add-on
under integrations/ are import-ready dashboards and field
extractions tuned to the same payload.
13.3. Why ship to a SIEM?
A standalone assessment tells you what is wrong right now. A SIEM tells you what changed over time and across all your accounts. Two operators running the same assessment at 3 a.m. will see the same critical findings; what they want from a SIEM is correlation, alerting, and historic context.
To support that, every shipped event carries:
- the finding (severity, evidence, check ID, resource);
- the graph node the finding is attached to (typed by node.type and keyed by node.id);
- the attack path IDs the finding participates in (flareinspect.attack_path_ids[] and a nested threat.enrichments[] with the full path node/edge list and explanation).
13.4. Common shape
For Elasticsearch we use ECS 8.11.0 field names; for Splunk we use a CIM-aligned envelope. Both ship the same logical information under slightly different field names so the dashboards work out of the box on each platform.
| Concept | Elasticsearch (ECS) | Splunk (CIM) |
|---|---|---|
| Severity | | |
| Finding ID | | |
| Affected resource | | |
| Graph node | | |
| Attack paths | | |
| Status / remediable | | |
13.5. Targets
flareinspect ship --target <target> accepts one of:
- elastic — live ship to Elasticsearch via POST {esUrl}/_bulk (ApiKey or Basic auth)
- splunk — live ship to Splunk via POST {hecUrl}/services/collector/event (Authorization: Splunk <token>)
- all — both elastic and splunk in one call (each target reports its own ok / error)
- file — skip the HTTP path; write the same NDJSON the live shipper would have posted, plus the recommended Elasticsearch index template, into --out-dir. Use this for air-gapped environments or for piping the file into an offline SIEM.
All four targets support --dry-run: the payload is built and printed, but no HTTP and no file write.
The web API mirrors the same dispatch — see API Reference
for POST /api/integrations/ship.
13.6. Authentication
For Elasticsearch, prefer ApiKey (--es-api-key) but Basic auth
(--es-username / --es-password) is also supported. For
Splunk, the HEC token (--hec-token) is the only auth option.
All credentials can come from CLI flags or env vars (see the Environment variables table in API Reference). Flags take precedence; the web API reads from the JSON body first.
13.7. Pull / air-gapped mode
When you can’t reach the SIEM directly, use --out-dir to write
the files the live shipper would have posted:
flareinspect ship -i assessment.json --target file --out-dir ./out
This produces:
- flareinspect-findings-<timestamp>.ndjson — the ECS _bulk body
- flareinspect-hec-<timestamp>.ndjson — the HEC envelopes
- flareinspect-index-template.json — the recommended Elasticsearch index template (also available at GET /api/integrations/template/elastic)
The two NDJSON files can be replayed later with
curl -H "Authorization: ApiKey $KEY" --data-binary @…
or by piping into the HEC collector.
13.8. Deduplication
Every shipped document carries the finding ID under
vulnerability.id and the assessment ID under
flareinspect.assessment_id. Most SIEMs will index these
automatically; for idempotent re-ship we recommend an ingest
pipeline (Elasticsearch) or a search-time lookup (Splunk) keyed on
the same fields.
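As an added example (not FlareInspect's own shipper code), here is the ECS _bulk body from 13.5 built with a deterministic _id derived from the two dedup keys above, plus a small replay that shows a second ship of the same assessment overwrites rather than duplicates. The document layout, the index name, the sample finding and the timestamp are assumptions; only the field names the page itself cites are taken from it.

```python
import hashlib
import json

# Constructed sample finding (not real tool output). The nested names mirror the
# fields the page cites (vulnerability.id, flareinspect.assessment_id,
# flareinspect.attack_path_ids, node.id / node.type, threat.enrichments);
# the exact document layout is an assumption.
SAMPLE_FINDING = {
    "finding_id": "FI-0001", "assessment_id": "assess-20240101", "severity": "high",
    "check_id": "IAM-007", "resource": "arn:aws:iam::123456789012:user/alice",
    "node": {"id": "iam-user:alice", "type": "iam.user"},
    "attack_path_ids": ["ap-7", "ap-12"],
}

def doc_id(assessment_id: str, finding_id: str) -> str:
    """Deterministic _id from the two dedup keys, so re-shipping the same
    assessment overwrites the document instead of adding a duplicate."""
    return hashlib.sha256(f"{assessment_id}\x00{finding_id}".encode()).hexdigest()[:32]

def to_ecs(f: dict, ts: str) -> dict:
    """ECS-shaped document for one finding, with its graph node and attack paths."""
    return {
        "@timestamp": ts,
        "event": {"kind": "alert", "category": ["vulnerability"]},
        "vulnerability": {"id": f["finding_id"], "severity": f["severity"]},
        "flareinspect": {"assessment_id": f["assessment_id"], "check_id": f["check_id"],
                         "attack_path_ids": list(f["attack_path_ids"])},
        "node": dict(f["node"]),
        # one enrichment per attack path; the real payload also carries node/edge lists
        "threat": {"enrichments": [{"matched": {"id": p}} for p in f["attack_path_ids"]]},
    }

def ecs_bulk_body(findings: list, index: str = "flareinspect-findings",
                  ts: str = "2024-01-01T03:00:00Z") -> str:
    """NDJSON body for POST {esUrl}/_bulk: one action line plus one document line
    per finding, ending with the trailing newline _bulk requires."""
    lines = []
    for f in findings:
        action = {"index": {"_index": index, "_id": doc_id(f["assessment_id"], f["finding_id"])}}
        lines += [json.dumps(action), json.dumps(to_ecs(f, ts))]
    return "\n".join(lines) + "\n"

def replay_bulk(store: dict, body: str) -> dict:
    """Apply a _bulk body to an in-memory index keyed by _id, mimicking how
    Elasticsearch treats an explicit _id: a second ship overwrites, not duplicates."""
    lines = body.splitlines()
    for action, doc in zip(lines[0::2], lines[1::2]):
        store[json.loads(action)["index"]["_id"]] = json.loads(doc)
    return store
```

Without the explicit _id (or an equivalent ingest pipeline), the same replay would leave two copies of every finding after a re-ship.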
13.9. Next steps
Elasticsearch — Elasticsearch ECS mapping, index template, packaged Kibana app
Splunk — Splunk HEC envelope, packaged TA, dashboard