About events streaming
Our platform enables you to feed events into your SIEM (Security information and event management) and log collection systems. To provide better control over the granularity of data attributes sent to downstream systems, Mosaic allows prefiltering events by type and streaming them separately, for example, feeding user events to Splunk and verification events to GCS. The following event types are available:
Event type | Description |
---|---|
cis | Authentication and user management events, such as when a user is created or logs in to an app. See View user activity. |
admin | Administrative actions and changes to portal settings, such as adding admins or modifying a tenant. See View admin activity. |
risk | Detection and response events, such as triggering an action event or getting a recommendation. |
verify | Identity verification events, such as document verification and face authentication. |
Integration options
To feed events into your systems, you can take advantage of the following:
- API polling techniques
-
Prebuilt plugins for third-party systems:
- Connector for Splunk
- Connector for Microsoft Sentinel
- More plugins under development
Prebuilt plugins are normally better optimized for the source system (Transmit's platform) and the consumers.
Prebuilt plugins
There are multiple patterns a plugin can use to share data with target systems: API polling, pub/sub, and so on. No matter which pattern is implemented, a prebuilt plugin is easier to set up and configure than starting from scratch.
- To feed data into Splunk, use Mosaic Events Add-o for Splunk .
- To feed data into Sentinel, use Mosaic Data Connector for Microsoft Sentinel .
- More plugins are on the way, so check back soon.
API polling
You can set up a cron job or a custom scheduler and query Event streaming APIs at specified intervals. When configuring the batch size and polling interval, think about the approximate number of events. Consider setting a longer polling period for rare events and a shorter polling period for frequent events. Keep in mind that determining the right batch size and polling interval for your organization may require some trial and error.
Setting up event collection consists of several steps:
- Enabling event collection. Specify the type of events you want to collect.
import fetch from 'node-fetch';
async function run() {
const query = new URLSearchParams({
type: '<TYPE>', // Event type. One of cis, admin, risk, verify
}).toString();
const resp = await fetch(
`https://api.transmitsecurity.io/activities/v1/activities/start-collect?${query}`,
{
method: 'PUT',
headers: {
Authorization: 'Bearer <YOUR_TOKEN_HERE>' // Client access token
}
}
);
const data = await resp.text();
console.log(data);
}
run();
- Creating an event stream. Make sure to provide a ID to identify the stream. The stream ID should be a continuous string, without spaces, and unique for each stream.
import fetch from 'node-fetch';
async function run() {
const query = new URLSearchParams({
type: '<TYPE>', // Event type. One of cis, admin, risk, verify
stream_id: 'string', // Unique stream ID, without spaces
retention: '7'
}).toString();
const resp = await fetch(
`https://api.transmitsecurity.io/activities/v1/activities/stream?${query}`,
{
method: 'PUT',
headers: {
Authorization: 'Bearer <YOUR_TOKEN_HERE>' // Client access token
}
}
);
const data = await resp.text();
console.log(data);
}
run();
- Collecting events of a specific type. Specify the batch size of events.
import fetch from 'node-fetch';
async function run() {
const query = new URLSearchParams({
type: '<TYPE>', // Event type. One of cis, admin, risk, verify
stream_id: 'string', // Unique stream ID
batch_size: '100' // The number of events to return in each batch
}).toString();
const resp = await fetch(
`https://api.transmitsecurity.io/activities/v1/activities/collect?${query}`,
{
method: 'POST',
headers: {
Authorization: 'Bearer <YOUR_TOKEN_HERE>' // Client access token
}
}
);
const data = await resp.text();
console.log(data);
}
run();
- Stop collecting events and delete streams that are no longer needed.