Supported Sources
Microsoft Sentinel
Azure-native SIEM. Forward alerts via Logic Apps or Automation Rules.
Elastic Security
Elastic SIEM. Forward alerts via Elastic webhook actions.
Splunk
Splunk Enterprise Security. Forward alerts via webhook alert actions.
Generic Webhook
Any source that can POST JSON. Use the generic format for unsupported SIEMs.
How Ingestion Works
- Validate — the source plugin checks the payload structure
- Normalize — maps source-specific fields to Calseta’s agent-native schema
- Extract indicators — pulls IPs, domains, hashes, URLs, emails, accounts from the payload
- Save — persists the normalized alert and indicators to the database
- Enqueue — enrichment and agent dispatch are queued for async processing
The ingestion endpoint responds with 202 Accepted within 200ms; all enrichment and agent dispatch happen asynchronously after that response.
Webhook Signature Verification
Each source can verify webhook signatures to ensure payloads haven’t been tampered with. Configure the webhook secret via environment variables:

| Variable | Source |
|---|---|
| SENTINEL_WEBHOOK_SECRET | Microsoft Sentinel |
| ELASTIC_WEBHOOK_SECRET | Elastic Security |
| SPLUNK_WEBHOOK_SECRET | Splunk |
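The following is an added example, not Calseta’s own code, of what a receiver does with those secrets before a payload is allowed into the ingestion pipeline. The page documents only the environment variables, so the concrete scheme here is an assumption: HMAC-SHA256 over "timestamp.rawbody", carried in X-Webhook-Timestamp and X-Webhook-Signature headers as sha256=<hex>, plus a replay window. The pieces that matter regardless of scheme are that the MAC is computed over the raw request bytes (not re-serialized JSON), the comparison is constant-time, and a missing secret rejects rather than skips the check.

```python
"""Added example, not Calseta's own code: verify a webhook signature before
the payload enters the ingestion pipeline. The scheme (HMAC-SHA256 over
"<timestamp>.<raw body>", sent as X-Webhook-Timestamp and
X-Webhook-Signature: sha256=<hex>, with a replay window) is an assumption;
the page only documents which environment variable holds each source's secret."""
import hashlib
import hmac
import json
import os
import time

SECRET_ENV = {  # documented variables, keyed by an assumed source id
    "sentinel": "SENTINEL_WEBHOOK_SECRET",
    "elastic": "ELASTIC_WEBHOOK_SECRET",
    "splunk": "SPLUNK_WEBHOOK_SECRET",
}
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Signature the sending SIEM would attach. Binding the timestamp into the
    MAC input lets the receiver reject a captured request replayed later."""
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def verify(source: str, headers: dict, body: bytes, *, now=None, env=os.environ) -> bool:
    """True only if the signature matches the raw body under the source's secret
    and the timestamp is inside the replay window. Fails closed on anything missing."""
    secret = env.get(SECRET_ENV.get(source, ""), "")
    if not secret:
        return False  # no secret configured for this source: reject, never skip the check
    ts = _header(headers, "X-Webhook-Timestamp")
    sig = _header(headers, "X-Webhook-Signature")
    if not ts.isdigit() or not sig.isascii():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret.encode(), ts, body)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def ingest_if_valid(source: str, headers: dict, body: bytes, *, now=None, env=os.environ):
    """Pipeline gate: verify the raw bytes first, parse JSON only afterwards."""
    if not verify(source, headers, body, now=now, env=env):
        return None  # caller answers 401/403; nothing is normalized or enqueued
    return json.loads(body)
```

The order in ingest_if_valid is deliberate: parsing JSON and then signing a re-serialized copy changes whitespace and key order, so the MAC no longer matches what the sender computed; verification must run over the bytes exactly as received.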
Normalized Alert Schema
Regardless of source, all alerts are normalized to:

| Field | Type | Description |
|---|---|---|
| title | string | Alert title |
| severity | string | Pending, Informational, Low, Medium, High, Critical |
| occurred_at | timestamp | When the event occurred (from source) |
| source_name | string | Which source sent the alert |
| status | string | Investigation lifecycle: Open → Triaging/Escalated → Closed |
| enrichment_status | string | System-managed: Pending → Enriched/Failed |
| tags | string[] | Alert tags |
| raw_payload | object | Original source payload (preserved in full) |
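To tie the ingestion steps above to this schema, here is an added example, not Calseta’s own code, that runs the validate, normalize and extract-indicators steps over a constructed generic-webhook payload and produces an alert with exactly the fields in the table. The input field names it reads (name, priority, timestamp, labels, user, dns_query), the severity mapping, the indicator regexes and the queued job names are all assumptions; only the output fields come from the page.

```python
"""Added example, not Calseta's own code: the validate, normalize and
extract-indicators steps run over a constructed generic-webhook payload,
producing an alert in the normalized schema above. Input field names
(name, priority, timestamp, labels, user, dns_query) and the extraction
rules are assumptions."""
import ipaddress
import re
from datetime import datetime, timezone

# Source priority -> documented severity value; anything unknown stays Pending.
SEVERITY_MAP = {"informational": "Informational", "info": "Informational", "low": "Low",
                "medium": "Medium", "high": "High", "critical": "Critical"}

# Searched in this order; each match is blanked out before the next pattern runs,
# so the host inside a URL or e-mail is not also reported as a bare domain (assumed rule).
PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("hash", re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
ACCOUNT_KEYS = {"user", "account", "principal", "username"}  # assumed key names

def validate(payload):
    """Validate step: a JSON object carrying the fields the assumed generic format requires."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    for key in ("name", "timestamp"):
        if not isinstance(payload.get(key), str) or not payload[key]:
            raise ValueError(f"missing required field: {key}")
    return payload

def _leaves(obj, path=()):
    """Yield (path, value) for every scalar leaf in a nested JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaves(v, path + (i,))
    else:
        yield path, obj

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False  # 999.1.1.1 matches the regex but is not an address

def extract_indicators(payload):
    """Extract-indicators step: IPs, domains, hashes, URLs, e-mails and accounts from every string value."""
    found = {k: set() for k in ("ip", "domain", "hash", "url", "email", "account")}
    strings = []
    for path, value in _leaves(payload):
        if isinstance(value, str):
            strings.append(value)
            if path and str(path[-1]).lower() in ACCOUNT_KEYS:
                found["account"].add(value)
    text = "\n".join(strings)
    for kind, pattern in PATTERNS:
        found[kind].update(m for m in pattern.findall(text) if kind != "ip" or _is_ip(m))
        text = pattern.sub(lambda m: " " * len(m.group()), text)
    return found

def normalize(payload, source_name="generic-webhook"):
    """Normalize step: map the source payload onto the normalized alert schema."""
    occurred = datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
    if occurred.tzinfo is None:
        occurred = occurred.replace(tzinfo=timezone.utc)  # assume UTC when untagged
    return {
        "title": payload["name"],
        "severity": SEVERITY_MAP.get(str(payload.get("priority", "")).lower(), "Pending"),
        "occurred_at": occurred.astimezone(timezone.utc).isoformat(),
        "source_name": source_name,
        "status": "Open",                # investigation lifecycle starts at Open
        "enrichment_status": "Pending",  # system-managed; enrichment runs asynchronously
        "tags": [str(t) for t in payload.get("labels", [])],
        "raw_payload": payload,          # preserved in full
    }

def ingest(payload, source_name="generic-webhook"):
    """Validate -> normalize -> extract; the save and enqueue steps are stand-ins here."""
    validate(payload)
    return {"alert": normalize(payload, source_name), "indicators": extract_indicators(payload),
            "queued": ["enrichment", "agent_dispatch"]}  # job names are assumed

SAMPLE_PAYLOAD = {  # constructed sample, not a real alert
    "name": "Suspicious outbound connection",
    "priority": "high",
    "timestamp": "2024-05-01T10:15:00Z",
    "description": "host ws-042 contacted https://evil.example.net/drop?id=7 "
                   "(resolved 203.0.113.44) after user j.doe@corp.example.com opened an "
                   "attachment with sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "dns_query": "updates.evil.example.net",
    "src_ip": "10.0.0.5",
    "user": "CORP\\jdoe",
    "labels": ["phishing", "c2"],
}
```

Calling ingest(SAMPLE_PAYLOAD) yields an alert with severity High, status Open and enrichment_status Pending, plus one URL, one e-mail, one SHA-256, two IPs, one bare domain and one account. Regex extraction of this kind over-matches on file names such as report.pdf (a plausible domain shape), so in practice the domain set is worth checking against a public-suffix list before it reaches enrichment.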

