SIEM / SOAR
HLD HomeBase integrates bidirectionally with major SIEM and SOAR platforms — forwarding normalised security events outbound and accepting enrichment or playbook triggers inbound.
Supported platforms
| Name | Type | Required | Description |
|---|---|---|---|
| Splunk | siem | No | HTTP Event Collector (HEC) outbound push. Splunk SOAR webhook trigger inbound. |
| Microsoft Sentinel | siem | No | Log Analytics workspace forwarder. Logic App trigger inbound. |
| Elastic Security | siem | No | Elasticsearch bulk ingest API. Fleet webhook inbound. |
| IBM QRadar | siem | No | Syslog CEF/LEEF outbound. Custom offense action inbound. |
| Generic Syslog | siem | No | RFC 5424 syslog over TCP/TLS. CEF format. |
| Webhook / HTTP | soar | No | Any SOAR platform that accepts a webhook payload. |
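The Generic Syslog row above describes the output format as RFC 5424 syslog carrying CEF payloads. As an added worked example (not HLD HomeBase's own code or event schema), the Python below serialises a few constructed alerts in that shape, applies the same kind of `min_severity` filter the outbound integrations expose, and parses the lines back to check that CEF header and extension escaping round-trips. The alert field names, the vendor/product strings, the syslog facility and the severity mapping are assumptions.

```python
"""Added example (not HLD HomeBase's own code): serialise normalised alerts as
RFC 5424 syslog lines with CEF payloads, honour a min_severity filter, and parse
the result back to check escaping. Field names, vendor/product strings, facility
and the severity mapping are assumptions, not HomeBase's real schema."""
import re
from datetime import datetime, timezone

# Assumed mapping: HomeBase severity label -> (CEF severity 0-10, syslog severity 0-7)
SEVERITY = {"low": (3, 6), "medium": (5, 4), "high": (8, 2), "critical": (10, 1)}
ORDER = ["low", "medium", "high", "critical"]
FACILITY_LOCAL0 = 16  # assumed syslog facility for forwarded security events

# Constructed sample alerts, not real HomeBase events.
ALERTS = [
    {"ts": 1700000000, "severity": "low", "rule_id": "HB-1001",
     "title": "Failed login burst", "fields": {"src": "10.0.0.5", "suser": "alice", "cnt": 12}},
    {"ts": 1700000060, "severity": "high", "rule_id": "HB-2042",
     "title": "Unusual outbound | beacon", "fields": {"dst": "203.0.113.9", "msg": "ratio=0.98"}},
    {"ts": 1700000120, "severity": "critical", "rule_id": "HB-3007",
     "title": "Mass file rename", "fields": {"dhost": "fs01", "cnt": 200, "msg": "200 renames\nin 10s"}},
]


def cef_header_escape(value):
    # CEF header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    # CEF extension values: backslash and equals must be escaped; line breaks become \r / \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(alert):
    cef_sev, _ = SEVERITY[alert["severity"]]
    header = "|".join(cef_header_escape(x) for x in
                      ("HLD", "HomeBase", "1.0", alert["rule_id"], alert["title"]))
    ext = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in alert["fields"].items())
    return f"CEF:0|{header}|{cef_sev}|{ext}"


def to_syslog(alert, hostname="homebase"):
    # RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    _, sys_sev = SEVERITY[alert["severity"]]
    pri = FACILITY_LOCAL0 * 8 + sys_sev
    ts = datetime.fromtimestamp(alert["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} hld-homebase - {alert['rule_id']} - {to_cef(alert)}"


def forward(alerts, min_severity="low"):
    # Mirrors the integration's min_severity setting: drop anything below the threshold.
    threshold = ORDER.index(min_severity)
    return [to_syslog(a) for a in alerts if ORDER.index(a["severity"]) >= threshold]


def parse_cef(line):
    # Split the CEF part of a syslog line on unescaped pipes, then unescape each field.
    cef = line[line.index("CEF:0|") + len("CEF:0|"):]
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=6)
    if len(parts) != 7:
        raise ValueError("malformed CEF header")
    vendor, product, version, sig, name, sev, ext = (
        p.replace("\\|", "|").replace("\\\\", "\\") for p in parts)
    kv = re.findall(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)", ext)
    fields = {k: v.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
              for k, v in kv}
    return {"vendor": vendor, "product": product, "version": version, "signature": sig,
            "name": name, "severity": int(sev), "fields": fields}


if __name__ == "__main__":
    for line in forward(ALERTS, "medium"):
        print(line)
        print(parse_cef(line))
```

The escaping rules matter on the receiving side: a pipe in an alert title or an equals sign in a field value would otherwise shift every downstream column in the SIEM's CEF parser, so a quick round-trip check like `parse_cef` is worth running against whatever the integration emits before trusting the fields in detection rules.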
Outbound: Splunk HEC
```http
POST /v1/integrations
{
  "type": "siem_splunk",
  "tenant_id": "ten_01hxyz",
  "credentials": {
    "hec_url": "https://splunk.yourcompany.com:8088/services/collector",
    "hec_token": "your-hec-token"
  },
  "config": {
    "index": "hld_security",
    "sourcetype": "hld:alert",
    "forward_alerts": true,
    "forward_incidents": true,
    "min_severity": "medium"
  }
}
```

Outbound: Microsoft Sentinel
```http
POST /v1/integrations
{
  "type": "siem_sentinel",
  "tenant_id": "ten_01hxyz",
  "credentials": {
    "workspace_id": "YOUR_WORKSPACE_ID",
    "shared_key": "YOUR_PRIMARY_KEY"
  },
  "config": {
    "log_type": "HLDSecurityEvents",
    "forward_alerts": true,
    "forward_incidents": true
  }
}
```

Outbound: Generic syslog (CEF)
```http
POST /v1/integrations
{
  "type": "siem_syslog",
  "tenant_id": "ten_01hxyz",
  "credentials": {
    "host": "syslog.yourcompany.com",
    "port": 6514,
    "tls": true
  },
  "config": {
    "format": "cef",
    "min_severity": "low"
  }
}
```

Inbound: SOAR trigger
Your SOAR platform can trigger HLD Sentinel response actions by calling the HLD API. This closes the loop: detection in HomeBase → enrichment and decision in your SOAR → containment back in HLD Sentinel.
```http
# Example: Splunk SOAR calling HLD Sentinel to isolate a device
POST https://api.hldgroup.org/v1/sentinel/actions
Authorization: Bearer hld_live_xxxx
{
  "action": "isolate_device",
  "target_type": "device",
  "target_id": "dev_01hxyz",
  "reason": "Triggered by Splunk SOAR playbook: ransomware-response-v2"
}
```

Tip: Use the `reason` field to include your SOAR playbook name and run ID. This creates a complete audit trail linking the SOAR decision to the Sentinel action.
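As an added example of the inbound call and the audit-trail tip (this is not HLD's own code or SDK), the Python below is a SOAR-side helper that builds the action payload shown above, restricts the playbook to an allow-list of actions, writes the playbook name and run ID into `reason` in one fixed shape, and posts the request with the bearer token. The endpoint, header and payload keys come from this page; the allow-list, the `reason` format, `parse_reason`, the `dev_` prefix check and the response handling are assumptions.

```python
"""Added example (not HLD's own code or SDK): a SOAR-side helper that triggers an
HLD Sentinel action and carries a playbook-linked audit trail in the reason field.
The endpoint, bearer-token header and payload keys come from the page; the
allow-list, reason format, parse_reason and response handling are assumptions."""
import json
import re
import urllib.request

HLD_ACTIONS_URL = "https://api.hldgroup.org/v1/sentinel/actions"
# Assumed allow-list: a playbook may only request the actions it was reviewed for.
ALLOWED_ACTIONS = {"isolate_device"}
REASON_RE = re.compile(
    r"^Triggered by (?P<platform>.+?) playbook: (?P<playbook>\S+) run:(?P<run_id>\S+)$")


def build_reason(playbook, run_id, platform="Splunk SOAR"):
    # One fixed shape so the SIEM can later join HLD audit records to SOAR run IDs.
    return f"Triggered by {platform} playbook: {playbook} run:{run_id}"


def parse_reason(reason):
    # Inverse of build_reason, for audit correlation once the action is logged.
    m = REASON_RE.match(reason)
    return (m["platform"], m["playbook"], m["run_id"]) if m else None


def build_action(action, target_id, playbook, run_id, target_type="device"):
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not on the playbook allow-list: {action}")
    # Assumed identifier convention, based on the dev_ example on the page.
    if target_type == "device" and not target_id.startswith("dev_"):
        raise ValueError(f"device target must be a dev_ identifier: {target_id}")
    return {"action": action, "target_type": target_type, "target_id": target_id,
            "reason": build_reason(playbook, run_id)}


def trigger(api_token, payload, opener=urllib.request.urlopen, timeout=10):
    # opener is injectable so the call can be exercised without network access.
    req = urllib.request.Request(
        HLD_ACTIONS_URL, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
    with opener(req, timeout=timeout) as resp:
        body = resp.read()
        if not 200 <= resp.status < 300:
            raise RuntimeError(f"HLD returned {resp.status}: {body[:200]!r}")
        return json.loads(body) if body else {}


if __name__ == "__main__":
    payload = build_action("isolate_device", "dev_01hxyz", "ransomware-response-v2", "run-42")
    print(json.dumps(payload, indent=2))
    # trigger("hld_live_xxxx", payload)  # run with a real token to send the request
```

Keeping the `reason` string machine-parseable is what makes the audit trail useful: a search on the HLD side for `run:<id>` then lands on exactly one SOAR execution, and the allow-list keeps a compromised or misconfigured playbook from requesting actions it was never approved to take.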