
Connect WiFi Security to Your SIEM

Stream ITDR alerts and authentication events to Splunk, Microsoft Sentinel, Elastic, QRadar, Datadog, or any SIEM. CEF format, webhook, or syslog. Configure in 5 minutes.

1,000+ Organizations
108 Countries
50M+ Authentications/Month

IronWiFi streams WiFi authentication events and ITDR threat detections to your SIEM in Common Event Format (CEF). Supported platforms include Splunk, Microsoft Sentinel, Elastic/ELK Stack, IBM QRadar, and Datadog. Events include MITRE ATT&CK technique IDs, risk scores, and full identity context. Setup takes approximately 5 minutes via webhook or syslog configuration.

Supported SIEM Platforms

Splunk

HTTP Event Collector (HEC) with CEF-formatted events. Pre-built search queries available.

Microsoft Sentinel

Log Analytics workspace ingestion via Data Collector API or syslog connector.

Elastic / ELK

Elasticsearch ingest via webhook or Logstash syslog input with CEF codec.

IBM QRadar

Syslog forwarding with automatic CEF parsing. QRadar DSM compatible.

Datadog

Webhook integration with Datadog Logs API. Custom facets for WiFi-specific fields.

Custom Webhook

Send events to any HTTP endpoint. JSON or CEF payload with custom headers and auth.

Architecture Overview

IronWiFi ITDR processes RADIUS authentication events in real time. When a threat is detected, scored, and mapped to MITRE ATT&CK, the event is forwarded to your SIEM via Cloud Tasks for reliable, at-least-once delivery.

  1. RADIUS Event: authentication request from access point
  2. ITDR Analysis: 5 detection engines score and map to ATT&CK
  3. Cloud Tasks: reliable delivery queue with retry logic
  4. Your SIEM: events arrive in CEF format via webhook or syslog

CEF Event Format

All events use the Common Event Format (CEF) standard for maximum SIEM compatibility. Here is an example ITDR detection event:

// Example: Impossible Travel Detection
CEF:0|IronWiFi|ITDR|1.0|IMPOSSIBLE_TRAVEL|Impossible Travel Detected|7| src=192.168.1.42 suser=[email protected] cs1Label=MITRETechnique cs1=T1078.004 cs2Label=RiskScore cs2=85 cs3Label=PreviousAP cs3=AP-Building-A-Floor3 cs4Label=CurrentAP cs4=AP-Building-C-Floor1 cs5Label=TimeDelta cs5=47s cs6Label=DetectionEngine cs6=BehavioralBaseline deviceExternalId=AA:BB:CC:DD:EE:FF rt=2026-04-05T14:32:18Z
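As an added example (not IronWiFi's code), the following Python parser reads a record like the one above on the SIEM side: it splits the CEF header on unescaped pipes, splits the extension on key positions so values may contain spaces, resolves the ArcSight-style csNLabel/csN pairs into named fields (MITRETechnique, RiskScore, ...), and flags ITDR detections at or above a risk threshold. The username in the embedded sample is a constructed placeholder, since the page's own value is redacted.

```python
import re

# The page's sample event, re-typed here with a constructed username (the original's is redacted).
SAMPLE = ("CEF:0|IronWiFi|ITDR|1.0|IMPOSSIBLE_TRAVEL|Impossible Travel Detected|7| "
          "src=192.168.1.42 suser=jdoe cs1Label=MITRETechnique cs1=T1078.004 "
          "cs2Label=RiskScore cs2=85 cs3Label=PreviousAP cs3=AP-Building-A-Floor3 "
          "cs4Label=CurrentAP cs4=AP-Building-C-Floor1 cs5Label=TimeDelta cs5=47s "
          "cs6Label=DetectionEngine cs6=BehavioralBaseline "
          "deviceExternalId=AA:BB:CC:DD:EE:FF rt=2026-04-05T14:32:18Z")

HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                  # header separator: '|' not escaped as '\|'
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of an extension key=value pair


def _unescape(s: str) -> str:
    # CEF escapes backslash, '|' (header) and '=' (extension) with a leading backslash.
    return re.sub(r"\\([\\|=])", r"\1", s)


def parse_cef(line: str) -> dict:
    """Parse one CEF record into header fields plus a label-resolved extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _PIPE.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven '|'-separated fields before the extension")
    event = {name: _unescape(val) for name, val in zip(HEADER, parts[:7])}
    event["severity"] = int(event["severity"])
    ext = parts[7].strip()
    hits = list(_KEY.finditer(ext))   # values may contain spaces, so split on key positions
    raw = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].strip())
    # ArcSight-style custom fields: csNLabel gives the meaning of csN (e.g. cs2Label=RiskScore).
    event["extension"] = {raw.get(k + "Label", k): v for k, v in raw.items() if not k.endswith("Label")}
    return event


def triage(event: dict, risk_threshold: int = 70):
    """Return an alert summary for ITDR detections whose RiskScore meets the threshold, else None."""
    ext = event["extension"]
    if event["product"] != "ITDR" or "RiskScore" not in ext:
        return None
    score = int(ext["RiskScore"])
    if score < risk_threshold:
        return None
    return {"rule": event["signature_id"], "technique": ext.get("MITRETechnique"),
            "user": ext.get("suser"), "mac": ext.get("deviceExternalId"),
            "score": score, "severity": event["severity"]}
```

The threshold of 70 is an assumed tuning value; pick one that matches your own alerting policy.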

Event Types

  • ITDR Threat Detections — credential attacks, impossible travel, MAC spoofing, brute force, privilege escalation (with MITRE ATT&CK technique IDs and risk scores)
  • Authentication Events — successful and failed RADIUS authentications with full identity context (username, MAC, AP, SSID, auth method)
  • Policy Violations — conditional access denials, certificate issues, VLAN assignment anomalies
  • Administrative Actions — configuration changes, user management, policy updates
  • Incident Lifecycle — incident created, updated, resolved, and response playbook execution events

Configuration Methods

Webhook (Recommended)

The fastest way to connect. Point IronWiFi to your SIEM's HTTP ingestion endpoint.

  1. Go to Console → Settings → Integrations → SIEM
  2. Select Webhook as the delivery method
  3. Enter your SIEM endpoint URL (e.g., Splunk HEC URL, Datadog Logs API)
  4. Add authentication headers (API key, Bearer token, or HEC token)
  5. Select event types to forward (ITDR alerts, auth events, policy violations)
  6. Click Test Connection to verify, then Save

Syslog

Use syslog delivery for SIEMs that prefer traditional syslog ingestion (QRadar, on-premise Splunk, rsyslog).

  1. Go to Console → Settings → Integrations → SIEM
  2. Select Syslog as the delivery method
  3. Enter your syslog server address and port
  4. Choose protocol: TCP+TLS (recommended) or UDP
  5. Select CEF or raw JSON format
  6. Click Test & Save

Configure in 5 Minutes

Most teams complete SIEM integration in under 5 minutes. No agents to install, no log collectors to configure. IronWiFi pushes events directly to your SIEM from the cloud. Events start flowing immediately after saving your configuration.

Start Streaming WiFi Events to Your SIEM

Connect IronWiFi ITDR to your security operations workflow. Free 14-day trial includes full SIEM integration.
