Event streaming

The event streaming feature in Strivacity lets you set up integrations with supported data streaming vendors, such as Elasticsearch and Splunk, to send important events and logs to external platforms. With this feature, you can monitor, analyze, and gain insights into your instance's activities and performance using your preferred data tools.

Capabilities

  • Send events to external platforms
    Strivacity’s event streaming capability allows you to forward different types of events to external data platforms automatically. You can choose to send:
    • Audit logs: Comprehensive logs that capture administrative and system actions within Strivacity.
    • Account events: Events related to customer activities, such as when a customer attempts to log in, changes their password, receives a multi-factor authentication (MFA) code, or performs other key identity-related actions.
  • Flexible data inclusion
    You can specify native claims to include in your event payload. This makes it easy to customize the information you send to your analytics, monitoring, or security tools.
  • Multiple integrations
    Strivacity currently supports Splunk and Elasticsearch out of the box, and you can run both integrations at the same time if needed.
  • Easy configuration
    Configuration for each supported vendor is done through the Admin Console. You can enable or disable streaming, provide the necessary credentials, and tailor the data that gets sent.
  • Resilient data delivery
    A simple retry mechanism is built into the platform to handle transient network or endpoint issues.

Use cases

  • Security monitoring and SIEM integration
    Forward events to a Security Information and Event Management (SIEM) solution such as Splunk to detect suspicious login attempts, track changes to customer accounts, or watch for anomalies in real time.
  • Audit and compliance
    Export audit logs to Elasticsearch for long-term storage, compliance reporting, or forensic investigations. Retain a complete record of administrative changes, customer flows, and policy updates.
  • Operational analytics
    Centralize your logs and events in an analytics platform to gain visibility into performance metrics, customer behaviors, and other operational insights.
  • Alerting and incident response
    Trigger alerts in external tools when certain types of account or audit events occur (for example, a high volume of failed login attempts). Respond to incidents faster by correlating Strivacity events with logs from other systems.
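The alerting use case above (a high volume of failed login attempts), worked through as an added example that is not Strivacity's own code. The page does not publish the account-event schema, so the field names used here (eventID, type, subject, outcome, time) are assumptions for illustration, and the events are constructed sample data rather than captured output. The detector keeps a per-subject sliding window and sorts the stream first, because events delivered with retries can arrive out of order.

```python
"""Failed-login burst detection over streamed account events.

Added example, not Strivacity's own code. Field names (eventID, type,
subject, outcome, time) are assumed for illustration; the events are
constructed sample data, not captured output.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone


def _ev(event_id, subject, event_type, outcome, time):
    return {"eventID": event_id, "type": event_type, "subject": subject,
            "outcome": outcome, "time": time}


# Constructed sample stream. alice: five failures inside two minutes (a burst);
# bob: three failures spread over twenty minutes; carol: two failures around a
# success. evt-005 is listed before evt-004 to show out-of-order arrival.
SAMPLE_EVENTS = [
    _ev("evt-001", "alice", "login", "failure", "2025-01-01T10:00:00Z"),
    _ev("evt-002", "alice", "login", "failure", "2025-01-01T10:00:20Z"),
    _ev("evt-003", "alice", "login", "failure", "2025-01-01T10:00:45Z"),
    _ev("evt-005", "alice", "login", "failure", "2025-01-01T10:01:30Z"),
    _ev("evt-004", "alice", "login", "failure", "2025-01-01T10:01:10Z"),
    _ev("evt-006", "carol", "login", "failure", "2025-01-01T10:02:00Z"),
    _ev("evt-007", "carol", "login", "success", "2025-01-01T10:02:30Z"),
    _ev("evt-008", "carol", "login", "failure", "2025-01-01T10:03:00Z"),
    _ev("evt-009", "bob", "login", "failure", "2025-01-01T10:05:00Z"),
    _ev("evt-010", "alice", "password_change", "success", "2025-01-01T10:10:00Z"),
    _ev("evt-011", "bob", "login", "failure", "2025-01-01T10:15:00Z"),
    _ev("evt-012", "bob", "login", "failure", "2025-01-01T10:24:00Z"),
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_failed_login_bursts(events, threshold=5, window_minutes=5):
    """Alert when one subject accumulates `threshold` failed logins within
    `window_minutes`, using a per-subject sliding window.

    Events are sorted by time first: a stream delivered with retries can
    arrive out of order, and a sliding window only works on ordered input.
    An alert fires when the count reaches the threshold and fires again only
    after the count drops below it and crosses it again, so a long-running
    attack does not produce one alert per attempt.
    """
    window = window_minutes * 60
    recent = defaultdict(deque)  # subject -> deque of (time, eventID)
    alerts = []
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        if event["type"] != "login" or event["outcome"] != "failure":
            continue
        subject = event["subject"]
        now = parse_time(event["time"])
        queue = recent[subject]
        queue.append((now, event["eventID"]))
        # Drop failures older than the window; the loop ends because the
        # event just appended is at distance zero.
        while (now - queue[0][0]).total_seconds() > window:
            queue.popleft()
        if len(queue) == threshold:
            alerts.append({
                "subject": subject,
                "count": len(queue),
                "window_start": queue[0][0].isoformat(),
                # eventIDs let an analyst link back to each event in the Admin Console
                "eventIDs": [event_id for _, event_id in queue],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_EVENTS):
        print(alert)
```

With the defaults only alice trips the rule; widening the window to 30 minutes with a threshold of 3 also catches bob's slow, spread-out attempts, which is the trade-off between catching low-and-slow activity and alert noise that the threshold and window encode.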

Configuration

Event streaming configurations are managed in the Admin Console under Instance configuration > Event streaming. From here, you can add or edit configurations for Splunk or Elasticsearch.

General steps

  1. Navigate to Event streaming
    Go to Admin Console > Instance configuration > Event streaming.
  2. Add configuration
    Click +Add configuration to create a new event streaming setup.
  3. Select a vendor
    Choose Splunk or Elasticsearch.
  4. Fill in required fields
    Provide a name, description, and any required endpoint details.
  5. Enable audit log streaming and/or account event streaming
    Select which types of events you want to stream.
  6. Include Native Claims
    If you want to include specific customer attributes in the event payload, you can specify them here.
  7. Save and enable
    Select Save (and enable if not automatically enabled) to activate the streaming configuration.

Below are specific configuration details for Splunk and Elasticsearch.

Splunk configuration

Configuring event streaming to Splunk

When creating a Splunk configuration, you will be asked for the following information:

Field         Description
Name          A name for your Splunk configuration.
Description   A brief description.
URL           The HTTP Event Collector (HEC) endpoint in Splunk (for example, https://<your-splunk-host>/services/collector/event). Include the port if HEC is reached directly rather than through a reverse proxy; it listens on 8088 by default.
HEC token     Your Splunk HEC token, used to authenticate requests. Treat it as a secret: anyone holding it can write events into your index.
Source type   (Optional) Sets the sourcetype field in Splunk.
Index         (Optional) Sets the index in Splunk where events will be stored.

Data streaming options

  • Enable audit log streaming
    Sends the entire audit log to Splunk. Certain policy changes (for example, Branding policy, Notification policy, Lifecycle event hooks) will have empty request and response fields.
  • Enable account event streaming
    Sends customer-centric events (for example, login attempts, password changes) to Splunk.
    • Limited to the basic information available in the header of an account event. This means that only high-level details are forwarded—such as the customer’s identity, the timestamp of the action, and labels indicating success or failure. The detailed steps (for example, identification started, MFA selection started) are not included by default.
    • If additional account information is required, you can enable native claims. These native claims are selected via a UI field that lists all native claims available in your instance and included in the event payload when enabled.

Splunk event format

Strivacity sends events to Splunk in JSON format compatible with the Splunk HTTP Event Collector. A typical JSON payload looks like this:

{
  "time": 1638316800,
  "host": "my-strivacity-domain.com",
  "source": "strivacity",
  "sourcetype": "json",
  "index": "main",
  "event": {
    // Account event or audit log data goes here
  }
}
  • time: The UNIX timestamp of the event.
  • host: Your Strivacity instance domain.
  • source: Optional field you can configure; can also be set in Splunk.
  • sourcetype: json by default; the Source type field in the configuration overrides it.
  • index: An optional index name (can also be configured in Splunk).
  • event: Contains the actual event data from Strivacity, including customer details (excluding any actions that are not relevant for streaming).

Once saved, Strivacity will begin sending events to your Splunk instance. You can then use Splunk to monitor, search, and create dashboards based on these events.

Elasticsearch configuration

Configuring event streaming to Elasticsearch

When creating an Elasticsearch configuration, you will be asked for the following information:

Field         Description
Name          A name for your Elasticsearch configuration.
Description   A brief description.
URL           The Elasticsearch endpoint (for example, https://<your-es-host>/_bulk).
API key       The API key used to authenticate requests to your Elasticsearch cluster. Create a key restricted to writing to the target index rather than reusing a broadly privileged one.
Index         The name of the Elasticsearch index where events should be stored.

Data streaming options

  • Enable audit log streaming
    Sends the entire audit log to Elasticsearch. Certain policy changes (for example, Branding policy, Notification policy, Lifecycle event hooks) will have empty request and response fields.
  • Enable account event streaming
    Sends customer-centric events (for example, login attempts, password changes) to Elasticsearch.
    • Limited to the basic information available in the header of an account event. This means that only high-level details are forwarded—such as the customer’s identity, the timestamp of the action, and labels indicating success or failure. The detailed steps (for example, identification started, MFA selection started) are not included by default.
    • If additional account information is required, you can enable native claims. These native claims are selected via a UI field that lists all native claims available in your instance and included in the event payload when enabled.

Elasticsearch event format

Strivacity uses the Bulk API to send events as newline-delimited JSON: each event document is preceded by an action line naming the target index. A typical bulk request might look like:

{ "index": { "_index": "your_index_name" } }
{ "field1": "value1", "field2": "value2" }
{ "index": { "_index": "your_index_name" } }
{ "field1": "value3", "field2": "value4" }

Each Strivacity event (an audit log entry or an account event) is added as a separate JSON document within the bulk payload. Every line, including the last one, is terminated by a newline, as the Bulk API requires.

Fields vary depending on the event type but typically include:

  • Timestamps
  • Customer information (subject, customer ID, optional native claims)
  • Event type (login, password reset, etc.)
  • Additional contextual data

Once configured, Strivacity will automatically push events to your specified Elasticsearch index. You can then visualize or analyze the data in Kibana or any other compatible tool.
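The two envelopes documented on this page, the Splunk HEC JSON object and the Elasticsearch bulk body, built for the same event as an added example that is not Strivacity's own code. Because the page does not publish the event schema, the sample events use assumed field names (eventID, type, subject, outcome, time) and are constructed, not captured. The Authorization header formats (Splunk <token> for HEC, ApiKey <base64 id:key> for Elasticsearch) are the vendors' documented ones; using eventID as the bulk document _id is this example's choice, not something the page states Strivacity does.

```python
"""Shaping streamed events for Splunk HEC and the Elasticsearch Bulk API.

Added example, not Strivacity's own code. Field names in SAMPLE_EVENTS are
assumed for illustration; the data is constructed, not captured.
"""
import json
from datetime import datetime, timezone

SAMPLE_EVENTS = [
    {"eventID": "evt-001", "type": "login", "subject": "alice",
     "outcome": "failure", "time": "2025-01-01T10:00:00Z"},
    {"eventID": "evt-002", "type": "password_change", "subject": "alice",
     "outcome": "success", "time": "2025-01-01T10:05:00Z"},
]


def epoch_seconds(iso_utc):
    """Convert an ISO-8601 UTC timestamp to the epoch seconds HEC expects in `time`."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def to_hec_envelope(event, host, source="strivacity", sourcetype="json", index=None):
    """Wrap an event in the HEC envelope (time, host, source, sourcetype, index, event).

    `index` is omitted when not configured so the HEC token's default index
    applies; `sourcetype` is "json" unless a Source type is configured.
    """
    envelope = {
        "time": epoch_seconds(event["time"]),
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:
        envelope["index"] = index
    return envelope


def hec_request(url, token, events, host, **kwargs):
    """Return (url, headers, body) for one HEC POST.

    HEC authenticates with "Authorization: Splunk <token>"; several envelopes
    may be sent in one body, one JSON object per line.
    """
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    body = "\n".join(json.dumps(to_hec_envelope(e, host, **kwargs)) for e in events)
    return url, headers, body


def to_bulk_body(events, index):
    """Build an NDJSON Bulk API body: an action line, then the document, per event.

    Every line, including the last, must end in a newline; Elasticsearch
    rejects a body without the trailing one. Using eventID as _id is this
    example's choice: an event delivered twice after a retry then overwrites
    itself instead of being indexed twice.
    """
    lines = []
    for event in events:
        lines.append(json.dumps({"index": {"_index": index, "_id": event["eventID"]}}))
        lines.append(json.dumps(event))
    return "\n".join(lines) + "\n"


def bulk_request(url, api_key, events, index):
    """Return (url, headers, body) for one Bulk API POST.

    `api_key` is the base64-encoded "id:api_key" value Elasticsearch returns
    when the key is created, sent as "Authorization: ApiKey <value>".
    """
    headers = {"Authorization": f"ApiKey {api_key}",
               "Content-Type": "application/x-ndjson"}
    return url, headers, to_bulk_body(events, index)


def parse_bulk_body(body):
    """Split a bulk body back into (action, document) pairs, checking its shape."""
    if not body.endswith("\n"):
        raise ValueError("bulk body must end with a newline")
    lines = body.rstrip("\n").split("\n")
    if len(lines) % 2:
        raise ValueError("bulk body must alternate action and document lines")
    return [(json.loads(lines[i]), json.loads(lines[i + 1]))
            for i in range(0, len(lines), 2)]


if __name__ == "__main__":
    _, headers, body = hec_request("https://splunk.example/services/collector/event",
                                   "hec-token", SAMPLE_EVENTS, host="my-strivacity-domain.com")
    print(headers, body, sep="\n")
    print(to_bulk_body(SAMPLE_EVENTS, "strivacity-events"), end="")
```

The two request builders return the URL, headers and body without sending them, so the same code can be used to check what a receiver should expect: a HEC endpoint that rejects the body, or a bulk request that fails with a parse error, is usually a missing trailing newline or a wrong Content-Type rather than a credential problem.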

Next steps

  1. Test your integration
    After saving your Splunk or Elasticsearch configuration, trigger a few test events (for example, customer login) and confirm that they appear in your external system.
  2. Create dashboards and alerts
    Use Splunk dashboards or Elasticsearch/Kibana visualizations to gain insights into Strivacity events. Configure alerts based on your security or operational requirements.

Additional notes

  • Retry mechanism: Strivacity implements a simple retry mechanism for event delivery if the endpoint is temporarily unavailable.
  • Linking back to Strivacity: Each streamed event includes a unique identifier (eventID). This allows you to link back to the specific event in the Strivacity Admin Console for deeper investigation if needed.