SIEM Integration

Ingest BreachSpider CVE intelligence into your SIEM for correlation and alerting.

Splunk

Using the REST API Input

Configure a Splunk scripted input or HTTP Event Collector (HEC) to poll BreachSpider. The script below fetches the KEV feed and forwards each entry to HEC as one event.

import requests

BREACHSPIDER_API_KEY = "bs_live_your_key_here"
SPLUNK_HEC_URL = "https://splunk.yourorg.com:8088/services/collector"
SPLUNK_HEC_TOKEN = "your-hec-token"

def ingest_kev_to_splunk():
    bs_headers = {"Authorization": f"Bearer {BREACHSPIDER_API_KEY}"}
    splunk_headers = {
        "Authorization": f"Splunk {SPLUNK_HEC_TOKEN}",
        "Content-Type": "application/json"
    }

    # Fetch the current KEV entries; fail loudly on HTTP errors or a hung connection
    response = requests.get(
        "https://breachspider.com/api/v1/cves/kev?limit=100",
        headers=bs_headers,
        timeout=30
    )
    response.raise_for_status()
    cves = response.json()["data"]

    # Wrap each CVE in a HEC envelope so sourcetype/index are set on the Splunk side
    for cve in cves:
        event = {
            "sourcetype": "breachspider:cve",
            "source": "breachspider_api",
            "index": "security",
            "event": cve
        }
        hec_response = requests.post(
            SPLUNK_HEC_URL, headers=splunk_headers, json=event, timeout=30
        )
        hec_response.raise_for_status()

    print(f"Ingested {len(cves)} KEV entries to Splunk")

Elastic/OpenSearch

Using Logstash HTTP Poller

input {
  http_poller {
    urls => {
      breachspider_kev => {
        method => get
        url => "https://breachspider.com/api/v1/cves/kev?limit=100"
        headers => {
          "Authorization" => "Bearer bs_live_your_key_here"
        }
      }
    }
    schedule => { cron => "*/15 * * * *" }
    codec => json
  }
}

filter {
  # The json codec has already parsed the response body, so [data] is an array of
  # CVE objects rather than a string; split it into one event per CVE under [cve].
  split {
    field => "[data]"
    target => "cve"
  }
}

output {
  elasticsearch {
    hosts => ["https://elastic.yourorg.com:9200"]
    index => "breachspider-cves-%{+YYYY.MM}"
  }
}

Generic Webhook-to-SIEM Pattern

Configure a BreachSpider webhook to deliver events to a SIEM-compatible HTTP endpoint. Most SIEMs support a REST API input or HTTP Event Collector.

# Create webhook pointing to your SIEM endpoint
curl -X POST \
  -H "Authorization: Bearer bs_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SIEM Pipeline",
    "url": "https://siem.yourorg.com/api/v1/events",
    "events": ["kev.new", "cve.critical", "exploit.confirmed"],
    "secret": "your-signing-secret"
  }' \
  "https://breachspider.com/api/v1/webhooks"

All BreachSpider webhook payloads are JSON with a consistent schema. See Webhooks for the full payload format.
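The webhook above is registered with a signing secret, so the receiving endpoint should verify each delivery before forwarding it to the SIEM. The following is an added example, not code from the BreachSpider documentation: it assumes the signature arrives in an `X-BreachSpider-Signature` header as a hex-encoded HMAC-SHA256 of the raw request body (check the Webhooks page for the actual header name and scheme), and reuses the HEC envelope from the Splunk section.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed header name and scheme (hex HMAC-SHA256 of the raw body, keyed with the
# webhook "secret"); confirm both against the Webhooks documentation.
SIGNATURE_HEADER = "X-BreachSpider-Signature"


def sign_body(secret: str, raw_body: bytes) -> str:
    """Compute the expected signature for a raw webhook body."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, presented: Optional[str]) -> bool:
    """Constant-time comparison against the presented header; a missing header fails closed."""
    if not presented:
        return False
    return hmac.compare_digest(sign_body(secret, raw_body), presented)


def to_hec_event(raw_body: bytes, index: str = "security") -> dict:
    """Wrap a verified payload in the same Splunk HEC envelope used by the polling script."""
    return {
        "sourcetype": "breachspider:webhook",
        "source": "breachspider_webhook",
        "index": index,
        "event": json.loads(raw_body),
    }


def handle_webhook(secret: str, headers: dict, raw_body: bytes) -> Optional[dict]:
    """Return a HEC event for an authentic delivery, None for one that must be dropped."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return None
    return to_hec_event(raw_body)


# Constructed sample delivery; "kev.new" is one of the event types subscribed above,
# the CVE id is a placeholder.
SECRET = "your-signing-secret"
SAMPLE_BODY = json.dumps(
    {"event": "kev.new", "cve_id": "CVE-YYYY-NNNNN", "severity": "critical"}
).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SECRET, SAMPLE_BODY)}
TAMPERED_BODY = SAMPLE_BODY.replace(b"critical", b"low")  # body altered in transit

if __name__ == "__main__":
    print(handle_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY))    # HEC event
    print(handle_webhook(SECRET, SAMPLE_HEADERS, TAMPERED_BODY))  # None
```

In a real receiver, read the body as raw bytes before any JSON parsing, since re-serialising the payload can change byte order and whitespace and break the comparison.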