Security Information and Event Management
In modern SaaS environments, identity is the primary control plane - governing access, enforcing security policies, and driving compliance. For the Coherent platform, customers are issued dedicated Keycloak realms where identity management, federation, and access control are fully delegated. This makes centralized visibility into identity events critical. This can be managed with a Security Information and Event Management (SIEM) solution.
SIEM is essential for Keycloak
In Spark, the Identity and Access Management application is the gateway to customer environments, enforcing:
Authentication (Single Sign-On, Multi-Factor Authentication, federation).
Authorization (roles, policies).
Access to APIs, UIs, and admin features.
To protect this surface, identity activity should be logged, monitored, and ingested into a SIEM.
SIEM integration strategy
Customers can integrate by pulling audit and event logs from their Keycloak realm via the Keycloak Admin REST API using a dedicated service account. In addition to Keycloak logs, customers can also integrate Spark tenant activity from the API Call History and Event viewer.
Configuring and maintaining the SIEM integration is solely the customer’s responsibility, and the choice of SIEM solution is entirely the customer’s decision. Any modern SIEM capable of ingesting logs from REST APIs or standard log formats (e.g., JSON, CEF) can be integrated based on the customer’s security architecture and preferences.
Recommended events to monitor
Successful and failed login attempts.
Token grants and refreshes.
Admin role assignments.
Federation and identity provider changes.
Group membership and access policy changes.
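The following script is an added example of the integration strategy described above (it is not part of the Spark documentation or a Coherent-provided tool): it obtains a token for a dedicated service account with the client-credentials grant, pages through the Keycloak Admin REST API's events and admin-events endpoints for the realm, and flattens the results into newline-delimited JSON tagged with the monitoring categories listed above. The realm name, client identifiers, user IDs and sample events are constructed placeholders; the category mapping from Keycloak event and resource types is this example's own choice, not a Keycloak or Spark convention.

```python
"""Pull Keycloak realm login and admin events over the Admin REST API and
normalize them into newline-delimited JSON that a SIEM can ingest.
Standard library only. Endpoint paths are the Keycloak Admin REST API; the
realm, client, user IDs and sample events below are constructed."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Login event types (GET /admin/realms/{realm}/events) -> monitoring category.
LOGIN_EVENT_CATEGORIES = {
    "LOGIN": "authentication",
    "LOGIN_ERROR": "authentication",
    "CODE_TO_TOKEN": "token_grant",
    "CLIENT_LOGIN": "token_grant",
    "REFRESH_TOKEN": "token_refresh",
    "REFRESH_TOKEN_ERROR": "token_refresh",
}

# Admin event resource types (GET /admin/realms/{realm}/admin-events) -> category.
ADMIN_RESOURCE_CATEGORIES = {
    "REALM_ROLE_MAPPING": "role_assignment",
    "CLIENT_ROLE_MAPPING": "role_assignment",
    "IDENTITY_PROVIDER": "federation_change",
    "IDENTITY_PROVIDER_MAPPER": "federation_change",
    "USER_FEDERATION_PROVIDER": "federation_change",
    "GROUP_MEMBERSHIP": "group_membership_change",
    "AUTHORIZATION_POLICY": "access_policy_change",
}


def get_service_account_token(base_url, realm, client_id, client_secret):
    """Client-credentials grant for the dedicated SIEM service account."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def fetch_admin_api(base_url, realm, token, resource, watermark_ms, page_size=100):
    """Page through 'events' or 'admin-events'. The API's dateFrom filter is
    day-granular (yyyy-MM-dd), so the caller's watermark (epoch millis of the
    last record already shipped) is applied client-side to avoid duplicates."""
    day = datetime.fromtimestamp(watermark_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")
    first, out = 0, []
    while True:
        query = urllib.parse.urlencode({"dateFrom": day, "first": first, "max": page_size})
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/{resource}?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        out.extend(e for e in page if e.get("time", 0) > watermark_ms)
        if len(page) < page_size:
            return out
        first += page_size


def _iso(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def normalize_login_event(ev):
    """Flatten a Keycloak login event (success or failure) into a SIEM record."""
    etype = ev.get("type", "")
    return {
        "timestamp": _iso(ev["time"]), "source": "keycloak", "realm": ev.get("realmId"),
        "category": LOGIN_EVENT_CATEGORIES.get(etype, "other"), "event_type": etype,
        "outcome": "failure" if etype.endswith("_ERROR") else "success",
        "username": (ev.get("details") or {}).get("username"), "user_id": ev.get("userId"),
        "client_id": ev.get("clientId"), "src_ip": ev.get("ipAddress"), "error": ev.get("error"),
    }


def normalize_admin_event(ev):
    """Flatten a Keycloak admin (configuration change) event; actor comes from authDetails."""
    auth, rtype = ev.get("authDetails") or {}, ev.get("resourceType", "")
    return {
        "timestamp": _iso(ev["time"]), "source": "keycloak", "realm": ev.get("realmId"),
        "category": ADMIN_RESOURCE_CATEGORIES.get(rtype, "other_admin_change"),
        "event_type": f"{ev.get('operationType')}:{rtype}",
        "outcome": "failure" if ev.get("error") else "success",
        "actor_user_id": auth.get("userId"), "actor_client_id": auth.get("clientId"),
        "src_ip": auth.get("ipAddress"), "target": ev.get("resourcePath"),
    }


def to_ndjson(records):
    """One JSON object per line, the shape most SIEM HTTP and file collectors accept."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def collect_realm_events(base_url, realm, client_id, client_secret, watermark_ms):
    """End-to-end pull: token, both endpoints, normalized NDJSON plus the new watermark."""
    token = get_service_account_token(base_url, realm, client_id, client_secret)
    logins = fetch_admin_api(base_url, realm, token, "events", watermark_ms)
    admins = fetch_admin_api(base_url, realm, token, "admin-events", watermark_ms)
    records = [normalize_login_event(e) for e in logins] + [normalize_admin_event(e) for e in admins]
    return to_ndjson(records), max([watermark_ms] + [e["time"] for e in logins + admins])


# Constructed samples shaped like Keycloak's event representations (IDs are placeholders).
SAMPLE_LOGIN_EVENT = {"time": 1700000000000, "type": "LOGIN_ERROR", "realmId": "example-realm",
                      "clientId": "spark-ui", "userId": None, "ipAddress": "203.0.113.7",
                      "error": "invalid_user_credentials", "details": {"username": "jdoe"}}
SAMPLE_ADMIN_EVENT = {"time": 1700000060000, "realmId": "example-realm",
                      "authDetails": {"userId": "admin-0001", "clientId": "admin-cli",
                                      "ipAddress": "198.51.100.5"},
                      "resourceType": "REALM_ROLE_MAPPING", "operationType": "CREATE",
                      "resourcePath": "users/user-0042/role-mappings/realm"}

if __name__ == "__main__":
    print(to_ndjson([normalize_login_event(SAMPLE_LOGIN_EVENT),
                     normalize_admin_event(SAMPLE_ADMIN_EVENT)]))
```

Run `collect_realm_events(...)` on a schedule and persist the returned watermark between runs; because Keycloak's `dateFrom` filter works in whole days, the client-side watermark is what prevents re-shipping records already sent. Failed logins, token grants and refreshes arrive on the `events` endpoint, while role assignments, identity provider changes and group membership changes arrive on `admin-events`, which is why both are polled.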
For identity-centric security, the first and most critical layer of defense is visibility into identity-driven events such as authentication, access control, and configuration changes, rather than focusing on traditional perimeter tools.
IAM recommendations
Before implementing SIEM we recommend reviewing:
IAM Recommendations, including when to use OAuth2 Client Credentials or API Keys.
IAM Fundamentals.
The Shared responsibility model to understand best practices.
Identity management defines your security perimeter. Treat identity logs with the same urgency as network logs!
Demo video
Microsoft Sentinel is the Microsoft Azure SIEM application. This video demonstrates how a failed login to Spark registers into a Sentinel workbook.