# Security Information and Event Management

In modern SaaS environments, identity is the primary control plane - governing access, enforcing security policies, and driving compliance. For the Coherent platform, customers are issued dedicated [Keycloak](https://www.keycloak.org/) realms where identity management, federation, and access control are fully delegated to them. This makes centralized visibility into identity events critical, and that visibility is typically provided by a Security Information and Event Management (SIEM) solution.

## SIEM is essential for Keycloak

In Spark, the Identity and Access Management application is the gateway to customer environments, enforcing:

* Authentication (Single Sign-On, Multi-Factor Authentication, federation).
* Authorization (roles, policies).
* Access to APIs, UIs, and admin features.

To protect this surface, identity activity should be logged, monitored, and ingested into a SIEM.

## SIEM integration strategy

Customers can integrate by pulling audit and event logs from their Keycloak realm via the Keycloak Admin REST API using a dedicated service account. In addition to Keycloak logs, customers can also ingest Spark tenant activity from the [API Call History](/navigation/api-call-history.md) and from the Event Viewer under [Options](/navigation/options.md#event-viewer).

Configuring and maintaining the SIEM integration is solely the customer’s responsibility, and the choice of SIEM solution is entirely the customer’s decision. Any modern SIEM that can ingest logs from REST APIs or standard log formats (e.g., JSON, CEF) can be integrated, according to the customer’s security architecture and preferences.

### Recommended events to monitor

* Successful and failed login attempts.
* Token grants and refreshes.
* Admin role assignments.
* Federation and identity provider changes.
* Group membership and access policy changes.
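
The pull described under the integration strategy, applied to the event list above, as an added example that is not Coherent's or Keycloak's own code: a service account obtains a token, reads the realm's user and admin events from the Admin REST API, keeps only the event types listed, and flattens them into JSON lines a SIEM collector can ingest. It assumes event saving is enabled in the realm, the service account holds the realm-management `view-events` role, and the URL, realm and credentials are placeholders you supply.

```python
# Added example (not Coherent's or Keycloak's code): pull a realm's user and admin events with a
# service account and flatten them into JSON lines for a SIEM. Assumes event saving is enabled in
# the realm and the service account holds the realm-management "view-events" role (placeholders below).
import json, time, urllib.parse, urllib.request
# Keycloak event/resource types matching the "Recommended events to monitor" list.
USER_EVENTS = {"LOGIN", "LOGIN_ERROR", "CODE_TO_TOKEN", "REFRESH_TOKEN",
               "REFRESH_TOKEN_ERROR", "CLIENT_LOGIN", "CLIENT_LOGIN_ERROR"}
ADMIN_RESOURCES = {"REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING", "GROUP_MEMBERSHIP", "IDENTITY_PROVIDER"}

def service_account_token(base_url, realm, client_id, client_secret):
    """OAuth2 client-credentials grant against the realm's token endpoint."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def fetch_events(base_url, realm, token, path, since_ms, page=500):
    """GET /admin/realms/{realm}/events or .../admin-events from a given day, paged."""
    day = time.strftime("%Y-%m-%d", time.gmtime(since_ms / 1000))
    url = f"{base_url}/admin/realms/{realm}/{path}?" + urllib.parse.urlencode({"dateFrom": day, "max": page})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def normalise(user_events, admin_events):
    """One flat record per event of interest, oldest first; other event types are dropped."""
    out = []
    for e in user_events:
        if e.get("type") in USER_EVENTS:
            out.append({"ts": e["time"], "category": "auth", "action": e["type"],
                        "outcome": "failure" if e["type"].endswith("_ERROR") else "success",
                        "user": e.get("details", {}).get("username") or e.get("userId"),
                        "client": e.get("clientId"), "src_ip": e.get("ipAddress"), "error": e.get("error")})
    for e in admin_events:
        if e.get("resourceType") in ADMIN_RESOURCES:
            a = e.get("authDetails", {})
            out.append({"ts": e["time"], "category": "admin", "outcome": "success",
                        "action": f"{e['operationType']} {e['resourceType']}", "user": a.get("userId"),
                        "client": a.get("clientId"), "src_ip": a.get("ipAddress"), "target": e.get("resourcePath")})
    return sorted(out, key=lambda r: r["ts"])
# Constructed sample events in the shape the Admin REST API returns, so this runs offline.
SAMPLE_USER = [{"time": 1700000000000, "type": "LOGIN_ERROR", "clientId": "spark-ui", "ipAddress": "203.0.113.7",
                "error": "invalid_user_credentials", "details": {"username": "alice@example.com"}},
               {"time": 1700000005000, "type": "LOGOUT", "clientId": "spark-ui", "userId": "u-1"}]
SAMPLE_ADMIN = [{"time": 1700000003000, "operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
                 "resourcePath": "users/u-2/role-mappings/realm",
                 "authDetails": {"clientId": "admin-cli", "userId": "u-9", "ipAddress": "198.51.100.2"}}]

print(*(json.dumps(r) for r in normalise(SAMPLE_USER, SAMPLE_ADMIN)), sep="\n")  # one JSON line per event
```

Replace the sample lists with the results of `fetch_events(..., "events", ...)` and `fetch_events(..., "admin-events", ...)` to run it against a live realm; the LOGOUT sample shows that unlisted event types are filtered out before shipping.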

For identity-centric security, the first and most critical layer of defense is visibility into identity-driven events such as authentication, access control, and configuration changes, rather than focusing on traditional perimeter tools.

### IAM recommendations

Before implementing SIEM we recommend reviewing:

* IAM [Recommendations](/identity-and-access-management/recommendations.md), including the guidance on [when to use OAuth2 client credentials or API keys](/identity-and-access-management/recommendations.md#when-to-use-oauth2-client-credentials-or-api-keys).
* IAM [Fundamentals](/identity-and-access-management/fundamentals.md).
* The [Shared responsibility model](/support/shared-responsibility-model.md) to understand best practices.

Identity management defines your security perimeter. Treat identity logs with the same urgency as network logs!

## Demo video

[Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/) is the [Microsoft Azure](https://learn.microsoft.com/en-us/azure/) SIEM application. This video demonstrates how a failed login to Spark appears in a [Sentinel workbook](https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data).

{% file src="/files/4h2Ywix9L6vh7OXjodUx" %}

