Push Enriched Threat Intel to Your SIEM in Seconds
MalCloud's SIEM Connector Framework enriches IOCs and pushes them to Elastic, Splunk, Sentinel, Chronicle, or any Syslog/CEF target in real-time. No manual import. No CSV uploads. Under 2 seconds from enrichment to SIEM.
Threat intelligence platforms collect, correlate, and enrich indicators. SOC analysts live in the SIEM. The gap between those two systems is where intelligence goes to die.
The typical workflow: analyst finds a relevant IOC in the TIP, copies it, switches to the SIEM, pastes it into a search or detection rule, manually adds context fields, and repeats. For bulk imports, someone exports a CSV from the TIP, reformats it to match the SIEM’s expected schema, uploads it, and hopes the field mappings didn’t silently break. This process is slow, error-prone, and doesn’t scale past a handful of indicators per day.
MalCloud’s SIEM Connector Framework eliminates this gap. When an IOC is enriched — with reputation scores, WHOIS data, geolocation, ATT&CK mappings, Threat Pool sighting counts — the connector formats a payload for your SIEM and pushes it. The IOC appears in your SIEM, fully contextualized, in under 2 seconds.
Supported SIEMs
MalCloud ships with native connectors for the platforms SOC teams actually use:
| SIEM | Protocol | Tier |
|---|---|---|
| Elastic Security | Elasticsearch API (ECS) | Pro+ |
| Splunk | HTTP Event Collector (HEC) | Pro+ |
| Microsoft Sentinel | Log Analytics Data Collector API | Pro+ |
| Google Chronicle | Ingestion API | Pro+ |
| Syslog / CEF | RFC 5424 / CEF over TCP/UDP/TLS | Free |
The Syslog/CEF connector is free because it’s the universal fallback. Any SIEM, any log management platform, any SOAR tool that accepts syslog can receive enriched IOCs from MalCloud without a paid tier. Named connectors — Elastic, Splunk, Sentinel, Chronicle — produce SIEM-native payloads with proper field mappings and are available on Pro+.
How it works
Event-driven, not polled
MalCloud’s internal event bus runs on NATS. Every meaningful state change — IOC created, IOC enriched, reputation updated, Threat Pool signal received — emits an event. The SIEM connectors subscribe to these events and react in real-time.
The pipeline for a single IOC:
1. IOC ingested (feed, extractor, manual, API)
2. Enrichment services fire (VirusTotal, Shodan, AbuseIPDB, RDAP, etc.)
3. NATS event: ioc.enriched
4. SIEM connector receives event
5. Connector formats payload for target SIEM schema
6. Payload pushed to SIEM endpoint
7. IOC available in SIEM for search, correlation, detection rules
No polling intervals. No batch export windows. No cron jobs. The connector fires on the event and pushes immediately. Measured end-to-end latency from enrichment completion to SIEM availability: under 2 seconds, dominated by network round-trip to the SIEM endpoint.
Payload formatting
Each connector transforms MalCloud’s internal IOC representation into the target SIEM’s native schema. This isn’t a generic JSON dump — it’s structured data that the SIEM can index, search, and correlate without post-processing.
Elastic: ECS-native threat indicators
The Elastic connector maps IOCs to the Elastic Common Schema threat.indicator.* field set. This means enriched IOCs from MalCloud are immediately compatible with Elastic Security’s built-in indicator match rules.
```json
{
  "@timestamp": "2026-04-16T10:23:45.000Z",
  "event.kind": "enrichment",
  "event.category": ["threat"],
  "event.type": ["indicator"],
  "threat.indicator.type": "ipv4-addr",
  "threat.indicator.ip": "185.220.101.34",
  "threat.indicator.confidence": "High",
  "threat.indicator.description": "Tor exit node, associated with credential stuffing campaigns targeting financial sector",
  "threat.indicator.provider": "MalCloud",
  "threat.indicator.first_seen": "2026-04-14T03:17:00.000Z",
  "threat.indicator.last_seen": "2026-04-16T10:22:38.000Z",
  "threat.indicator.marking.tlp": "WHITE",
  "threat.indicator.scanner_stats": 47,
  "threat.technique.id": ["T1110.001", "T1110.003"],
  "threat.technique.name": ["Password Guessing", "Password Spraying"],
  "threat.tactic.id": ["TA0006"],
  "threat.tactic.name": ["Credential Access"],
  "tags": ["malcloud", "threat-pool-sighting-47", "attack.t1110.001", "attack.t1110.003"]
}
```
The tags array includes ATT&CK technique IDs, which means existing Elastic detection rules that filter on technique tags will automatically pick up MalCloud-pushed indicators. The threat.indicator.scanner_stats field carries the Threat Pool sighting count, so analysts can sort and filter by collective confidence.
No schema wrangling. No Logstash pipelines to maintain. Push and it works.
Splunk: HEC with CIM compliance
The Splunk connector sends events via HTTP Event Collector formatted to align with the Splunk Common Information Model for threat intelligence:
```json
{
  "event": {
    "indicator_type": "ipv4-addr",
    "indicator_value": "185.220.101.34",
    "confidence": "high",
    "description": "Tor exit node, credential stuffing campaigns, financial sector",
    "mitre_technique_id": "T1110.001,T1110.003",
    "mitre_tactic": "Credential Access",
    "threat_pool_sightings": 47,
    "first_seen": "2026-04-14T03:17:00.000Z",
    "last_seen": "2026-04-16T10:22:38.000Z",
    "source": "malcloud"
  },
  "sourcetype": "malcloud:threat:indicator",
  "index": "threat_intel",
  "host": "malcloud.internal"
}
```
Splunk ES correlation searches that reference the threat_intel index and CIM-compliant fields will match these events without modification.
Sentinel: Log Analytics ingestion
The Sentinel connector posts to the Log Analytics Data Collector API, writing to a custom MalCloudThreatIntel_CL table that maps to Sentinel’s ThreatIntelligenceIndicator schema. Sentinel’s built-in TI analytics rules — “TI map IP entity to…” — can be configured to query the custom table alongside Microsoft’s native TI feed.
Chronicle: UDM entity mapping
The Chronicle connector maps IOCs to Google’s Unified Data Model (UDM) entity format. Chronicle’s detection rules and entity graph queries can reference MalCloud-pushed indicators for automated correlation against ingested log data.
Syslog/CEF: the universal connector
For SIEMs not covered by a named connector — QRadar, LogRhythm, ArcSight, Graylog, or any platform that accepts syslog — the CEF connector formats IOCs as CEF (Common Event Format) messages over syslog:
```text
CEF:0|ThreatFight|MalCloud|1.0|IOC_ENRICHED|Enriched Threat Indicator|7|
src=185.220.101.34
cs1Label=indicator_type cs1=ipv4-addr
cs2Label=confidence cs2=High
cs3Label=mitre_technique cs3=T1110.001,T1110.003
cn1Label=threat_pool_sightings cn1=47
msg=Tor exit node associated with credential stuffing campaigns
```
CEF is supported by every major SIEM on the market. The output is immediately parseable without custom parsing rules on the receiving end.
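As an added example (not MalCloud's own code), here is how a connector would build that CEF message as the single wire line a receiver actually parses, escaping extension values so that enrichment text copied from an upstream feed cannot inject extra key=value pairs or split the event. EnrichedIOC and its field names are assumed stand-ins for the internal representation.

```go
package main

import (
	"fmt"
	"strings"
)

// EnrichedIOC is a constructed stand-in for MalCloud's internal IOC representation;
// the field names are assumptions, not the product's own type.
type EnrichedIOC struct {
	Type, Value, Confidence, Description string
	Techniques                           []string
	Sightings                            int
}

// CEF extension values must escape '\', '=' and line breaks. Without this, a description
// copied from an upstream feed could forge extra key=value pairs, and a bare newline would
// split the event in two on a syslog receiver. The header fields below are constants, so
// the separate header escaping ('|' as '\|') is not needed here.
var extEsc = strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\r", `\r`, "\n", `\n`)

// FormatCEF renders one IOC in the field layout shown above. On the wire the header and
// extensions form a single line; the page breaks them only for readability.
func FormatCEF(ioc EnrichedIOC) string {
	ext := []string{
		"src=" + extEsc.Replace(ioc.Value),
		"cs1Label=indicator_type cs1=" + extEsc.Replace(ioc.Type),
		"cs2Label=confidence cs2=" + extEsc.Replace(ioc.Confidence),
		"cs3Label=mitre_technique cs3=" + extEsc.Replace(strings.Join(ioc.Techniques, ",")),
		fmt.Sprintf("cn1Label=threat_pool_sightings cn1=%d", ioc.Sightings),
		"msg=" + extEsc.Replace(ioc.Description),
	}
	return "CEF:0|ThreatFight|MalCloud|1.0|IOC_ENRICHED|Enriched Threat Indicator|7|" + strings.Join(ext, " ")
}

func main() {
	// Constructed sample matching the page's example indicator.
	fmt.Println(FormatCEF(EnrichedIOC{Type: "ipv4-addr", Value: "185.220.101.34", Confidence: "High",
		Description: "Tor exit node associated with credential stuffing campaigns",
		Techniques:  []string{"T1110.001", "T1110.003"}, Sightings: 47}))
}
```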
Test endpoint: configure and verify in minutes
Every connector includes a test endpoint. Configure your SIEM target (URL, credentials, index/table name), hit the test button, and MalCloud pushes a synthetic test indicator to your SIEM. Open your SIEM, search for source=malcloud AND indicator_value=test*, and confirm it arrived.
This matters for POC evaluations. A prospect configuring MalCloud during a proof-of-concept can have enriched threat indicators flowing into their production SIEM in under 15 minutes from first login. No professional services engagement. No “we’ll schedule an integration call next week.” Configure, test, done.
The test endpoint also serves as a health check. If your SIEM connector stops delivering — network change, expired credentials, index rotation — the test endpoint fails immediately and the connector surfaces the error. MalCloud tracks delivery success rates per connector and alerts on degradation.
Adding a new SIEM: one interface
The connector framework is built on a Go plugin architecture. Each SIEM connector implements a single interface:
```go
type SIEMConnector interface {
	// Name returns the connector identifier
	Name() string
	// Configure accepts SIEM-specific connection parameters
	Configure(cfg ConnectorConfig) error
	// Push sends an enriched IOC to the target SIEM
	Push(ctx context.Context, ioc EnrichedIOC) error
	// Test sends a synthetic indicator and verifies delivery
	Test(ctx context.Context) error
	// Health returns the connector's current status
	Health() ConnectorHealth
}
```
Five methods. That’s the entire contract. Configure handles authentication and endpoint setup. Push transforms the internal IOC representation to the SIEM’s schema and delivers it. Test exercises the full pipeline with a synthetic indicator. Health reports delivery success rates and latency.
Adding support for a new SIEM — say, Wazuh or Datadog Security — means implementing these five methods. The event subscription, retry logic, batching, and error handling are provided by the framework. A competent Go developer can write a new connector in a day.
We ship the five connectors listed above. If your SIEM isn’t covered by a named connector, the Syslog/CEF connector handles it. If you need a native connector for an unsupported platform, the interface is documented and PRs are welcome.
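To show the contract from the framework side, here is an added example (not the project's own code) of the retry logic the page says the framework supplies, exercised against a minimal five-method connector. The ConnectorConfig, EnrichedIOC and ConnectorHealth fields, the Deliver function and the FlakyConnector are all constructed stand-ins.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Constructed stand-ins for the framework types the page names; field names are assumptions.
type ConnectorConfig struct{ Endpoint string }
type EnrichedIOC struct{ Type, Value string }
type ConnectorHealth struct{ Pushed, Failed int }

// SIEMConnector is the five-method contract quoted above.
type SIEMConnector interface {
	Name() string
	Configure(cfg ConnectorConfig) error
	Push(ctx context.Context, ioc EnrichedIOC) error
	Test(ctx context.Context) error
	Health() ConnectorHealth
}

// Deliver is the framework-side retry loop a connector author does not write: it retries a failed
// Push with exponential backoff, gives up after attempts tries, and stops early on context
// cancellation so one wedged SIEM endpoint cannot stall the event consumer.
func Deliver(ctx context.Context, c SIEMConnector, ioc EnrichedIOC, attempts int, backoff time.Duration) error {
	for i := 0; ; i++ {
		err := c.Push(ctx, ioc)
		if err == nil {
			return nil
		}
		if i+1 >= attempts {
			return fmt.Errorf("%s: giving up after %d attempts: %w", c.Name(), i+1, err)
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(backoff << i): // 1x, 2x, 4x ... backoff
		}
	}
}

// FlakyConnector is a constructed connector that refuses its first FailFirst pushes, standing in
// for a briefly unreachable SIEM; Health exposes the counts the page says the framework alerts on.
type FlakyConnector struct{ FailFirst, pushed, failed int }

func (f *FlakyConnector) Name() string                    { return "flaky-demo" }
func (f *FlakyConnector) Configure(ConnectorConfig) error { return nil }
func (f *FlakyConnector) Push(ctx context.Context, ioc EnrichedIOC) error {
	if f.failed < f.FailFirst { f.failed++; return fmt.Errorf("%s: connection refused", f.Name()) }
	f.pushed++
	return nil
}
func (f *FlakyConnector) Test(ctx context.Context) error { return f.Push(ctx, EnrichedIOC{Type: "ipv4-addr", Value: "test-indicator"}) }
func (f *FlakyConnector) Health() ConnectorHealth { return ConnectorHealth{Pushed: f.pushed, Failed: f.failed} }
```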
Why this matters operationally
The value of threat intelligence degrades with time. An IOC that reaches your SIEM 4 hours after enrichment is worth less than the same IOC delivered in 2 seconds. During those 4 hours, an active attacker using that infrastructure could have completed lateral movement, exfiltrated data, and burned the indicator.
Manual IOC import also introduces human error. Transposed octets in an IP address. A domain pasted without defanging (or defanged and not re-fanged in the SIEM). A hash truncated by a spreadsheet column. These errors are invisible until an analyst wonders why their IOC search returned zero hits during an active incident.
Automated push eliminates both failure modes: latency and transcription error. The IOC that MalCloud enriches is the IOC that arrives in your SIEM, in the correct schema, with full context, in under 2 seconds.
For organizations running detection-as-code pipelines (covered in our previous post), the SIEM connector completes the loop. MalCloud generates Sigma rules from threat intelligence and compiles them to SIEM-native queries. The SIEM connector ensures the underlying IOCs are present in the SIEM for those rules to match against. Rules without indicators are inert. Indicators without rules are noise. The combination is operational detection.
Getting started
The Syslog/CEF connector is available in all tiers, including free. If your SIEM accepts syslog, you can start receiving enriched IOCs from MalCloud today.
Named connectors (Elastic, Splunk, Sentinel, Chronicle) are available on Pro+. Configuration takes under 5 minutes per connector: endpoint URL, authentication credentials, target index or table.
Request access and connect your SIEM, or request a demo to see the connector framework in action.