Integrations Guide

Connect SOCWarden to your security stack — SIEM, firewalls, and notification channels.

1. Response Actions

Response actions let SOCWarden push security decisions directly to your infrastructure. When you block an IP in SOCWarden, it can automatically propagate to your firewall or WAF.

Cloudflare BYOK

Starter+

Bring Your Own Key (BYOK) integration with Cloudflare. When you block an IP in SOCWarden, it automatically creates a firewall rule in your Cloudflare zone to block that IP at the edge.

How to get your credentials
  • API Token: Go to Cloudflare Dashboard > My Profile > API Tokens > Create Token. Use the "Edit zone firewall" template or create a custom token with Zone.Firewall Services: Edit permission.
  • Zone ID: Go to Cloudflare Dashboard > select your domain > Overview. The Zone ID is displayed in the right sidebar under "API".
Configuration

Navigate to Settings > Integrations > Response Actions in your SOCWarden dashboard. Enter your Cloudflare API token and Zone ID. Click "Test Connection" to verify, then save.

What happens when you Block IP

When you click "Block IP" on an event (in the forensic drawer, event detail, or alert queue), SOCWarden creates a Cloudflare firewall rule that blocks all traffic from that IP to your zone. The rule is tagged with socwarden-block for easy identification. Unblocking removes the Cloudflare rule automatically.

AWS WAF

Starter+

When you block an IP in SOCWarden, it automatically adds the IP to an AWS WAF IP Set attached to your Web ACL. Unblocking removes the entry automatically.

How to get your credentials
  • AWS Access Key ID & Secret: Create an IAM user with wafv2:GetIPSet and wafv2:UpdateIPSet permissions.
  • Region: The AWS region where your WAF IP Set is deployed (e.g. us-east-1).
  • IP Set ARN: Go to AWS Console > WAF > IP Sets, select your IP set, and copy the ARN.
Configuration

Navigate to Settings > Integrations > Response Actions in your SOCWarden dashboard. Enter your AWS credentials, region, and IP Set ARN. Click "Test Connection" to verify, then save.

2. Data Export (SIEM Forwarding)

Forward enriched security events and alerts to your SIEM platform for centralized analysis, long-term retention, and correlation with other data sources. SIEM forwarding is available on the Business plan.

Splunk HEC

SOCWarden sends events to your Splunk HTTP Event Collector (HEC) endpoint in real-time as alerts are generated.

  • Endpoint URL: https://your-splunk:8088/services/collector/event
  • HEC Token: Your Splunk HEC token (generated in Splunk > Settings > Data Inputs > HTTP Event Collector)
  • Index: Target Splunk index (e.g. socwarden_events)
  • Severity Filter: Minimum severity to forward (low / medium / high / critical)

Datadog Logs

SOCWarden forwards events to Datadog's Log Management API. Events appear as structured logs with all enrichment metadata preserved.

  • API Key: Your Datadog API key (Organization Settings > API Keys)
  • Site: US (datadoghq.com) or EU (datadoghq.eu)
  • Severity Filter: Minimum severity to forward (low / medium / high / critical)

Webhook

Send raw alert payloads to any HTTP endpoint. Webhook payloads are signed with HMAC-SHA256 for verification.

  • URL: Your webhook endpoint (must accept POST)
  • HMAC Secret: Shared secret for payload signature verification (X-SOCWarden-Signature header)
  • Payload Format: JSON — see webhook payload docs for all 43 alert type samples

3. Notification Channels

Configure where SOCWarden sends alert notifications. Channels can be scoped per-project and filtered by severity and alert type.

Email

Free+

Send alert summaries to one or more email addresses. Available on all plans.

Slack

Pro+

Post alerts to a Slack channel via incoming webhook URL. Rich formatting with risk score, geo, and action buttons.

Telegram

Starter+

Send alerts to a Telegram chat or group via bot token and chat ID.

Discord

Pro+

Post alerts to a Discord channel via webhook URL. Embed format with severity color coding.

Webhook

Pro+

Send raw JSON payloads to any HTTP endpoint. HMAC-SHA256 signed for verification.

PagerDuty

Business

Trigger PagerDuty incidents for high/critical alerts. Auto-resolve when acknowledged in SOCWarden.

MS Teams

Business

Post alerts to a Microsoft Teams channel via incoming webhook connector. Adaptive card format.

Per-project scoping

Each notification channel can be scoped to specific projects. For example, route production API alerts to PagerDuty while sending staging alerts to a Slack channel. Configure this in Settings > Notifications when creating or editing a channel.

Severity and alert type filters

Filter notifications by minimum severity level (low, medium, high, critical) and by specific alert types (brute_force, impossible_travel, etc.). This prevents alert fatigue by routing only relevant notifications to each channel.
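The per-project scoping and the severity / alert type filters above combine into one routing decision per channel. The script below is an added example, not SOCWarden's own code: it models a channel with the three filter dimensions the docs describe (projects, minimum severity in the order low < medium < high < critical, and alert types) and returns which channels an alert would reach. The Channel class, the route() function, the channel names and the sample alerts are all constructed for illustration; only the severity order and the alert type names brute_force and impossible_travel come from the page.

```python
from typing import List

# Severity ordering as listed in the SOCWarden filter settings (lowest first).
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


class Channel:
    """Hypothetical model of one notification channel and its filters.

    An empty alert_types or projects set means "no filter on that dimension",
    which matches the docs' default of a channel receiving everything.
    """

    def __init__(self, name: str, min_severity: str = "low",
                 alert_types=None, projects=None):
        if min_severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown minimum severity {min_severity!r}")
        self.name = name
        self.min_severity = min_severity
        self.alert_types = set(alert_types or [])
        self.projects = set(projects or [])

    def accepts(self, alert: dict) -> bool:
        """Return True only if the alert passes every configured filter."""
        severity = alert.get("severity")
        if severity not in SEVERITY_ORDER:
            # A malformed or unknown severity is dropped rather than guessed at,
            # so a bad payload can never be promoted to a paging channel.
            return False
        if SEVERITY_ORDER.index(severity) < SEVERITY_ORDER.index(self.min_severity):
            return False
        if self.projects and alert.get("project") not in self.projects:
            return False
        if self.alert_types and alert.get("alert_type") not in self.alert_types:
            return False
        return True


def route(alert: dict, channels: List[Channel]) -> List[str]:
    """Names of the channels that would receive this alert, in config order."""
    return [channel.name for channel in channels if channel.accepts(alert)]


# Constructed channel set mirroring the docs' example: production pages
# PagerDuty for high/critical only, staging goes to Slack, an auth team
# channel only wants login-related alert types, and email gets everything.
CHANNELS = [
    Channel("pagerduty-prod", min_severity="high", projects=["production-api"]),
    Channel("slack-staging", min_severity="low", projects=["staging-api"]),
    Channel("slack-auth-team", min_severity="medium",
            alert_types=["brute_force", "impossible_travel"]),
    Channel("email-all", min_severity="low"),
]

# Constructed sample alerts (not real SOCWarden payloads).
PROD_CRITICAL = {"project": "production-api", "severity": "critical",
                 "alert_type": "brute_force"}
STAGING_MEDIUM = {"project": "staging-api", "severity": "medium",
                  "alert_type": "impossible_travel"}
PROD_LOW = {"project": "production-api", "severity": "low",
            "alert_type": "brute_force"}
MALFORMED = {"project": "production-api", "severity": "urgent",
             "alert_type": "brute_force"}

if __name__ == "__main__":
    for label, alert in [("prod critical", PROD_CRITICAL),
                         ("staging medium", STAGING_MEDIUM),
                         ("prod low", PROD_LOW),
                         ("malformed", MALFORMED)]:
        print(f"{label:15s} -> {route(alert, CHANNELS)}")
```

Running it shows why the docs recommend a high minimum severity on paging channels: the low-severity production alert reaches only the catch-all email channel, while the critical one reaches PagerDuty, the auth team channel and email.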

Webhook payloads for automation

Use webhook channels to build custom automations. SOCWarden sends structured JSON payloads with all enrichment data, which you can consume in tools like n8n, Zapier, or custom scripts. See payload reference →
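Both the SIEM webhook forwarder and the webhook notification channel sign payloads with HMAC-SHA256 using the shared secret from the dashboard, delivered in the X-SOCWarden-Signature header. The receiver below is an added example of how a custom script should check that signature before trusting the payload; it is not SOCWarden's code and not taken from the payload reference. It assumes the header carries the lowercase hex digest of HMAC-SHA256 over the raw request body with no prefix or timestamp; if the payload reference specifies a different encoding, adjust sign_payload() accordingly. The secret, the sample body and the header dict are constructed here for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional

# Header name from the SOCWarden docs. The encoding (hex digest over the raw
# body, keyed with the dashboard secret) is an assumption of this example.
SIGNATURE_HEADER = "X-SOCWarden-Signature"


def sign_payload(secret: str, body: bytes) -> str:
    """Signature the sender is assumed to attach; used here to build the fixture."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, body: bytes, headers: dict) -> bool:
    """True only if the header matches the HMAC of the exact raw body bytes.

    The body must be the bytes as received: re-serialising parsed JSON can
    change whitespace or key order and will break verification.
    """
    received: Optional[str] = None
    for name, value in headers.items():
        # Proxies may rewrite header casing, so match case-insensitively.
        if name.lower() == SIGNATURE_HEADER.lower():
            received = value.strip()
            break
    if not received or not received.isascii():
        return False
    expected = sign_payload(secret, body)
    # compare_digest keeps the comparison time independent of where the
    # first mismatching byte sits.
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: str, body: bytes, headers: dict) -> Optional[dict]:
    """Verify first, then parse. Parsing before verifying would let anyone
    who can reach the endpoint feed unauthenticated JSON to your automation."""
    if not verify_signature(secret, body, headers):
        return None
    return json.loads(body)


# Constructed fixture: a secret and a minimal alert-like body. Field names are
# illustrative; consult the payload reference for the real schema.
SHARED_SECRET = "example-shared-secret-rotate-me"
SAMPLE_BODY = json.dumps({
    "alert_type": "brute_force",   # alert type name as listed in the docs
    "severity": "high",
    "source_ip": "203.0.113.7",    # RFC 5737 documentation address
    "project": "production-api",
}, separators=(",", ":")).encode("utf-8")
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SHARED_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    alert = handle_webhook(SHARED_SECRET, SAMPLE_BODY, SAMPLE_HEADERS)
    print("valid signature ->", alert)
    tampered = SAMPLE_BODY.replace(b'"high"', b'"low"')
    print("tampered body   ->", handle_webhook(SHARED_SECRET, tampered, SAMPLE_HEADERS))
```

Wire verify_signature() into whatever framework serves the endpoint, passing it the raw request body rather than a parsed object, and treat a None result from handle_webhook() as a request to log and reject (HTTP 401), not as an alert.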

4. Plan Availability

Integration features are gated by plan tier. The table below shows what is available on each plan.

Plan Matrix

Feature                     Free   Starter   Pro   Business
Notifications (Email)       Yes    Yes       Yes   Yes
Telegram                    No     Yes       Yes   Yes
Slack / Discord / Webhook   No     No        Yes   Yes
PagerDuty / MS Teams        No     No        No    Yes
SIEM Forwarding             No     No        No    Yes
Cloudflare BYOK             No     Yes       Yes   Yes
AWS WAF                     No     Yes       Yes   Yes