Audit into your SIEM in real time.

Stream every Monosign and Monopam event into Splunk, Sentinel, ELK, or Chronicle — over HTTPS webhook, syslog, or Monosync log export. Build the detections your security program needs.

  • Webhook / syslog / Monosync
  • HMAC-signed payloads

Walkthrough

Subscribe. Authenticate. Index. Detect.

The shape of any Monofor → SIEM pipeline. Specific connectors live in the help center.

  1. Subscribe to the audit stream

    In Monosign, set up an audit subscription. Pick the event types you want (sign-in, MFA challenge, policy change, privilege grant) and the delivery target (HTTPS webhook, syslog, or Monosync log export).

    Tip — Start broad in dev, narrow in prod — overly chatty subscriptions can drown the SIEM index.
  2. Authenticate the receiver

    For webhook delivery, share an HMAC signing secret so the SIEM can verify payloads. For syslog, configure mutual TLS. Monosync log export uses the Monosync auth layer directly.

  3. Parse and index in the SIEM

    Drop the Monofor field schema into Splunk / Sentinel / ELK / Chronicle. Map user, app, source-IP, factor, and risk-score fields to the SIEM's canonical schema for cross-product correlation.

    Tip — Use the same field names your other identity sources use — it pays back at investigation time.
  4. Build the detections

    Start with the classics: impossible travel, brute force, privilege escalation in PAM, anomalous group membership changes. Monofor events carry enough context that most detections write themselves.
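
For step 2, a receiver-side check of an HMAC-signed webhook payload could look like the following. This is an added example, not Monofor code: the header names, the HMAC-SHA256 hex encoding, the "timestamp.body" signing input, and the event fields are all assumptions, so take the real values from the help center.

```python
import hashlib
import hmac
import json
import time

# Assumptions (not from Monofor documentation): HMAC-SHA256, hex-encoded,
# computed over "<timestamp>.<raw body>"; both header names are hypothetical.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries older or newer than five minutes


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Compute the hex MAC the sender is assumed to attach."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_event(secret, headers, body, now=None):
    """Return the parsed event if the payload is authentic and fresh, else None."""
    now = time.time() if now is None else now
    ts = headers.get(TS_HEADER, "")
    sig = headers.get(SIG_HEADER, "")
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return None  # missing, malformed or stale timestamp: treat as replay
    expected = sign(secret, ts, body)
    # Constant-time comparison over the raw bytes, before any JSON parsing.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None  # authentic but unparseable: do not index


# Constructed sample delivery; field names are illustrative only.
SECRET = b"constructed-demo-secret"
BODY = json.dumps({"event": "sign-in", "user": "alice",
                   "source_ip": "203.0.113.7"}).encode()
TS = "1700000000"
HEADERS = {TS_HEADER: TS, SIG_HEADER: sign(SECRET, TS, BODY)}

if __name__ == "__main__":
    print(verify_event(SECRET, HEADERS, BODY, now=1700000010))         # accepted
    print(verify_event(SECRET, HEADERS, BODY + b" ", now=1700000010))  # tampered
    print(verify_event(SECRET, HEADERS, BODY, now=1700009999))         # stale
```

Verify against the exact bytes received: re-serializing the JSON before computing the MAC changes whitespace and key order and makes valid deliveries fail.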

Ready for the full picture?

The complete walkthrough — with every screenshot, every flag, and version-specific notes — lives in our help center.
