Prerequisites
Configuring SIEM destinations requires the manage_exercises capability, which is included in the built-in admin role.
Adding a SIEM Destination
Enter a SIEM name
Type a display name for this destination. This name is used in the UI, API calls, and noise job target lists — it is case-sensitive.
Choose a driver
Select the driver that matches your SIEM product. Each driver has its own required fields:
splunk_hec — Splunk HTTP Event Collector
| Field | Required | Notes |
|---|---|---|
| Host | Yes | Splunk hostname or IP |
| HEC Token | Yes | HTTP Event Collector token |
| Index | Yes | Target Splunk index |
| Management port | Yes | Typically 8089 |
| Management protocol | Yes | https (recommended) or http |
| Admin password | Yes | Used by the management API to wipe the index on session reset |
syslog_tcp — Raw TCP Syslog
| Field | Required | Notes |
|---|---|---|
| Host | Yes | Syslog receiver hostname or IP |
| Port | Yes | TCP port |
| Header mode | No | preserve_raw, synthesize_if_missing, or force_synthesize |
| Header format | No | rfc3164 or rfc5424 |
| Source identity | No | Source host string inserted into the header |
| PRI | No | Priority value 0–191 |
| App name | No | Syslog APP-NAME field |
| Process ID | No | Syslog PROCID field |
| Message ID | No | Syslog MSGID field |
| QRadar API host | No | QRadar console hostname or IP. Required when log source provisioning is enabled. |
| QRadar API token | No | Bearer token for the QRadar REST API. Required when log source provisioning is enabled. |
| QRadar event collector ID | No | Numeric ID of the event collector that receives the syslog feed. ThreatLab resolves a default collector if left blank. |
| QRadar log source type | No | Display name of the QRadar log source type. Defaults to Universal LEEF. |
| QRadar log source protocol | No | Display name of the QRadar protocol type. Defaults to Syslog. |
| Enable log source provisioning | No | When on, ThreatLab calls the QRadar REST API at exercise start to create or reuse a per-exercise log source. See QRadar log source provisioning. |
| Enable offense cleanup | No | Reserved for closing QRadar offenses tied to an exercise’s log source identity. |
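As an added illustration (not ThreatLab's own code) of how the Header mode, Header format, Source identity, PRI, App name, Process ID and Message ID fields above fit together, the following Python framer applies preserve_raw, synthesize_if_missing and force_synthesize to a constructed LEEF event; the function names, the sample event and the fixed clock are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample values (not from the page): a LEEF event body and a fixed clock.
LEEF_EVENT = "LEEF:2.0|ThreatLab|Exercise|1.0|auth_failure|\tsrc=10.0.0.5\tusrName=alice"
SAMPLE_NOW = datetime(2024, 1, 5, 12, 0, 0, tzinfo=timezone.utc)

# A message already carries a syslog header if it starts with a valid <PRI> (0-191).
PRI_RE = re.compile(r"^<(\d{1,3})>")

def has_syslog_header(msg: str) -> bool:
    m = PRI_RE.match(msg)
    return m is not None and 0 <= int(m.group(1)) <= 191

def synthesize_header(msg, fmt, source, pri, app="", procid="", msgid="", now=SAMPLE_NOW):
    """Prepend an RFC 3164 or RFC 5424 header built from the destination's header fields."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be in the range 0-191")
    if fmt == "rfc5424":
        # VERSION=1, then TIMESTAMP HOSTNAME APP-NAME PROCID MSGID; '-' (NILVALUE) when absent.
        ts = now.strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"<{pri}>1 {ts} {source} {app or '-'} {procid or '-'} {msgid or '-'} - {msg}"
    if fmt == "rfc3164":
        # "Mmm dd hh:mm:ss HOST TAG[PID]: MSG"; BSD syslog pads a one-digit day with a space.
        ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
        tag = f"{app}[{procid}]" if app and procid else app
        return f"<{pri}>{ts} {source} {tag}: {msg}" if tag else f"<{pri}>{ts} {source} {msg}"
    raise ValueError(f"unknown header format {fmt!r}")

def frame_for_syslog_tcp(msg, header_mode, **header):
    """Apply the destination's Header mode before the event is written to the TCP stream."""
    if header_mode == "preserve_raw":
        return msg                        # ship the payload exactly as produced
    if header_mode == "synthesize_if_missing":
        return msg if has_syslog_header(msg) else synthesize_header(msg, **header)
    if header_mode == "force_synthesize":
        # Assumption: the original payload becomes the MSG part even if it had a header.
        return synthesize_header(msg, **header)
    raise ValueError(f"unknown header mode {header_mode!r}")
```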
See QRadar API management below to enable optional REST API features on a syslog_tcp destination that targets QRadar.
elastic_bulk — Elasticsearch Bulk API
| Field | Required | Notes |
|---|---|---|
| Host | Yes | Elasticsearch hostname or IP |
| Port | Yes | Typically 9200 |
| Username | Yes | Elasticsearch username |
| Password | Yes | Elasticsearch password |
| Index | Yes | Target index name |
Optional: configure QRadar API management
For syslog_tcp destinations only, expand QRadar API management to let ThreatLab call the QRadar REST API for log source provisioning and offense cleanup. Event delivery still uses syslog/LEEF — these settings only authorize follow-up management calls.
| Field | Required | Notes |
|---|---|---|
| Provision log source | No | When enabled, ThreatLab can create or update the QRadar log source that receives this destination’s syslog feed. |
| Close offenses | No | When enabled, ThreatLab can close offenses related to wiped sessions during cleanup. |
| API host | Conditional | QRadar console hostname (for example qradar-console.example.com). Required when either toggle above is on. |
| API token | Conditional | QRadar Authorized Service token. Required when either toggle is on. On edit, leave blank to keep the stored token. |
| Log source type | No | Defaults to Universal LEEF. Must match a log source type configured in QRadar. |
| Protocol | No | Defaults to Syslog. Must match a protocol name configured in QRadar. |
| Event collector ID | No | Positive integer. Leave blank to auto-select when QRadar has exactly one event collector. |
QRadar API management is only available for the syslog_tcp driver. Switching a destination to another driver clears these settings.
Set the payload format
Choose the log format ThreatLab will ship to this destination:
- LEEF — Default. Best for Splunk and syslog receivers.
- ECS — Elastic Common Schema. Use this for Elasticsearch destinations.
Enable the destination
Toggle Enabled on. Disabled destinations are silently skipped when an exercise starts.
SIEM name is case-sensitive. It must match exactly in exercise start requests and noise job target lists.
QRadar API management
For QRadar destinations on the syslog_tcp driver, you can give ThreatLab REST API credentials so it can automate console tasks alongside event delivery. Event delivery still flows over syslog/LEEF — the API is only used for the management actions you opt into.
Expand the QRadar API management section on a syslog_tcp destination to configure it.
| Field | Required | Notes |
|---|---|---|
| Provision log source | No | Toggle. When on, ThreatLab creates a per-exercise QRadar log source on first ship so events route to the right log source automatically. |
| Close offenses | No | Toggle. When on, ThreatLab closes the QRadar offenses opened by an exercise attempt after the analyst completes it. |
| API host | Yes (if either toggle is on) | QRadar console hostname (for example, qradar-console.example.com). |
| API token | Yes (if either toggle is on) | QRadar authorized service token. Leave blank when editing to keep the existing value. |
| Log source type | No | QRadar log source type name. Defaults to Universal LEEF. |
| Protocol | No | QRadar log source protocol name. Defaults to Syslog. |
| Event collector ID | No | Numeric event collector ID. Leave blank to auto-select when the console has exactly one collector. |
Both toggles are scoped strictly to the destination’s log source and the current exercise attempt window. ThreatLab will not touch offenses or log sources that belong to other destinations or attempts.
Close offenses on completion
When Close offenses is enabled, ThreatLab closes any OPEN QRadar offenses linked to the exercise log source that were opened during the analyst’s attempt window. Cleanup runs after the attempt is scored and is non-blocking: if QRadar is unreachable or the API rejects a request, the analyst still gets a successful completion, and the failure is recorded for administrators to review. Every cleanup attempt is recorded with the matched, closed, and failed offense IDs and one of three outcomes:
| Status | Meaning |
|---|---|
| ok | Every matched offense was closed (or no offenses were open). |
| partial | Some offenses closed; at least one failed. The last error message is stored alongside the failed IDs. |
| failed | Cleanup could not run (for example, missing credentials, no provisioned log source) or every close call failed. |
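The scoping and outcome rules described above, as an added Python example that is not ThreatLab's code: offenses are filtered to one log source and one attempt window, every close call is attempted, no failure escapes to the caller, and the result carries the matched, closed and failed IDs with the ok/partial/failed status. The QRadar client is a constructed stand-in and the function names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CleanupResult:
    status: str                 # "ok", "partial" or "failed", as in the table above
    matched: list = field(default_factory=list)
    closed: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    last_error: str = ""

class FakeQRadarOffenses:
    """Constructed stand-in for the QRadar offenses API; not ThreatLab's client."""
    def __init__(self, offenses, reject_ids=(), reachable=True):
        self.offenses = offenses            # dicts: id, status, log_source_id, start_time
        self.reject_ids = set(reject_ids)   # ids whose close call the fake rejects
        self.reachable = reachable
    def list_offenses(self):
        if not self.reachable:
            raise ConnectionError("QRadar console unreachable")
        return self.offenses
    def close_offense(self, offense_id):
        if offense_id in self.reject_ids:
            raise RuntimeError(f"HTTP 403 while closing offense {offense_id}")
        for o in self.offenses:
            if o["id"] == offense_id:
                o["status"] = "CLOSED"

def close_attempt_offenses(api, log_source_id, window_start, window_end):
    """Close OPEN offenses on this destination's log source inside the attempt window.
    Never raises: every failure is captured in the returned record for admins to review."""
    if log_source_id is None:
        return CleanupResult("failed", last_error="no provisioned log source")
    try:
        candidates = [o for o in api.list_offenses()
                      if o["status"] == "OPEN"
                      and o["log_source_id"] == log_source_id
                      and window_start <= o["start_time"] <= window_end]
    except Exception as exc:                   # unreachable console, auth failure, ...
        return CleanupResult("failed", last_error=str(exc))
    result = CleanupResult("ok", matched=[o["id"] for o in candidates])
    for oid in result.matched:
        try:
            api.close_offense(oid)
            result.closed.append(oid)
        except Exception as exc:
            result.failed.append(oid)
            result.last_error = str(exc)       # last error kept alongside failed ids
    if result.failed:
        result.status = "partial" if result.closed else "failed"
    return result
```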
Enabling and Disabling Destinations
You can toggle a destination on or off from its detail page at any time. Disabled destinations are ignored at exercise start — no logs are shipped to them, and they do not block other destinations from receiving events.
QRadar Log Source Provisioning
When a syslog_tcp destination targets QRadar and Enable log source provisioning is on, ThreatLab calls the QRadar REST API at exercise start to ensure a dedicated log source exists for that exercise. This lets you tie every event in QRadar back to a single exercise run.
To use provisioning:
- Set the QRadar API host and QRadar API token on the destination.
- Optionally pin the QRadar event collector ID, log source type, and log source protocol. ThreatLab uses sensible defaults (Universal LEEF over Syslog) and resolves the first available event collector if you leave them blank.
- Toggle Enable log source provisioning on.
- Make sure the QRadar API token has permission to read event collectors and log source types and to create log sources.
The log source is named threatlab-{exercise}-{siem} so the same exercise always reuses the same QRadar log source. Provisioning failures abort the exercise start so analysts never see a partially configured run — see QRadar log source provisioning for the end-to-end behavior.
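The provisioning steps above as an added, idempotent find-or-create routine in Python (not ThreatLab's code): it derives the threatlab-{exercise}-{siem} name, reuses an existing log source, validates the log source type and protocol names against what the console reports, resolves the event collector (pinned or first available), and raises on any failure so the caller can abort exercise start. The QRadar config client is a constructed stand-in and the field names are assumptions.

```python
class FakeQRadarConfig:
    """Constructed stand-in for the QRadar config API; not ThreatLab's client."""
    def __init__(self, collectors, log_source_types, protocols):
        self.collectors = collectors                # [{"id": 7, "name": "ec-1"}, ...]
        self.log_source_types = log_source_types    # display name -> type id
        self.protocols = protocols                  # display name -> protocol id
        self.log_sources = {}                       # name -> stored record
        self._next_id = 1000
    def find_log_source(self, name):
        return self.log_sources.get(name)
    def create_log_source(self, record):
        self._next_id += 1
        stored = dict(record, id=self._next_id)
        self.log_sources[stored["name"]] = stored
        return stored

def log_source_name(exercise, siem):
    # Deterministic name, so every run of the same exercise reuses one log source.
    return f"threatlab-{exercise}-{siem}"

def resolve_collector(api, pinned_id=None):
    """Use the pinned collector if QRadar knows it, else the first one it reports."""
    ids = [c["id"] for c in api.collectors]
    if pinned_id is not None:
        if pinned_id not in ids:
            raise LookupError(f"event collector {pinned_id} not found")
        return pinned_id
    if not ids:
        raise LookupError("QRadar reports no event collectors")
    return ids[0]

def provision_log_source(api, exercise, siem, source_identity, collector_id=None,
                         ls_type="Universal LEEF", protocol="Syslog"):
    """Find-or-create the per-exercise log source; returns (record, created).
    Raises on any failure so exercise start can abort instead of running half-configured."""
    name = log_source_name(exercise, siem)
    existing = api.find_log_source(name)
    if existing is not None:
        return existing, False                      # reused, nothing created
    if ls_type not in api.log_source_types:
        raise LookupError(f"log source type {ls_type!r} not configured in QRadar")
    if protocol not in api.protocols:
        raise LookupError(f"protocol {protocol!r} not configured in QRadar")
    record = {"name": name,
              "type_id": api.log_source_types[ls_type],
              "protocol_type_id": api.protocols[protocol],
              "target_event_collector_id": resolve_collector(api, collector_id),
              "identifier": source_identity}        # the source host in the syslog header
    return api.create_log_source(record), True
```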
Wipe Behavior on Session Reset
When an analyst resets their session (DELETE /api/sessions), ThreatLab wipes the SIEM index before re-shipping archives so the analyst starts with a clean dataset.
Splunk HEC
Wipes the configured index via the Splunk management API using the admin credentials you provided.
Elasticsearch
Removes all documents in the target index using the _delete_by_query API.
Syslog TCP
No wipe mechanism exists for raw TCP syslog. These destinations are skipped during the wipe phase.