The ThreatHawk API enables security teams to build custom integrations that extend SIEM capabilities into any workflow, toolchain, or automation pipeline. Whether you need to ingest proprietary log sources, push alerts into a ticketing system, or enrich events with internal threat intelligence, the ThreatHawk RESTful API provides the programmatic interface to make it happen without forcing your operations into a rigid vendor mold.
Unlike legacy SIEM platforms that treat API access as an afterthought, CyberSilo's ThreatHawk SIEM was architected from the ground up with API-first design principles. Every detection rule, correlation engine, and compliance dashboard in ThreatHawk exposes its functionality through well-documented endpoints, authenticated via OAuth 2.0, and secured with enterprise-grade rate limiting and audit logging. For SOC teams that need to glue together diverse security tools—EDR agents, cloud security posture management platforms, SOAR playbooks, and custom internal applications—the ThreatHawk API eliminates the integration bottlenecks that traditionally slow down security operations.
Understanding the ThreatHawk API Architecture
The ThreatHawk API follows a RESTful architecture with JSON serialization, making it compatible with virtually any modern programming language or automation platform. The base URL for all API calls follows the pattern https://api.threathawk.cybersilo.tech/v1/, with versioning built into the endpoint path to ensure backward compatibility as the platform evolves.
Authentication and Access Control
Every API request to ThreatHawk requires OAuth 2.0 client credentials grant authentication. Security teams generate API credentials through the ThreatHawk admin console under Settings > API Management, where they can create scoped API keys with granular permissions. This means you can issue a read-only key for a log ingestion pipeline while granting full read-write access to a SOAR integration that needs to create and update detection rules.
The token endpoint returns an access token valid for 3600 seconds by default, with refresh token support for long-running integrations. All API calls must include the token in the Authorization: Bearer <token> header, and all traffic occurs over TLS 1.3 encryption.
Security Note: Never embed API keys directly in source code or configuration files that could be committed to version control. Use a secrets management solution—or better yet, ThreatHawk's built-in credential vault—to store and rotate API credentials automatically.
Rate Limiting and Pagination
ThreatHawk enforces rate limits based on your subscription tier, with enterprise plans supporting up to 10,000 requests per minute. The API returns standard X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers to help you manage consumption. For endpoints that return collections—such as /events or /alerts—the API uses cursor-based pagination to maintain consistent performance even when querying millions of records.
Core API Endpoints for Custom Integrations
The ThreatHawk API organizes its functionality into logical resource groups. Understanding these core endpoints is essential before planning any custom integration.
/events/alerts/rules/threat-intel/assets/complianceEvent Ingestion Endpoint
The POST /events endpoint is the most frequently used integration point. It accepts JSON arrays of events, with each event requiring a timestamp, source, event_type, and payload field. ThreatHawk automatically normalizes incoming events against its schema library, but you can bypass normalization for custom log formats by setting the raw flag to true and providing a custom parser ID.
For high-throughput environments, the API supports batch ingestion of up to 10,000 events per request with compression via gzip. This is particularly valuable when integrating custom applications that generate high volumes of audit logs, such as proprietary manufacturing execution systems or custom banking transaction platforms.
Alert Management Endpoint
The GET /alerts endpoint with its filtering parameters allows you to pull alerts into external dashboards or ticketing systems. Filter by severity, status, detection rule, or time range. The PATCH /alerts/{id} endpoint lets external systems update alert status—for example, marking an alert as "investigating" when a SOAR playbook picks it up.
Building a Custom Threat Intelligence Feed Integration
One of the most powerful use cases for the ThreatHawk API is feeding internal threat intelligence into the SIEM's correlation engine. Many organizations maintain proprietary threat data—IOCs from incident response engagements, indicators from industry ISACs, or contextual data from internal threat research teams. With the ThreatHawk API, you can push this data directly into the platform's threat intelligence layer.
Authenticate and Obtain API Credentials
Navigate to the API Management section in the ThreatHawk admin console. Create a new API key with the "Threat Intelligence: Write" scope. This ensures the key can only push IOCs and cannot modify detection rules or access alert data—a critical security boundary for least-privilege integration design.
Format Your Threat Intelligence Data
The API expects a structured format. Each IOC requires a type (IP, domain, hash, URL), a value, a confidence score from 0–100, and a source identifier. Optionally, include ttl for expiration and tags for categorization. For example, a malicious IP from your internal research would look like: {"type": "ip", "value": "203.0.113.45", "confidence": 85, "source": "internal-ir-team", "tags": ["apt", "phishing-campaign"]}.
POST to the Threat Intelligence Endpoint
Send the formatted IOCs as a JSON array to POST /threat-intel/iocs. ThreatHawk validates each IOC against existing entries to prevent duplicates, then indexes them for real-time matching against incoming events. The API returns detailed error messages for any malformed entries, allowing you to correct issues in your pipeline without manual intervention.
Verify Correlation in Detection Rules
Once the IOCs are ingested, they become available to ThreatHawk's correlation engine. Any detection rule referencing threat intelligence—such as "Match incoming IP against threat feed"—will immediately begin firing alerts against the new indicators. You can verify this by checking the threat intelligence dashboard or querying GET /threat-intel/iocs?source=internal-ir-team.
Automate Your Threat Intelligence Pipeline
Stop manually uploading IOCs into your SIEM. With ThreatHawk's API, you can build automated pipelines that push threat intelligence from your internal research, ISAC feeds, and partner sources directly into the correlation engine—in real time. Talk to our security engineers to see how it works in your environment.
Integrating ThreatHawk with Your SOAR Platform
Security orchestration, automation, and response platforms rely on bidirectional communication with SIEMs to close the loop between detection and remediation. The ThreatHawk API supports this workflow natively, allowing SOAR platforms to query alerts, trigger enrichment, and update statuses as playbooks execute.
Querying Alerts from a SOAR Playbook
A typical SOAR integration begins with the GET /alerts endpoint. You can filter for unacknowledged critical alerts from the last hour using query parameters: GET /alerts?status=open&severity=critical&created_after=2025-02-10T00:00:00Z. The response includes the full alert context—affected assets, matched rules, raw event IDs, and MITRE ATT&CK mapping—giving your SOAR platform everything it needs to make enrichment calls to external threat intelligence or sandbox services.
One common pattern is enriching alert IPs against VirusTotal or AlienVault OTX before escalating. The ThreatHawk API returns the raw event payload in the alert detail, so your SOAR playbook can extract the relevant IOCs without an additional database query.
Pushing Enrichment Results Back Into ThreatHawk
After enrichment, the SOAR playbook can update the alert via PATCH /alerts/{alert_id} with a custom payload containing enrichment results. This data becomes part of the alert's audit trail within ThreatHawk, visible to the SOC team reviewing the case. For example, you might add {"custom_fields": {"virustotal_hits": 12, "sandbox_verdict": "malicious"}} to the alert record.
Custom Log Source Ingestion Pipelines
Every organization has legacy applications, custom-built software, or niche security tools that don't have native SIEM integrations. The ThreatHawk API's event ingestion capabilities solve this problem without requiring you to purchase additional connectors or adapters.
Building a Syslog-to-API Bridge
Many legacy systems still output syslog. Rather than forcing them through complex agent configurations, you can deploy a lightweight Python or Go service that listens on a UDP or TCP syslog port, parses the incoming messages, and forwards them to the ThreatHawk API. This approach gives you full control over log normalization before the data reaches the SIEM, which is particularly valuable for proprietary application logs that don't match standard syslog formats.
The bridge service batches logs and sends them via POST /events, applying field mappings and enrichment at the edge. For example, you could map a legacy application's severity codes (1–5) to ThreatHawk's severity levels (info, low, medium, high, critical) before ingestion, ensuring consistent alerting behavior across all log sources.
Cloud-Native Log Ingestion via Webhooks
For cloud-native applications that emit webhooks—such as AWS CloudWatch, Azure Monitor, or custom microservices—the ThreatHawk API can serve as a webhook receiver endpoint. Configure your cloud services to send JSON payloads to POST /events/webhook/{source_id}, where the source ID maps to a predefined log source within ThreatHawk. This eliminates the need for intermediate message queues or Lambda functions, reducing both latency and infrastructure complexity.
Detection Rules as Code
Modern SOC teams are adopting infrastructure-as-code practices for their security tooling. The ThreatHawk API's detection rules endpoints allow you to manage rules through version-controlled YAML or JSON files, enabling peer review, automated testing, and consistent deployment across development, staging, and production SIEM environments.
Creating and Versioning Rules Programmatically
The POST /rules endpoint accepts a complete rule definition, including conditions, severity, MITRE ATT&CK mapping, and response actions. You can write rules in SIQL (ThreatHawk's native query language) or use the visual rule builder's JSON representation. By managing rules as code, your SOC can:
- Subject new detection logic to code review before deployment
- Roll back problematic rules to the previous version instantly
- Duplicate rules across multiple environments with environment-specific parameter overrides
- Test rules against historical event data via the
POST /rules/testendpoint before enabling them in production
Compliance Consideration: Under frameworks like SOC 2 and NIST 800-53, detection rules must be reviewed and approved before deployment. Managing rules as code with API-driven deployment creates an auditable trail of who created, modified, or enabled each rule—critical evidence during compliance audits.
Bulk Rule Operations and Migration
When migrating from a legacy SIEM to ThreatHawk, the API supports bulk import and export of detection rules. Use GET /rules/export to download all rules in a portable JSON format, and POST /rules/import to upload them into a new ThreatHawk instance. The API automatically flags rules that require manual review due to incompatible data sources or missing field references, saving weeks of manual migration effort.
Building a Custom Compliance Dashboard
SOC teams often need to present compliance data in organization-specific formats or integrate with GRC platforms that don't support standard SIEM integrations. The ThreatHawk API's compliance endpoints make this straightforward.
Pulling Evidence for Specific Frameworks
The GET /compliance/{framework}/evidence endpoint returns pre-collected evidence mapped to specific controls. For PCI DSS Requirement 10 (log monitoring), for example, the API can return all log retention evidence, alerting on unauthorized access, and time synchronization configurations in a single paginated response. Your GRC platform or internal dashboard can consume this data directly, eliminating manual evidence collection during audit preparation.
Automate Compliance Reporting with ThreatHawk
Stop manually gathering evidence for SOC 2, PCI DSS, ISO 27001, or HIPAA audits. The ThreatHawk API gives your compliance team programmatic access to evidence, control mappings, and retention reports. Schedule a demo to see how enterprise teams reduce audit prep time by 70%.
Custom Report Generation
For organizations that need compliance reports in specific formats—such as a feed into a board-level risk dashboard or integration with a third-party audit platform—the POST /compliance/reports endpoint accepts template parameters and returns JSON or CSV output. You can schedule these report generation jobs via the API and push the results into your reporting infrastructure without manual intervention.
Error Handling and Best Practices
Even well-designed integrations encounter errors. Understanding the ThreatHawk API's error response patterns helps you build resilient pipelines that recover gracefully.
Common Error Codes
The API returns standard HTTP status codes with structured error messages in the response body. A 400 Bad Request indicates malformed JSON or missing required fields, with the response containing a "fields" array identifying which fields need attention. 429 Too Many Requests includes a Retry-After header specifying seconds until the rate limit resets. 422 Unprocessable Entity indicates semantic validation failures—for example, an IOC with an invalid hash format or a detection rule referencing a nonexistent data source.
Retry Strategies
For production integrations, implement exponential backoff with jitter for retries on 429 and 5xx errors. ThreatHawk recommends a starting retry delay of 1 second, doubling up to a maximum of 60 seconds, with a random jitter of ±500ms to prevent thundering herd problems. The API's idempotency keys—passed via the Idempotency-Key header—ensure that retried requests don't create duplicate events or alerts in the system.
Monitoring Your API Integration
ThreatHawk exposes API usage metrics through the GET /metrics/integration/{id} endpoint, showing request volume, error rates, and latency percentiles for each API key. These metrics can feed into your existing monitoring stack (Prometheus, Datadog, etc.) to alert when an integration's error rate exceeds acceptable thresholds. Additionally, ThreatHawk logs every API call in the platform's own event pipeline, so you can search for API errors using the same SIEM queries you use for security events.
Security Considerations for API Integrations
While the ThreatHawk API is designed with security in mind, the integrations you build must follow the same security principles you apply to other critical infrastructure.
Least-Privilege API Keys
Each integration should have its own API key with the minimum permissions required. A log ingestion pipeline only needs write access to /events. A reporting dashboard only needs read access to /alerts and /compliance. If a key is compromised, the blast radius is limited to that integration's scope. ThreatHawk's API management console allows you to revoke individual keys without affecting other integrations, and you can set expiration dates for temporary integrations.
Network Security
For enterprise deployments, ThreatHawk supports restricting API access to specific IP ranges or VPC endpoints. Configure these restrictions in the API management console to ensure that only trusted network segments can reach the API. If your integration runs in a cloud environment, use private network peering or VPN tunnels to keep API traffic off the public internet.
Troubleshooting Common Integration Scenarios
Even with thorough planning, integrations sometimes encounter issues. Here are the most common troubleshooting scenarios and their resolutions.
Events Not Appearing in Correlation Engine
If you've successfully posted events to /events but they don't appear in the correlation engine, verify that the source field in your events matches a configured log source within ThreatHawk. Events from unrecognized sources are still ingested and searchable, but they won't be processed by correlation rules unless they're mapped to a known source. Use the GET /events/latest?source=your-source endpoint to confirm ingestion, then check the source configuration in the admin console.
Alerts Not Firing After Rule Creation
When creating detection rules programmatically, ensure the rule's enabled field is set to true and that data_sources array includes the log sources your integration is sending to. Rules created via API are not automatically enabled by default—a deliberate safety measure to prevent unintended alerting. Use GET /rules/{id} to inspect the rule's current state and source mappings.
Our Conclusion & Recommendation
The ThreatHawk API transforms a powerful SIEM into an extensible security platform that adapts to your organization's unique toolchain and workflows. For CISOs and security architects evaluating top SIEM tools, the depth and flexibility of the API should be a top consideration—not just for current integration needs, but for future use cases that haven't emerged yet. Legacy SIEM platforms with bolted-on API access create integration debt that compounds over time.
We recommend starting with a focused integration—perhaps a custom threat intelligence feed or a SOAR connector—to validate your pipeline before expanding to more complex use cases like detection rules as code or compliance automation. ThreatHawk's API documentation includes SDK examples in Python, Go, and Node.js, and the CyberSilo team provides architectural guidance for enterprise deployments. Your SOC shouldn't be limited by your SIEM's integration capabilities; with ThreatHawk, the only limit is what you can build.
Ready to Build Your Custom SIEM Integration?
Our security engineers help enterprise teams design, test, and deploy ThreatHawk API integrations that fit their unique infrastructure. Get hands-on guidance from the team that built the platform.
