Stream DLP Events to Your SIEM
Deliver every DLP detection to your SIEM in OCSF format. Pull the events with the GET /api/v1/siem/events API, or push them to Splunk, Sentinel or Elastic from the SIEM page.
Zeuslock can deliver every DLP detection to your SIEM in OCSF (Open Cybersecurity Schema Framework) format, so it maps cleanly into Splunk, Microsoft Sentinel, or Elastic. There are two ways to do it — Pull (your SIEM polls Zeuslock) and Push (Zeuslock forwards to your SIEM). Open SIEM in the sidebar — "Forward or pull DLP events in OCSF format."
First, get an API key
On the API Keys page, Create a key, name it for your SIEM, and copy the full key when it is shown. You will add it to your SIEM client. (See Generate & manage API keys.)
Option A — Pull API (your SIEM polls Zeuslock)
Your SIEM calls this endpoint on a schedule and pulls new events.
Endpoint
```
GET https://api.zeuslock.ai/api/v1/siem/events
```
Authentication — pass your key as either header:
```
Authorization: Bearer YOUR_API_KEY
X-API-Key: YOUR_API_KEY
```
Query parameters (all optional):
| Parameter | What it does |
|---|---|
| limit | Events per page. Default 100, max 500. |
| since | Page cursor — pass the next_cursor from the previous response to get the next page. |
| category | Filter by category (for example dlp). |
| severity | Minimum severity to return: low, medium, high, critical. |
| start_time / from | Only events at or after this time. |
| end_time / to | Only events at or before this time. |
Response
```
{
  "events": [ /* OCSF DLP events */ ],
  "next_cursor": "..."
}
```
Paging: keep calling with since=<next_cursor> until you have caught up. Events are retained for 90 days.
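The paging loop described above, as an added Python example (not Zeuslock's own client code). It assumes that an empty page, or a next_cursor that is missing or unchanged, means you have caught up; the ZEUSLOCK_API_KEY environment variable and the fetch hook are hypothetical names used for illustration.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.zeuslock.ai/api/v1/siem/events"  # endpoint from this page
MAX_LIMIT = 500  # documented maximum events per page


def http_fetch(params, api_key):
    """Perform one GET against the Pull API and return the decoded JSON body."""
    url = BASE_URL + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pull_events(cursor=None, severity=None, limit=200, fetch=None, max_pages=1000):
    """Page through the Pull API and return (events, last_cursor).

    Assumption: "caught up" means an empty page, or a next_cursor that is
    missing or unchanged. Persist last_cursor and pass it back in as `cursor`
    on the next scheduled run so events are not pulled twice.
    """
    if fetch is None:
        # Hypothetical variable name; keep the key out of source control.
        api_key = os.environ["ZEUSLOCK_API_KEY"]
        fetch = lambda params: http_fetch(params, api_key)
    events = []
    for _ in range(max_pages):  # hard stop so a bad cursor cannot loop forever
        params = {"limit": min(limit, MAX_LIMIT)}
        if severity:
            params["severity"] = severity
        if cursor:
            params["since"] = cursor
        page = fetch(params)
        batch = page.get("events", [])
        events.extend(batch)
        next_cursor = page.get("next_cursor")
        done = not batch or not next_cursor or next_cursor == cursor
        cursor = next_cursor or cursor  # never lose the last known position
        if done:
            break
    return events, cursor
```

Store the returned cursor somewhere durable between runs; with the 90-day retention stated above, a poller that loses its cursor for longer than that cannot backfill the gap.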
Example
```
curl -H "X-API-Key: YOUR_API_KEY" \
  "https://api.zeuslock.ai/api/v1/siem/events?severity=high&limit=200"
```
Option B — Push integrations (Zeuslock forwards to your SIEM)
On the SIEM page, under Push integrations, click Add SIEM, choose your platform — Splunk HEC, Microsoft Sentinel, or Elastic Bulk API — enter its endpoint and credentials, and save. Each integration shows its Name, SIEM type, Endpoint, and Status, with Disable / Edit / Delete actions. Zeuslock forwards the same OCSF events the Pull API serves.
Use the API URL shown on your dashboard if it differs (for example a staging environment).