SIEM Bot Detection Integration: Complete Guide for Splunk, Elastic, CrowdStrike, and Universal Formats

Your SOC monitors thousands of events per second. Endpoint alerts, firewall logs, identity events, network flows. But here is the gap most security teams do not talk about: bot traffic is invisible to your SIEM.

That credential stuffing attack hitting your login page at 3 AM? It looks like normal authentication failures. That AI scraper exfiltrating your pricing data? Just another HTTP 200. That vulnerability scanner probing your API endpoints? Lost in the noise of legitimate traffic.

WebDecoy changes this. Our native SIEM integrations deliver enriched bot detection events directly into your existing security workflows in under 100 milliseconds. No blind spots. No manual correlation. Every bot attack becomes actionable intelligence in the tools your analysts already use.

The Bot Visibility Problem in Security Operations

Traditional SIEMs are built to correlate known threats: malware signatures, CVE exploits, suspicious login patterns. They excel at connecting dots when the dots are labeled.

Bot attacks create unlabeled dots.

A sophisticated scraper does not trigger your IDS. It does not match a malware hash. It generates legitimate-looking HTTP requests that your WAF waves through. By the time you notice the damage (stolen content, inventory depletion, credential compromise), the attacker is long gone.

Consider what your SIEM sees during a typical bot attack:

2025-11-27T03:14:22Z web-01 nginx: 192.168.1.100 - - "POST /api/login HTTP/1.1" 401 0.023s
2025-11-27T03:14:22Z web-01 nginx: 192.168.1.101 - - "POST /api/login HTTP/1.1" 401 0.019s
2025-11-27T03:14:23Z web-01 nginx: 192.168.1.102 - - "POST /api/login HTTP/1.1" 401 0.021s

Three failed logins from three IPs. Could be a botnet cycling through a credential list. Could be three users who forgot their passwords. Your SIEM cannot tell the difference because it lacks the context that only bot detection can provide.

Now imagine those same events enriched with WebDecoy intelligence:

{
  "timestamp": "2025-11-27T03:14:22Z",
  "src_ip": "192.168.1.100",
  "threat_score": 94,
  "bot_classification": "credential_stuffing",
  "ja3_fingerprint": "e7d705a3286e19ea42f587b344ee6865",
  "ja3_match": "python-requests/2.28",
  "geo": { "country": "RU", "asn": "AS12345", "isp": "HostingProvider LLC" },
  "mitre_attack": ["T1110.001", "T1110.003"],
  "honeypot_triggered": true,
  "user_agent_mismatch": true
}

Now your analysts have actionable intelligence. Now your correlation rules can fire. Now your SOAR playbooks can respond.

WebDecoy SIEM Integration Architecture

WebDecoy delivers bot detection events through five integration paths, ensuring compatibility with every SIEM on the market:

Integration Methods at a Glance

Method | Best For | Latency | Protocol
Splunk HEC | Splunk Enterprise/Cloud | <50ms | HTTPS
Elasticsearch | Elastic Security, ELK | <50ms | HTTPS
CrowdStrike LogScale | Falcon ecosystem | <100ms | HTTPS
Syslog (RFC 5424) | Universal SIEM compatibility | <100ms | TCP/TLS or UDP
CEF | ArcSight, QRadar, legacy SIEMs | <100ms | Syslog transport

All integrations include the same enriched event data. The only difference is the format and transport mechanism.

Enriched Event Data Model

Every bot detection event includes:

Threat Intelligence

  • threat_score (0-100): Composite risk score based on multiple signals
  • bot_classification: Attack type (credential_stuffing, scraping, vulnerability_scan, inventory_hoarding, etc.)
  • confidence: Detection confidence percentage
  • verdict: Block, challenge, monitor, or allow recommendation

TLS Fingerprinting

  • ja3_fingerprint: JA3 hash of the TLS handshake
  • ja4_fingerprint: JA4 extended fingerprint
  • ja3_match: Known bot tool match (curl, python-requests, scrapy, etc.)
  • tls_version: TLS protocol version
  • cipher_suite: Negotiated cipher

Geolocation and Network

  • country, city, region: Geo-IP data
  • asn, isp, org: Network ownership
  • is_datacenter: Datacenter/hosting provider flag
  • is_proxy, is_vpn, is_tor: Anonymization detection

Behavioral Signals

  • honeypot_triggered: Boolean indicating honeypot interaction
  • user_agent_mismatch: UA does not match TLS fingerprint
  • request_velocity: Requests per minute from this source
  • session_anomalies: Abnormal session patterns detected

MITRE ATT&CK Mapping (see our MITRE ATT&CK honeypot mapping guide)

  • mitre_attack: Array of applicable technique IDs (T1110, T1595, T1589, etc.)
  • mitre_tactics: Applicable tactics (Credential Access, Reconnaissance, etc.)

Splunk Integration

Splunk is the gold standard for enterprise security operations. WebDecoy’s Splunk integration delivers bot detection events directly to Splunk via HTTP Event Collector (HEC), with pre-built dashboards and saved searches ready for immediate deployment.

Configuration

Step 1: Enable HTTP Event Collector in Splunk

Settings → Data Inputs → HTTP Event Collector → New Token

Create a token with the following settings:

  • Source type: _json
  • Index: webdecoy (create this index first)
  • Enable indexer acknowledgment for guaranteed delivery

Step 2: Configure WebDecoy

In your WebDecoy dashboard, navigate to Integrations → SIEM → Splunk:

{
  "integration": "splunk",
  "hec_endpoint": "https://splunk.yourcompany.com:8088/services/collector",
  "hec_token": "your-hec-token",
  "index": "webdecoy",
  "source": "webdecoy:bot_detection",
  "sourcetype": "_json",
  "enable_acknowledgment": true,
  "batch_size": 100,
  "flush_interval_ms": 1000
}

Event Format

WebDecoy sends events in Splunk-native JSON format:

{
  "time": 1764231262,
  "host": "webdecoy-edge-01",
  "source": "webdecoy:bot_detection",
  "sourcetype": "_json",
  "index": "webdecoy",
  "event": {
    "timestamp": "2025-11-27T08:14:22Z",
    "event_type": "bot_detection",
    "threat_score": 87,
    "verdict": "block",
    "bot_classification": "credential_stuffing",
    "src_ip": "192.168.1.100",
    "dst_host": "app.yourcompany.com",
    "dst_path": "/api/v1/auth/login",
    "http_method": "POST",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0",
    "ja3": "e7d705a3286e19ea42f587b344ee6865",
    "ja3_match": "python-requests/2.28",
    "ja4": "t13d1516h2_8daaf6152771_b0da82dd1658",
    "tls_version": "TLSv1.2",
    "geo": {
      "country": "RU",
      "city": "Moscow",
      "asn": "AS12345",
      "isp": "Cloud Hosting Ltd"
    },
    "signals": {
      "honeypot_triggered": true,
      "user_agent_mismatch": true,
      "datacenter_ip": true,
      "velocity_anomaly": true
    },
    "mitre_attack": ["T1110.001", "T1110.003"],
    "request_id": "req_abc123xyz"
  }
}

Pre-Built Splunk Dashboards

WebDecoy provides a Splunk app with ready-to-use dashboards:

Bot Attack Overview Dashboard

  • Real-time attack volume by classification
  • Geographic heat map of bot sources
  • Top targeted endpoints
  • Threat score distribution histogram

Credential Stuffing Dashboard

  • Failed authentication correlation
  • Account lockout patterns
  • Botnet IP cluster analysis
  • Time-series attack velocity

MITRE ATT&CK Coverage Dashboard

  • Technique coverage matrix
  • Detection gaps visualization
  • Attack chain reconstruction

Splunk Saved Searches

Deploy these saved searches to power alerts and reports:

High-Confidence Credential Stuffing

index=webdecoy sourcetype=_json
| where threat_score >= 80 AND bot_classification="credential_stuffing"
| stats count by src_ip, geo.country, ja3_match
| where count > 10
| sort -count

Honeypot Triggered Alerts

index=webdecoy sourcetype=_json signals.honeypot_triggered=true
| stats count, values(dst_path) as endpoints by src_ip
| where count > 1

Bot Tool Detection

index=webdecoy sourcetype=_json ja3_match=*
| timechart span=1h count by ja3_match

Splunk SOAR Integration

WebDecoy events trigger Splunk SOAR playbooks automatically:

Automated Response Workflow

  1. Bot detection event arrives with threat_score >= 90
  2. SOAR playbook triggers
  3. IP enrichment from threat intel feeds
  4. Automatic firewall block rule creation
  5. Slack/PagerDuty notification to SOC
  6. Ticket creation in ServiceNow

# Splunk SOAR Playbook Snippet
import phantom.rules as phantom  # the module every Splunk SOAR (Phantom) playbook imports


def on_bot_detection(container, **kwargs):
    # phantom.add_firewall_rule and phantom.send_slack are illustrative helpers
    # standing in for the firewall and Slack app actions (a real playbook
    # invokes those actions through phantom.act()).
    if container['artifact']['threat_score'] >= 90:
        # Block at perimeter
        phantom.add_firewall_rule(
            src_ip=container['artifact']['src_ip'],
            action='block',
            duration='24h'
        )
        # Notify SOC
        phantom.send_slack(
            channel='#soc-alerts',
            message=f"High-confidence bot blocked: {container['artifact']['src_ip']}"
        )

Elastic Security (ELK Stack) Integration

Elastic Security provides powerful visualization and detection capabilities. WebDecoy integrates natively with Elasticsearch for seamless data ingestion and includes Kibana dashboards for bot attack visualization.

Configuration

Step 1: Create Elasticsearch Index

PUT /webdecoy-bot-detections
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "threat_score": { "type": "integer" },
      "bot_classification": { "type": "keyword" },
      "src_ip": { "type": "ip" },
      "geo": {
        "properties": {
          "location": { "type": "geo_point" },
          "country": { "type": "keyword" },
          "asn": { "type": "keyword" }
        }
      },
      "ja3": { "type": "keyword" },
      "ja4": { "type": "keyword" },
      "mitre_attack": { "type": "keyword" }
    }
  }
}

Step 2: Configure WebDecoy

{
  "integration": "elasticsearch",
  "hosts": ["https://elasticsearch.yourcompany.com:9200"],
  "api_key": "your-api-key",
  "index_pattern": "webdecoy-bot-detections-{YYYY.MM.DD}",
  "pipeline": "webdecoy-enrichment",
  "bulk_size": 500,
  "flush_interval_ms": 5000
}
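The Splunk HEC and Elasticsearch paths above both batch events over HTTPS, but the bodies they expect differ: HEC takes JSON envelopes with an epoch `time` field and the `event` payload inside, while `_bulk` takes NDJSON action/document pairs and a daily index name. The following is an added example, not WebDecoy's, Splunk's or Elastic's own client code; it assumes the configuration keys shown above (`index`, `source`, `sourcetype`, `index_pattern`, `pipeline`), and the sample events, URLs and credential strings are constructed placeholders.

```python
"""Build batched payloads for the Splunk HEC and Elasticsearch _bulk ingestion paths."""
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample events (not real traffic), shaped like the page's enriched event model.
SAMPLE_EVENTS = [
    {"timestamp": "2025-11-27T08:14:22Z", "event_type": "bot_detection",
     "threat_score": 87, "verdict": "block", "bot_classification": "credential_stuffing",
     "src_ip": "192.168.1.100", "dst_path": "/api/v1/auth/login",
     "geo": {"country": "RU", "asn": "AS12345"}, "mitre_attack": ["T1110.001", "T1110.003"]},
    {"timestamp": "2025-11-27T08:14:23Z", "event_type": "bot_detection",
     "threat_score": 42, "verdict": "monitor", "bot_classification": "scraping",
     "src_ip": "192.168.1.101", "dst_path": "/pricing",
     "geo": {"country": "US", "asn": "AS67890"}, "mitre_attack": ["T1595"]},
]


def to_epoch(ts):
    """ISO-8601 'Z' timestamp -> UTC epoch seconds (HEC's 'time' field takes epoch, not ISO)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def hec_batch(events, index="webdecoy", source="webdecoy:bot_detection",
              sourcetype="_json", host="webdecoy-edge-01"):
    """Splunk HEC body: one JSON envelope per event, concatenated in a single POST.
    Metadata (time/host/source/sourcetype/index) sits beside the 'event' payload."""
    lines = []
    for ev in events:
        envelope = {"time": to_epoch(ev["timestamp"]), "host": host, "source": source,
                    "sourcetype": sourcetype, "index": index, "event": ev}
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return ("\n".join(lines) + "\n").encode()


def es_bulk_batch(events, index_pattern="webdecoy-bot-detections-{YYYY.MM.DD}"):
    """Elasticsearch _bulk body (NDJSON): an action line, then the document line.
    The daily index name comes from each event's own timestamp, and the timestamp
    is copied to @timestamp to match the index mapping created in Step 1."""
    lines = []
    for ev in events:
        day = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y.%m.%d")
        doc = dict(ev)
        doc["@timestamp"] = ev["timestamp"]
        action = {"index": {"_index": index_pattern.replace("{YYYY.MM.DD}", day)}}
        lines.append(json.dumps(action, separators=(",", ":")))
        lines.append(json.dumps(doc, separators=(",", ":")))
    return ("\n".join(lines) + "\n").encode()


def decode_ndjson(body):
    """Split an NDJSON body back into objects (handy for inspecting what would be sent)."""
    return [json.loads(line) for line in body.decode().splitlines()]


def build_request(url, body, auth_header, pipeline=None, hec_channel=None):
    """Assemble the HTTPS POST without sending it. HEC authenticates with
    'Authorization: Splunk <token>', Elasticsearch with 'Authorization: ApiKey <key>'.
    ?pipeline= selects the ingest pipeline for _bulk; X-Splunk-Request-Channel (a GUID)
    is required when HEC indexer acknowledgment is enabled, as in the configuration above."""
    if pipeline:
        url = url + "?pipeline=" + pipeline
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", auth_header)
    is_bulk = url.split("?")[0].endswith("/_bulk")
    req.add_header("Content-Type", "application/x-ndjson" if is_bulk else "application/json")
    if hec_channel:
        req.add_header("X-Splunk-Request-Channel", hec_channel)
    return req


def send(req, timeout=5):
    """Send a prepared request and return the HTTP status (only when a SIEM is reachable)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    hec = build_request("https://splunk.yourcompany.com:8088/services/collector",
                        hec_batch(SAMPLE_EVENTS), "Splunk your-hec-token",
                        hec_channel="00000000-0000-0000-0000-000000000000")  # placeholder GUID
    es = build_request("https://elasticsearch.yourcompany.com:9200/_bulk",
                       es_bulk_batch(SAMPLE_EVENTS), "ApiKey your-api-key",
                       pipeline="webdecoy-enrichment")
    print(hec.full_url, hec.data.decode(), es.full_url, es.data.decode(), sep="\n")
```

Running the module prints both request bodies without contacting a server; `send()` is only called once real endpoints and credentials are in place. Note that the Splunk `time` field is derived from the event timestamp rather than from the wall clock at send time, so batching and retries do not shift event times.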

Elastic SIEM Detection Rules

Deploy these detection rules for automated alerting:

High-Volume Credential Stuffing

{
  "name": "WebDecoy: Credential Stuffing Attack",
  "risk_score": 85,
  "severity": "high",
  "query": "bot_classification:credential_stuffing AND threat_score >= 80",
  "threshold": {
    "field": "src_ip",
    "value": 50,
    "cardinality": []
  },
  "interval": "5m"
}

TLS Fingerprint Mismatch

{
  "name": "WebDecoy: Bot Tool Detected via TLS Mismatch",
  "risk_score": 70,
  "severity": "medium",
  "query": "signals.user_agent_mismatch:true AND ja3_match:*",
  "actions": ["slack-notify", "create-case"]
}

Kibana Dashboards

WebDecoy provides importable Kibana dashboards:

  • Bot Attack Map: Real-time geographic visualization of attack origins
  • Attack Classification Breakdown: Pie charts and trends by bot type
  • TLS Fingerprint Analysis: Top bot tools detected via JA3/JA4
  • MITRE ATT&CK Heat Map: Coverage visualization across techniques

Machine Learning Job Templates

Elastic ML can detect anomalies in bot patterns:

{
  "job_id": "webdecoy-attack-velocity-anomaly",
  "analysis_config": {
    "detectors": [{
      "function": "high_count",
      "partition_field_name": "bot_classification"
    }],
    "bucket_span": "15m"
  },
  "data_description": {
    "time_field": "@timestamp"
  }
}

CrowdStrike Falcon LogScale Integration

For organizations using CrowdStrike’s security ecosystem, WebDecoy integrates with Falcon LogScale (formerly Humio) to correlate bot activity with endpoint telemetry.

Configuration

{
  "integration": "crowdstrike_logscale",
  "ingest_endpoint": "https://cloud.humio.com/api/v1/ingest/raw",
  "ingest_token": "your-ingest-token",
  "repository": "webdecoy",
  "parser": "webdecoy-bot-detection",
  "tags": {
    "source": "webdecoy",
    "environment": "production"
  }
}

Humio Query Language (HQL) Examples

Real-Time Attack Dashboard

#source=webdecoy
| threat_score >= 70
| timeChart(bot_classification, function=count())

Correlate with Falcon Endpoint Data

#source=webdecoy threat_score >= 80
| join({#source=falcon_endpoint}, field=src_ip, include=[endpoint_name, os_version])
| table(@timestamp, src_ip, endpoint_name, bot_classification, threat_score)

Top Attack Sources

#source=webdecoy
| groupBy(geo.country, function=[count(), avg(threat_score)])
| sort(_count, order=desc, limit=20)

Falcon Fusion Workflow Triggers

Automate response with Falcon Fusion:

  1. WebDecoy detection event with threat_score >= 90
  2. Falcon Fusion workflow triggers
  3. Cross-reference with Falcon endpoint data
  4. If associated endpoint found: isolate for investigation
  5. Add IP to CrowdStrike IOC blocklist
  6. Create incident in Falcon Investigation dashboard

Syslog Integration (RFC 5424)

For maximum compatibility, WebDecoy supports standard Syslog output compatible with any SIEM that accepts syslog input.

Configuration

TCP with TLS (Recommended)

{
  "integration": "syslog",
  "protocol": "tcp",
  "tls": {
    "enabled": true,
    "verify_certificate": true,
    "ca_cert": "/path/to/ca.pem"
  },
  "host": "siem.yourcompany.com",
  "port": 6514,
  "facility": "local0",
  "severity_mapping": {
    "high": "alert",
    "medium": "warning",
    "low": "notice"
  },
  "app_name": "webdecoy",
  "structured_data": true
}

UDP for High-Volume Scenarios

{
  "integration": "syslog",
  "protocol": "udp",
  "host": "siem.yourcompany.com",
  "port": 514,
  "facility": "local0",
  "structured_data": true,
  "max_message_size": 65507
}

Syslog Message Format

WebDecoy generates RFC 5424-compliant messages with structured data. The PRI value is facility × 8 + severity, so this warning-level event (threat_score 87) on facility local0 (16) carries PRI 16 × 8 + 4 = 132. A syslog message is a single line; it is wrapped here for readability:

<132>1 2025-11-27T08:14:22.000Z webdecoy-edge-01 webdecoy - bot_detection
[webdecoy@52000 threat_score="87" verdict="block" bot_classification="credential_stuffing"
src_ip="192.168.1.100" ja3="e7d705a3286e19ea42f587b344ee6865"
mitre_attack="T1110.001,T1110.003"] Bot detection event: credential_stuffing attack blocked

Structured Data Elements

SD-ID | Description
webdecoy@52000 | Primary bot detection data
geo@52000 | Geolocation information
tls@52000 | TLS fingerprint data
signals@52000 | Behavioral signal flags

Facility and Severity Mapping

WebDecoy maps threat scores to syslog severities:

Threat Score | Syslog Severity | Numeric
90-100 | Alert | 1
70-89 | Warning | 4
50-69 | Notice | 5
0-49 | Informational | 6
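Any SIEM that lacks native RFC 5424 structured-data parsing will need to decode the `[webdecoy@52000 ...]` element itself, and the PRI arithmetic is easy to get wrong. The block below is an added example in Python, not WebDecoy's code: it encodes an event exactly in the layout shown above (PRI from the severity table, NILVALUE `-` for PROCID, `bot_detection` as MSGID) and parses such a message back, honoring the escaping RFC 5424 requires for `"`, `\` and `]` inside parameter values. The sample event is constructed.

```python
"""Encode a bot detection event as an RFC 5424 message and parse it back."""
import re

# Facility numbers from RFC 5424 Table 1: local0..local7 are 16..23
FACILITIES = {"local%d" % i: 16 + i for i in range(8)}

# Constructed sample event (not real traffic), matching the message shown above.
SAMPLE_EVENT = {
    "timestamp": "2025-11-27T08:14:22.000Z", "threat_score": 87, "verdict": "block",
    "bot_classification": "credential_stuffing", "src_ip": "192.168.1.100",
    "ja3": "e7d705a3286e19ea42f587b344ee6865", "mitre_attack": ["T1110.001", "T1110.003"],
}


def severity_for(score):
    """Threat score -> syslog severity number, per the mapping table above."""
    if score >= 90:
        return 1  # Alert
    if score >= 70:
        return 4  # Warning
    if score >= 50:
        return 5  # Notice
    return 6      # Informational


def sd_escape(value):
    """RFC 5424 section 6.3.3: '"', '\\' and ']' must be backslash-escaped in a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_message(event, facility="local0", hostname="webdecoy-edge-01", app="webdecoy"):
    """PRI = facility*8 + severity, VERSION 1, HEADER fields, one SD-ELEMENT, then MSG."""
    pri = FACILITIES[facility] * 8 + severity_for(event["threat_score"])
    params = {
        "threat_score": event["threat_score"],
        "verdict": event["verdict"],
        "bot_classification": event["bot_classification"],
        "src_ip": event["src_ip"],
        "ja3": event["ja3"],
        "mitre_attack": ",".join(event["mitre_attack"]),
    }
    sd = "[webdecoy@52000 " + " ".join('%s="%s"' % (k, sd_escape(v)) for k, v in params.items()) + "]"
    msg = "Bot detection event: %s verdict=%s" % (event["bot_classification"], event["verdict"])
    # PROCID is the NILVALUE '-'; MSGID names the event type
    return "<%d>1 %s %s %s - bot_detection %s %s" % (pri, event["timestamp"], hostname, app, sd, msg)


_HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
_PARAM = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def _sd_element_end(s, start):
    """Index of the ']' closing the SD-ELEMENT opened at s[start], skipping escaped characters."""
    i = start + 1
    while i < len(s):
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == "]":
            return i
        i += 1
    raise ValueError("unterminated SD-ELEMENT")


def parse_message(line):
    """Decode PRI, header fields, every SD-ELEMENT (as nested dicts) and the free-text MSG."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 version-1 message")
    pri, ts, host, app, procid, msgid, rest = m.groups()
    pri = int(pri)
    sd, pos = {}, 0
    if rest.startswith("-"):          # NILVALUE: message carries no structured data
        pos = 1
    while pos < len(rest) and rest[pos] == "[":
        end = _sd_element_end(rest, pos)
        sd_id, _, param_str = rest[pos + 1:end].partition(" ")
        sd[sd_id] = {k: re.sub(r'\\(["\]\\])', r"\1", v) for k, v in _PARAM.findall(param_str)}
        pos = end + 1
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": ts, "hostname": host,
            "app_name": app, "procid": procid, "msgid": msgid, "sd": sd,
            "msg": rest[pos:].lstrip(" ")}


if __name__ == "__main__":
    wire = build_message(SAMPLE_EVENT)
    print(wire)
    print(parse_message(wire))
```

The parser returns facility and severity as numbers so a downstream rule can filter on `severity <= 4` (warning or worse) without string matching, and the structured-data dict keeps each SD-ID separate so the `geo@52000`, `tls@52000` and `signals@52000` elements listed above land in their own namespaces when present.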

CEF (Common Event Format) Integration

For ArcSight, QRadar, and other CEF-compatible SIEMs, WebDecoy outputs events in standard CEF format.

CEF Message Format

A CEF event is a single line; it is wrapped here for readability. The target hostname is carried in dhost because the CEF dst key is defined as the destination IPv4 address:

CEF:0|WebDecoy|BotDetection|1.0|BOT_DETECTED|Bot Detection Event|8|
src=192.168.1.100 dhost=app.yourcompany.com dpt=443
request=/api/v1/auth/login requestMethod=POST
cs1Label=bot_classification cs1=credential_stuffing
cs2Label=ja3_fingerprint cs2=e7d705a3286e19ea42f587b344ee6865
cs3Label=ja3_match cs3=python-requests/2.28
cs4Label=mitre_attack cs4=T1110.001,T1110.003
cn1Label=threat_score cn1=87
cn2Label=confidence cn2=95
flexString1Label=verdict flexString1=block
flexString2Label=country flexString2=RU
deviceCustomDate1Label=detection_time deviceCustomDate1=2025-11-27T08:14:22Z

CEF Field Mapping

CEF Field | WebDecoy Data
src | Source IP address
dhost | Target hostname
request | Targeted URI path
cs1 | Bot classification
cs2 | JA3 fingerprint
cs3 | Known tool match
cs4 | MITRE ATT&CK techniques
cn1 | Threat score (0-100)
cn2 | Detection confidence
flexString1 | Verdict (block/challenge/monitor/allow)
flexString2 | Source country

Configuration

{
  "integration": "cef",
  "transport": "syslog_tcp",
  "host": "arcsight.yourcompany.com",
  "port": 514,
  "device_vendor": "WebDecoy",
  "device_product": "BotDetection",
  "device_version": "1.0",
  "severity_mapping": {
    "high": 8,
    "medium": 5,
    "low": 3
  }
}
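CEF breaks silently when a value contains a pipe, an equals sign or a newline, which request paths and user agents routinely do. The block below is an added example in Python, not WebDecoy's or ArcSight's code: it renders an event with the field assignments from the mapping table above and the severity numbers from the configuration, applies the escaping the CEF specification requires (`|` and `\` in header fields; `=`, `\`, CR and LF in extension values), and parses the line back. The threat-score thresholds for high/medium/low (80 and 50) and the sample event are assumptions; `dhost` is used for the hostname because CEF defines `dst` as the destination IPv4 address.

```python
"""Render an enriched event as a CEF line with correct escaping, and parse it back."""
import re

SEVERITY_MAP = {"high": 8, "medium": 5, "low": 3}   # from the CEF configuration above

# Constructed sample event (not real traffic), matching the CEF message shown above.
SAMPLE_EVENT = {
    "timestamp": "2025-11-27T08:14:22Z", "threat_score": 87, "confidence": 95, "verdict": "block",
    "bot_classification": "credential_stuffing", "src_ip": "192.168.1.100",
    "dst_host": "app.yourcompany.com", "dst_path": "/api/v1/auth/login", "http_method": "POST",
    "ja3": "e7d705a3286e19ea42f587b344ee6865", "ja3_match": "python-requests/2.28",
    "geo": {"country": "RU"}, "mitre_attack": ["T1110.001", "T1110.003"],
}


def severity_for(score):
    """Threat score -> configured CEF severity (the 80/50 thresholds are assumed)."""
    return SEVERITY_MAP["high" if score >= 80 else "medium" if score >= 50 else "low"]


def header_escape(value):
    """Header fields: backslash and pipe are escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def ext_escape(value):
    """Extension values: backslash and '=' are escaped, CR/LF become \\r and \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(event, version="1.0"):
    """One CEF line: seven pipe-delimited header fields, then space-separated key=value pairs."""
    header = "|".join(["CEF:0", "WebDecoy", "BotDetection", header_escape(version),
                       "BOT_DETECTED", "Bot Detection Event", str(severity_for(event["threat_score"]))])
    ext = [("src", event["src_ip"]), ("dhost", event["dst_host"]), ("dpt", 443),
           ("request", event["dst_path"]), ("requestMethod", event["http_method"]),
           ("cs1Label", "bot_classification"), ("cs1", event["bot_classification"]),
           ("cs2Label", "ja3_fingerprint"), ("cs2", event["ja3"]),
           ("cs3Label", "ja3_match"), ("cs3", event["ja3_match"]),
           ("cs4Label", "mitre_attack"), ("cs4", ",".join(event["mitre_attack"])),
           ("cn1Label", "threat_score"), ("cn1", event["threat_score"]),
           ("cn2Label", "confidence"), ("cn2", event["confidence"]),
           ("flexString1Label", "verdict"), ("flexString1", event["verdict"]),
           ("flexString2Label", "country"), ("flexString2", event["geo"]["country"]),
           ("deviceCustomDate1Label", "detection_time"), ("deviceCustomDate1", event["timestamp"])]
    return header + "|" + " ".join("%s=%s" % (k, ext_escape(v)) for k, v in ext)


# key=value where the value may contain escaped characters and spaces; a value ends
# where the next " key=" begins or at end of line
_EXT = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)")
_HEADER_KEYS = ["version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity"]


def _ext_unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Split the header on unescaped '|' (exactly seven fields), then decode the extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # escaped character: keep the next one literally
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = dict(zip(_HEADER_KEYS, fields))
    header["version"] = fields[0].split(":", 1)[1]
    extension = {k: _ext_unescape(v) for k, v in _EXT.findall(line[i:])}
    return header, extension


if __name__ == "__main__":
    wire = build_cef(SAMPLE_EVENT)
    print(wire)
    print(parse_cef(wire))
```

The parser deliberately stops after seven header fields so a pipe inside an extension value (which CEF does not require escaping) is not mistaken for a delimiter; the round trip in the usage shows a path containing both `=` and `|` surviving intact.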

Use Case: Correlating Bot Attacks Across Your Security Stack

The true power of SIEM integration emerges when you correlate bot detections with other security data.

Scenario: Credential Stuffing Leading to Account Takeover

Timeline of Attack

  1. 03:00 - WebDecoy detects credential stuffing from botnet (200 IPs, threat_score: 92)
  2. 03:15 - Botnet rotates to fresh IP range, continues attack
  3. 03:22 - Attackers successfully compromise 3 accounts (weak passwords)
  4. 03:25 - Compromised accounts accessed from attacker IPs
  5. 03:30 - Fraudulent transactions initiated

Without WebDecoy Integration

Your SIEM sees:

  • Elevated authentication failures (normal during password resets)
  • Three successful logins (looks legitimate)
  • Three financial transactions (within normal parameters)

No alert fires. Fraud discovered days later during reconciliation.

With WebDecoy Integration

Your SIEM correlates:

index=auth action=login_success earliest=-2h
| join type=inner src_ip [
    search index=webdecoy bot_classification=credential_stuffing threat_score>=80 earliest=-2h
    | stats count as bot_events, max(threat_score) as max_threat_score by src_ip
  ]
| table _time, src_ip, bot_events, max_threat_score

Save this search as an alert titled "Account Compromised During Bot Attack", scheduled every few minutes and triggering whenever it returns at least one result: a successful login from an IP that WebDecoy flagged as high-confidence credential stuffing within the preceding two hours.

Alert fires at 03:26. SOC responds immediately:

  • Compromised accounts locked
  • Fraudulent transactions reversed
  • Attacker IPs blocked across perimeter

Estimated savings: $50,000 in prevented fraud, 47 hours of investigation time.

MITRE ATT&CK Correlation Example

WebDecoy’s MITRE mappings enable threat-centric correlation:

(index=webdecoy mitre_attack=*) OR (index=endpoint mitre_technique=*)
| eval mitre_attack=coalesce(mitre_attack, mitre_technique)
| mvexpand mitre_attack
| stats count(eval(index="webdecoy")) as web_count, count(eval(index="endpoint")) as endpoint_count by mitre_attack
| where web_count > 0 AND endpoint_count > 0
| sort -web_count

This query identifies attack techniques observed both in bot traffic AND endpoint telemetry - a strong indicator of multi-stage attack campaigns.
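Both correlations in this section (bot IP followed by a successful login inside a time window, and ATT&CK techniques seen in web and endpoint telemetry alike) are simple enough to express and unit-test outside the SIEM, which is useful when tuning thresholds before committing to a saved search. The block below is an added example in Python, not WebDecoy's code and not a substitute for the SPL above; all events in it are constructed samples following the scenario timeline, and the field names (`action`, `user`, `mitre_technique`) are assumptions about the auth and endpoint indexes.

```python
"""Correlate WebDecoy detections with authentication and endpoint telemetry."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the page's events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data (not real traffic) following the scenario timeline above.
BOT_EVENTS = [
    {"timestamp": "2025-11-27T03:00:00Z", "src_ip": "192.168.1.100", "threat_score": 92,
     "bot_classification": "credential_stuffing", "mitre_attack": ["T1110.001", "T1110.003"]},
    {"timestamp": "2025-11-27T03:05:00Z", "src_ip": "192.168.1.101", "threat_score": 92,
     "bot_classification": "credential_stuffing", "mitre_attack": ["T1110.001"]},
    {"timestamp": "2025-11-27T03:10:00Z", "src_ip": "192.168.1.102", "threat_score": 35,
     "bot_classification": "scraping", "mitre_attack": ["T1595"]},
]
AUTH_EVENTS = [  # index=auth style records (field names assumed)
    {"timestamp": "2025-11-27T03:21:00Z", "src_ip": "192.168.1.101", "action": "login_failure", "user": "alice"},
    {"timestamp": "2025-11-27T03:22:00Z", "src_ip": "192.168.1.100", "action": "login_success", "user": "alice"},
    {"timestamp": "2025-11-27T03:23:00Z", "src_ip": "10.0.0.7", "action": "login_success", "user": "bob"},
    {"timestamp": "2025-11-27T06:00:00Z", "src_ip": "192.168.1.100", "action": "login_success", "user": "carol"},
]
ENDPOINT_EVENTS = [  # index=endpoint style records carrying a MITRE technique (field name assumed)
    {"timestamp": "2025-11-27T03:40:00Z", "host": "ws-042", "mitre_technique": "T1110.001"},
    {"timestamp": "2025-11-27T03:41:00Z", "host": "ws-042", "mitre_technique": "T1059.001"},
]


def compromised_logins(bot_events, auth_events, min_score=80, window_hours=2):
    """Successful logins whose source IP was flagged as credential stuffing
    (threat_score >= min_score) at most window_hours earlier. Failed attempts,
    unflagged IPs and logins outside the window are ignored."""
    window = timedelta(hours=window_hours)
    flagged = defaultdict(list)
    for e in bot_events:
        if e["bot_classification"] == "credential_stuffing" and e["threat_score"] >= min_score:
            flagged[e["src_ip"]].append(ts(e["timestamp"]))
    hits = []
    for a in auth_events:
        if a["action"] != "login_success":
            continue
        t = ts(a["timestamp"])
        if any(timedelta(0) <= t - bt <= window for bt in flagged.get(a["src_ip"], [])):
            hits.append({"user": a["user"], "src_ip": a["src_ip"], "login_time": a["timestamp"]})
    return hits


def shared_techniques(bot_events, endpoint_events):
    """Techniques present in both sources as (technique, web_count, endpoint_count),
    most frequent in bot traffic first: the Python form of the mitre_attack query above."""
    web = Counter(t for e in bot_events for t in e["mitre_attack"])
    endpoint = Counter(e["mitre_technique"] for e in endpoint_events)
    return sorted(((t, web[t], endpoint[t]) for t in web if t in endpoint), key=lambda r: -r[1])


if __name__ == "__main__":
    for hit in compromised_logins(BOT_EVENTS, AUTH_EVENTS):
        print("Account Compromised During Bot Attack:", hit)
    for row in shared_techniques(BOT_EVENTS, ENDPOINT_EVENTS):
        print("technique seen in both web and endpoint telemetry:", row)
```

With the sample data only alice's login is reported: bob's IP was never flagged, alice's failed attempt is not a login, and carol's login from the same bot IP falls three hours after the detection, outside the two-hour window. Widening `window_hours` is the knob that trades missed slow-burn takeovers against false positives from shared egress addresses.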


Getting Started

Deploying WebDecoy SIEM integration takes under 30 minutes:

Step 1: Enable Integration

Navigate to WebDecoy Dashboard → Integrations → SIEM and select your SIEM platform.

Step 2: Configure Credentials

Enter your SIEM endpoint URL, authentication credentials, and target index/repository.

Step 3: Test Connection

Click Test Connection to verify WebDecoy can reach your SIEM. A sample event will be sent.

Step 4: Deploy Dashboards

Download our pre-built dashboards and saved searches for your platform. Import via your SIEM’s management interface.

Step 5: Configure Alerts

Set up alerting rules based on the examples above. Start with high-confidence detections (threat_score >= 80) and tune from there.

Step 6: Integrate with SOAR

Connect WebDecoy events to your SOAR platform for automated response workflows.


Key Takeaways

For SOC Analysts: WebDecoy eliminates bot blind spots. Every detection includes the context you need - threat scores, TLS fingerprints, geo-IP, behavioral signals, and MITRE mappings. No more guessing whether those failed logins are a botnet or forgetful users.

For Security Engineers: Native integrations with Splunk, Elastic, CrowdStrike, and universal formats mean deployment in minutes, not months. Pre-built dashboards and detection rules accelerate time-to-value.

For Security Leaders: WebDecoy provides the audit trail compliance requires. Every bot interaction is logged with full context, mapped to MITRE ATT&CK, and retained in your SIEM for forensic analysis.

Bot attacks do not happen in isolation. Neither should your detection. WebDecoy plus your SIEM equals complete visibility.


Ready to eliminate bot blind spots in your SOC? Start your free trial and see enriched bot detections flowing into your SIEM within the hour.

Questions about integration? Contact our security engineering team or join our Discord for live support.
