Syslog & API reference

Reference for security engineers wiring CybrIQ into a detection pipeline.

Two integration surfaces: syslog for the event stream, REST API for query and SOAR action.

CybrIQ exposes two integration surfaces to a security engineer's detection pipeline. Syslog ships events as they happen; that's what your SIEM ingests and what your correlation rules fire on. The REST API answers "what's on the network right now," "what changed on this port over the last 30 days," and "give me a framework-evidence pack for PCI 4.0 control 12.5.1." This page is the reference for both.

What's not on this list. No webhooks, no STIX/TAXII feeds. The push surface is syslog and only syslog; the pull surface is the REST API. If a vendor in your evaluation queue is matching CybrIQ on functionality but pitching webhooks or STIX, that's a different product.

1. Transport and delivery

The control plane ships CybrIQ events as syslog to whatever destination(s) you configure in the dashboard. Three transports supported:

  • UDP/514. Best for low-volume sites that don't need delivery guarantees.
  • TCP/1468. Reliable delivery; the default for production.
  • TCP+TLS/6514. Encrypted; the default for cross-network or SaaS-SIEM destinations.

Destinations are registered in the dashboard. You can register multiple destinations per tenant (production SIEM + a dev SIEM + a ticketing-bridge daemon, for example). Each destination receives the same event stream; filtering is a SIEM-side concern.

2. Message format (RFC 5424)

Every CybrIQ event is a single RFC 5424 syslog message. Structured-data fields carry the event payload; the MSG portion carries a human-readable summary for compatibility with line-oriented log viewers.

<134>1 2026-05-10T17:08:12.482Z ese-bldg-3 cybriq 4231 device-substituted
  [event@29051 event_id="evt_01HQ8M9N..." event="device-substituted" severity="high"
   timestamp="2026-05-10T17:08:12Z" site="hq-bldg-3" switch="core-sw-02"
   port="Gi1/0/24" previous_dna="dna:5f8d2a1b..." current_dna="dna:7e9c4d2f..."
   similarity="0.31" threshold="0.65" previous_vendor="Cisco IP Phone 8851"
   current_vendor="unknown" mitre="T1200,T1556" controls="PCI-4.0/12.5.1,SOC2/CC6.1"]
Substituted device on port Gi1/0/24, switch core-sw-02, site hq-bldg-3. Severity high.

Facility 16 (PRI 134 = facility 16, severity 6) by default; configurable in the dashboard. The structured-data ID is event@29051; the SDID enterprise number is CybrIQ's PEN.

3. Event types and sample messages

Twelve event types in the taxonomy. Full MITRE mappings and analyst response patterns are on Detection and Playbook; the entries below are reference-only for parser writers.

device-substituted P1 / high

Device DNA on a port no longer matches the historical signature. Similarity below substitution threshold. Canonical swap-attack signal.

device-substituted
  [event@29051 event="device-substituted" severity="high"
   port="Gi1/0/24" previous_dna="dna:5f8d2a1b..." current_dna="dna:7e9c4d2f..."
   similarity="0.31" threshold="0.65" mitre="T1200,T1556"
   controls="PCI-4.0/12.5.1,SOC2/CC6.1"]
Substituted device on port Gi1/0/24.

ndaa-prohibited-detected P1 / compliance

Reference-database lookup resolved to a vendor on the NDAA Section 889 banned list at confidence at or above 0.85.

ndaa-prohibited-detected
  [event@29051 event="ndaa-prohibited-detected" severity="high"
   port="Gi2/0/06" vendor="Hikvision DS-2CD2T" confidence="0.91"
   ndaa_status="prohibited" mitre="T1199"
   controls="NDAA-889,CMMC-L2/CM.L2-3.4.1,NIST-800-171/3.4.1"]
NDAA-prohibited device detected on port Gi2/0/06.

port-topology-changed P2 / medium

An additional hop appeared between wall jack and endpoint. Usually an unauthorized switch.

device-appeared P2 / medium

New Device DNA observed on a port. The unenrolled flag fires when the device hasn't authenticated within the grace window (default 4 hours).

device-departed P3 / low

Previously stable device no longer responding on its port. Usually benign; meaningful when correlated.

device-firmware-shift P3 / low

Similarity in the 0.65 to 0.85 range, consistent with a firmware update. Logged; doesn't page by default.

device-class-mismatch P2 / medium

Resolved identity doesn't match the expected device class for the port (e.g., a corporate laptop on an AV-only port).

device-silent-extended P3 / operational

Device link-up for an extended period without expected control-plane activity. Default threshold: 7 days. Marginal security signal alone; meaningful when correlated.

unenrolled-flagged P3 / medium

A device that previously authenticated has stopped authenticating, or never did, beyond the grace window. Often correlates with device-appeared.

vendor-hint-confidence-changed P4 / informational

Reference-database confidence for a port's identity has shifted by more than the configured delta.

port-orphaned P4 / informational

Port that previously carried a device has gone fully dark past the orphan-threshold (default 14 days). Useful for inventory reclamation.

compliance-control-drift P2 / compliance

A port's framework-control coverage has changed. Compliance-flow event; routes to GRC.

4. Field reference

Every event ships some subset of these structured-data fields. The first six are present on every event; the rest are event-type-specific.

Field                 Always present             Meaning
event_id              yes                        ULID; unique across the deployment
event                 yes                        One of the twelve event types above
severity              yes                        high / medium / low
timestamp             yes                        RFC 3339 UTC
site                  yes                        Customer-assigned site identifier
port                  yes                        Switch + interface ID
switch                most events                Switch hostname or management identifier
device_dna            device-scoped events       Current Device DNA
previous_dna          change events              Prior Device DNA on the same port
similarity            change events              0 to 1; current vs. previous
threshold             change events              Configured substitution threshold
vendor                identity-resolved events   Resolved vendor + model from the reference database
confidence            identity-resolved events   0 to 1; reference-database match confidence
ndaa_status           NDAA events                One of prohibited, clean, unknown
mitre                 most security events       Comma-separated MITRE technique IDs
controls              most events                Comma-separated framework-control IDs the port carries
change_window_match   change events              Boolean; whether an approved change ticket covers the event time/port

5. SIEM-side parsing notes

Platform-specific parser snippets live on the integrations page. A few cross-platform notes:

  • Use event_id for de-duplication. ULIDs are unique across the deployment.
  • Parse mitre as comma-separated. Most events carry one technique; a few carry two.
  • controls is also comma-separated.
  • MSG is for humans. Don't write regex against the MSG; parse the structured data.
  • Time zones. All timestamps UTC. RFC 5424 header timestamp and the timestamp structured-data field agree to the millisecond.
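A parser that applies the notes above to the message format of sections 2 and 4, added here as an example and not CybrIQ's own code. The sample line is constructed from the device-substituted message shown earlier, collapsed onto one line as it arrives on the wire, with shortened placeholder event_id and DNA values.

```python
import re

# Constructed single-line version of the device-substituted sample above;
# event_id and DNA values are shortened placeholders, not real values.
SAMPLE = (
    '<134>1 2026-05-10T17:08:12.482Z ese-bldg-3 cybriq 4231 device-substituted '
    '[event@29051 event_id="evt_01HQ8M9N" event="device-substituted" severity="high" '
    'timestamp="2026-05-10T17:08:12Z" site="hq-bldg-3" switch="core-sw-02" '
    'port="Gi1/0/24" previous_dna="dna:5f8d2a1b" current_dna="dna:7e9c4d2f" '
    'similarity="0.31" threshold="0.65" mitre="T1200,T1556" controls="PCI-4.0/12.5.1,SOC2/CC6.1"] '
    'Substituted device on port Gi1/0/24, switch core-sw-02, site hq-bldg-3. Severity high.'
)

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID
HEADER = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ')
# SD-PARAM; inside a value the characters " \ ] arrive escaped with a backslash
PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
SD_ID = "[event@29051 "
LIST_FIELDS = ("mitre", "controls")
FLOAT_FIELDS = ("similarity", "threshold", "confidence")

def parse_event(line):
    """Return the CybrIQ event as a dict built from structured data; MSG kept separately."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 version-1 message")
    rest = line[m.end():]
    start = rest.find(SD_ID)
    if start < 0:
        raise ValueError("no event@29051 structured-data block")
    close = re.search(r'(?<!\\)\]', rest[start:])          # first unescaped ']'
    body = rest[start + len(SD_ID): start + close.start()]
    ev = {k: re.sub(r'\\(.)', r'\1', v) for k, v in PARAM.findall(body)}
    for k in LIST_FIELDS:
        if k in ev:
            ev[k] = ev[k].split(",")
    for k in FLOAT_FIELDS:
        if k in ev:
            ev[k] = float(ev[k])
    ev["facility"], ev["pri_severity"] = divmod(int(m.group(1)), 8)
    ev["msg"] = rest[start + close.end():].strip()            # human summary; never regex it
    return ev

def dedupe(events, seen=None):
    """Drop repeats of the same event_id, e.g. when two destinations feed one SIEM."""
    seen = set() if seen is None else seen      # pass a shared set to dedupe across batches
    return [ev for ev in events if ev["event_id"] not in seen and not seen.add(ev["event_id"])]
```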

The pull surface. Inventory state, drift history, framework-evidence export, and the SOAR action endpoints that hand off to your NAC. Auth is bearer-token; transports are TLS only.

6. Authentication and key scoping

Every endpoint requires a bearer token. Tokens are issued per integration, per scope, per source-IP allowlist. There's no "admin token that does everything."

Defaults the platform enforces. Tokens are scoped (read, write, soar-action) at issue and the scope can't be widened without re-issue. Default expiry 90 days; issuing user is emailed at 30, 7, and 1 day. Source-IP allowlists are mandatory for write and soar-action tokens.

POST /api/v1/auth/token

Exchange a one-time issue code (from the dashboard) for a bearer token. Single-use; burns on first call.

$ curl -X POST https://api.cybriq.io/api/v1/auth/token \
    -H "Content-Type: application/json" \
    -d '{"issue_code": "ic_a1b2c3d4..."}'

{
  "token": "cbq_live_pk_5f8d...",
  "scope": ["events:read", "inventory:read"],
  "expires_at": "2026-08-09T00:00:00Z",
  "ip_allowlist": ["198.51.100.0/24"],
  "rotation_deadline": "2026-07-25T00:00:00Z"
}

GET /api/v1/auth/whoami

Returns the calling token's scope and remaining validity. Use in integration startup-checks to fail fast if the token was narrowed or revoked.

POST /api/v1/auth/rotate

Mints a successor token with identical scope and allowlist. Old token remains valid for 24 hours to give you a deploy window.

7. Rate limits

Read endpoints: 600 requests per minute per token. Write and SOAR endpoints: 60 per minute per token. Burst tolerance 2x for 10 seconds. Headers X-Rate-Limit-Remaining and X-Rate-Limit-Reset on every response. 429 responses include Retry-After in seconds.

8. Inventory query

The current authoritative view of every observed device. Reconcile your CMDB against this.

GET /api/v1/inventory

List every observed device. Filters: site, vlan, vendor, ndaa_status, first_seen_after, last_seen_before. Cursor-paginated.

GET /api/v1/inventory?ndaa_status=prohibited
Authorization: Bearer cbq_live_pk_5f8d...

{
  "devices": [
    {
      "device_dna": "dna_sha256:a3b1...",
      "site": "hq-bldg-1",
      "switch": "edge-sw-04",
      "port": "Gi0/12",
      "vendor": "Hikvision DS-2CD camera (NDAA Section 889)",
      "ndaa_status": "prohibited",
      "first_seen": "2026-03-21T08:14:00Z",
      "last_seen": "2026-05-09T14:00:00Z"
    }
  ],
  "next_cursor": null
}

GET /api/v1/inventory/diff

Diff current inventory against a baseline timestamp. Returns added, removed, and changed devices. Powers the auditor's "what changed since last quarter" question without a spreadsheet.

$ curl -s "https://api.cybriq.io/api/v1/inventory/diff?baseline=2026-02-01T00:00:00Z" \
    -H "Authorization: Bearer cbq_live_pk_5f8d..."

{
  "baseline_at": "2026-02-01T00:00:00Z",
  "current_at":  "2026-05-10T17:30:00Z",
  "added":   [ { "port": "sw3-fl2/port-19", "device_dna": "dna:8c2e...", ... } ],
  "removed": [ { "port": "sw3-fl2/port-04", "device_dna": "dna:4f5c...", ... } ],
  "changed": [ { "port": "sw3-fl2/port-47", "from": "dna:7a4f...", "to": "dna:5b8e...", "similarity": 0.31 } ]
}

GET /api/v1/inventory/count

Lightweight count endpoint. Useful for dashboards and health checks.

9. Device detail

GET /api/v1/devices/{device_dna}

Full record for a single device: collected signal set, reference-database identity, similarity-score history, attached event IDs, per-port telemetry timeline. The endpoint a SOC analyst clicks into from a SIEM event.

$ curl -s "https://api.cybriq.io/api/v1/devices/dna:7a4f-1c91-..." \
    -H "Authorization: Bearer cbq_live_pk_5f8d..."

{
  "device_dna":   "dna:7a4f-1c91-...",
  "port":         "sw3-fl2/port-47",
  "site":         "hq-bldg-3",
  "vendor":       "Crestron DM-MD8x8",
  "confidence":   0.92,
  "ndaa_status":  "clean",
  "first_seen":   "2026-02-12T14:08:33Z",
  "last_seen":    "2026-05-10T17:01:00Z",
  "controls":     ["PCI-4.0/12.5.1", "SOC2/CC6.1"],
  "events":       [ "evt_01HQ8M9N..." ]
}

GET /api/v1/devices/{device_dna}/timeline

Per-port time-series. Useful when an analyst wants "was this thing behaving differently in the 48 hours before the drift event?"

10. Drift history

All drift events for a port or device over time. The audit-trail endpoint that maps to PCI 4.0 Req 12.5 and SOC 2 CC6.x change-management evidence.

GET /api/v1/drift/by-port

Every drift event on every port across a site, chronological. Filters: site, switch, port, since, until.

$ curl -s "https://api.cybriq.io/api/v1/drift/by-port?site=hq-bldg-3&since=2026-05-01" \
    -H "Authorization: Bearer cbq_live_pk_5f8d..."

{
  "events": [
    {
      "event_id":     "evt_01HQ8M9N...",
      "event":        "device-substituted",
      "severity":     "high",
      "timestamp":    "2026-05-10T17:08:12Z",
      "port":         "sw3-fl2/port-47",
      "previous_dna": "dna:7a4f-1c91-...",
      "current_dna":  "dna:5b8e-2a4f-...",
      "similarity":   0.31,
      "mitre":        ["T1200", "T1556"],
      "controls":     ["PCI-4.0/12.5.1", "SOC2/CC6.1"]
    }
  ],
  "next_cursor": null
}

GET /api/v1/drift/by-device/{device_dna}

Drift events tied to a specific device fingerprint across its lifetime, including moves between ports.

11. Compliance evidence export

Turns six weeks of audit prep into a 30-second download. Framework-mapped evidence pack (PDF plus signed JSON) over the requested timeframe and scope.

POST /api/v1/compliance/export

Initiates an evidence-pack generation job. Body specifies framework (one of pci-4.0, soc-2-type-ii, hipaa-security, nist-800-171, cmmc-l2, nist-csf-2.0, ndaa-889), scope, and timeframe. Returns a job ID.

POST /api/v1/compliance/export
Authorization: Bearer cbq_live_pk_5f8d...

{
  "framework": "pci-4.0",
  "scope": ["hq-bldg-1", "hq-bldg-3", "datacenter-east"],
  "timeframe": {"since": "2026-02-01", "until": "2026-05-01"}
}

{
  "job_id": "exp_01HQ9N3M5R6T7V8W9X0Y1Z2A",
  "status": "queued",
  "eta_seconds": 45
}

GET /api/v1/compliance/export/{job_id}

Poll for export status. When ready, the response includes signed download URLs (PDF and JSON) valid for 60 minutes. PDF goes to the auditor; JSON goes into your GRC tool.

12. SOAR action endpoints

CybrIQ is a detection tool, not an enforcement tool. These endpoints are where your SOAR playbook acknowledges, tags, or suppresses events, and where we hand off to a NAC for the actual quarantine.

POST /api/v1/events/{event_id}/acknowledge

Mark an event acknowledged. Body includes operator identity, reason, free-form note. Becomes part of the event's audit trail.

POST /api/v1/events/{event_id}/suppress

Suppress repeated events for a device-port pair for a stated duration. Logged in the audit trail. Requires events:write scope.

POST /api/v1/integrations/forescout/quarantine

Hand off to Forescout for port quarantine. We don't quarantine ports ourselves; we ask Forescout to. Body specifies event ID and Forescout policy name. Returns Forescout's job ID. Requires soar-action scope and an active Forescout integration.

POST /api/v1/integrations/cisco-ise/quarantine

Same shape, Cisco ISE. Body specifies event ID and ISE authorization-policy name.

13. Errors and pagination

Structured JSON errors: error.code, error.message, and (for validation errors) error.fields. HTTP status always set. Common codes:

  • 401 invalid_token, bad or expired bearer token
  • 403 scope_insufficient, token doesn't carry the scope this endpoint requires
  • 403 ip_not_allowed, source IP isn't on the token's allowlist
  • 404 not_found, event, device, or job ID not found (or outside the 60-day window)
  • 422 validation_failed, body or query parameters didn't validate
  • 429 rate_limited, back off, respect Retry-After
  • 5xx, retry with exponential backoff

Pagination is cursor-based on every list endpoint. The next_cursor field is opaque; don't construct it. null means end of results.
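A minimal read client that puts sections 6, 7 and 13 together (bearer header, Retry-After on 429, exponential backoff on 5xx, fail-fast on 401/403, opaque-cursor pagination), added here as an example and not CybrIQ's own SDK. The transport is an injected stub with constructed responses so it runs offline, and the name of the query parameter that carries next_cursor back is an assumption.

```python
import time

INVENTORY_URL = "https://api.cybriq.io/api/v1/inventory"  # endpoint from the page

class CybrIQClient:
    """Bearer auth, Retry-After on 429, backoff on 5xx, fail-fast on 401/403, cursor paging.
    send(method, url, params, headers) -> (status, headers, json) is injectable (offline-testable)."""
    def __init__(self, token, send, sleep=time.sleep, max_retries=5):
        self.headers = {"Authorization": "Bearer " + token}
        self.send, self.sleep, self.max_retries = send, sleep, max_retries

    def get(self, url, params=None):
        delay = 1.0
        for _ in range(self.max_retries + 1):
            status, hdrs, body = self.send("GET", url, dict(params or {}), self.headers)
            code = (body.get("error") or {}).get("code")
            if status == 429:                 # rate_limited: honour the server's Retry-After
                self.sleep(float(hdrs.get("Retry-After", delay)))
            elif 500 <= status < 600:         # transient: back off exponentially and retry
                self.sleep(delay); delay *= 2
            elif status in (401, 403):        # bad/narrowed token or IP not allowlisted: don't retry
                raise PermissionError(f"{status} {code}")
            elif status >= 400:               # 404 / 422: caller problem, surface it
                raise RuntimeError(f"{status} {code}")
            else:
                return body
        raise RuntimeError("retries exhausted")

    def list_all(self, url, params=None, key="devices"):
        # Follow next_cursor until null; it is opaque and echoed back untouched.
        # Sending it as a 'cursor' query parameter is an assumption, not stated on the page.
        params = dict(params or {})
        while True:
            page = self.get(url, params)
            yield from page.get(key, [])
            if page.get("next_cursor") is None:
                return
            params["cursor"] = page["next_cursor"]

# Constructed offline transport: a 429, then two inventory pages (placeholder values).
SCRIPT = [
    (429, {"Retry-After": "2"}, {"error": {"code": "rate_limited"}}),
    (200, {}, {"devices": [{"port": "Gi0/12"}], "next_cursor": "c_opaque_1"}),
    (200, {}, {"devices": [{"port": "Gi2/0/06"}], "next_cursor": None}),
]

def demo():  # returns (ports fetched, sleeps performed, cursor sent on each call)
    calls, slept, cursors = list(SCRIPT), [], []
    def send(method, url, params, headers):
        cursors.append(params.get("cursor"))
        return calls.pop(0)
    client = CybrIQClient("cbq_live_pk_PLACEHOLDER", send, sleep=slept.append)
    ports = [d["port"] for d in client.list_all(INVENTORY_URL, {"ndaa_status": "prohibited"})]
    return ports, slept, cursors
```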

Want to wire this up against your specific SIEM and SOAR?

Tell us which SIEM and which SOAR. We'll walk through the parser config, the correlation rules, and the specific endpoints you'd be hitting. Working session is half an hour, engineering team on the call.
