Skip to content
IntelliAuth

Stream to a destination

For long-term retention, centralised security monitoring, or compliance pipelines that need every event — stream audit events out of the platform as they happen.

Configure a stream

Section titled “Configure a stream”

Audit → Streaming → New destination. Pick one:

  • Webhook — plain HTTP POST per event. Simplest; works with anything.
  • Splunk HEC — HTTP Event Collector. Drop in your HEC URL + token.
  • Datadog Logs — Datadog log intake URL + API key.
  • Elastic / OpenSearch — point at your Elastic cluster's _bulk endpoint.

Each integration has its own configuration form. Save. The stream activates immediately.

Delivery semantics

Section titled “Delivery semantics”
  • At-least-once. Your destination may see the same event twice in rare retry scenarios. Dedupe by event id on your side.
  • Bounded lag. Events typically arrive within seconds. Spikes of activity may push lag to ~minute. Configurable per-tenant.
  • Per-destination buffer. If your destination is unhealthy, the platform buffers up to 1 hour of events. Past that, events are dropped (and audit.stream_buffer_full lands in the local audit). The stream is not the source of truth — the in-console audit log is.

The wire format

Section titled “The wire format”

Webhooks receive JSON, one event per POST:

{
  "event_id": "evt_01HZ...",
  "event_type": "user.signed_in",
  "occurred_at": "2026-05-17T08:00:00Z",
  "tenant": { "id": "tnt_01HZ...", "slug": "production-cymmetri" },
  "actor": { "kind": "user", "id": "usr_01HZX...", "label": "anita@cymmetri.com" },
  "target": { "kind": "session", "id": "ses_01HZY..." },
  "outcome": "success",
  "data": { "amr": ["pwd"], "acr": "aal2" },
  "context": { "ip": "203.0.113.45", "user_agent": "Chrome 132 on macOS", "request_id": "req_01HZ..." },
  "stream": { "destination_id": "strm_01HZ...", "attempt": 1, "first_attempted_at": "..." }
}

Each delivery is signed: X-IntelliAuth-Stream-Signature is HMAC-SHA256 over the body with a per-destination secret. Verify before processing. Same pattern as webhook subscriptions; see Verify webhook signature.

Splunk / Datadog / Elastic integrations format the payload per their respective APIs. The audit content is identical; the wrapper differs.

Per-destination filtering

Section titled “Per-destination filtering”

You can scope a stream to specific event types:

  • All events (default).
  • Only auth.* family.
  • Only security.* events (for a security-team-only feed).
  • Only events with outcome == failure (for an anomaly-monitoring pipeline).

Filter at the destination's config; the platform sends only matching events. Less noise for your SIEM; cleaner queries downstream.

Multiple destinations

Section titled “Multiple destinations”

You can configure multiple streams. Common pattern:

  • Stream 1 → Datadog (operational monitoring; all events).
  • Stream 2 → Splunk (security team; security events only).
  • Stream 3 → Webhook to your archive system (long-term retention; all events).

Each destination receives independently; failures in one don't affect the others.

Test a destination

Section titled “Test a destination”

Each destination's detail page has a Send test event button. Sends a synthetic event of type test.audit_stream with data.test: true. Your destination accepts; you confirm receipt.

Useful when:

  • Setting up a new destination.
  • After a destination credential rotation.
  • After your destination team reports "we stopped seeing IntelliAuth events" — confirms whether the issue is in the platform or downstream.

Retry + dead-letter

Section titled “Retry + dead-letter”

If a destination fails (non-2xx response, timeout, TLS error):

  • Retry at 30s / 2m / 10m / 1h / 4h backoff.
  • After 5 failures, the event lands in the destination's dead-letter queue (visible in the destination's detail page).
  • DLQ retains entries for 7 days.

You can replay DLQ entries manually from the destination detail page → DLQ → Replay.

Disable / delete a destination

Section titled “Disable / delete a destination”
  • Disable — pause the stream without losing config. New events stop being sent; the platform doesn't buffer past the standard window. Re-enable any time.
  • Delete — remove the destination entirely. Buffered events for this destination are dropped; the destination's secret is invalidated.

Audit logs the lifecycle: audit.stream_destination_created, audit.stream_destination_disabled, etc.

Common patterns

Section titled “Common patterns”

"Send every event to Splunk for security correlation"

Section titled “"Send every event to Splunk for security correlation"”

Splunk HEC destination. No filter. Set up an index for IntelliAuth audit; let Splunk's correlation engine do its thing.

"Only alert me on failures"

Section titled “"Only alert me on failures"”

Webhook destination → your alerting system. Filter: outcome == failure. Your alerting receives only the failures; saves on noise.

"Long-term archive in S3"

Section titled “"Long-term archive in S3"”

Webhook destination → AWS Lambda that writes to S3. The Lambda is essentially a thin "verify signature → S3.put_object" handler. Cheap; reliable; queryable later with Athena / similar.

"Multi-region replication"

Section titled “"Multi-region replication"”

Two webhook destinations, each pointing at a different region's ingest endpoint. Half-baked HA — if one region is down, the other still receives events. Be aware of the at-most-once-on-failure semantics.

Audit-of-audit-streaming

Section titled “Audit-of-audit-streaming”

The streaming configuration itself is audited:

  • audit.stream_destination_created / _updated / _disabled / _deleted.
  • audit.stream_event_delivered / _failed (per-attempt; can be high-volume; consider suppressing in your own downstream filtering).

For verifying "is the stream actually running?" without checking your downstream: filter audit on audit.stream_event_delivered for the destination.