Exporting Audit Logs to a SIEM

Last updated: February 19, 2026

Pylon's Audit Logs API lets you programmatically pull security and operational events into your SIEM (Splunk, Datadog, Sentinel, Elastic, etc.) for centralized monitoring and compliance.

Prerequisites

  • Enterprise plan (audit logs feature required)

  • API token created by an Admin user — generate one from Settings > Developer > API Tokens (authentication docs)

  • Your SIEM configured to ingest JSON via a custom script or log collector

How It Works

The Audit Logs API is a pull-based, cursor-paginated REST endpoint. To integrate with your SIEM, set up a scheduled job (cron, Lambda, Cloud Function, etc.) that periodically polls for new events and forwards them to your SIEM's ingestion endpoint.

Property        Value
Endpoint        GET https://api.usepylon.com/audit-logs
Auth            Authorization: Bearer <token>
Rate limit      60 requests/minute
Max page size   999
Pagination      Cursor-based
Timestamps      RFC 3339

See the full API reference for request parameters and response schema.

Event Types Covered

Category               Example Actions
Authentication         LoginSucceeded, LoginFailed
User management        UserCreated, UserDeleted, UserInvited, UserRoleChanged
API tokens             APITokenCreated, APITokenRevoked
Issues                 IssueOpened, IssueClosed, IssueAssigned, IssuePriorityChanged
Organization settings  OrganizationAccessSettingsUpdated, OrganizationEmailSettingsUpdated
SLA events             IssueFirstResponseSLABreached, IssueResolutionSLABreached
Accounts               AccountCreated, AccountDeleted
Teams                  TeamCreated, TeamMemberAdded, TeamMemberRemoved

Handling Rate Limits

If you receive a 429 response, check the X-Retry-After header for the number of seconds to wait before retrying. The X-Rate-Limit-Remaining header tells you how many requests remain in the current window.

Recommendations

  • Persist the cursor between polling runs so you resume where you left off instead of re-fetching events

  • Use a page size of 500 to reduce API calls while staying under the 999 max

  • Poll every 1–5 minutes — this uses only a handful of requests per interval, leaving plenty of rate limit headroom

  • Set up SIEM alerts for security-relevant actions like LoginFailed, APITokenCreated, UserDeleted, and OrganizationAccessSettingsUpdated
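A polling job that applies the rate-limit handling and the recommendations above, as an added example that is not Pylon's own code: it carries the cursor across pages so a run can resume where the last one stopped, backs off on a 429 using X-Retry-After, and flags the actions the page recommends alerting on. The HTTP call is injected so the block runs offline against constructed responses; the query parameter names (limit, cursor) and response fields (data, cursor, action) are assumptions, since the page defers the schema to the API reference.

```python
import time
# Header names (X-Retry-After, X-Rate-Limit-Remaining) are from the page; the query
# parameters "cursor"/"limit" and response fields "data"/"cursor"/"action" are
# ASSUMED, since the page defers the schema to the API reference.
SECURITY_RELEVANT = {"LoginFailed", "APITokenCreated", "UserDeleted",
                     "OrganizationAccessSettingsUpdated"}
def poll_audit_logs(fetch, cursor=None, page_size=500, sleep=time.sleep, max_retries=5):
    """Drain all pages newer than `cursor`; returns (events, cursor_to_persist).
    `fetch(params)` performs GET /audit-logs and returns (status, headers, body)."""
    events, retries = [], 0
    while True:
        params = {"limit": page_size}
        if cursor:
            params["cursor"] = cursor
        status, headers, body = fetch(params)
        if status == 429:                       # rate limited: honour the server's hint
            if retries >= max_retries:
                raise RuntimeError("still rate limited after retries")
            retries += 1
            sleep(int(headers.get("X-Retry-After", "1")))
            continue
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        retries = 0
        page = body.get("data", [])
        events.extend(page)
        next_cursor = body.get("cursor")
        if not page or not next_cursor:         # caught up: persist this cursor
            return events, next_cursor or cursor
        cursor = next_cursor

def alertable(events):  # actions the page recommends alerting on in the SIEM
    return [e for e in events if e.get("action") in SECURITY_RELEVANT]

def make_fake_fetch(responses):  # constructed stand-in for the real HTTP call
    queue = list(responses)
    return lambda params: queue.pop(0)

SAMPLE_RESPONSES = [  # constructed sample data, not real API output
    (200, {}, {"data": [{"action": "LoginFailed"}, {"action": "IssueOpened"}], "cursor": "c1"}),
    (429, {"X-Retry-After": "2"}, {}),        # second request is rate limited
    (200, {}, {"data": [{"action": "APITokenCreated"}], "cursor": "c2"}),
    (200, {}, {"data": [], "cursor": "c2"}),  # empty page: caught up
]

def run_demo():
    waits = []  # record requested sleeps instead of actually waiting
    events, cursor = poll_audit_logs(make_fake_fetch(SAMPLE_RESPONSES), sleep=waits.append)
    return events, cursor, waits
```

In a real scheduled run, replace make_fake_fetch with a requests call carrying the Bearer token, store the returned cursor (file, database, or secret store) before the next interval, and hand the events to your SIEM's ingestion endpoint.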

Common SIEM Destinations

The API returns standard JSON, which is compatible with most SIEM ingestion methods:

  • Splunk — forward via HTTP Event Collector (HEC)

  • Datadog — forward via the Logs HTTP intake API

  • Elastic / OpenSearch — forward via Filebeat or the bulk ingest API

  • AWS S3 — write JSON files to a bucket for any SIEM that reads from S3 (CloudTrail Lake, Athena, etc.)

  • Microsoft Sentinel — forward via the Data Collector API

Reach out to the Pylon team if you'd like a direct integration with your SIEM.