GoodTime SIEM Agent
Last updated: July 17, 2026
The GoodTime SIEM Agent provides organizations with a centralized, tamper-resistant audit trail of security activity across the GoodTime platform. It automatically records security-relevant events; such as user logins, permission changes, API key updates, and administrative actions, and stores them for a configurable retention period (30 days by default). In addition to providing administrators with a searchable history of these events for auditing and compliance purposes, the SIEM Agent can forward events in real time to external security and monitoring platforms, including popular SIEM solutions such as Splunk, Microsoft Sentinel, Elastic, Google Chronicle, and AWS Security Lake. This enables security teams to incorporate GoodTime activity into their existing monitoring, alerting, and incident response workflows while maintaining a complete and immutable record of security events.
NOTE: If your Super Admin users do not see the 'SECURITY > SIEM Settings' menu item in your GoodTime account please speak to your GoodTime CSM to activate this feature in your account.
What is the GoodTime SIEM agent?
The SIEM Agent is GoodTime's audit and event-forwarding system. It has three jobs:
Record security events. Every time something security-relevant happens in the platform — a user logs in, a role is granted — the Security Service receives that event and stores it. These records are immutable: once written, they cannot be edited or deleted before their retention window expires.
Expose event history. The stored events can be browsed and searched through a read API, allowing the frontend to show administrators a full audit trail filtered by user, event type, or time range, with cursor-based pagination for large result sets.
Forward events to external systems. Customers can configure rules that send copies of these events, in real time, to a URL of their choice (a SIEM tool, a Slack webhook, a custom endpoint, etc.). This is done through Webhook Rules.
Each event captures:
What happened — the event type (e.g. user.login.failed)
When it happened
Who did it — the user or system that triggered the action
Which organization it belongs to
Details — a structured payload with context specific to that event type
How it all fits together
Event Bridge
│
▼
Security Service
│
│
├─ siem_enabled = false? → drop event
├─ event type not in allowed_event_types? → drop event
│
├─ Store event (immutable, retained for data_retention_days)
│
└─ Match against Webhook Rules
│
├─ Rule A (format: ecs, url: elastic-endpoint) → deliver
└─ Rule B (format: ocsf, url: aws-security-lake) → deliver
│
└─ on failure: retry with backoff (up to maxRetries)Webhook Configuration
A Webhook Rule tells the Security Service: "when an event of type X arrives for our
organization, send it to this URL.”
The system tracks a health score per rule based on the last 10 delivery attempts. A rule with fewer than 70% successful deliveries is considered unhealthy. The frontend can surface this to help administrators identify failing destinations.
Each rule has the following options:
Configuration Fields
Enabled: Rules can be toggled without deleting them. Disabled rules receive no events.
Event Filter:
Wildcard (*) — every event, regardless of type, triggers this rule - Default
Single type — e.g. user.login.failed — only that specific event
List of types — e.g. ["user.login.failed", "user.account.locked"] — any of those types
Destination URL: The HTTPS endpoint where events are delivered. Must be a valid URL.
Payload format: The Security Service can transform events into several industry-standard formats before sending them, so they are ready for import into popular SIEM and log management tools without additional processing.
Format key | Standard | Description | Reference |
raw | Raw (default) | Original SiemEvent as ingested — no transformation applied. | N/A |
cim | Splunk CIM | Common Information Model used by Splunk for normalizing data across different sources. | Docs ↗ |
ecs | Elastic ECS v8.11.0 | Elastic Common Schema — standard field set for ingestion into Elastic search and Kibana | Docs ↗ |
asim | Microsoft ASIM | Advanced Security Information Model for Microsoft Sentinel normalization. | Docs ↗ |
ocsf | OCSF v1.1.0 | Open Cybersecurity Schema Framework — vendor-neutral schema for security telemetry. | Docs ↗ |
chronicle_udm | Chronicle UDM | Unified Data Model used by Google Security Operations (Chronicle) for threat detection. | Docs ↗ |
Max retries: How many times the system will retry a failed delivery before marking it as permanently failed. Range: 0–10. Default: 3.
Attempt → Delay before retry
1st retry → 15 seconds
2nd retry → 30 seconds
3rd retry → 1 min 30 sec
4th retry → 4 minutes
5th retry → 7 min 30 sec
6th–10th → Up to 4 hours
Delivery Statuses
Each delivery attempt for a rule shows one of these statuses:
Status | Meaning |
pending | Waiting to be sent |
processing | Currently being sent |
success | Delivered and acknowledged |
retrying | Failed, scheduled for another attempt |
failed | All retry attempts exhausted |
Failed deliveries can also be retried manually from the frontend.
Public API
The Security Service exposes a read API so the frontend (or any authorized client) can browse and search the organization's stored event history.
Access requirement: requests must carry a token that includes the siem scope. A valid session alone is not enough — tokens without this scope receive a 403.
List events
Returns a page of events for the authenticated organization, ordered from newest to oldest.
Filters — all optional, can be combined:
Parameter | What it does |
eventType | Return only events of this type (e.g. user.login.failed) |
userId | Return only events triggered by this user |
from | Earliest timestamp to include (ISO 8601 date-time) |
to | Latest timestamp to include (ISO 8601 date-time) |
Pagination — the response includes links.next and links.prev cursor URLs ready to
use:
Parameter | What it does |
limit | Number of events per page. Min 10, max 200, default 50 |
after | Cursor from links.next — fetches the next (older) page |
before | Cursor from links.prev — fetches the previous (newer) page |
after and before are mutually exclusive — only one can be used per request.
Payload format — the format parameter controls the shape of each event's payload field, using the same six formats supported by webhook rules (raw, cim, ocsf, ecs, asim,
chronicle_udm). Default is raw.
Get a single event
Returns the full details of one event by its ID. Accepts the same format parameter as the list endpoint.
Global Settings for Organization
These settings apply to the entire organization and control whether and how events are processed. They can be read, changed, or removed through the Settings API.
SIEM enabled
A master on/off switch. When disabled, no events for that organization are processed or stored
— they are silently dropped as they arrive.
Default: enabled (events are recorded)
Options: true (record events) / false (drop all events)
Use case: an organization that wants to temporarily pause event collection, or that prefers to opt in rather than opt out.
Allowed event types
A filter that limits which event types are recorded for the organization. Events not on the list are dropped before storage — they will also never be forwarded to webhooks.
Default: all event types are accepted (no filtering)
Format: comma-separated list of event type strings, e.g.
user.login.failed,user.account.locked
Empty value: same as default — accepts all types
Use case: an organization that only cares about authentication failures and account lockouts, and does not want noise from administrative events.
Data retention
How many days of events, webhook deliveries, and delivery attempt logs are kept before being automatically purged. Once data is purged it cannot be recovered.
Default: 30 days (system-wide default, not stored per org)
Format: positive whole number of days, e.g. 90
Effect of deleting the setting: reverts to the 30-day system default
Supported Event types
Events are grouped into four categories. The exact string values listed below are what the system uses internally. They matter when configuring webhook rules or event-type filters.
Authentication
Covers logins, logouts, and multi-factor authentication.
Event type | Label | Description |
user.login.succeeded | Login Succeeded | A user successfully authenticated. |
user.login.failed | Login Failed | An authentication attempt was rejected. |
user.logout | Logged Out | A user ended their session. |
user.account.locked | Account Locked | Account locked after repeated failures. |
user.account.unlocked | Account Unlocked | A locked account was re-enabled |
mfa.challenge | MFA Challenge | An MFA prompt was issued to the user. |
mfa.succeeded | MFA Succeeded | The MFA challenge was passed. |
mfa.failed | MFA Failed | The MFA challenge was not passed. |
Access Control
Covers permissions, roles, and who can see or do what.
Event type | Label | Description |
access.granted | Access Granted | A resource access request was approved. |
access.denied | Access Denied | A resource access request was blocked. |
role.assigned | Role Assigned | A role was granted to a user. |
role.revoked | Role Revoked | A role was removed from a user. |
permission.updated | Permission Updated | A permission set was changed. |
API Keys & Tokens
Covers programmatic access credentials.
Event type | Label | Description |
api.key.created | API Key Created | A new API key was generated. |
api.key.deleted | API Key Deleted | An API key was revoked and removed. |
api.key.rotated | API Key Rotated | An API key was replaced with a new one. |
token.created | Token Created | An access token was issued. |
token.revoked | Token Revoked | An access token was invalidated. |
Administrative
Covers organization-level and settings changes.
Event type | Label | Description |
organization.updated | Organization Updated | Org-level settings were modified. |
security.settings.upda ted | Security Settings Updated | Security configuration was changed. |
integration.created | Integration Created | A new third-party integration was added. |
integration.updated | Integration Updated | An existing integration was modified. |
integration.deleted | Integration Deleted | An integration was removed. |
References