Skip to main content

Overview

This guide walks you through configuring Meter’s SIEM integration to export intrusion detection events to your AWS Kinesis stream. Once configured, Meter will continuously stream security events from your network to your chosen SIEM platform for analysis, alerting, and compliance.

Prerequisites

Before configuring the integration in Dashboard, you must:
  • Have an AWS account with permissions to create IAM roles, policies, and Kinesis streams
  • Create an AWS Kinesis Data Stream in your AWS account
  • Configure IAM roles and trust policies (see Terraform configuration examples)
  • Have Dashboard access with SIEM integration write permissions
  • Screenshot callout: Verify you have the proper permissions by checking Settings > Organization > Integrations is accessible

Use cases

  • Integrate Meter network security events with Splunk, Sumo Logic, or other SIEM platforms
  • Stream events to AWS Security Lake for centralized security data management
  • Process events with custom AWS Lambda functions for automated incident response
  • Archive security events to S3 via Kinesis Firehose for long-term retention

Setup

Gather required information

Before starting, collect the following from your AWS account:
  1. AWS Kinesis ARN: The ARN of your Kinesis Data Stream (format: arn:aws:kinesis:region:account-id:stream/stream-name)
  2. Role ARN: The ARN of the IAM role Meter will assume to write to your stream (format: arn:aws:iam::account-id:role/role-name)
  3. External ID: A unique secret string you generated for secure role assumption (recommended: 64+ character random string)
Screenshot callout: Show AWS Console with Kinesis stream details page highlighting the ARN field.

How-to

  1. Log in to Meter Dashboard at https://dashboard.meter.com
  2. Click Settings in the left navigation menu
  3. Select Organization from the Settings submenu
  4. Click the Integrations tab
  5. Click the Services sub-tab
Screenshot callout: Show Dashboard navigation path with Settings > Organization > Integrations > Services highlighted.

Configure the integration

  1. In the Services section, locate the SIEM integration card
  2. Click the Configure button on the SIEM card
Screenshot callout: Show the Services page with the SIEM integration card and Configure button visible.
  1. A drawer will open titled “Configure SIEM”
  2. Fill in the required fields: AWS Kinesis ARN
    • Paste the full ARN of your Kinesis Data Stream
    • Example: arn:aws:kinesis:us-east-1:123456789012:stream/meter-siem-events
    Role ARN
    • Paste the ARN of the IAM role in your AWS account
    • This role must trust Meter’s service role and have permissions to write to the Kinesis stream
    • Example: arn:aws:iam::123456789012:role/MeterSIEMIntegrationRole
    External ID
    • Paste the external ID you generated and configured in the IAM role’s trust policy
    • This secret prevents the confused deputy security problem
    • Example: 9167190a4095f18bb33c84d75f9596366ee0cd392332e72f130f66da38c320d3
Screenshot callout: Show the Configure SIEM drawer with all three fields filled in with example values.
  1. Click Save to create the integration
Screenshot callout: Show the Save button at the bottom of the drawer.

Verify integration status

  1. After saving, you’ll return to the Services page
  2. The SIEM integration card now displays:
    • A Configuration button (replaces the Configure button)
    • An integration status badge showing the current state
Screenshot callout: Show the SIEM card with the Configuration button and a status badge displaying “Active” with a green checkmark.
  1. Integration status indicators:
    • Active (green checkmark): Events are being successfully delivered
    • Unauthorized (red X): Authentication failed - verify your Role ARN, External ID, and IAM trust policy
    • Unknown (gray): Initial state before first event delivery attempt
  2. Hover over the status badge to see the last status update time
Screenshot callout: Show tooltip appearing on hover with relative timestamp (e.g., “2 minutes ago”).

Send a test event

  1. Click the Configuration button to open the integration details
  2. In the configuration drawer, locate the Send test event button
  3. Click Send test event
Screenshot callout: Show the configuration drawer with the Send test event button highlighted.
  1. A test IDS detection event will be immediately sent to your Kinesis stream
  2. A success notification will appear if the test event was delivered
  3. If the test fails, an error notification will display with details about the failure (e.g., “Unauthorized - check your Role ARN and External ID”)
Screenshot callout: Show success notification banner at top of screen: “Test event sent successfully”.
  1. Verify the test event arrived in your Kinesis stream:
    • Use the AWS Kinesis Console to view recent records
    • Or check your downstream SIEM platform for a test event with type: "TYPE_TEST"

Delete the integration

  1. From the configuration drawer, click the Delete button at the bottom
  2. A confirmation dialog will appear: “Are you sure you want to delete this SIEM integration?”
Screenshot callout: Show the destructive confirmation dialog with Delete and Cancel buttons.
  1. Click Delete to confirm removal
  2. The integration will be immediately deleted and event delivery will stop
  3. You can create a new integration at any time by clicking Configure again

Configuration options

FieldRequiredDescriptionExample
AWS Kinesis ARNYesThe full ARN of your Kinesis Data Streamarn:aws:kinesis:us-east-1:123456789012:stream/meter-siem
Role ARNYesThe IAM role ARN that Meter will assumearn:aws:iam::123456789012:role/MeterSIEMRole
External IDYesSecret string for secure role assumption9167190a... (64+ chars)

Best practices

Monitoring

  • Check status regularly: Monitor the integration status badge in Dashboard to detect delivery failures quickly
  • Set up alerts: Configure CloudWatch alarms on your Kinesis stream’s IncomingRecords metric to alert if event flow stops
  • Test after changes: Always send a test event after modifying IAM policies, Kinesis stream configurations, or rotating credentials

Operational

  • Document your configuration: Keep a record of your AWS Kinesis ARN, Role ARN, and when the External ID was last rotated
  • Plan for downtime: If you need to delete and recreate the integration, events generated during the gap will not be backfilled
  • Validate downstream: After initial setup, verify events are reaching your SIEM platform and being parsed correctly

Troubleshooting

Integration status shows “Unauthorized”

Cause: Meter cannot assume the IAM role you specified. Solutions:
  • Verify the Role ARN is correct and the role exists in your AWS account
  • Check the IAM role’s trust policy allows Meter’s service role ARN to assume it
  • Confirm the External ID in Dashboard exactly matches the one in the IAM trust policy (no extra spaces or characters)
  • Ensure the IAM role has permissions to write to the Kinesis stream (see Terraform examples)

Test event succeeds but no events appear in my SIEM

Cause: Events are reaching Kinesis but not being consumed by your downstream system. Solutions:
  • Verify your Kinesis consumer (Lambda, Firehose, etc.) is running and has permissions to read from the stream
  • Check CloudWatch Logs for your consumer for parsing errors
  • Confirm your SIEM platform is configured to ingest from the correct Kinesis stream
  • Review the event schema in the technical overview to ensure your parser handles CloudEvents format

Integration status never updates from “Unknown”

Cause: No IDS events have been generated yet, or the integration was just created. Solutions:
  • Wait for network activity to trigger IDS detections (this can take minutes to hours depending on traffic)
  • Click Send test event to immediately trigger a status update
  • Verify your network has IDS features enabled (contact Meter support if unsure)

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support Last updated by Meter Support Engineering on 09/29/2025
I