
Overview

Meter’s SIEM integration enables real-time export of network security events from your Meter infrastructure to your organization’s security monitoring and analysis tools. This integration uses AWS Kinesis Data Streams to deliver intrusion detection system (IDS) events in CloudEvents format, allowing you to incorporate Meter network telemetry into your existing security operations workflow.

Use cases

  • Centralize security event monitoring across your entire technology stack in a single SIEM platform
  • Enable custom alerting and correlation rules based on network-level security events
  • Meet compliance requirements for security event logging and retention
  • Build custom analytics and dashboards for network security insights
  • Integrate Meter security detections with incident response automation

Prerequisites

  • AWS account with permissions to create and manage Kinesis streams and IAM roles
  • Meter Dashboard access with SIEM integration permissions
  • Basic understanding of AWS IAM cross-account role assumption
  • Familiarity with JSON data processing and CloudEvents specification

Event schema

Events are formatted according to the CloudEvents v1.0 specification with Meter-specific data payloads.

CloudEvents envelope

{
  "specversion": "1.0",
  "id": "b79aa958-147d-58fd-9c5b-40f683ada52b",
  "source": "https://meter.com",
  "type": "com.meter.ids.detection",
  "subject": "0196b087-9ba3-aefe-5c83-96b6bbb3c976",
  "datacontenttype": "application/json",
  "time": "2025-05-08T15:33:19.46948Z",
  "data": { ... }
}
Envelope fields:

  • specversion: CloudEvents specification version (always 1.0)
  • id: Deterministic UUIDv5 based on network UUID, device UUID, and timestamp
  • source: Event origin (always https://meter.com)
  • type: Event type identifier (always com.meter.ids.detection)
  • subject: Network UUID that generated the event
  • datacontenttype: Content type of the data field (always application/json)
  • time: ISO 8601 timestamp when the event was observed
  • data: IDS event details (see below)

IDS event data structure

The data field contains detailed information about the security event:

{
  "src_ip": "192.168.1.100",
  "src_port": 54321,
  "dest_ip": "93.184.216.34",
  "dest_port": 443,
  "src_mac": "aa:bb:cc:dd:ee:ff",
  "dst_mac": "11:22:33:44:55:66",
  "flow_id": "1234567890",
  "app_proto": "tls",
  "protocol": "IANA_PROTOCOL_TCP",
  "direction": "DIRECTION_TO_SERVER",
  "type": "TYPE_OOB_PROTECT",
  "alert": {
    "action": "ACTION_ALLOWED",
    "gid": 1,
    "sid": 2024001,
    "rev": 3,
    "signature": "ET MALWARE Suspicious TLS Certificate",
    "category": "A Network Trojan was detected",
    "severity": 1
  },
  "http": {
    "hostname": "example.com",
    "url": "/api/v1/data",
    "user_agent": "Mozilla/5.0...",
    "method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "content_type": "application/json",
    "length": "1024"
  },
  "flow": {
    "pkts_toserver": "15",
    "pkts_toclient": "12",
    "bytes_toserver": "4096",
    "bytes_toclient": "8192",
    "reason": "timeout"
  }
}

Data field reference

Fields (name, type, description):

  • src_ip (string): Source IP address of the flow
  • src_port (uint32): Source port number
  • dest_ip (string): Destination IP address
  • dest_port (uint32): Destination port number
  • src_mac (string): Source MAC address
  • dst_mac (string): Destination MAC address
  • flow_id (uint64): Unique identifier for the network flow
  • app_proto (string): Application layer protocol (e.g., http, tls, dns)
  • protocol (string): Transport protocol enum: IANA_PROTOCOL_TCP, IANA_PROTOCOL_UDP, IANA_PROTOCOL_ICMP, IANA_PROTOCOL_ESP, IANA_PROTOCOL_AH, IANA_PROTOCOL_ANY
  • direction (string): Flow direction: DIRECTION_TO_SERVER or DIRECTION_TO_CLIENT
  • type (string): Detection type: TYPE_IDS (passive detection), TYPE_OOB_PROTECT (out-of-band firewall), TYPE_IB_PROTECT (inline IPS)

Alert object

Fields (name, type, description):

  • action (string): Action taken: ACTION_ALLOWED, ACTION_BLOCKED
  • gid (uint32): Generator ID from the rule
  • sid (uint32): Signature ID from the rule
  • rev (uint32): Rule revision number
  • signature (string): Human-readable alert signature
  • category (string): Alert category description
  • severity (uint32): Severity level (1=high, 2=medium, 3=low)

HTTP object (when applicable)

Fields (name, type, description):

  • hostname (string): HTTP Host header value
  • url (string): Request URL path
  • user_agent (string): User-Agent header
  • method (string): HTTP method (GET, POST, etc.)
  • protocol (string): HTTP protocol version
  • status (uint32): HTTP response status code
  • content_type (string): Content-Type header
  • length (string): Content length in bytes

Flow object

Fields (name, type, description):

  • pkts_toserver (string): Packet count to server
  • pkts_toclient (string): Packet count to client
  • bytes_toserver (string): Byte count to server
  • bytes_toclient (string): Byte count to client
  • reason (string): Flow termination reason
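As an added example (not Meter's code and not part of this page), a Lambda-style consumer that decodes Kinesis records, checks the CloudEvents envelope described above, and flattens one IDS event into the fields a SIEM correlation rule would key on (rule gid:sid:rev, severity label, whether the matched traffic was allowed through). The sample event and the Records/kinesis/data batch shape are constructed inline so the code runs offline.

```python
import base64
import json

# Constructed sample: one Meter IDS CloudEvent, wrapped the way a Lambda
# function receives it from a Kinesis Data Stream (base64 in "kinesis.data").
SAMPLE_EVENT = {
    "specversion": "1.0", "id": "b79aa958-147d-58fd-9c5b-40f683ada52b",
    "source": "https://meter.com", "type": "com.meter.ids.detection",
    "subject": "0196b087-9ba3-aefe-5c83-96b6bbb3c976",
    "datacontenttype": "application/json", "time": "2025-05-08T15:33:19.46948Z",
    "data": {
        "src_ip": "192.168.1.100", "src_port": 54321,
        "dest_ip": "93.184.216.34", "dest_port": 443,
        "protocol": "IANA_PROTOCOL_TCP", "type": "TYPE_OOB_PROTECT",
        "alert": {"action": "ACTION_ALLOWED", "gid": 1, "sid": 2024001, "rev": 3,
                  "signature": "ET MALWARE Suspicious TLS Certificate",
                  "category": "A Network Trojan was detected", "severity": 1},
    },
}
KINESIS_BATCH = {"Records": [{"kinesis": {"data": base64.b64encode(
    json.dumps(SAMPLE_EVENT).encode()).decode()}}]}

SEVERITY = {1: "high", 2: "medium", 3: "low"}  # per the alert object reference

def normalize(event):
    # Reject anything that is not a Meter IDS CloudEvent before touching "data".
    if event.get("specversion") != "1.0" or event.get("type") != "com.meter.ids.detection":
        raise ValueError("not a Meter IDS CloudEvent")
    d = event["data"]
    a = d.get("alert", {})
    return {
        "event_id": event["id"],
        "network_uuid": event["subject"],
        "observed_at": event["time"],
        "src": f'{d["src_ip"]}:{d["src_port"]}',
        "dst": f'{d["dest_ip"]}:{d["dest_port"]}',
        "detection_type": d["type"],
        "rule": f'{a.get("gid")}:{a.get("sid")}:{a.get("rev")}',
        "signature": a.get("signature"),
        "severity": SEVERITY.get(a.get("severity"), "unknown"),
        # ACTION_ALLOWED means a rule matched but the traffic was not blocked.
        "needs_triage": a.get("action") != "ACTION_BLOCKED",
    }

def handler(kinesis_batch, _context=None):
    """Lambda-style entry point: decode every Kinesis record, return normalized events."""
    out = []
    for rec in kinesis_batch["Records"]:
        out.append(normalize(json.loads(base64.b64decode(rec["kinesis"]["data"]))))
    return out
```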

Best practices

Performance optimization

  • Kinesis shard capacity: Ensure your Kinesis stream has adequate shard capacity. Each shard supports 1 MB/sec or 1,000 records/sec. Monitor the IncomingBytes and IncomingRecords CloudWatch metrics.
  • Consumer scaling: If processing events with AWS Lambda or other consumers, ensure they can handle the event rate during peak traffic periods.
  • Data retention: Configure appropriate retention periods on your Kinesis stream (default 24 hours, maximum 365 days).

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support

Last updated by Meter Support Engineering on 09/29/2025