Skip to main content

Overview

This guide walks you through configuring Meter’s SIEM integration to export intrusion detection events to your AWS Kinesis stream. Once configured, Meter will continuously stream security events from your network to your chosen SIEM platform for analysis, alerting, and compliance.

Prerequisites

Before configuring the integration in Dashboard, you must:
  • Have an AWS account with permissions to create IAM roles, policies, and Kinesis streams
  • Create an AWS Kinesis Data Stream in your AWS account
  • Configure IAM roles and trust policies (see Terraform configuration examples)

Setup

Gather required information

Before starting, collect the following from your AWS account:
  1. AWS Kinesis ARN: The ARN of your Kinesis Data Stream (format: arn:aws:kinesis:region:account-id:stream/stream-name)
  2. Role ARN: The ARN of the IAM role Meter will assume to write to your stream (format: arn:aws:iam::account-id:role/role-name)
  3. External ID: A unique secret string you generated for secure role assumption (recommended: 64+ character random string)

How-to

Configure the integration

  1. Navigate to Settings > Organization > Integrations > Services in Dashboard
  2. Locate the SIEM integration card and click Configure
  3. Enter the required information:
    • AWS Kinesis ARN: The full ARN of your Kinesis Data Stream
    • Role ARN: The IAM role ARN that Meter will assume to write to your stream
    • External ID: The secret string you generated and configured in the IAM role’s trust policy
  4. Click Save

Verify the integration

After saving, the SIEM card displays a status badge:
  • Active (green): Events are being successfully delivered
  • Unauthorized (red): Authentication failed - verify your credentials
  • Unknown (gray): Initial state before first event delivery

Test the integration

  1. Click Configuration on the SIEM card
  2. Click Send test event
  3. Verify the test event appears in your AWS Kinesis Console or SIEM platform
The test event will have type: "TYPE_TEST" for easy identification.

Configuration options

FieldRequiredDescriptionExample
AWS Kinesis ARNYesThe full ARN of your Kinesis Data Streamarn:aws:kinesis:us-east-1:123456789012:stream/meter-siem
Role ARNYesThe IAM role ARN that Meter will assumearn:aws:iam::123456789012:role/MeterSIEMRole
External IDYesSecret string for secure role assumption9167190a... (64+ chars)

Best practices

Monitoring

  • Check status regularly: Monitor the integration status badge in Dashboard to detect delivery failures quickly
  • Set up alerts: Configure CloudWatch alarms on your Kinesis stream’s IncomingRecords metric to alert if event flow stops
  • Test after changes: Always send a test event after modifying IAM policies, Kinesis stream configurations, or rotating credentials

Operational

  • Document your configuration: Keep a record of your AWS Kinesis ARN, Role ARN, and when the External ID was last rotated
  • Plan for downtime: If you need to delete and recreate the integration, events generated during the gap will not be backfilled
  • Validate downstream: After initial setup, verify events are reaching your SIEM platform and being parsed correctly

Troubleshooting

Integration status shows “Unauthorized”

Cause: Meter cannot assume the IAM role you specified. Solutions:
  • Verify the Role ARN is correct and the role exists in your AWS account
  • Check the IAM role’s trust policy allows Meter’s service role ARN to assume it
  • Confirm the External ID in Dashboard exactly matches the one in the IAM trust policy (no extra spaces or characters)
  • Ensure the IAM role has permissions to write to the Kinesis stream (see Terraform examples)

Test event succeeds but no events appear in my SIEM

Cause: Events are reaching Kinesis but not being consumed by your downstream system. Solutions:
  • Verify your Kinesis consumer (Lambda, Firehose, etc.) is running and has permissions to read from the stream
  • Check CloudWatch Logs for your consumer for parsing errors
  • Confirm your SIEM platform is configured to ingest from the correct Kinesis stream
  • Review the event schema in the technical overview to ensure your parser handles CloudEvents format

Integration status never updates from “Unknown”

Cause: No IDS events have been generated yet, or the integration was just created. Solutions:
  • Wait for network activity to trigger IDS detections (this can take minutes to hours depending on traffic)
  • Click Send test event to immediately trigger a status update
  • Verify your network has IDS features enabled (contact Meter support if unsure)

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support Last updated by Meter Support Engineering on 09/29/2025