
Overview

Meter’s SIEM integration enables real-time export of network security events from your Meter infrastructure to your organization’s security monitoring and analysis tools. This integration uses AWS Kinesis Data Streams to deliver intrusion detection system (IDS) events and DHCP events in CloudEvents format, allowing you to incorporate Meter network telemetry into your existing security operations workflow.

Use cases

  • Centralize security event monitoring across your entire technology stack in a single SIEM platform
  • Enable custom alerting and correlation rules based on network-level security events
  • Track DHCP assignments and client network activity for forensics and troubleshooting
  • Meet compliance requirements for security event logging and retention
  • Build custom analytics and dashboards for network security insights
  • Integrate Meter security detections with incident response automation

Prerequisites

  • AWS account with permissions to create and manage Kinesis streams and IAM roles
  • Meter Dashboard access with SIEM integration permissions
  • Basic understanding of AWS IAM cross-account role assumption
  • Familiarity with JSON data processing and CloudEvents specification

Event schema

Events are formatted according to the CloudEvents v1.0 specification with Meter-specific data payloads. Meter exports multiple event types including intrusion detection system (IDS) events and DHCP events.

CloudEvents envelope

{
  "specversion": "1.0",
  "id": "b79aa958-147d-58fd-9c5b-40f683ada52b",
  "source": "https://meter.com",
  "type": "com.meter.ids.detection",
  "subject": "0196b087-9ba3-aefe-5c83-96b6bbb3c976",
  "datacontenttype": "application/json",
  "time": "2025-05-08T15:33:19.46948Z",
  "data": { ... }
}

| Field | Description |
| --- | --- |
| specversion | CloudEvents specification version (always 1.0) |
| id | Unique event identifier |
| source | Event origin (always https://meter.com) |
| type | Event type identifier (e.g., com.meter.ids.detection, com.meter.dhcp) |
| subject | Network UUID that generated the event |
| datacontenttype | Content type of the data field (always application/json) |
| time | ISO 8601 timestamp when the event was observed |
| data | Event details (see below for event-specific schemas) |

Top-level event structure

All events follow this base structure:

| Field | Type | Description |
| --- | --- | --- |
| network_uuid | string | UUID of the network that generated the event |
| id | string | Unique event identifier |
| timestamp | timestamp | Event timestamp |
| event | oneof | Event payload (one of: ids_event, dhcp_event, test_event) |
| network_slug | string | Human-readable network identifier |

IDS event data structure

When the event payload is an ids_event (CloudEvents type com.meter.ids.detection), the data field contains detailed information about the security event:

{
  "src_ip": "192.168.1.100",
  "src_port": 54321,
  "dest_ip": "93.184.216.34",
  "dest_port": 443,
  "src_mac": "aa:bb:cc:dd:ee:ff",
  "dst_mac": "11:22:33:44:55:66",
  "flow_id": 1234567890,
  "app_proto": "tls",
  "protocol": "IANA_PROTOCOL_TCP",
  "direction": "DIRECTION_TO_SERVER",
  "type": "TYPE_OOB_PROTECT",
  "alert": {
    "action": "ACTION_ALLOWED",
    "gid": 1,
    "sid": 2024001,
    "rev": 3,
    "rule": "alert tcp any any -> any any (msg:\"ET MALWARE...\"; ...)",
    "signature": "ET MALWARE Suspicious TLS Certificate",
    "category": "A Network Trojan was detected",
    "severity": 1
  },
  "http": {
    "hostname": "example.com",
    "url": "/api/v1/data",
    "user_agent": "Mozilla/5.0...",
    "method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "content_type": "application/json",
    "length": 1024
  },
  "flow": {
    "pkts_toserver": 15,
    "pkts_toclient": 12,
    "bytes_toserver": 4096,
    "bytes_toclient": 8192,
    "start": "2025-05-08T15:33:10.123Z",
    "end": "2025-05-08T15:33:19.456Z",
    "reason": "timeout"
  }
}

IDS event field reference

| Field | Type | Description |
| --- | --- | --- |
| src_ip | string | Source IP address of the flow |
| src_port | uint32 | Source port number |
| dest_ip | string | Destination IP address |
| dest_port | uint32 | Destination port number |
| src_mac | string | Source MAC address |
| dst_mac | string | Destination MAC address |
| flow_id | uint64 | Unique identifier for the network flow |
| app_proto | string | Application layer protocol (e.g., http, tls, dns) |
| protocol | enum | Transport protocol: IANA_PROTOCOL_UNSPECIFIED (0), IANA_PROTOCOL_ICMP (1), IANA_PROTOCOL_TCP (6), IANA_PROTOCOL_UDP (17), IANA_PROTOCOL_ESP (50), IANA_PROTOCOL_AH (51), IANA_PROTOCOL_ANY (256) |
| direction | enum | Flow direction: DIRECTION_UNSPECIFIED (0), DIRECTION_TO_CLIENT (1), DIRECTION_TO_SERVER (2) |
| type | enum | Detection type: TYPE_UNSPECIFIED (0), TYPE_DETECT (1) - passive detection, TYPE_OOB_PROTECT (2) - out-of-band firewall, TYPE_IB_PROTECT (3) - inline IPS |
| alert | object | Alert details (see Alert object below) |
| http | object | HTTP-specific metadata when applicable (see HTTP object below) |
| flow | object | Network flow statistics (see Flow object below) |

Alert object

| Field | Type | Description |
| --- | --- | --- |
| action | enum | Action taken: ACTION_UNSPECIFIED (0), ACTION_ALLOWED (1), ACTION_BLOCKED (2) |
| category | string | Alert category description |
| gid | uint32 | Generator ID from the rule |
| sid | uint32 | Signature ID from the rule |
| rev | uint32 | Rule revision number |
| rule | string | Full rule definition that triggered the alert |
| severity | uint32 | Severity level (1=high, 2=medium, 3=low) |
| signature | string | Human-readable alert signature |

HTTP object (when applicable)

| Field | Type | Description |
| --- | --- | --- |
| hostname | string | HTTP Host header value |
| url | string | Request URL path |
| user_agent | string | User-Agent header |
| content_type | string | Content-Type header |
| method | string | HTTP method (GET, POST, etc.) |
| protocol | string | HTTP protocol version |
| status | uint32 | HTTP response status code |
| length | uint64 | Content length in bytes |

Flow object

| Field | Type | Description |
| --- | --- | --- |
| pkts_toserver | uint64 | Packet count to server |
| pkts_toclient | uint64 | Packet count to client |
| bytes_toserver | uint64 | Byte count to server |
| bytes_toclient | uint64 | Byte count to client |
| start | timestamp | Flow start timestamp |
| end | timestamp | Flow end timestamp |
| reason | string | Flow termination reason |

DHCP event data structure

When the event payload is a dhcp_event (CloudEvents type com.meter.dhcp), the data field contains DHCP transaction information:

{
  "packet_type": "PACKET_ACK",
  "tid": 12345678,
  "client_mac": "aa:bb:cc:dd:ee:ff",
  "client_ip": "192.168.1.100",
  "relay_ip": "192.168.1.1",
  "vlan_id": 10
}

DHCP event field reference

| Field | Type | Description |
| --- | --- | --- |
| packet_type | enum | DHCP packet type: PACKET_UNSPECIFIED (0), PACKET_DISCOVER (1), PACKET_OFFER (2), PACKET_REQUEST (3), PACKET_DECLINE (4), PACKET_ACK (5), PACKET_NACK (6), PACKET_RELEASE (7), PACKET_INFORM (8) |
| tid | uint32 | DHCP transaction ID |
| client_mac | string | MAC address of the DHCP client |
| client_ip | string | IP address assigned to or requested by the client |
| relay_ip | string | IP address of the DHCP relay agent (if applicable) |
| vlan_id | int32 | VLAN ID associated with the DHCP transaction |
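The envelope and the two payload schemas above, consumed end to end, as an added example that is not Meter's code: a Lambda-style handler that decodes a Kinesis batch, validates the CloudEvents envelope (required fields, specversion, source, timestamp), dispatches on type to an IDS or DHCP normaliser, and reports malformed or unrecognised records instead of failing the whole batch. The batch shape (Records[].kinesis.data, base64) is the standard AWS Lambda Kinesis event; the envelope values are copied from this page's example, while the sample payloads, the normalised field names and the needs_triage rule are constructed for illustration. One practical detail: the page's example time carries five fractional digits, which datetime.fromisoformat rejects on older Python versions, so the parser pads the fraction to six digits before parsing.

```python
"""Normalise Meter SIEM events from a Kinesis batch (added example, not Meter's code).
Field names follow this page's schema tables; the batch shape is the standard AWS
Lambda Kinesis event (Records[].kinesis.data, base64); sample payloads are constructed."""
import base64
import json
from datetime import datetime, timezone

EXPECTED_SPECVERSION = "1.0"
EXPECTED_SOURCE = "https://meter.com"
IDS_TYPE = "com.meter.ids.detection"
DHCP_TYPE = "com.meter.dhcp"
SEVERITY_NAMES = {1: "high", 2: "medium", 3: "low"}  # per the Alert object table

class EnvelopeError(ValueError):
    """Record is not a well-formed Meter CloudEvent."""

def parse_time(ts):
    """Parse the envelope 'time'; fromisoformat wants exactly 6 fractional digits."""
    main, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{main}.{(frac + '000000')[:6]}").replace(tzinfo=timezone.utc)

def validate_envelope(evt):
    """Reject anything that does not match the documented CloudEvents envelope."""
    required = ("specversion", "id", "source", "type", "subject", "time", "data")
    missing = [k for k in required if k not in evt]
    if missing:
        raise EnvelopeError(f"missing envelope fields: {missing}")
    if (evt["specversion"], evt["source"]) != (EXPECTED_SPECVERSION, EXPECTED_SOURCE):
        raise EnvelopeError("not a Meter CloudEvents 1.0 record")
    parse_time(evt["time"])

def normalize_ids(evt):
    """Flatten an IDS detection into the fields a correlation rule keys on."""
    d, alert = evt["data"], evt["data"].get("alert", {})
    severity, action = alert.get("severity"), alert.get("action", "ACTION_UNSPECIFIED")
    return {
        "kind": "ids", "event_id": evt["id"], "network_uuid": evt["subject"],
        "observed_at": parse_time(evt["time"]).isoformat(),
        "src": f"{d.get('src_ip')}:{d.get('src_port')}",
        "dest": f"{d.get('dest_ip')}:{d.get('dest_port')}",
        "rule_id": f"{alert.get('gid')}:{alert.get('sid')}:{alert.get('rev')}",
        "signature": alert.get("signature"),
        "severity": SEVERITY_NAMES.get(severity, "unknown"), "action": action,
        # Constructed triage rule: high-severity traffic that was observed but not
        # blocked (passive TYPE_DETECT never blocks) is what an analyst sees first.
        "needs_triage": severity == 1 and action != "ACTION_BLOCKED",
    }

def normalize_dhcp(evt):
    """Turn a DHCP event into a MAC/IP binding record for forensic lookups."""
    d = evt["data"]
    return {
        "kind": "dhcp", "event_id": evt["id"], "network_uuid": evt["subject"],
        "observed_at": parse_time(evt["time"]).isoformat(),
        "packet_type": d.get("packet_type"), "client_mac": d.get("client_mac"),
        "client_ip": d.get("client_ip"), "vlan_id": d.get("vlan_id"),
        # Only an ACK confirms the lease; DISCOVER/OFFER/REQUEST do not.
        "lease_confirmed": d.get("packet_type") == "PACKET_ACK",
    }

HANDLERS = {IDS_TYPE: normalize_ids, DHCP_TYPE: normalize_dhcp}

def process_kinesis_batch(lambda_event):
    """Decode a Kinesis batch; malformed or unknown records are reported, not fatal."""
    out = {"records": [], "skipped": []}
    for rec in lambda_event.get("Records", []):
        seq = rec.get("kinesis", {}).get("sequenceNumber", "?")
        try:
            evt = json.loads(base64.b64decode(rec["kinesis"]["data"]))
            validate_envelope(evt)
            handler = HANDLERS.get(evt["type"])
            if handler is None:
                raise EnvelopeError(f"unhandled event type {evt['type']!r}")
            out["records"].append(handler(evt))
        except (KeyError, TypeError, AttributeError, ValueError) as exc:
            out["skipped"].append({"sequenceNumber": seq, "reason": str(exc)})
    return out

def _record(seq, payload):
    """Wrap a constructed event the way Lambda hands Kinesis records to a function."""
    raw = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"kinesis": {"sequenceNumber": seq, "data": raw}}

# Envelope values are this page's example; the payloads below are constructed.
ENVELOPE = {"specversion": "1.0", "id": "b79aa958-147d-58fd-9c5b-40f683ada52b",
            "source": EXPECTED_SOURCE, "subject": "0196b087-9ba3-aefe-5c83-96b6bbb3c976",
            "datacontenttype": "application/json", "time": "2025-05-08T15:33:19.46948Z"}
SAMPLE_BATCH = {"Records": [
    _record("1", {**ENVELOPE, "type": IDS_TYPE, "data": {
        "src_ip": "192.168.1.100", "src_port": 54321, "dest_ip": "93.184.216.34", "dest_port": 443,
        "alert": {"action": "ACTION_ALLOWED", "gid": 1, "sid": 2024001, "rev": 3, "severity": 1,
                  "signature": "ET MALWARE Suspicious TLS Certificate"}}}),
    _record("2", {**ENVELOPE, "type": DHCP_TYPE, "data": {"packet_type": "PACKET_ACK",
        "client_mac": "aa:bb:cc:dd:ee:ff", "client_ip": "192.168.1.100", "vlan_id": 10}}),
    _record("3", {"specversion": "0.3", "id": "bad"}),  # fails envelope validation
]}

if __name__ == "__main__":
    print(json.dumps(process_kinesis_batch(SAMPLE_BATCH), indent=2))
```

Running the module prints the normalised batch: two records and one skipped entry with its sequence number and reason. Records whose type is neither of the two documented above also land in skipped rather than being dropped silently, so a new or unexpected event type shows up in the consumer's own telemetry instead of disappearing.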

Best practices

Performance optimization

  • Kinesis shard capacity: Ensure your Kinesis stream has adequate shard capacity. Each shard accepts up to 1 MB/sec or 1,000 records/sec of writes, whichever limit is reached first. Monitor the IncomingBytes and IncomingRecords CloudWatch metrics.
  • Consumer scaling: If processing events with AWS Lambda or other consumers, ensure they can handle the event rate during peak traffic periods.
  • Data retention: Configure appropriate retention periods on your Kinesis stream (default 24 hours, maximum 365 days).

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support

Last updated by Meter Support Engineering on 09/29/2025