XTD SIEM API Integration Guide

Overview

This section provides a guide to integrating the XTD SIEM endpoint API with your security infrastructure. It covers authentication, data ingestion, formatting requirements, use cases, and best practices to ensure smooth and secure API interaction.

The SIEM API provides a direct way to ingest XTD analytics information into a 3rd party infrastructure in a streaming fashion, getting access to all the relevant data in near real-time.

In addition, the API provides basic filtering of events to narrow the scope of the information retrieved from the API.

Ingest into 3rd Party SIEM Systems

In order to use the data retrieved from the SIEM API, you usually have to configure and/or write custom data processing modules using SIEM specific integration code. This could involve a simple HTTP retriever plugin or a custom, daemon like process to perform the pulling of the data and doing a subsequent push to the SIEM in question. This API provides the means to pull the data from the SIEM API but does not integrate directly into any SIEM vendor specific ingest system.

Data Retention

The API provides a 24 hour, rolling window view of the data available to the customer. This means, that at any given point, a request to the API has at most 24 hours of data available to it. A subsequent request will mean that the rolling window has moved, and the data at the back of that window will no longer be available.

The fact that the data is available in a rolling window manner means that any access to the data must take this into consideration. If a continuous set of data is required, the caller must ensure that data is polled at regular intervals.

API versions

2 API versions are provided:

• V2 provides regular data
• V3 provides detailed data

V2 API

Data Description

The data available in the response:

JSON response

{
  "status": "Ok",
  "pagination": {
    "last": "<cursor-value>"
  },
  "detections": [
    {
      "id": "<detection id>",
      "riskLevel": "HIGH",
      "spuid": "SP::acme-vuit",
      "detectedType": "OverlayDetected",
      "createdAt": "2024-05-21T16:33:16.504Z",
      "appId": "com.acme.application",
      "aiid": "726F93C5-EAB8-AEF8-293B-CD8BB388A81E",
      "os": "ANDROID",
      "model": "pixel 6",
      "geoip": {
        "city": "San Diego",
        "continentName": "North America",
        "countryCode": "US",
        "countryName": "United States",
        "regionCode": "US-CA",
        "lat": 32.7157,
        "lng": 117.1611
      },
      "ip": "127.0.0.0"
    }
  ]
}

Pagination

The JSON response will contain a pagination.last property if there are more records available at the backend. To retrieve them, this value must be used in a new request as a cursor query parameter:

GET /[v2|v3]/siem/detections?cursor=<cursor-value>
Accept: application/json
...
{
// Response body
}

Comma Separated Values (CSV)

id,riskLevel,detectedType,createdAt,appId,aiid,spuid,os,model,geoip,ip
<detection id>,HIGH,HookingDetected,2024-05-21T16:33:16.504Z,com.acme.application,726F93C5-EAB8-AEF8-293B-CD8BB388A81E,SP::acme-vuit,ANDROID,pixel 6,San Diego North America US United States 32.7157 117.1611" +

V3 API

Data Description

Main data available in the response:

deviceInformation data available in the response:

protectionInformation data available in the response:

detectionDetails data available in the response:

RootingDetails

VPNDetails

MITMDetectionDetailsV2

DNSConsensusInconsistencyDetectionDetails

PuddleReportDetails

CounterspyDetails

locationInformation data available in the response:

references data available in the response:

JSON response

{
  "status": "Ok",
  "pagination": {
    "last": "<cursor-value>"
  },
  "detections": [
    {
      "id": "YTk4NWQzNzItMGMxZS00MGQxLTllZGUtNjlmZWNjYTNiNWM4OjqLc7SP9qhP2akosvq3w60_CFitP-J4tRRmWMblZT6qtw",
      "riskLevel": "SUSPICIOUS",
      "detectedType": "RootingDetected",
      "createdAt": "2026-05-07T16:55:59.103Z",
      "appId": "com.verimatrix.arc.integrationtest.siem.detections",
      "aiid": "a985d372-0c1e-40d1-9ede-69fecca3b5c8",
      "spuid": "SP::abcde",
      "origin": "device",
      "protectionInformation": {
        "analyticsAgentVersion": "1.0.0-ARC",
        "applicationVersion": "1.0/1",
        "protectedBuildId": "ece094ff-01ed-49e1-b469-786fdf39fa5c"
      },
      "deviceInformation": {
        "os": "ANDROID",
        "osVersion": "11",
        "model": "aosp on flame",
        "manufacturer": "google",
        "architecture": "arm64-v8a",
        "kernelVersion": "4.14.212",
        "apiLevel": 30,
        "devicePatchLevel": "2021-06-05",
        "vendorPatchLevel": "2021-06-05",
        "memory": 5731123200,
        "systemTimezone": "America/New_York",
        "typeAllocationCode": "35293110",
        "developerModeEnabled": true
      },
      "locationInformation": {
        "ip": "72.239.229.0",
        "geoip": {
          "city": "Merritt Island",
          "continentName": "North America",
          "countryCode": "US",
          "countryName": "United States",
          "regionCode": "US-FL",
          "lat": 28.3888,
          "lng": -80.7301
        }
      },
      "detectionDetails": {
        "indicators": [
          "Files"
        ]
      },
      "references": {
        "management": "https://apis.protectmyapp.com/v3/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8/manage",
        "instance": "https://apis.protectmyapp.com/v2/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8",
        "detections": "https://apis.protectmyapp.com/v2/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8/detections",
        "detection": "https://apis.protectmyapp.com/v2/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8/detections/YTk4NWQzNzItMGMxZS00MGQxLTllZGUtNjlmZWNjYTNiNWM4OjqLc7SP9qhP2akosvq3w60_CFitP-J4tRRmWMblZT6qtw"
      }
    }
  ]
}

Comma Separated Values (CSV)

id,riskLevel,detectedType,createdAt,appId,aiid,spuid,origin,protectionInformation,deviceInformation,locationInformation,detectionDetails,references
<detection id>,LOW,DNSConsensusInconsistencyDetected,2026-05-08T14:56:55.734Z,com.verimatrix.arc.integrationtest.siem.detections,a985d372-0c1e-40d1-9ede-69fecca3b5c8,SP::abcde,device,1.0.0-ARC 1.0/1  ece094ff-01ed-49e1-b469-786fdf39fa5c,ANDROID 11 aosp on flame google arm64-v8a 4.14.212 30 2021-06-05 2021-06-05 5731123200 America/New_York 35293110 true   ,72.239.229.0 [object Object],www.microsoft.com SYSTEM 23.200.189.225 23.200.189.225,https://apis.protectmyapp.com/v3/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8/manage https://apis.protectmyapp.com/v2/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8 https://apis.protectmyapp.com/v2/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8/detections https://apis.protectmyapp.com/v2/air/a985d372-0c1e-40d1-9ede-69fecca3b5c8/detections/<detection id>" +

V2 / V3 API Pagination Header

To maintain a valid CSV format of the returned payload, CSV response will in addition contain a special header, x-pagination-last-event, that signals the pagination last event. This is the same as pagination.last property of the JSON response.

API Usage

Authentication

Authentication of the API endpoint is secured using API keys. These API keys can be generated in the portal, under Settings → API Key Manager.

The API keys are exchanged for a short-lived access token, which in turn is used when calling the XTD SIEM API.

More details on how to create and use API keys can be found at .

Using Access Tokens

Once an access token has been obtained, it is passed to the APIs using an ‘Authorization’ header, with the value being the access token in question.

GET /[v2|v3]/siem/detections
...
Authorization: <access token>

Basic Request

Basic requests are made to the SIEM API URL using a GET request. The request should be made to:

https://apis.protectmyapp.com/[v2|v3]/siem/detections

The accept header indicates which response format is requested

GET /[v2|v3]/siem/detections
Accept: application/json
...
{
// Response body
}

Filtering

The API provides filtering capabilities to reduce the response data returned to the caller. All parameters are currently passed to the API as query parameters (on the URL).

Filtering Example

The following example filters out the results to include only detections which have been deemed high risk.

GET /[v2|v3]/siem/detections?riskLevel=HIGH
Accept: application/json
...
{
// Response body
}

Data Polling

To ensure timely consumption of SIEM data, customer must call the SIEM API in a polling fashion.

In addition to polling the data regularly, with set to/from filtering, the API may at time return more data than can fit in the response (more than the limit specified or the max limit allowed by the API). In those cases, the API will return ‘pagination’ information, allowing the caller to retrieve all the data for that interval.

Data De-duplication

There is a chance that the data retrieval has overlaps in the data set returned and that some de-duplication may be necessary. The identifier of the detection can be used for this as it's a unique property of the detection.

Rate Limits

Rate limits exist on the API and will be enforced if significant amounts of requests are deemed to break those limits. The typical usage of the API however is a low-rate, long-running polls, which should not typically impact the overall rate limiting.

API Documentation

OpenAPI specifications for the APIs are available in the integration documentation bundle. The latest version of this can always be retrieved using an authenticated GET request to:

https://apis.protectmyapp.com/v2/openapi

The request should be made to the

GET /v2/openapi
...
{
// OpenAPI documentation
}