Overview
Ocean’s SIEM/SOAR integration forwards email security events from your tenant to an external destination. Events are delivered as structured JSON over HTTPS, near real time, so you can power SIEM dashboards, alerting, and SOC investigation workflows alongside the rest of your telemetry.
You configure destinations in the Ocean Portal. Each destination subscribes to one or more event scopes, runs on a per-destination schedule, and reports its delivery health back to the Portal.
What gets forwarded
When you set up a destination, you choose which events to forward. Pick only what your SOC needs:
| Event | What you get |
|---|
| Inbound Protection — malicious cases | Inbound emails Ocean classified as malicious. |
| Inbound Protection — spam cases | Inbound emails Ocean classified as spam. |
| AI Response — report phishing | User-reported phishing emails after Ocean’s AI Response has triaged them. |
| AI Response — quarantine release | Quarantine release decisions — released, denied, or reviewed. |
| Audit Logs | User and admin actions in the Ocean Portal and API — logins, email access, searches, verdict changes, settings and integration changes, and more. |
Delivery
- Events are forwarded near real time in small batches.
- A failed batch is retried automatically; Ocean only advances once the destination confirms receipt, so no events are dropped.
- If your SIEM is unreachable for a while, Ocean catches up automatically once it’s back.
- Each destination is independent — an issue with one does not affect the others.
Event payload reference
All timestamps are in UTC (ISO 8601). Optional fields are omitted when they don’t apply — they aren’t sent as null or empty strings, so your parsers can rely on the field’s presence as a signal.
inbound_protection
Emitted when Ocean finishes processing an inbound message.
{
"event_type": "inbound_protection",
"message": {
"id": "AAMkAGI2...",
"internet_message_id": "<CAJ8...@mail.gmail.com>"
},
"sender": {
"address": "alice@example.com",
"name": "Alice Example"
},
"recipient": {
"address": "user@your-org.com",
"name": "User Name",
"user_id": "u-1234"
},
"subject": "URGENT: Wire transfer",
"received_at": "2026-05-21T14:20:00.000000000Z",
"processed_at": "2026-05-21T14:20:03.421000000Z",
"verdict": "malicious",
"is_remediated": true,
"remediation_action": "quarantine",
"attack_type": "Phishing for Credential Theft",
"addressed_to": {
"to": ["user@your-org.com", "user2@your-org.com"],
"cc": ["cc@your-org.com"]
},
"has_attachments": true
}
| Field | Type | Required | Description |
|---|
event_type | string | yes | Always inbound_protection. |
message.id | string | yes | Provider message ID (Microsoft Graph or Gmail ID). |
message.internet_message_id | string | yes | RFC 5322 Message-Id header value. |
sender.address | string | yes | Envelope sender address. |
sender.name | string | optional | Display name, if present in the message. |
recipient.address | string | yes | Primary recipient address (the mailbox Ocean processed). |
recipient.name | string | optional | Display name. |
recipient.user_id | string | optional | Internal user ID for the recipient mailbox. |
subject | string | yes | Email subject. |
received_at | string | yes | When the message arrived in the mailbox. |
processed_at | string | yes | When Ocean finished analysis. |
verdict | string | yes | Final Ocean verdict (e.g. malicious, spam). |
is_remediated | bool | yes | true when Ocean took a remediation action on the message. |
remediation_action | string | optional | The action taken — one of trash, spam, quarantine. Omitted when no action was taken. |
attack_type | string | optional | Threat category Ocean assigned — e.g. Phishing for Credential Theft, Business Email Compromise, Domain Impersonation. Omitted when not applicable. |
addressed_to.to | string[] | optional | All To: recipients on the original message. |
addressed_to.cc | string[] | optional | All Cc: recipients. |
addressed_to.bcc | string[] | optional | All Bcc: recipients visible to Ocean. |
has_attachments | bool | yes | Whether the email has one or more attachments. |
Use is_remediated to drive dashboards and alerting — it is always present, while remediation_action is only sent when a concrete action was taken.
report_phishing
Emitted when Ocean’s AI Response processes a user-reported phishing email.
{
"event_type": "report_phishing",
"report": {
"id": "rp-abc123",
"received_at": "2026-05-21T14:21:00.000000000Z",
"reporting_method": "AdaptiveDetector",
"received_via_mailbox": "abuse@your-org.com"
},
"reporter": {
"address": "user@your-org.com",
"name": "Reporting User"
},
"original_email": {
"message_id": "AAMkAGI2...",
"internet_message_id": "<CAJ8...@mail.gmail.com>",
"sender_address": "phisher@malicious.example",
"sender_name": "IT Helpdesk",
"subject": "Action required: password reset",
"received_at": "2026-05-21T13:55:00.000000000Z",
"to": ["user@your-org.com"],
"cc": [],
"bcc": []
},
"analysis": {
"verdict": "malicious",
"analysis_reasoning": "Sender domain spoof of internal IT; credential harvest link."
},
"action": {
"sent": true,
"sent_at": "2026-05-21T14:21:45.000000000Z",
"sent_to": ["user@your-org.com"],
"auto_triage_triggered": true
}
}
| Field | Type | Required | Description |
|---|
event_type | string | yes | Always report_phishing. |
report.id | string | yes | Ocean-internal report ID. |
report.received_at | string | yes | When the report was received by Ocean. |
report.reporting_method | string | optional | How the report was detected — one of MicrosoftNativeDetector, AdaptiveDetector, KnowBe4Detector, CofenseDetector. |
report.received_via_mailbox | string | optional | Mailbox the report arrived in, when applicable. |
reporter.address | string | yes | Address of the user who reported. |
reporter.name | string | optional | Display name. |
original_email.message_id | string | yes | Provider message ID of the reported email. |
original_email.internet_message_id | string | optional | RFC 5322 Message-Id header. |
original_email.sender_address | string | yes | Sender of the reported email. |
original_email.sender_name | string | optional | Display name. |
original_email.subject | string | yes | Subject of the reported email. |
original_email.received_at | string | yes | When the original email was received. |
original_email.to / .cc / .bcc | string[] | optional | Recipient lists from the reported email. |
analysis.verdict | string | yes | Ocean’s analysis verdict (malicious, safe, unknown, etc.). |
analysis.analysis_reasoning | string | optional | Short reasoning for the verdict. |
action.sent | bool | yes | Whether Ocean sent an automated reply to the reporter. |
action.sent_at | string | optional | When the reply was sent. |
action.sent_to | string[] | optional | Recipients of the reply. |
action.auto_triage_triggered | bool | yes | Whether auto-triage logic ran for this report. |
quarantine_release
Emitted when a quarantine release request is processed (released, denied, or reviewed).
{
"event_type": "quarantine_release",
"quarantine": {
"id": "q-456",
"source": "Microsoft",
"created_at": "2026-05-21T13:00:00.000000000Z"
},
"email": {
"message_id": "AAMkAGI2...",
"sender_address": "marketing@example.com",
"subject": "Newsletter",
"received_at": "2026-05-21T12:50:00.000000000Z",
"recipients": ["user@your-org.com"]
},
"analysis": {
"verdict": "safe",
"analysis_reasoning": "Legitimate marketing sender; bulk newsletter.",
"completed_at": "2026-05-21T13:00:30.000000000Z"
},
"action": {
"released": true,
"released_at": "2026-05-21T13:05:00.000000000Z",
"released_to": ["user@your-org.com"],
"reply_sent": true,
"quarantined_users": ["user@your-org.com"]
},
"review_details": {
"reviewer_type": "admin",
"decision": "release",
"reviewer_verdict": "safe",
"reviewer_id": "admin-1",
"reviewer_name": "Security Admin",
"completed_at": "2026-05-21T13:04:50.000000000Z"
}
}
| Field | Type | Required | Description |
|---|
event_type | string | yes | Always quarantine_release. |
quarantine.id | string | yes | Ocean’s quarantine record ID. |
quarantine.source | string | yes | Where the quarantine originated (e.g. Microsoft). |
quarantine.created_at | string | yes | When the quarantine record was created. |
email.message_id | string | yes | Provider message ID of the quarantined email. |
email.sender_address | string | yes | Sender of the quarantined email. |
email.subject | string | yes | Subject. |
email.received_at | string | yes | When the email was originally received. |
email.recipients | string[] | optional | Recipients of the quarantined email. |
analysis.verdict | string | yes | Ocean’s analysis verdict. |
analysis.analysis_reasoning | string | optional | Reasoning for the verdict. |
analysis.completed_at | string | optional | When analysis finished. |
action.released | bool | yes | Whether the email was released from quarantine. |
action.released_at | string | optional | When release happened. Only present if released is true. |
action.released_to | string[] | optional | Recipients the email was released to. Only present if released is true. |
action.reply_sent | bool | yes | Whether a reply was sent to the requesting user. |
action.quarantined_users | string[] | yes | Users whose quarantine the email was in. |
review_details | object | optional | Present when a human reviewer acted on the request. |
review_details.reviewer_type | string | optional | Type of reviewer (e.g. admin, analyst). |
review_details.decision | string | optional | Reviewer’s decision. |
review_details.reviewer_verdict | string | optional | Reviewer’s verdict. |
review_details.reviewer_id | string | optional | Reviewer ID. |
review_details.reviewer_name | string | optional | Reviewer display name. |
review_details.completed_at | string | optional | When the review finished. |
error | string | optional | Error message if the release request failed. |
audit_log
Emitted when a user or admin performs an audited action in the Ocean Portal or API — for compliance, access review, and security monitoring.
{
"event_type": "audit_log",
"event_id": "8abf8590-3021-4b68-986b-36ded685785d",
"created_at": "2026-06-02T14:48:11.233015Z",
"user_email": "analyst@your-org.com",
"user_roles": ["Admin"],
"action_category": "verdict",
"action_type": "change_verdict",
"resource_type": "email",
"resource_id": "<CAJ8...@mail.gmail.com>",
"resource_before": {
"internetMessageId": "<CAJ8...@mail.gmail.com>",
"oldVerdict": "spam"
},
"resource_after": {
"internetMessageId": "<CAJ8...@mail.gmail.com>",
"newVerdict": "safe"
},
"source": "Decision Center",
"ip_address": "203.0.113.7"
}
| Field | Type | Required | Description |
|---|
event_type | string | yes | Always audit_log. |
event_id | string | yes | Unique ID for this audit entry. |
created_at | string | yes | When the action occurred. |
user_email | string | yes | Email of the user who performed the action. |
user_roles | string[] | yes | The user’s roles at the time of the action — one or more of Admin, Analyst, AnalystReadOnly. Always present — an empty array when the user has no roles. |
action_category | string | yes | High-level category of the action — one of authentication, email_access, search, verdict, settings, security. |
action_type | string | yes | The specific action — e.g. login, logout, view_email_content, view_email_attachment, download_email, search_query, change_verdict, bulk_verdict_change, change_settings, api_key_created, api_key_revoked, unauthorized_access_attempt. |
resource_type | string | optional | Type of resource the action affected — one of email, user, remediation, graymail, ai_phishing, ai_response, quarantine, api_key, integration, allow_deny_list. Omitted when not applicable. |
resource_id | string | optional | ID of the affected resource. Omitted when not applicable. |
resource_before | object | optional | Structured snapshot of the resource before the change. Omitted when not applicable. |
resource_after | object | optional | Structured snapshot of the resource after the change. Omitted when not applicable. |
details | object | optional | Additional structured context about the action. Omitted when empty. |
source | string | yes | The Portal area the action originated from — one of Authentication, Settings, Threats, Decision Center, Integrations, Phishing Reports, Quarantine Release Requests, API. |
ip_address | string | yes | Client IP address the action came from. |
resource_before, resource_after, and details are nested JSON objects (not escaped strings), and their keys are emitted as-is by the originating service — often camelCase, unlike the snake_case top-level fields. Their shape varies by action_type, so treat them as free-form context rather than a fixed schema. For example:
change_verdict → resource_before: { "internetMessageId": "<…>", "oldVerdict": "spam" }, resource_after: { "internetMessageId": "<…>", "newVerdict": "safe" }login → details: { "method": "otp" }search_query → details: { "search_query": { "PageSize": 20, "Start": "2026-05-21T21:00:00Z" } }
Set up a destination
To start forwarding, configure a destination in the Ocean Portal:
Open the Integrations page
In the Ocean Portal, navigate to Integrations and find the SIEM section.
Pick a vendor
Click Connect on the relevant vendor card to open the configuration drawer.
Configure the destination
Save
Save the destination to start forwarding. The first events arrive within a few minutes.
Monitoring & troubleshooting
Each destination shows a health indicator on the SIEM page:
| Indicator | Meaning |
|---|
| All recent runs healthy | Most recent exports succeeded. |
| Latest run failed | The last export attempt failed — see the error category for guidance. |
| Awaiting first run | The destination was just created; the first export has not run yet. |
| Status unavailable | Ocean does not have recent run data for this destination. |
| Category | What it means | What to do |
|---|
| Authentication failed | The credentials are invalid or expired. | Re-issue the HEC token (Splunk) or the source URL (Sumo Logic) and update the destination. |
| Permission denied | The destination rejected the request because the credentials lack required permissions. | Check the HEC token scopes / source permissions. |
| Endpoint unreachable | Ocean could not reach the destination URL. | Confirm the URL is correct and reachable from the public internet. |
| Rate limited | The destination is throttling requests. | No action required — Ocean retries automatically. |
| Invalid request | The destination rejected the event format. | Contact Ocean support. |
Allowlisting Ocean’s egress IPs
All production outbound traffic to your destination comes from a small set of stable, reserved IP addresses. If your SIEM receiver sits behind a firewall, IP allowlist, or network ACL, add these addresses so Ocean can reach it:
| Egress IP |
|---|
34.173.28.0 |
34.10.169.199 |
34.30.170.32 |
34.27.172.202 |
If a destination shows Endpoint unreachable, confirm these egress IPs are allowed on your receiver’s firewall in addition to checking the URL.
Security
- Secrets (HEC tokens, Sumo source URLs) are stored encrypted and are never displayed once saved.
- All traffic to your destination uses TLS.
