It plugs into the
SIEM, the IdP, and
the posture stack
you already run.
Tether ships first-class adapters for the four security-stack surfaces a CISO cares about — SIEM, SCIM, posture export, and webhooks. Every adapter is in production today; every claim below points at a line on master.
Three SIEM adapters.
Same fan-out path.
Register a per-vendor config at POST /api/v1/siem-adapters and every event in the stream fans out automatically. Shared 5-attempt exponential-backoff retry. Adapters live next to webhook delivery for one operational surface.
Splunk HEC
Shipped- Native Splunk HTTP Event Collector. Token in your Splunk Cloud or on-prem instance — Tether holds it write-only.
- Per-event JSON envelope with
policyVersion, identity, agent, host, verdict, deterministic match, judge verdict. - Built-in retry (5 attempts, exponential backoff up to ~5.5 min) and delivery log.
Microsoft Sentinel
Shipped- SharedKey HMAC-SHA256 authentication against Log Analytics
api-version=2016-04-01. - Workspace ID + key configured per-adapter. No app registration required.
- Custom log type per event family so Sentinel rules can target Tether's stream directly.
Syslog RFC 5424
Shipped- UDP only in v1. Targets on-prem Splunk, rsyslog, or any RFC 5424-compatible collector.
- Air-gap-clean: the syslog path has no internet dependency. Pair with on-prem Overwatch and local Ollama for a true air-gap configuration.
- Same retry semantics as the other adapters.
Outbound webhooks (HMAC-SHA256)
Shipped- HMAC of
timestamp + "." + body. Constant-time comparison on your side. - Per-webhook filters on
eventTypesandverdictsso receivers only see what they care about. - Secret is write-only at registration; redacted in list and show endpoints.
Operator seats from your IdP.
No manual user-management in Tether.
BoxyHQ Jackson handles SAML and OIDC. Directory-sync arrives via a signed webhook. Group membership maps to role; every event lands in the audit trail.
SSO via Jackson
Shipped- SAML 2.0 and OIDC supported through Jackson. Upload IdP metadata; SSO is live.
- WorkOS provider implementation also available — Jackson is the default for self-hosted.
- Bearer tokens issued per session; per-role scope (admin / operator / viewer).
SCIM directory sync
Shipped- Push-model via Jackson webhook (not a SCIM2 endpoint). HMAC of the body verified before applying.
- Handles
user.created,user.updated,user.deleted. - Group → role mapping:
SCIM_GROUP_ADMIN/SCIM_GROUP_OPERATOR/SCIM_GROUP_VIEWERenv vars. - Every provision, update, and deprovision emits an audit event.
Tether posture
plugs into the format your IdP reads.
Four export formats. No converter to write. Each format mirrors the receiver's existing schema so your Okta or Entra team does not have to translate.
Tether-native JSON
Shipped- Per-host: OS, arch, MACs, proxy + workspace-daemon versions, config hash, last-applied policy version, compliance heuristic.
- Filters:
?compliantOnly=trueand?since=<ISO>. - Read-only. Long-polled by your conditional-access broker or pulled on a schedule.
Okta Device Trust
Shipped- Attestation envelope shape Okta Device Trust ingests directly.
attestations.tethernamespace carries Tether-specific signals (policy version applied, time-since-heartbeat, daemon liveness).- Drop into Okta's existing conditional-access rule set without a custom integration.
Microsoft Graph managedDevice
Shipped- Mirrors
GET /deviceManagement/managedDevicesfrom Microsoft Graph. - Tether posture lives under
extensions.aiSecurityPosture— out of the way of existing Intune signals. - Entra Conditional Access reads it without a Graph schema change.
CSV (RFC 4180)
Shipped- Proper RFC 4180 quoting. No surprises when an analyst opens it in a spreadsheet.
- For ad-hoc audits, compliance evidence packets, and incident-response timelines.
Append-only policy audit.
Pull it on a schedule.
policy-audit.jsonl
- Append-only JSONL of every policy publish, revert, and adoption ACK. Actor, reason, before-hash, after-hash.
- Reads against your SOC 2 CC8 change-management evidence requirement directly.
- SQLite-backed durable stores are post-GA; today the file lives in
TETHER_DATA_DIR(your GCS bucket or EFS file system).
Stand up an adapter in an afternoon.
A platform engineer who knows Splunk or Sentinel registers the adapter in one call. We can pair on it during the pilot.