Integration surface

It plugs into the
SIEM, the IdP, and
the posture stack
you already run.

Tether ships first-class adapters for the four security-stack surfaces a CISO cares about — SIEM, SCIM, posture export, and webhooks. Every adapter is in production today; every claim below points at a line on master.

Three SIEM adapters.
Same fan-out path.

Register a per-vendor config at POST /api/v1/siem-adapters and every event in the stream fans out automatically. Shared 5-attempt exponential-backoff retry. Adapters live next to webhook delivery for one operational surface.

Splunk HEC

Shipped
POST → <splunk-host>/services/collector/event
  • Native Splunk HTTP Event Collector. Token in your Splunk Cloud or on-prem instance — Tether holds it write-only.
  • Per-event JSON envelope with policyVersion, identity, agent, host, verdict, deterministic match, judge verdict.
  • Built-in retry (5 attempts, exponential backoff up to ~5.5 min) and delivery log.
siem-adapters.js:267-282

Microsoft Sentinel

Shipped
POST → Log Analytics Data Collector API (HMAC-signed)
  • SharedKey HMAC-SHA256 authentication against Log Analytics api-version=2016-04-01.
  • Workspace ID + key configured per-adapter. No app registration required.
  • Custom log type per event family so Sentinel rules can target Tether's stream directly.
siem-adapters.js:290-312

Syslog RFC 5424

Shipped
UDP datagram → <syslog-host>:514
  • UDP only in v1. Targets on-prem Splunk, rsyslog, or any RFC 5424-compatible collector.
  • Air-gap-clean: the syslog path has no internet dependency. Pair with on-prem Overwatch and local Ollama for a true air-gap configuration.
  • Same retry semantics as the other adapters.
siem-adapters.js:333-355

Outbound webhooks (HMAC-SHA256)

Shipped
POST → <your-receiver> · X-Tether-Signature: sha256=<hex>
  • HMAC of timestamp + "." + body. Constant-time comparison on your side.
  • Per-webhook filters on eventTypes and verdicts so receivers only see what they care about.
  • Secret is write-only at registration; redacted in list and show endpoints.
webhook-store.js:174-240

Operator seats from your IdP.
No manual user-management in Tether.

BoxyHQ Jackson handles SAML and OIDC. Directory-sync arrives via a signed webhook. Group membership maps to role; every event lands in the audit trail.

SSO via Jackson

Shipped
/api/v1/auth/sso/{start, callback, scim}
  • SAML 2.0 and OIDC supported through Jackson. Upload IdP metadata; SSO is live.
  • WorkOS provider implementation also available — Jackson is the default for self-hosted.
  • Bearer tokens issued per session; per-role scope (admin / operator / viewer).
auth-providers/jackson.js

SCIM directory sync

Shipped
Jackson dsync webhook · X-DSync-Signature HMAC-SHA256
  • Push-model via Jackson webhook (not a SCIM2 endpoint). HMAC of the body verified before applying.
  • Handles user.created, user.updated, user.deleted.
  • Group → role mapping: SCIM_GROUP_ADMIN / SCIM_GROUP_OPERATOR / SCIM_GROUP_VIEWER env vars.
  • Every provision, update, and deprovision emits an audit event.
jackson.js:205-291

Tether posture
plugs into the format your IdP reads.

Four export formats. No converter to write. Each format mirrors the receiver's existing schema so your Okta or Entra team does not have to translate.

Tether-native JSON

Shipped
GET /api/v1/devices/posture/export?format=tether
  • Per-host: OS, arch, MACs, proxy + workspace-daemon versions, config hash, last-applied policy version, compliance heuristic.
  • Filters: ?compliantOnly=true and ?since=<ISO>.
  • Read-only. Long-polled by your conditional-access broker or pulled on a schedule.
posture-export.js:79-101

Okta Device Trust

Shipped
GET /api/v1/devices/posture/export?format=okta
  • Attestation envelope shape Okta Device Trust ingests directly.
  • attestations.tether namespace carries Tether-specific signals (policy version applied, time-since-heartbeat, daemon liveness).
  • Drop into Okta's existing conditional-access rule set without a custom integration.
posture-export.js:111-135

Microsoft Graph managedDevice

Shipped
GET /api/v1/devices/posture/export?format=entra
  • Mirrors GET /deviceManagement/managedDevices from Microsoft Graph.
  • Tether posture lives under extensions.aiSecurityPosture — out of the way of existing Intune signals.
  • Entra Conditional Access reads it without a Graph schema change.
posture-export.js:145-172

CSV (RFC 4180)

Shipped
GET /api/v1/devices/posture/export?format=csv
  • Proper RFC 4180 quoting. No surprises when an analyst opens it in a spreadsheet.
  • For ad-hoc audits, compliance evidence packets, and incident-response timelines.
posture-export.js:177-212

Append-only policy audit.
Pull it on a schedule.

policy-audit.jsonl

GET /api/v1/policy/audit · file: $TETHER_DATA_DIR/policy-audit.jsonl
  • Append-only JSONL of every policy publish, revert, and adoption ACK. Actor, reason, before-hash, after-hash.
  • Reads against your SOC 2 CC8 change-management evidence requirement directly.
  • SQLite-backed durable stores are post-GA; today the file lives in TETHER_DATA_DIR (your GCS bucket or EFS file system).
PILOT.md

Stand up an adapter in an afternoon.

A platform engineer who knows Splunk or Sentinel registers the adapter in one call. We can pair on it during the pilot.

Book a 30-min walkthrough ↗