Verify SIEM event publishing

Use this when a customer asks whether Jericho is publishing simulation, training, or campaign events to their SIEM.

You need:

  • Customer organization.
  • SIEM destination type, such as Splunk webhook.
  • Event type they expected to receive.
  • Approximate timestamp.

  1. Open ActiveAdmin.
  2. Find the customer organization.
  3. Check whether SIEM/webhook integration status is visible.
  4. Record visible configuration state only. Do not expose secrets.

ActiveAdmin organization detail page for a synthetic tenant; use this to confirm tenant identity before escalating SIEM delivery questions.

  1. Ask the customer for the destination-side evidence:
    • Missing event type.
    • Expected timestamp.
    • Error from their SIEM, if any.
  2. If there is no ActiveAdmin visibility, say so plainly and escalate with the customer-provided details.

You can determine whether support has enough browser-visible evidence to answer, or whether engineering must verify delivery.

Escalate to engineering when:

  • Webhook credentials are involved.
  • Delivery attempts or failures are not visible in ActiveAdmin.
  • The customer needs event payload examples not already in public docs.