Event Hub is a new capability that streams real-time, structured security events from Red Sift products into the platforms security teams already use: SIEMs, SOARs, XDRs, ticketing tools, messaging platforms, and cloud storage.
It enables faster, more consistent response by pushing telemetry directly into the workflows where detection, triage, and remediation already happen. Whether it’s an unauthorized IP flagged in a DMARC report, a suspicious lookalike domain, or an unexpected certificate issue, Event Hub ensures Red Sift signals are delivered the moment they occur, without a UI login, polling, or delays.
Push-based delivery, structured for seamless integration
Event Hub uses a push-based architecture to stream events as they’re generated. Once configured, it delivers telemetry directly to your chosen destinations.
Event structures and schemas are based on the Open Cybersecurity Schema Framework (OCSF), providing a consistent format across Red Sift products, including OnDMARC, Brand Trust, and Certificates. This standardization reduces integration effort, simplifies automation, and supports interoperability across modern security ecosystems.
Supporting audit visibility from day one
The first release of Event Hub focuses on audit logs—streaming user and account activity from Red Sift products into your existing security and compliance tools. These events include actions such as user logins, domain additions, and configuration changes, along with associated metadata like IP addresses.
This visibility helps teams answer key questions such as:
- Who accessed the account and from where?
- Was that login consistent with expected behavior?
- When did a configuration change occur, and who made it?
Whether you’re monitoring for unusual activity, maintaining an audit trail for compliance, or storing logs for future investigations, Event Hub ensures these events are available in real time, without needing to manually extract data from the Red Sift UI.
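To show how a receiving system can answer those three questions from a batch of streamed audit events, here is an added example that is not part of the original post or of Red Sift's own code. The event shapes are constructed: the logon events follow the public OCSF Authentication class (class_uid 3002, epoch-millisecond `time`, `status_id` 1 = Success / 2 = Failure, `actor.user.name`, `src_endpoint.ip`), while the "Configuration Change" event and its `message` text are a placeholder shape, since the post does not show the exact schema Red Sift emits. The per-user baseline of expected source IPs is likewise an assumption supplied by the consumer, not something the feed provides.

```python
"""Triage constructed OCSF-style audit events as a SIEM/webhook consumer would.

Answers: who accessed the account and from where, was the login expected,
and when did a configuration change occur and who made it.
"""
from datetime import datetime, timezone

# Constructed sample events (not real Red Sift output). Logon events follow the
# OCSF Authentication class; the "Configuration Change" event is an assumed
# placeholder shape because the page does not state the exact schema.
SAMPLE_EVENTS = [
    {"class_uid": 3002, "class_name": "Authentication", "activity_name": "Logon",
     "time": 1_718_000_000_000, "status_id": 1,
     "actor": {"user": {"name": "alice"}}, "src_endpoint": {"ip": "203.0.113.10"}},
    {"class_uid": 3002, "class_name": "Authentication", "activity_name": "Logon",
     "time": 1_718_000_600_000, "status_id": 1,
     "actor": {"user": {"name": "alice"}}, "src_endpoint": {"ip": "198.51.100.77"}},
    {"class_name": "Configuration Change",  # assumed placeholder class name
     "time": 1_718_000_900_000, "status_id": 1,
     "actor": {"user": {"name": "alice"}}, "src_endpoint": {"ip": "198.51.100.77"},
     "message": "Domain example.com added to OnDMARC"},
    {"class_uid": 3002, "class_name": "Authentication", "activity_name": "Logon",
     "time": 1_718_001_200_000, "status_id": 2,
     "actor": {"user": {"name": "bob"}}, "src_endpoint": {"ip": "192.0.2.5"}},
]

# Assumed consumer-side baseline: source IPs each user is expected to log in from.
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.5"}}


def _ts(event):
    """OCSF `time` is epoch milliseconds; render it as ISO-8601 UTC."""
    return datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc).isoformat()


def _actor(event):
    return event.get("actor", {}).get("user", {}).get("name", "<unknown>")


def _src_ip(event):
    return event.get("src_endpoint", {}).get("ip", "<unknown>")


def triage_audit_events(events, baseline_ips):
    """Return a time-ordered list of findings from a batch of audit events.

    - failed_login: an Authentication event with status_id 2 (Failure)
    - unexpected_login: a successful logon from an IP outside the user's baseline
    - config_change: any placeholder "Configuration Change" event, with actor,
      source IP, timestamp and the change description
    """
    findings = []
    for ev in events:
        user, ip, when = _actor(ev), _src_ip(ev), _ts(ev)
        if ev.get("class_uid") == 3002:  # OCSF Authentication
            if ev.get("status_id") == 2:  # OCSF status_id 2 = Failure
                findings.append({"kind": "failed_login", "user": user, "ip": ip, "time": when})
            elif ip not in baseline_ips.get(user, set()):
                findings.append({"kind": "unexpected_login", "user": user, "ip": ip, "time": when})
        elif ev.get("class_name") == "Configuration Change":  # assumed placeholder
            findings.append({"kind": "config_change", "user": user, "ip": ip,
                             "time": when, "detail": ev.get("message", "")})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for finding in triage_audit_events(SAMPLE_EVENTS, BASELINE_IPS):
        print(finding)
```

Run over the constructed batch, the consumer flags alice's successful logon from an IP outside her baseline, records the configuration change she made moments later from that same IP, and records bob's failed logon. Chaining the unexpected logon to the change that followed it is exactly the correlation the audit feed is meant to make possible; in a real deployment the baseline would come from identity or network inventory rather than a hard-coded dictionary.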
Sometimes, seeing is believing. Check out our VP of Customer Engineering, Billy McDiarmid, walking through the setup of Event Hub and how audit events are displayed in your chosen platforms.
What systems can Event Hub stream to?
At launch, audit logs can be streamed to Splunk, Microsoft Sentinel, Slack, Amazon S3, and ServiceNow, with custom webhooks also supported.
- In Microsoft Sentinel, Red Sift telemetry becomes part of your centralized security analytics, helping correlate account activity with other identity, device, and cloud signals.
- In Splunk, audit logs can be stored, queried, and visualized alongside other infrastructure and application events, supporting investigations and compliance reporting.
What’s coming next: expanded signals and integrations
While audit logs are available today, Event Hub is built for more. Future releases will add support for real-time detection events, for example:
- When OnDMARC detects an unauthorized sending source, a SOAR playbook can trigger automated remediation using the Red Sift API
- Brand Trust alerts can be routed to XDR platforms for correlation and investigation
- Certificate telemetry can be logged to a SIEM for early warning of misconfigurations or expiring assets
- MSSPs can centralize multi-tenant logs into a shared security data lake
Additionally, upcoming integrations include:
- Cisco XDR
Now available for Red Sift customers
To enable Event Hub in your environment or learn more, contact your Red Sift account team.