Cloud SIEM / Findings
One pane for SIEM events, secret scans, vuln scans, workload alerts.
▸ How it works
Anything security-relevant lands on `POST /v1/findings` with a `source` (cloudtrail, secret_scanner, vuln_scanner, workload, sds, waap), severity, title, target, and detail. Findings are deduped by fingerprint and grouped by source in the UI. Each finding can be acknowledged, assigned, or auto-linked to an incident.
▸ What this lets you do
- ✓ Unified inbox across Trivy, GitHub Secret Scanning, Falco, CloudTrail
- ✓ Severity-based filtering and assignee workflow
- ✓ Webhook delivery to PagerDuty / Slack on `critical` findings
- ✓ Trend graphs: open count, MTTR, severity mix over time
▸ Get it running
1. POST to `/v1/findings` from any scanner / SIEM agent
2. See the Integrations page for vendor-specific recipes (Trivy, Falco, CloudTrail, GitHub)
3. Open `Findings` to triage
▸ Code examples
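```bash
# Scan the current directory and write the report as JSON.
trivy fs --format json --output trivy.json .

# Emit one findings payload per vulnerability (one compact JSON object per line).
jq -c '.Results[]?.Vulnerabilities[]? | {
  source: "vuln_scanner",
  severity: (.Severity | ascii_downcase),
  title: (.VulnerabilityID + " in " + .PkgName),
  target: .PkgName,
  detail: (.Title // .Description // "")
}' trivy.json | while IFS= read -r body; do
  # --fail makes curl exit non-zero and report HTTP errors instead of ignoring them.
  curl -sS --fail -X POST https://funnel.example.com/v1/findings \
    -H "Authorization: Bearer st_YOUR_KEY" \
    -H "Content-Type: application/json" \
    -d "$body"
done
```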
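An added example, not one of the product's own recipes: the same kind of mapping for Falco alerts sent as `workload` findings, with the `source` value checked against the list above before the request is built. It assumes Falco's JSON output fields (`rule`, `priority`, `output`, `output_fields`, `hostname`) and a priority-to-severity mapping chosen here; the function names and sample alerts are constructed, and the host and key are the page's placeholders.

```python
import json
import urllib.request

# Source values this page lists for POST /v1/findings.
SOURCES = {"cloudtrail", "secret_scanner", "vuln_scanner", "workload", "sds", "waap"}
# Assumption: severities follow the lowercased Trivy levels; this mapping is illustrative.
FALCO_SEVERITY = {
    "emergency": "critical", "alert": "critical", "critical": "critical",
    "error": "high", "warning": "medium",
    "notice": "low", "informational": "low", "debug": "low",
}

def falco_to_finding(line):
    """Convert one Falco JSON alert line into a findings payload, or None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # skip non-JSON noise in the alert stream
    if not isinstance(event, dict) or not event.get("rule"):
        return None
    fields = event.get("output_fields") or {}
    return {
        "source": "workload",
        "severity": FALCO_SEVERITY.get(str(event.get("priority", "")).lower(), "unknown"),
        "title": event["rule"],
        "target": fields.get("container.name") or event.get("hostname") or "unknown",
        "detail": event.get("output", ""),
    }

def build_request(finding, base_url, api_key):
    if finding["source"] not in SOURCES:  # reject sources the page does not list
        raise ValueError("unsupported source: " + finding["source"])
    return urllib.request.Request(  # built here, sent by the caller with urlopen()
        base_url.rstrip("/") + "/v1/findings",
        data=json.dumps(finding).encode(),
        headers={"Authorization": "Bearer " + api_key, "Content-Type": "application/json"},
        method="POST",
    )

# Constructed sample alerts (not output from a real system).
SAMPLE = [
    '{"rule":"Terminal shell in container","priority":"Notice","output":"shell spawned (container=web-1)","output_fields":{"container.name":"web-1"}}',
    '{"rule":"Write below etc","priority":"Error","output":"file opened for writing under /etc","hostname":"node-a"}',
    'falco: not json',
]

if __name__ == "__main__":
    for f in filter(None, map(falco_to_finding, SAMPLE)):
        print(build_request(f, "https://funnel.example.com", "st_YOUR_KEY").full_url, f)
```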
Where to find it
/app/p/:org/:project/findings