Getting Started
- Overview & Company
  - About Identity and Access Management
  - About Evo Security
- Initial Setup & Requirements
  - Evo Prerequisites & Supported Operating Systems
  - Getting Started: MSP Onboarding Guide
  - Evo Authenticator Mobile App 5.1.x (iOS and Android)
  - Evo Supported Authentication Methods
Product Release Notes
- Product Release Notes
  - Product Release Notes
Directory Integrations
- Environments
  - What type of Directory do I need?
  - Directory Integration: Entra ID (formerly Azure Active Directory)
  - Set up Evo on Active Directory (LDAP)
  - Sync with Google Workspace
  - Evo Cloud: Directory-As-A-Service Setup and Installation
  - Unsupported - Microsoft Azure Virtual Desktop
Deployment & Configuration
- Scripts & Automation
  - Deploy & Uninstall Evo Agent via PowerShell
  - Deploying the Evo Agent using ConnectWise RMM
- Branding & Customization
  - How do I update the Logos to match my company brand? (Web Page and Agent)
Product Information
- MFA
  - Getting Started: Multi-Factor Authentication
  - Setting up Microsoft Authenticator for MFA
  - Email Campaigns for Onboarding Users
- SSO/ SAML
  - What SAML integrations are available?
  - Passwordless Login
  - How do I add a rule for single sign-on (SSO) expiration
  - Identity Provider (IdP) Login
  - Connect Web Apps via SAML with Evo: Version 3
  - Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain
  - Azure AD - Federating Microsoft 365 domain
  - WS-Federation integration for Office 365 login
  - Setting up SAML with Salesforce
  - Setting up SAML with Dropbox
  - Setting up SAML with Liongard
  - Setting up SAML with Auvik
  - Setting up SAML with Domotz
  - Integrating Evo with IT Glue
- Tech Elevation
  - Getting Started: Technician Elevation
  - Technician Elevation: Extended User Access Control session
  - Technician Elevation: Just-in-Time Accounts
  - Local Admin Accounts
  - Web Accounts
- End User Elevation
  - Getting Started: End User Elevation
  - Usage Guide: End User Elevation
  - End User Elevation: Custom Branding
- Help Desk Verification
  - Getting Started: Help Desk Verification
  - Help Desk Verification with Microsoft Authenticator and Evo Secure Login
- Agents
  - Windows Agent Deployment
  - LDAP Agent Settings Editor
  - macOS Agent Deployment
  - How do I update Evo software?
  - How to protect Remote Desktop using Evo Security (RDP Support)
- RADIUS
  - Getting Started: RADIUS Server
  - RADIUS - Secure RADIUS Servers with TLS/radsecproxy (CVE-2024-3596)
Evo Portal
- Navigation & Managment
  - Welcome to the Evo Portal!
  - Policies Page
  - Deployment Tokens
  - Access Tokens
  - Keys (Hardware Keys) Page
  - Role-Based Permissions / List of Roles
- User & Directory Management
  - How do I manage my user licenses? (Billing and Administration)
  - Self Service Password Reset (SSPR)
Integrations
- PSA & Password Sync Integrations
  - Evo Password Integration with ITGlue
  - Integrating Evo with Halo PSA
  - Evo Password Integration with Hudu
  - Evo Integration with Autotask
  - Evo Integration with ConnectWise
- Microsoft EAM Integration
  - Microsoft EAM integration
- SIEM
  - Beta: SIEM Integration
User Onboarding & Guidance
- MFA & Access Behavior
  - How does the "MFA Status" toggle work?
  - MFA Grace Period
  - Temporary Authentication Lockout
- Account Management
  - How do I reset my Evo password?
  - How do I see authentication activity?
  - How do I convert user types?
  - How do I manage my users / users devices?
- End User Documentation
  - How do I register my device?
  - Evo Authenticator watch app
  - Using Evo Secure Login (End User)
  - Using Evo Security (End User) - Azure AD
  - Using Evo Security (End User) - Active Directory
Troubleshooting & FAQs
- Directories Troubleshooting
  - Troubleshoot issues with the Evo LDAP Agent
  - On-prem AD Virtual Machine hosted on Azure (timeout settings)
- Secure Login Troubleshooting
  - Error: Login Denied due to Temporary Lockout
  - Error Message: the account is disabled or not found
  - How to Fix Secure Login Always Requests Offline Code
  - How to use Offline code to login to Windows machine without Internet
  - Evo Secure Login for Windows / Troubleshooting Secure Login
- Elevated Access Troubleshooting
  - Error: The user has not been granted the requested logon type at this computer
  - How to Troubleshoot Elevated Access / Domain Accounts
- Mobile App Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
- End User Troubleshooting
  - User cannot login after changing email
Support & Resources
- Support & Resources
  - Support & Feature Requests
  - Common Support Issues
More

Beta: SIEM Integration

Last updated on May 20, 2026

Overview

The SIEM Integration feature allows Evo to forward tenant audit events to an external SIEM platform using a customer-provided webhook endpoint. This enables organizations to centralize audit logging, improve visibility, and support monitoring, alerting, and compliance workflows within their existing SIEM solution.

Evo delivers audit events as JSON payloads in batched HTTPS POST requests. Note: This is currently in Beta and requires you joining our Discord and opting into the beta to get access.

Requirements

To configure and manage SIEM integrations, the following are required:

Must have the following role permission:

Integrations → Manage SIEM Integrations

Configuring a SIEM Integration

Navigate to:

Evo Admin → Integrations → SIEM

Select the desired tenant

Create a new SIEM configuration

Required Configuration

Setting	Description
Webhook URL	The HTTPS endpoint Evo will send audit events to

Optional Configuration

Setting	Description
Authorization Headers	Custom headers used for authentication, such as API tokens or bearer tokens
Signing Secret	Used to generate request signatures for webhook verification
Excluded Audit Actions	Exact audit action names that should not be forwarded to the SIEM

After saving the configuration, use Test Saved Webhook to verify that the external endpoint successfully accepts Evo webhook requests.

Webhook Delivery

Evo sends audit events as JSON payloads using batched HTTP POST requests.

Delivery Characteristics

Delivery model is at-least-once

Duplicate events may occur

Receivers should implement event deduplication using the event UUID

Webhook Headers

The following headers are included with webhook requests:

Header	Description
`X-Evo-Delivery-Id`	Unique delivery trace identifier
`X-Evo-Signature-256`	HMAC SHA-256 request signature. Only included when a signing secret is configured

Webhook Payload Format

Example webhook payload:

{
	"schema_version": "1",
	"events": [
		{
			"event_type": "create",
			"table": "events",
			"timestamp": "2024-01-15T10:30:00.000Z",
			"data": {
				"uuid": "evt-abc123",
				"action": "User login",
				"status": "Success",
				"actor": {
					"kind": "User",
					"name": "user@example.com"
				},
				"origin": {
					"hostname": "DESKTOP-ABC",
					"ipaddr": "192.168.1.100"
				},
				"target": {
					"kind": "User",
					"name": "user@example.com"
				},
				"ts": 1706000000000000000,
				"created_at": 1706000000000000000
			}
		}
	],
"count": 1,
"generated_at": "2024-01-15T10:30:05.123Z"
}

Did this answer your question?

😞

😐

🤩

Microsoft EAM integration How does the "MFA Status" toggle work?