Feed AI Events to Your SIEM
Forwarding AI governance events to your SIEM provides centralized visibility, correlation with other security telemetry, and a durable audit trail. This guide covers integration with Splunk, Elasticsearch, and Microsoft Sentinel.
Use this page when
- You want to forward Keeptrusts AI governance events to Splunk, Elasticsearch, or Microsoft Sentinel.
- You need webhook-based real-time forwarding or batch export ingest for your SIEM.
- You are writing detection rules and correlation queries for AI policy violations.
- You need a durable audit trail of all governance decisions in your centralized security platform.
Primary audience
- Primary: Technical Engineers
- Secondary: AI Agents, Technical Leaders
Architecture overview
Keeptrusts Gateway
→ POST /v1/events (decision events)
→ Keeptrusts API (event store)
→ /v1/webhooks → SIEM ingest endpoint
OR
→ kt export → scheduled batch export → SIEM file ingest
OR
→ OTel Collector sidecar → OTLP → SIEM backend
Choose the integration method that matches your SIEM's preferred ingest pattern: webhooks for real-time push, scheduled exports for batch, or OTel for trace-enriched telemetry.
Common event fields
Every Keeptrusts event includes these fields for SIEM mapping:
| Field | Type | Description |
|---|---|---|
event_id | string | Unique event identifier |
timestamp | ISO 8601 | Event creation time |
event_type | string | request, blocked, escalated, redacted |
action | string | Policy action taken (allow, block, escalate, redact) |
policy_name | string | Name of the triggering policy |
model | string | Target LLM model |
gateway_id | string | Gateway that processed the request |
user_id | string | Requesting user or service identity |
org_id | string | Organization scope |
Splunk integration
HTTP Event Collector (HEC)
- In Splunk, go to Settings → Data Inputs → HTTP Event Collector
- Create a new token with source type
_json - Note the HEC endpoint URL and token
Configure a Keeptrusts webhook pointing to Splunk HEC:
curl -X POST https://api.keeptrusts.com/v1/webhooks \
-H "Authorization: Bearer $KEEPTRUSTS_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"url": "https://splunk.example.com:8088/services/collector/event",
"description": "Forward all events to Splunk HEC",
"event_types": ["event.*"],
"active": true,
"headers": {
"Authorization": "Splunk <HEC_TOKEN>"
}
}'
Splunk search queries
# All blocked AI requests in the last 24h
index=keeptrusts action="block" earliest=-24h
| stats count by policy_name, model
# Top users triggering escalations
index=keeptrusts event_type="escalated"
| top limit=10 user_id
# Policy violation trend
index=keeptrusts action!="allow"
| timechart span=1h count by action
Splunk detection rule
# Alert: High volume of blocked requests from single user
index=keeptrusts action="block"
| stats count as block_count by user_id
| where block_count > 50
Elasticsearch integration
Ingest via webhook-to-Logstash pipeline
Configure Logstash to receive Keeptrusts webhooks:
# logstash.conf
input {
http {
port => 8089
codec => json
}
}
filter {
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
add_field => { "source" => "keeptrusts" }
}
}
output {
elasticsearch {
hosts => ["https://elasticsearch.example.com:9200"]
index => "keeptrusts-events-%{+YYYY.MM.dd}"
user => "elastic"
password => "${ES_PASSWORD}"
}
}
Point the Keeptrusts webhook at Logstash:
curl -X POST https://api.keeptrusts.com/v1/webhooks \
-H "Authorization: Bearer $KEEPTRUSTS_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"url": "https://logstash.example.com:8089",
"description": "Forward events to Elasticsearch via Logstash",
"event_types": ["event.*"],
"active": true
}'
Index template
{
"index_patterns": ["keeptrusts-events-*"],
"template": {
"settings": {
"number_of_replicas": 1,
"index.lifecycle.name": "keeptrusts-retention-90d"
},
"mappings": {
"properties": {
"event_id": { "type": "keyword" },
"timestamp": { "type": "date" },
"event_type": { "type": "keyword" },
"action": { "type": "keyword" },
"policy_name": { "type": "keyword" },
"model": { "type": "keyword" },
"gateway_id": { "type": "keyword" },
"user_id": { "type": "keyword" },
"org_id": { "type": "keyword" }
}
}
}
}
Kibana detection rule
Create a detection rule in Security → Rules → Create New Rule:
{
"name": "High Volume AI Policy Blocks",
"description": "Detects users with over 50 blocked AI requests in 1 hour",
"type": "threshold",
"index": ["keeptrusts-events-*"],
"query": "action:block",
"threshold": { "field": "user_id", "value": 50 },
"severity": "high",
"interval": "1h"
}
Microsoft Sentinel integration
Data connector via Logic App
- Create a Logic App with an HTTP trigger
- Add a step to send data to the Log Analytics workspace via the Data Collector API
- Point the Keeptrusts webhook at the Logic App HTTP endpoint
KQL queries
// All blocked requests in the last 24 hours
KeeptrustsEvents_CL
| where TimeGenerated > ago(24h)
| where action_s == "block"
| summarize count() by policy_name_s, model_s
// Escalation trend
KeeptrustsEvents_CL
| where event_type_s == "escalated"
| summarize count() by bin(TimeGenerated, 1h)
| render timechart
// Anomalous user behavior
KeeptrustsEvents_CL
| where action_s == "block"
| summarize BlockCount = count() by user_id_s
| where BlockCount > 50
Sentinel analytics rule
KeeptrustsEvents_CL
| where action_s == "block"
| summarize BlockCount = count() by user_id_s, bin(TimeGenerated, 1h)
| where BlockCount > 50
Batch export alternative
For SIEMs that prefer file-based ingest, use scheduled exports:
# Export events as JSON for the last 24 hours
kt export create --format json --window 24h
# Download the export artifact
kt export download --id exp_abc123 --output /data/siem-ingest/
# Or use the API directly
curl -s https://api.keeptrusts.com/v1/exports \
-H "Authorization: Bearer $KEEPTRUSTS_API_TOKEN" \
-d '{"format":"json","window":"24h"}' | jq '.export_id'
Automate with cron or a scheduled CI job.
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| Events not appearing in Splunk | HEC token invalid or disabled | Verify token in Splunk Data Inputs |
| Logstash pipeline errors | JSON parsing failure | Check codec is set to json in Logstash input |
| Sentinel data missing fields | Custom log schema mismatch | Verify field names match the Data Collector API schema |
| Webhook delivery failures | SIEM endpoint unreachable | Check network connectivity and firewall rules |
For AI systems
- Canonical terms: Keeptrusts events,
/v1/webhooks,kt export, Splunk HEC, Elasticsearch/Logstash, Microsoft Sentinel Data Collector API, detection rules, audit trail. - Key config: Webhook
event_types: ["event.*"], Splunk HEC token, Logstashjsoncodec, Sentinel workspace ID and shared key. - Event fields for SIEM mapping:
event_id,timestamp,event_type,action,policy_name,model,gateway_id,user_id,org_id. - Best next pages: Datadog observability, PagerDuty incident response, Slack & Teams alerting.
For engineers
- Prerequisites: SIEM platform with ingest endpoint (Splunk HEC, Logstash HTTP input, Sentinel Data Collector API), Keeptrusts organization with webhook permissions.
- Validate: Create a webhook, trigger a policy block, verify the event appears in your SIEM index within 60 seconds.
- Detection rules: Alert on > 50 blocks per user per hour (account takeover indicator) or sudden spike in escalation volume (policy regression).
- Batch alternative: Use
kt export create --format json --window 24hfor SIEMs preferring file-based ingest via cron.
For leaders
- Centralized audit: AI governance decisions join your existing security telemetry for unified compliance reporting.
- Threat detection: Correlate AI policy violations with other security events (credential abuse, data exfiltration) to detect insider threats.
- Retention: SIEM-stored events meet long-term retention requirements (7 years for some regulations) independent of Keeptrusts event retention.
- SOC integration: AI governance events appear in the same dashboards and alert workflows your security team already monitors.
Next steps
- Monitor with Datadog for APM and custom metrics
- Automate incident response with PagerDuty
- Set up Slack & Teams alerts for real-time notifications