SIEM Connectors: Stream AI Security Events to Splunk, Datadog & Sentinel in Real Time
Your SOC team has dashboards for everything — network intrusions, endpoint alerts, cloud misconfigurations. But when an AI application leaks a Social Security Number or an agent enters an infinite retry loop burning $100/hour, where does that alert go?
“We need AI security events in Splunk. Not a separate dashboard we have to remember to check — the same pane of glass we use for everything else.”
SIEM Connectors solve this. AI Security Gateway now streams security events — PII blocks, prompt injection attempts, budget exhaustion, agent loops — directly to Splunk, Datadog, or Microsoft Sentinel in each platform's native format.
Why AI Events Belong in Your SIEM
AI security events are fundamentally different from traditional application logs. They represent policy enforcement decisions that your security team needs to correlate with other signals:
- ✓ Correlation — a PII block from the AI gateway + a data exfiltration alert from your DLP = an insider threat investigation
- ✓ Unified alerting — your on-call rotation already monitors Splunk/Datadog, not a separate AI dashboard
- ✓ Retention & compliance — SIEM platforms handle log retention, immutability, and chain-of-custody for audit
- ✓ Automation — trigger SOAR playbooks when AI security events match severity thresholds
Supported Platforms
Splunk HEC
HTTP Event Collector. Events arrive as structured JSON with configurable sourcetype and index. Severity maps to Splunk severity levels (1-6).
Datadog Logs
Logs API v2. Events tagged with source:aisg, service mapped to project, severity mapped to Datadog status levels (Emergency/Alert/Critical/Warning/Info).
Microsoft Sentinel
Azure Monitor Data Collection Endpoint (DCE). Events formatted for Log Analytics custom tables with Sentinel-native severity (High/Medium/Low/Informational).
Event Types & Severity
Every security-relevant action in AI Security Gateway generates a structured event. You choose which events to stream to your SIEM:
| Event | Severity | What It Means |
|---|---|---|
| dlp.pii_blocked | High | Request blocked because PII was detected and policy is set to block |
| dlp.injection_blocked | Critical | Prompt injection attempt detected and blocked |
| dlp.pii_redacted | Medium | PII detected and automatically redacted before forwarding |
| budget.exhausted | Medium | Project or user budget limit reached — further requests blocked |
| loop.detected | High | Agent infinite retry loop detected and killed |
You can subscribe to all events (*) or pick specific ones. Most teams start with dlp.pii_blocked and dlp.injection_blocked for critical alerts, then add others as they build out their AI security runbooks.
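To make the severity mapping concrete, here is an added Python example (illustration only, not AI Security Gateway's own code) that takes a gateway event from the table above, derives its severity, and renders it as a Splunk HEC envelope, a Datadog Logs API v2 record and a Sentinel custom-table row. The target scales are the ones the article names for each platform; which gateway severity lands on which level, the `severity_level` field name for Splunk, and the Sentinel column names are assumptions. The sample event is constructed and includes a `prompt` key only to show that content-bearing fields are stripped before anything leaves the gateway.

```python
"""Added example: map AI Security Gateway events to Splunk HEC, Datadog Logs
API v2 and Sentinel payloads with per-platform severity mapping."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Any

# Event catalogue and gateway severities, as listed in the article's table.
EVENT_SEVERITY: dict[str, str] = {
    "dlp.pii_blocked": "high",
    "dlp.injection_blocked": "critical",
    "dlp.pii_redacted": "medium",
    "budget.exhausted": "medium",
    "loop.detected": "high",
}

# Target scales come from the article; the assignment below is an ASSUMPTION.
SPLUNK_SEVERITY = {"critical": 1, "high": 2, "medium": 3}            # Splunk levels 1-6
DATADOG_STATUS = {"critical": "alert", "high": "critical", "medium": "warn"}
SENTINEL_SEVERITY = {"critical": "High", "high": "High", "medium": "Medium"}

# Detail keys that must never be forwarded: the SIEM gets metadata, not content.
CONTENT_KEYS = frozenset({"prompt", "response", "messages", "completion"})


@dataclass
class GatewayEvent:
    event_type: str
    project_id: str
    request_id: str
    timestamp: str                      # ISO 8601 UTC, e.g. "2026-06-08T20:15:30Z"
    details: dict[str, Any] = field(default_factory=dict)

    @property
    def severity(self) -> str:
        try:
            return EVENT_SEVERITY[self.event_type]
        except KeyError:
            raise ValueError(f"unknown event type {self.event_type!r}") from None

    def safe_details(self) -> dict[str, Any]:
        """Drop content-bearing keys so only metadata leaves the gateway."""
        return {k: v for k, v in self.details.items() if k not in CONTENT_KEYS}


def to_splunk_hec(ev: GatewayEvent, index: str = "main",
                  sourcetype: str = "aisg:security") -> dict[str, Any]:
    """Splunk HEC envelope: event body plus sourcetype/index routing fields."""
    return {
        "event": {
            "event_type": ev.event_type,
            "project_id": ev.project_id,
            "request_id": ev.request_id,
            "severity": ev.severity,
            "severity_level": SPLUNK_SEVERITY[ev.severity],   # field name ASSUMED
            "source": "aisg",
            "timestamp": ev.timestamp,
            "details": ev.safe_details(),
        },
        "sourcetype": sourcetype,
        "index": index,
    }


def to_datadog_v2(ev: GatewayEvent, env: str = "production",
                  hostname: str = "aisg-proxy") -> list[dict[str, Any]]:
    """Datadog Logs API v2 takes a JSON array; service = project, status = Datadog level."""
    return [{
        "ddsource": "aisg",
        "ddtags": f"env:{env},service:{ev.project_id}",
        "hostname": hostname,
        "message": ev.event_type,
        "service": ev.project_id,
        "status": DATADOG_STATUS[ev.severity],
        "event_type": ev.event_type,
        "project_id": ev.project_id,
        "request_id": ev.request_id,
        "severity": ev.severity,
        "timestamp": ev.timestamp,
        "details": ev.safe_details(),
    }]


def to_sentinel_rows(ev: GatewayEvent) -> list[dict[str, Any]]:
    """Rows for a Log Analytics custom table sent via the DCE. Column names are
    ASSUMED; a DCR transformation would map them onto the real table schema."""
    return [{
        "TimeGenerated": ev.timestamp,
        "EventType": ev.event_type,
        "ProjectId": ev.project_id,
        "RequestId": ev.request_id,
        "Severity": SENTINEL_SEVERITY[ev.severity],
        "Details": json.dumps(ev.safe_details(), sort_keys=True),
    }]


# Constructed sample mirroring the article's PII-block event, plus a "prompt"
# key that must not survive into any payload.
SAMPLE_EVENT = GatewayEvent(
    event_type="dlp.pii_blocked",
    project_id="proj_abc123",
    request_id="req_xyz789",
    timestamp="2026-06-08T20:15:30Z",
    details={"entities_found": ["SSN", "CREDIT_CARD"], "action": "blocked",
             "model": "gpt-4.1", "prompt": "<constructed: user text, never forwarded>"},
)

if __name__ == "__main__":
    for name, payload in (("splunk", to_splunk_hec(SAMPLE_EVENT)),
                          ("datadog", to_datadog_v2(SAMPLE_EVENT)),
                          ("sentinel", to_sentinel_rows(SAMPLE_EVENT))):
        print(name, json.dumps(payload, indent=2))
```

The one design point worth copying is that content stripping lives on the event object rather than in each adapter, so a new platform adapter cannot accidentally forward prompt text.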
What the Payloads Look Like
Each platform receives events in its native format. No log parsing rules to write, no custom field extractors to configure:
Splunk HEC (PII block):

```json
{
  "event": {
    "event_type": "dlp.pii_blocked",
    "project_id": "proj_abc123",
    "request_id": "req_xyz789",
    "severity": "high",
    "source": "aisg",
    "timestamp": "2026-06-08T20:15:30Z",
    "details": {
      "entities_found": ["SSN", "CREDIT_CARD"],
      "action": "blocked",
      "model": "gpt-4.1"
    }
  },
  "sourcetype": "aisg:security",
  "index": "main"
}
```

Datadog Logs API v2 (budget exhausted):

```json
[{
  "ddsource": "aisg",
  "ddtags": "env:production,service:proj_abc123",
  "hostname": "aisg-proxy",
  "message": "budget.exhausted",
  "service": "proj_abc123",
  "status": "warn",
  "event_type": "budget.exhausted",
  "project_id": "proj_abc123",
  "severity": "medium",
  "timestamp": "2026-06-08T20:15:30Z"
}]
```

Setup: Three Steps
1. Choose your SIEM platform
Select Splunk, Datadog, or Microsoft Sentinel from the dropdown. Each platform shows its specific configuration fields.
2. Enter your connection details
Provide your SIEM endpoint URL and authentication token. For Splunk: HEC endpoint + HEC token. For Datadog: Logs API endpoint + API key. For Sentinel: DCE endpoint + bearer token. Tokens are stored in AWS Secrets Manager — never in the database.
3. Select events to stream
Choose which event types to forward. Click "Send Test Event" to verify connectivity before saving. A synthetic event is sent to your SIEM so you can confirm it arrives.
Security Architecture
Secrets Manager Storage
SIEM authentication tokens are stored in AWS Secrets Manager with automatic encryption. The proxy fetches tokens at startup and caches them with a 5-minute TTL.
HTTPS Only
All SIEM delivery uses TLS. Plain HTTP endpoints are rejected at configuration time.
No Content Forwarding
SIEM events contain metadata about what happened (entity types detected, action taken) — never the actual prompt or response content.
Fail-Open Delivery
If SIEM delivery fails, the security action (block/redact) still completes. SIEM is informational — it never gates request processing.
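The three setup steps and the security architecture above describe the same component from two sides: a connector configuration (platform, HTTPS endpoint, token, subscribed event types, test event) and a delivery path that is asynchronous, single-attempt and fail-open. The following Python is an added example of that dispatcher, written for this article and not taken from AI Security Gateway. It rejects non-HTTPS endpoints at configuration time, filters by subscription (`*` or a list), delivers each event once on a background thread, and counts failures instead of raising them into the request path. The transport is injected so the example runs offline against a constructed flaky endpoint; the `siem.test` event type used by the test-event helper and the `enforce_pii_block` stand-in for the proxy's security action are assumptions.

```python
"""Added example: fail-open, asynchronous SIEM delivery with config validation."""
from __future__ import annotations

import logging
import queue
import threading
from dataclasses import dataclass, field
from typing import Any, Callable
from urllib.parse import urlparse

log = logging.getLogger("aisg.siem")

# transport(endpoint, headers, body) -> HTTP status code; injected for offline runs.
Transport = Callable[[str, dict[str, str], dict[str, Any]], int]
SUPPORTED = ("splunk", "datadog", "sentinel")


@dataclass
class SiemConfig:
    platform: str
    endpoint: str
    token: str                      # in the product this comes from Secrets Manager, not a DB
    events: list[str] = field(default_factory=lambda: ["*"])

    def __post_init__(self) -> None:
        if self.platform not in SUPPORTED:
            raise ValueError(f"unsupported platform {self.platform!r}")
        # Plain HTTP endpoints are rejected at configuration time, not at send time.
        if urlparse(self.endpoint).scheme != "https":
            raise ValueError(f"SIEM endpoint must use https: {self.endpoint}")

    def subscribed(self, event_type: str) -> bool:
        return "*" in self.events or event_type in self.events

    def auth_headers(self) -> dict[str, str]:
        # Platform conventions: HEC token header, Datadog API key header, Azure bearer token.
        if self.platform == "splunk":
            return {"Authorization": f"Splunk {self.token}"}
        if self.platform == "datadog":
            return {"DD-API-KEY": self.token}
        return {"Authorization": f"Bearer {self.token}"}


class SiemDispatcher:
    def __init__(self, config: SiemConfig, transport: Transport) -> None:
        self.config, self.transport = config, transport
        self.delivered = self.failed = self.dropped = 0
        self._queue: queue.Queue = queue.Queue()
        threading.Thread(target=self._worker, daemon=True).start()

    def emit(self, event: dict[str, Any]) -> None:
        """Request-path entry point: enqueue and return immediately."""
        if not self.config.subscribed(event["event_type"]):
            self.dropped += 1
            return
        self._queue.put(event)

    def flush(self) -> None:
        """Wait until every queued event has been attempted (tests and shutdown only)."""
        self._queue.join()

    def send_test_event(self) -> bool:
        """Synthetic event behind 'Send Test Event'; bypasses the subscription filter."""
        before = self.delivered
        self._queue.put({"event_type": "siem.test", "request_id": "test", "severity": "informational"})
        self.flush()
        return self.delivered == before + 1

    def _worker(self) -> None:
        while True:
            event = self._queue.get()
            try:
                self._deliver_once(event)
            finally:
                self._queue.task_done()

    def _deliver_once(self, event: dict[str, Any]) -> None:
        """Single attempt, no retry. Any failure is logged and counted, never raised."""
        try:
            status = self.transport(self.config.endpoint, self.config.auth_headers(), event)
        except Exception as exc:        # network-layer errors must not escape the worker
            self.failed += 1
            log.warning("SIEM delivery failed for %s: %s", event.get("request_id"), exc)
            return
        if 200 <= status < 300:
            self.delivered += 1
        else:
            self.failed += 1
            log.warning("SIEM endpoint returned %s for %s", status, event.get("request_id"))


def enforce_pii_block(dispatcher: SiemDispatcher, request_id: str) -> str:
    """Stand-in (ASSUMED) for the proxy's security action: the block completes
    regardless of SIEM health; the event is emitted after the decision is made."""
    dispatcher.emit({"event_type": "dlp.pii_blocked", "request_id": request_id, "severity": "high"})
    return "blocked"


def flaky_transport(fail_every: int) -> Transport:
    """Constructed transport: returns 200 except every n-th call, which raises."""
    calls = [0]

    def transport(endpoint: str, headers: dict[str, str], body: dict[str, Any]) -> int:
        calls[0] += 1
        if calls[0] % fail_every == 0:
            raise ConnectionError("simulated SIEM outage")
        return 200
    return transport


if __name__ == "__main__":
    cfg = SiemConfig("splunk", "https://splunk.example.internal:8088/services/collector",
                     "hec-token-placeholder", ["dlp.pii_blocked", "dlp.injection_blocked"])
    disp = SiemDispatcher(cfg, flaky_transport(2))
    print([enforce_pii_block(disp, f"req_{i}") for i in range(4)])
    disp.flush()
    print(f"delivered={disp.delivered} failed={disp.failed} dropped={disp.dropped}")
```

Running the main block shows four `blocked` results even though half the deliveries fail, which is the fail-open property the FAQ describes. The `failed` counter is what you would surface as a metric, since a silently broken connector is the one failure mode this design does not protect you from.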
How SIEM Connectors Fit the Enterprise Stack
SIEM Connectors complement the existing webhook system. Webhooks are great for real-time operational alerts (Slack, PagerDuty). SIEM Connectors are for security analytics and compliance:
| | Webhooks | SIEM Connectors |
|---|---|---|
| Best for | Slack, PagerDuty, custom apps | Splunk, Datadog, Sentinel |
| Format | Generic JSON + HMAC | Platform-native format |
| Scope | Per-project | Per-organization (all projects) |
| Auth | HMAC signature | Platform API key/token |
| Severity mapping | No | Yes — platform-native levels |
FAQ
Does SIEM delivery affect request latency?
No. SIEM events are dispatched asynchronously in the background after the proxy has already returned the response. Request latency is unaffected.
Can I use SIEM Connectors and Webhooks at the same time?
Yes. They're independent systems. Webhooks operate per-project, SIEM operates per-organization. The same event can be sent to both.
What happens if my SIEM endpoint is down?
Events are attempted once. If delivery fails, the failure is logged but the security action (block/redact) is not affected. The proxy never blocks on SIEM delivery.
Is the SIEM configuration per-project or per-organization?
Per-organization. When configured, SIEM receives events from all projects in the organization. You filter by event type at configuration time.
Can I use a custom SIEM platform?
Currently Splunk, Datadog, and Microsoft Sentinel are supported with native format adapters. For other platforms, use webhooks with a custom endpoint to transform the generic JSON format.
Ready to stream AI events to your SIEM?
SIEM Connectors are available on the Enterprise plan. Connect Splunk, Datadog, or Sentinel in under 5 minutes.