Skip to main content

SIEM Integration

Enterprise
note

SIEM integration is a roadmap capability delivered as a custom engagement, not a self-serve GA feature today. The product currently surfaces SIEM as an enterprise integration type that routes to a sales conversation; there is no self-serve platform picker, connection form, or "Test Connection" flow in the app yet. If forwarding AI-governance events into your SIEM is a requirement for your deployment, contact your account manager so we can scope what is available for your environment.

Containment.AI is designed to integrate with your Security Information and Event Management (SIEM) platform so you can correlate AI governance events with your broader security monitoring.

Target Platforms

SIEM forwarding is designed to target the common enterprise platforms, including:

  • Splunk (HTTP Event Collector)
  • Sumo Logic (HTTP source)
  • Datadog (API-based forwarding)
  • Microsoft Sentinel (Log Analytics)
  • Elastic/ELK (Logstash/Elasticsearch output)
  • Generic Syslog (RFC 5424), Webhook, and AWS S3 export

The exact set of supported platforms and transport options is confirmed per engagement.

Event Format

Events are designed to be delivered in either Common Event Format (CEF) or JSON. These illustrative shapes show the intended structure:

Common Event Format (CEF)

CEF:0|Containment.AI|AIGovernance|1.0|alert.created|Policy Violation|7|
src=user@company.com dst=chatgpt.com act=blocked policy=ssn-detection
msg=Sensitive data detected

JSON Format

{
"event_type": "alert.created",
"timestamp": "2024-01-15T10:30:00Z",
"severity": "high",
"organization": "company-org-id",
"user": {
"email": "user@company.com",
"id": "user-id"
},
"policy": {
"id": "policy-id",
"name": "SSN Detection"
},
"action": "blocked",
"platform": "chatgpt",
"details": {
"pattern_matched": "ssn",
"confidence": 0.95
}
}

Getting Started

SIEM integration requires a custom implementation with your security and infrastructure teams. Contact your Containment.AI account manager or sales team to begin:

  1. Requirements gathering - Discuss your SIEM platform, transport, and event scope
  2. Architecture review - Confirm format (CEF/JSON), filtering, and field mapping
  3. Implementation - Configure and connect forwarding
  4. Testing - Verify events arrive and parse correctly in your SIEM
  5. Production - Go live with monitoring