SIEM Integration

Professional

Integrate Containment.AI with your Security Information and Event Management (SIEM) platform to correlate AI governance events with your broader security monitoring.

Supported Platforms

Native Integrations

  • Splunk - Direct HTTP Event Collector (HEC)
  • Sumo Logic - HTTP source integration
  • Datadog - API-based forwarding
  • Microsoft Sentinel - Log Analytics integration
  • Elastic/ELK - Logstash/Elasticsearch output

Generic Integration

  • Syslog - RFC 5424 format
  • Webhook - Custom HTTP endpoints
  • AWS S3 - Log file export

Setup Guide

Splunk

  1. Create HEC Token in Splunk

    • Go to Settings > Data Inputs > HTTP Event Collector
    • Create new token
    • Note the token value
  2. Configure in Containment.AI

    • Go to Integrations > SIEM
    • Select Splunk
    • Enter:
      • Splunk URL: https://your-splunk:8088
      • HEC Token: your-token
      • Index: containment_ai (optional)
  3. Test Connection

    • Click Test
    • Verify events appear in Splunk

Sumo Logic

  1. Create HTTP Source in Sumo Logic

    • Go to Manage Data > Collection
    • Add Collector > Hosted Collector
    • Add HTTP Logs & Metrics Source
    • Copy the endpoint URL
  2. Configure in Containment.AI

    • Select Sumo Logic
    • Enter Source URL
    • Test and save

Custom Webhook

  1. Prepare Your Endpoint

    • Must accept POST requests
    • Return 200 on success
    • Handle JSON payload
  2. Configure in Containment.AI

    • Select Custom Webhook
    • Enter endpoint URL
    • Add authentication headers if needed
    • Select events to forward
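The three endpoint requirements above, as an added example that is not Containment.AI's own code: a minimal receiver that checks a shared bearer token (the header scheme and secret are assumptions), parses the JSON payload, and answers 200 only when the event was actually accepted.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed shared secret: use the same value as the authentication header
# configured under "Add authentication headers if needed" (scheme assumed).
EXPECTED_TOKEN = "replace-with-a-long-random-secret"
REQUIRED_FIELDS = ("event_type", "timestamp", "severity", "action")
RECEIVED = []  # events accepted so far; a real receiver would store/forward them

def handle_delivery(headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one delivery and return (http_status, message).

    Anything other than 200 tells the sender the delivery failed and makes it
    retry with backoff, so only return non-200 for genuine failures.
    """
    presented = headers.get("Authorization", "")
    # Constant-time comparison so token checking does not leak timing.
    if not hmac.compare_digest(presented.encode(), f"Bearer {expected_token}".encode()):
        return 401, "bad token"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(event, dict):
        return 400, "body is not a JSON object"
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        return 400, f"missing fields: {', '.join(missing)}"
    RECEIVED.append(event)
    return 200, "ok"

class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        status, message = handle_delivery(self.headers, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(message.encode())

if __name__ == "__main__":
    # Bind locally; terminate TLS and enforce IP allowlisting in front of it.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```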

Event Format

Common Event Format (CEF)

CEF:0|Containment.AI|AIGovernance|1.0|alert.created|Policy Violation|7|src=user@company.com dst=chatgpt.com act=blocked policy=ssn-detection msg=Sensitive data detected

JSON Format

{
  "event_type": "alert.created",
  "timestamp": "2024-01-15T10:30:00Z",
  "severity": "high",
  "organization": "company-org-id",
  "user": {
    "email": "user@company.com",
    "id": "user-id"
  },
  "policy": {
    "id": "policy-id",
    "name": "SSN Detection"
  },
  "action": "blocked",
  "platform": "chatgpt",
  "details": {
    "pattern_matched": "ssn",
    "confidence": 0.95
  }
}
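To show how the two formats above relate, this added example (not Containment.AI's code) renders the JSON event as a single CEF line like the one in the CEF subsection, applying the CEF escaping rules for header and extension fields. The severity, signature-name and platform-host lookups and the msg text are this example's assumptions.

```python
import json

# Constructed sample: the JSON event shown on this page.
SAMPLE_EVENT = json.loads("""{
  "event_type": "alert.created", "timestamp": "2024-01-15T10:30:00Z",
  "severity": "high", "organization": "company-org-id",
  "user": {"email": "user@company.com", "id": "user-id"},
  "policy": {"id": "policy-id", "name": "SSN Detection"},
  "action": "blocked", "platform": "chatgpt",
  "details": {"pattern_matched": "ssn", "confidence": 0.95}
}""")

# Assumed lookups, not from the page: CEF severity per JSON severity (the page
# renders "high" as 7), a signature name per event type, a host per platform.
SEVERITY = {"low": 3, "medium": 5, "high": 7, "critical": 9}
EVENT_NAME = {"alert.created": "Policy Violation"}
PLATFORM_HOST = {"chatgpt": "chatgpt.com"}

def cef_header(value):
    """Escape a header field: backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    """Escape an extension value: backslash, '=', and line breaks."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def to_cef(event, vendor="Containment.AI", product="AIGovernance", version="1.0"):
    """Render one event as a single CEF:0 line (CEF is one record per line)."""
    etype = event["event_type"]
    header = [vendor, product, version, etype,
              EVENT_NAME.get(etype, etype), SEVERITY.get(event.get("severity"), 0)]
    details = event.get("details", {})
    platform = event.get("platform", "")
    ext = {
        "src": event.get("user", {}).get("email", ""),
        "dst": PLATFORM_HOST.get(platform, platform),
        "act": event.get("action", ""),
        "policy": event.get("policy", {}).get("name", ""),
        # Constructed message text; the page's example carries free text here.
        "msg": f"{details.get('pattern_matched', '?')} pattern matched "
               f"(confidence {details.get('confidence', '?')})",
    }
    extension = " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())
    return "CEF:0|" + "|".join(cef_header(h) for h in header) + "|" + extension

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
```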

Event Types

Configure which events to forward:

Alert Events

  • alert.created - New policy violation
  • alert.acknowledged - Admin acknowledged
  • alert.resolved - Alert resolved
  • alert.dismissed - Alert dismissed

Policy Events

  • policy.enabled - Policy turned on
  • policy.disabled - Policy turned off
  • policy.modified - Settings changed

Admin Events

  • admin.login - Admin signed in
  • admin.permissions_changed - Permissions modified
  • admin.settings_changed - Configuration updated

User Events

  • user.extension_connected - Extension connected
  • user.extension_disconnected - Extension disconnected

Filtering

By Severity

Choose the minimum severity to forward:

  • Critical only
  • High and above
  • Medium and above
  • All events

By Event Type

Select specific event categories:

  • All alerts
  • Policy changes
  • User events
  • Admin actions

By Team/User

Limit to specific scope:

  • All organization
  • Specific teams
  • Specific users

Enrichment

Custom Fields

Add custom fields to events:

{
  "custom_fields": {
    "environment": "production",
    "team": "security",
    "ticket_prefix": "CAI"
  }
}

Mapping

Map Containment.AI fields to your schema:

{
  "field_mapping": {
    "user.email": "src_user",
    "action": "event_action",
    "severity": "priority"
  }
}
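As an added example covering both Enrichment subsections (not Containment.AI's implementation, and useful when a custom webhook receiver has to do the same work): applying the custom_fields and field_mapping configurations above to the page's JSON event. It assumes dotted names address nested keys, that mapped values are copied rather than moved, and that custom fields land at the top level without overwriting the event's own keys.

```python
import copy

# Constructed sample: the JSON event from the Event Format section, trimmed.
EVENT = {
    "event_type": "alert.created", "severity": "high", "action": "blocked",
    "user": {"email": "user@company.com", "id": "user-id"},
    "policy": {"id": "policy-id", "name": "SSN Detection"},
    "details": {"pattern_matched": "ssn", "confidence": 0.95},
}
# The two configuration fragments shown on this page.
CUSTOM_FIELDS = {"environment": "production", "team": "security", "ticket_prefix": "CAI"}
FIELD_MAPPING = {"user.email": "src_user", "action": "event_action", "severity": "priority"}

def get_path(obj, dotted):
    """Resolve 'user.email' against nested dicts; None if any part is absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def set_path(obj, dotted, value):
    """Create nested dicts as needed so 'a.b' lands at obj['a']['b']."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value

def enrich(event, field_mapping, custom_fields):
    """Return a new event with mapped names added and custom fields merged."""
    out = copy.deepcopy(event)  # never mutate the delivered event
    for source, target in field_mapping.items():
        value = get_path(event, source)
        if value is not None:  # skip mappings whose source field is missing
            set_path(out, target, value)
    for key, value in custom_fields.items():
        out.setdefault(key, value)  # event's own keys win over static fields
    return out

if __name__ == "__main__":
    print(enrich(EVENT, FIELD_MAPPING, CUSTOM_FIELDS))
```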

Reliability

Retry Logic

Failed deliveries are retried:

  • 3 automatic retries
  • Exponential backoff
  • Max 24-hour queue

Buffering

Events are buffered for:

  • Network interruptions
  • SIEM maintenance
  • Rate limiting

Dead Letter Queue

Failed events after retries:

  • Stored for 7 days
  • Manual retry available
  • Export for analysis

Monitoring

Integration Health

Dashboard shows:

  • Events sent (success/failed)
  • Latency metrics
  • Error rates
  • Queue depth

Alerts

Get notified of issues:

  • Connection failures
  • High error rates
  • Queue buildup

Security

Transport Security

  • TLS 1.2+ required
  • Certificate validation
  • IP allowlisting supported

Authentication

  • API keys/tokens
  • Mutual TLS (Enterprise)
  • OAuth 2.0 (where supported)

Troubleshooting

Events Not Appearing

  1. Check Connection

    • Test connection from integration page
    • Verify URL is correct
    • Confirm authentication
  2. Check Filters

    • Review event type filters
    • Verify severity filter
    • Check scope settings
  3. Check SIEM

    • Review SIEM ingestion logs
    • Check index/source config
    • Verify permissions

Delayed Events

  1. Check Queue

    • View queue depth in dashboard
    • Look for delivery errors
    • Check rate limits
  2. Check Network

    • Test connectivity
    • Review firewall rules
    • Check proxy settings

Best Practices

Performance

  • Filter to necessary events
  • Use appropriate batch sizes
  • Monitor queue depth

Security

  • Rotate credentials regularly
  • Use dedicated service accounts
  • Enable audit logging

Operations

  • Set up health alerts
  • Document configuration
  • Test regularly