# SIEM Integration

| Field | Value |
|---|---|
| Document ID | ASCEND-ENT-006 |
| Version | 2026.04 |
| Last Updated | April 2026 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 10 minutes | Skill Level: Advanced
## Overview
ASCEND integrates with enterprise SIEM platforms to provide centralized security monitoring. Export security events in Splunk CIM, Datadog metrics, or custom formats for real-time visibility into AI governance.
> Warning: SIEM integration exports security events containing action metadata, risk scores, and agent identifiers. Verify that your SIEM ingestion pipeline and index configuration can handle the expected event volume before enabling it.
## Supported SIEM Platforms
| Platform | Format | Features |
|---|---|---|
| Splunk | CIM (Common Information Model) | Full event taxonomy |
| Datadog | Metrics + Logs | Custom dashboards |
| Wiz | JSON | Cloud security |
| Generic | Syslog/JSON | Any SIEM |
## Architecture

```text
+-------------------------------------------------------------------------+
|                          SIEM INTEGRATION FLOW                          |
+-------------------------------------------------------------------------+
|                                                                         |
|  ASCEND PLATFORM                                                        |
|  +-------------------------------------------------------------------+  |
|  |  Events Generated:                                                |  |
|  |    - Action submissions        - Policy changes                   |  |
|  |    - Approvals/denials         - Security alerts                  |  |
|  |    - Agent registrations       - Anomaly detections               |  |
|  |    - Authentication events     - Configuration changes            |  |
|  +-------------------------------------------------------------------+  |
|                                    |                                    |
|                                    v                                    |
|  +-------------------------------------------------------------------+  |
|  |  EVENT TRANSFORMATION                                             |  |
|  |  Format Selection:                                                |  |
|  |    - Splunk CIM -> src, dest, action, status, severity            |  |
|  |    - Datadog    -> metrics.* + logs with tags                     |  |
|  |    - JSON       -> raw structured events                          |  |
|  +-------------------------------------------------------------------+  |
|                                    |                                    |
|                                    v                                    |
|  +--------------------+  +--------------------+  +--------------------+ |
|  | SPLUNK             |  | DATADOG            |  | CUSTOM             | |
|  | HEC Endpoint       |  | API Endpoint       |  | Webhook            | |
|  | Index: ascend_*    |  | Tags: env, service |  | Your SIEM          | |
|  +--------------------+  +--------------------+  +--------------------+ |
+-------------------------------------------------------------------------+
```
## Splunk Integration

### Configure HEC (HTTP Event Collector)

```bash
# Enable Splunk SIEM integration
curl -X POST "https://pilot.owkai.app/api/siem/configure" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "splunk",
    "hec_url": "https://splunk.company.com:8088/services/collector",
    "hec_token": "your-hec-token",
    "index": "ascend_security",
    "source": "ascend:governance",
    "sourcetype": "_json",
    "ssl_verify": true
  }'
```
### Splunk CIM Event Format

```json
{
  "time": 1702656000,
  "host": "ascend-api",
  "source": "ascend:governance",
  "sourcetype": "ascend:action",
  "index": "ascend_security",
  "event": {
    "action": "action.submitted",
    "src": "agent-001",
    "src_user": "trading-bot",
    "dest": "trade_executor",
    "dest_port": null,
    "status": "pending_approval",
    "severity": "medium",
    "risk_score": 65,
    "category": "AI Governance",
    "vendor_product": "ASCEND",
    "signature": "High-risk action submitted",
    "user": "system@company.com",
    "organization_id": 1,
    "correlation_id": "act_abc123"
  }
}
```
### Splunk Search Examples

```spl
# High-risk actions in last 24 hours
index=ascend_security sourcetype=ascend:action risk_score>=70
| stats count by src, action, severity
| sort -count

# Denied actions by agent
index=ascend_security sourcetype=ascend:action status=denied
| timechart span=1h count by src

# Security anomalies
index=ascend_security sourcetype=ascend:security category="Anomaly"
| table _time, src_user, signature, severity, risk_score
```
## Datadog Integration

### Configure Datadog API

```bash
# Enable Datadog integration
curl -X POST "https://pilot.owkai.app/api/siem/configure" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "datadog",
    "api_key": "your-datadog-api-key",
    "app_key": "your-datadog-app-key",
    "site": "datadoghq.com",
    "service": "ascend-governance",
    "env": "production",
    "tags": ["team:security", "compliance:soc2"]
  }'
```
### Datadog Metrics Format

```jsonc
// Metrics sent to Datadog (timestamp stands for the epoch-seconds value of the event)
[
  {
    "metric": "ascend.actions.submitted",
    "type": "count",
    "points": [[timestamp, 1]],
    "tags": [
      "agent:trading-bot",
      "risk_level:high",
      "status:pending_approval",
      "env:production"
    ]
  },
  {
    "metric": "ascend.actions.risk_score",
    "type": "gauge",
    "points": [[timestamp, 65]],
    "tags": [
      "agent:trading-bot",
      "action_type:trade_execution"
    ]
  }
]
```
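As an added example (not ASCEND's own code), the following Python builds both payload shapes from one internal event: the HEC envelope with the CIM-style fields from the Splunk CIM Event Format section, and the count and gauge series from the Datadog Metrics Format section. The internal field names of the input event and the risk-score-to-severity thresholds are assumptions; the batched HEC body shows the "batch events" remedy that the troubleshooting table recommends for rate limiting.

```python
import json

# Constructed sample event; the key names are an assumed internal shape, the values
# mirror the page's Splunk CIM example.
SAMPLE_EVENT = {
    "event_type": "action.submitted", "agent_id": "agent-001", "agent_name": "trading-bot",
    "target": "trade_executor", "status": "pending_approval", "risk_score": 65,
    "user": "system@company.com", "organization_id": 1,
    "correlation_id": "act_abc123", "time": 1702656000,
}

def severity_for(risk_score: int) -> str:
    """Assumed thresholds: >= 80 high, >= 50 medium, otherwise low."""
    if risk_score >= 80:
        return "high"
    return "medium" if risk_score >= 50 else "low"

def to_splunk_hec(ev: dict, index: str = "ascend_security") -> dict:
    """HEC envelope carrying the CIM-style fields shown in the Splunk section."""
    return {
        "time": ev["time"], "host": "ascend-api", "source": "ascend:governance",
        "sourcetype": "ascend:action", "index": index,
        "event": {
            "action": ev["event_type"], "src": ev["agent_id"], "src_user": ev["agent_name"],
            "dest": ev["target"], "status": ev["status"],
            "severity": severity_for(ev["risk_score"]), "risk_score": ev["risk_score"],
            "category": "AI Governance", "vendor_product": "ASCEND", "user": ev["user"],
            "organization_id": ev["organization_id"], "correlation_id": ev["correlation_id"],
        },
    }

def hec_batch_body(events: list[dict]) -> str:
    """HEC accepts several JSON objects concatenated in one request body; sending
    one batched request instead of one request per event avoids rate limiting."""
    return "\n".join(json.dumps(to_splunk_hec(ev), separators=(",", ":")) for ev in events)

def to_datadog_series(ev: dict, env: str = "production") -> list[dict]:
    """Count and gauge series matching the Datadog metrics section."""
    agent = f"agent:{ev['agent_name']}"
    return [
        {"metric": "ascend.actions.submitted", "type": "count", "points": [[ev["time"], 1]],
         "tags": [agent, f"risk_level:{severity_for(ev['risk_score'])}",
                  f"status:{ev['status']}", f"env:{env}"]},
        {"metric": "ascend.actions.risk_score", "type": "gauge",
         "points": [[ev["time"], ev["risk_score"]]],
         "tags": [agent, f"action_type:{ev['event_type']}"]},
    ]
```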
### Datadog Dashboard Widgets

```python
# Recommended dashboard configuration
DASHBOARD_WIDGETS = {
    "action_volume": {
        "type": "timeseries",
        "query": "sum:ascend.actions.submitted{*}.as_count()"
    },
    "approval_rate": {
        "type": "query_value",
        "query": "sum:ascend.actions.approved{*}/sum:ascend.actions.submitted{*}*100"
    },
    "risk_distribution": {
        "type": "toplist",
        "query": "sum:ascend.actions.risk_score{*} by {agent}"
    },
    "pending_approvals": {
        "type": "query_value",
        "query": "sum:ascend.actions.pending{*}"
    }
}
```
## Export Diagnostics to SIEM

### Manual Export

```bash
# Export diagnostic data in Splunk CIM format
curl -X POST "https://pilot.owkai.app/api/diagnostics/export" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "splunk_cim",
    "start_date": "2025-12-01T00:00:00Z",
    "end_date": "2025-12-15T23:59:59Z",
    "include_details": true
  }'
```
Response:

```json
{
  "status": "success",
  "format": "splunk_cim",
  "records_exported": 1250,
  "data": [
    {
      "time": 1702656000,
      "correlation_id": "diag_1_20251215_103045_a1b2c3d4",
      "diagnostic_type": "full_diagnostic",
      "status": "success",
      "health_score": 98.5,
      "severity": "INFO",
      "src": "ascend-diagnostics",
      "action": "health_check",
      "category": "System Health"
    }
  ]
}
```
### Datadog Metrics Export

```bash
# Export in Datadog metrics format
curl -X POST "https://pilot.owkai.app/api/diagnostics/export" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "datadog_metrics",
    "start_date": "2025-12-01T00:00:00Z",
    "end_date": "2025-12-15T23:59:59Z"
  }'
```
## Event Types

### Security Events

| Event Type | Severity | Description |
|---|---|---|
| auth.login | INFO | User login |
| auth.logout | INFO | User logout |
| auth.failure | WARNING | Authentication failure |
| auth.lockout | HIGH | Account locked |
| security.alert | HIGH | Security alert triggered |
| security.anomaly | MEDIUM | Anomaly detected |
### Governance Events

| Event Type | Severity | Description |
|---|---|---|
| action.submitted | INFO | Action submitted |
| action.approved | INFO | Action approved |
| action.denied | MEDIUM | Action denied |
| action.executed | INFO | Action executed |
| policy.created | LOW | Policy created |
| policy.updated | LOW | Policy updated |
### Agent Events

| Event Type | Severity | Description |
|---|---|---|
| agent.registered | INFO | Agent registered |
| agent.deactivated | MEDIUM | Agent deactivated |
| agent.killed | HIGH | Kill-switch activated |
## Compliance Mapping
| Standard | Requirement | SIEM Support |
|---|---|---|
| SOC 2 CC7.2 | Incident response | Alert routing |
| SOC 2 CC7.3 | Anomaly monitoring | Real-time detection |
| PCI-DSS 10.2 | Event logging | Full audit trail |
| PCI-DSS 10.6 | Log review | Automated analysis |
| HIPAA 164.312(b) | Audit controls | Immutable logging |
| NIST AU-6 | Audit review | SIEM correlation |
## Best Practices

1. Index Strategy

```python
# Recommended Splunk index structure
INDEXES = {
    "ascend_security": "Security events",
    "ascend_governance": "Governance decisions",
    "ascend_audit": "Audit trail",
    "ascend_diagnostics": "Health metrics"
}
```
2. Retention Configuration

```python
# SIEM retention by event type
RETENTION = {
    "security_events": "7 years",    # SOX compliance
    "governance_events": "6 years",  # HIPAA
    "diagnostic_events": "1 year"
}
```
3. Alert Rules

```python
# Recommended SIEM alerts
ALERT_RULES = [
    {
        "name": "High-Risk Action Spike",
        "query": "risk_score>=80 | stats count | where count>10",
        "severity": "high",
        "action": "pagerduty"
    },
    {
        "name": "Kill-Switch Activated",
        "query": "action=agent.killed",
        "severity": "critical",
        "action": "immediate"
    },
    {
        "name": "Authentication Anomaly",
        "query": "auth.failure | stats count by src_user | where count>5",
        "severity": "medium",
        "action": "email"
    }
]
```
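To show how the three recommended alert rules behave against data, here is an added Python example (not part of the page or the ASCEND product) that evaluates each rule over a constructed batch of events laid out with the flattened CIM fields used above (action, src, src_user, risk_score). The batch passed in stands for the evaluation window, which the rules on the page leave unspecified.

```python
from collections import Counter

# Constructed sample batch: eleven high-risk submissions, one low-risk submission,
# one kill-switch event, six auth failures for one user and two for another.
SAMPLE_EVENTS = (
    [{"action": "action.submitted", "src": f"agent-{i:03d}", "src_user": "trading-bot",
      "risk_score": 85} for i in range(11)]
    + [{"action": "action.submitted", "src": "agent-100", "src_user": "ops-bot", "risk_score": 40},
       {"action": "agent.killed", "src": "agent-001", "src_user": "trading-bot", "risk_score": 100}]
    + [{"action": "auth.failure", "src": "10.0.0.5", "src_user": "alice", "risk_score": 0}] * 6
    + [{"action": "auth.failure", "src": "10.0.0.6", "src_user": "bob", "risk_score": 0}] * 2
)

def high_risk_spike(events, min_score=80, min_count=10):
    """Rule 1: risk_score>=80 | stats count | where count>10 (one alert per window)."""
    n = sum(1 for e in events if e["risk_score"] >= min_score)
    return ({"name": "High-Risk Action Spike", "severity": "high", "action": "pagerduty",
             "count": n} if n > min_count else None)

def kill_switch(events):
    """Rule 2: action=agent.killed; every match fires, one alert per affected agent."""
    agents = sorted({e["src"] for e in events if e["action"] == "agent.killed"})
    return [{"name": "Kill-Switch Activated", "severity": "critical", "action": "immediate",
             "src": a} for a in agents]

def auth_anomaly(events, min_failures=5):
    """Rule 3: auth.failure | stats count by src_user | where count>5."""
    by_user = Counter(e["src_user"] for e in events if e["action"] == "auth.failure")
    return [{"name": "Authentication Anomaly", "severity": "medium", "action": "email",
             "src_user": u, "count": c} for u, c in sorted(by_user.items()) if c > min_failures]

def evaluate_alerts(events):
    """Run all three rules over one window and return the alerts that fired."""
    spike = high_risk_spike(events)
    return ([spike] if spike else []) + kill_switch(events) + auth_anomaly(events)
```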
## Troubleshooting

### Verify Connection

```bash
# Test SIEM connectivity
curl "https://pilot.owkai.app/api/siem/test" \
  -H "Authorization: Bearer <admin_jwt>"
```
### Common Issues
| Issue | Cause | Solution |
|---|---|---|
| Events not appearing | HEC token expired | Rotate token |
| SSL errors | Certificate mismatch | Verify CA bundle |
| Rate limiting | Too many events | Batch events |
| Missing fields | Format mismatch | Check CIM mapping |
## Next Steps
- ServiceNow - ITSM integration
- System Diagnostics - Health monitoring
- Webhooks - Custom integrations