SIEM Integration
| Field | Value |
|---|---|
| Document ID | ASCEND-ENT-006 |
| Version | 1.0.0 |
| Last Updated | December 19, 2025 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 10 minutes | Skill Level: Advanced
Overview
ASCEND integrates with enterprise SIEM platforms to provide centralized security monitoring. Export security events in Splunk CIM, Datadog metrics, or custom formats for real-time visibility into AI governance.
Supported SIEM Platforms
| Platform | Format | Features |
|---|---|---|
| Splunk | CIM (Common Information Model) | Full event taxonomy |
| Datadog | Metrics + Logs | Custom dashboards |
| Wiz | JSON | Cloud security |
| Generic | Syslog/JSON | Any SIEM |
Architecture
```
+---------------------------------------------------------------------------+
|                           SIEM INTEGRATION FLOW                           |
+---------------------------------------------------------------------------+
|                                                                           |
|  ASCEND PLATFORM                                                          |
|  +-------------------------------------------------------------------+    |
|  |  Events Generated:                                                |    |
|  |   - Action submissions      - Policy changes                      |    |
|  |   - Approvals/denials       - Security alerts                     |    |
|  |   - Agent registrations     - Anomaly detections                  |    |
|  |   - Authentication events   - Configuration changes               |    |
|  +-------------------------------------------------------------------+    |
|                                   |                                       |
|                                   v                                       |
|  +-------------------------------------------------------------------+    |
|  |  EVENT TRANSFORMATION                                             |    |
|  |  Format Selection:                                                |    |
|  |   - Splunk CIM -> src, dest, action, status, severity             |    |
|  |   - Datadog    -> metrics.* + logs with tags                      |    |
|  |   - JSON       -> Raw structured events                           |    |
|  +-------------------------------------------------------------------+    |
|                                   |                                       |
|                                   v                                       |
|  +-------------------+  +-------------------+  +-------------------+      |
|  |      SPLUNK       |  |      DATADOG      |  |      CUSTOM       |      |
|  |   HEC Endpoint    |  |   API Endpoint    |  |      Webhook      |      |
|  |  Index: ascend_*  |  |Tags: env, service |  |     Your SIEM     |      |
|  +-------------------+  +-------------------+  +-------------------+      |
|                                                                           |
+---------------------------------------------------------------------------+
```
Splunk Integration
Configure HEC (HTTP Event Collector)
```bash
# Enable Splunk SIEM integration
curl -X POST "https://pilot.owkai.app/api/siem/configure" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "splunk",
    "hec_url": "https://splunk.company.com:8088/services/collector",
    "hec_token": "your-hec-token",
    "index": "ascend_security",
    "source": "ascend:governance",
    "sourcetype": "_json",
    "ssl_verify": true
  }'
```
Splunk CIM Event Format
```json
{
  "time": 1702656000,
  "host": "ascend-api",
  "source": "ascend:governance",
  "sourcetype": "ascend:action",
  "index": "ascend_security",
  "event": {
    "action": "action.submitted",
    "src": "agent-001",
    "src_user": "trading-bot",
    "dest": "trade_executor",
    "dest_port": null,
    "status": "pending_approval",
    "severity": "medium",
    "risk_score": 65,
    "category": "AI Governance",
    "vendor_product": "ASCEND",
    "signature": "High-risk action submitted",
    "user": "system@company.com",
    "organization_id": 1,
    "correlation_id": "act_abc123"
  }
}
```
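The following is an added example, not ASCEND product or SDK code, showing how a forwarder would produce records in the CIM shape above and batch them into a single HEC request. The pre-transformation event shape (`SAMPLE_EVENTS`), the `severity_from_risk` thresholds and the `signature` wording are assumptions; the page itself only fixes `risk_score` 65 as `medium` and treats `>= 70` as high-risk in its searches.

```python
"""Map ASCEND governance events onto the Splunk CIM shape above and batch
them for HEC. Added example; event shape and thresholds are assumptions."""
import json
import urllib.request

# Constructed sample events in an assumed pre-transformation shape.
SAMPLE_EVENTS = [
    {"type": "action.submitted", "agent_id": "agent-001", "agent_name": "trading-bot",
     "target": "trade_executor", "status": "pending_approval", "risk_score": 65,
     "actor": "system@company.com", "organization_id": 1,
     "correlation_id": "act_abc123", "ts": 1702656000},
    {"type": "action.denied", "agent_id": "agent-002", "agent_name": "report-bot",
     "target": "pdf_renderer", "status": "denied", "risk_score": 82,
     "actor": "policy-engine", "organization_id": 1,
     "correlation_id": "act_def456", "ts": 1702656060},
]


def severity_from_risk(score):
    """Assumed thresholds: the page fixes 65 -> medium and searches >= 70 as high-risk."""
    if score >= 90:
        return "critical"
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def to_cim_event(ev, index="ascend_security", host="ascend-api"):
    """Return one HEC-ready record: metadata envelope plus CIM-named fields."""
    # sourcetype follows the event family: action.* -> ascend:action, auth.* -> ascend:auth
    sourcetype = "ascend:" + ev["type"].split(".", 1)[0]
    return {
        "time": ev["ts"],
        "host": host,
        "source": "ascend:governance",
        "sourcetype": sourcetype,
        "index": index,
        "event": {
            "action": ev["type"],
            "src": ev["agent_id"],
            "src_user": ev["agent_name"],
            "dest": ev["target"],
            "dest_port": None,
            "status": ev["status"],
            "severity": severity_from_risk(ev["risk_score"]),
            "risk_score": ev["risk_score"],
            "category": "AI Governance",
            "vendor_product": "ASCEND",
            "signature": f"{ev['type']} by {ev['agent_name']} ({ev['status']})",
            "user": ev["actor"],
            "organization_id": ev["organization_id"],
            "correlation_id": ev["correlation_id"],
        },
    }


def build_hec_batch(events, index="ascend_security"):
    """HEC accepts several JSON objects in one request body, one per line.
    One request per flush instead of one per event is the 'Batch events'
    remedy listed under Troubleshooting for rate limiting."""
    return "\n".join(json.dumps(to_cim_event(e, index)) for e in events)


def post_to_hec(hec_url, hec_token, body, timeout=10):
    """POST one batch. HEC expects 'Authorization: Splunk <token>'.
    Not called below because it needs a live collector; urllib verifies TLS by default."""
    req = urllib.request.Request(
        hec_url,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {hec_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(build_hec_batch(SAMPLE_EVENTS))
```

Keeping `severity` derived from `risk_score` in one place means the searches below (`risk_score>=70`) and the human-readable severity stay consistent across every record the forwarder emits.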
Splunk Search Examples
```
# High-risk actions in last 24 hours
index=ascend_security sourcetype=ascend:action risk_score>=70
| stats count by src, action, severity
| sort -count

# Denied actions by agent
index=ascend_security sourcetype=ascend:action status=denied
| timechart span=1h count by src

# Security anomalies
index=ascend_security sourcetype=ascend:security category="Anomaly"
| table _time, src_user, signature, severity, risk_score
```
Datadog Integration
Configure Datadog API
```bash
# Enable Datadog integration
curl -X POST "https://pilot.owkai.app/api/siem/configure" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "datadog",
    "api_key": "your-datadog-api-key",
    "app_key": "your-datadog-app-key",
    "site": "datadoghq.com",
    "service": "ascend-governance",
    "env": "production",
    "tags": ["team:security", "compliance:soc2"]
  }'
```
Datadog Metrics Format
```
# Metrics sent to Datadog
[
  {
    "metric": "ascend.actions.submitted",
    "type": "count",
    "points": [[timestamp, 1]],
    "tags": [
      "agent:trading-bot",
      "risk_level:high",
      "status:pending_approval",
      "env:production"
    ]
  },
  {
    "metric": "ascend.actions.risk_score",
    "type": "gauge",
    "points": [[timestamp, 65]],
    "tags": [
      "agent:trading-bot",
      "action_type:trade_execution"
    ]
  }
]
```
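As an added example (not ASCEND product code), the block below turns action events into the two series shapes above, a count per action outcome and a `risk_score` gauge, collapses count series that share metric and tags into one point per flush interval, and computes locally the same approval rate the dashboard widget queries. The raw event shape, the `risk_level` buckets (chosen so that 65 lands in `high`, as in the page's tag sample) and the ten-second interval are assumptions; `post_series` targets Datadog's v1 `series` endpoint with the `DD-API-KEY` header and is not called here.

```python
"""ASCEND action events -> Datadog count/gauge series. Added example; the
event shape, risk_level buckets and flush interval are assumptions."""
import json
import urllib.request
from collections import defaultdict

# Constructed sample events in an assumed pre-transformation shape.
SAMPLE_EVENTS = [
    {"type": "action.submitted", "agent_name": "trading-bot", "action_type": "trade_execution",
     "status": "pending_approval", "risk_score": 65, "ts": 1702656000},
    {"type": "action.submitted", "agent_name": "trading-bot", "action_type": "trade_execution",
     "status": "pending_approval", "risk_score": 71, "ts": 1702656005},
    {"type": "action.approved", "agent_name": "trading-bot", "action_type": "trade_execution",
     "status": "approved", "risk_score": 65, "ts": 1702656010},
]


def risk_level(score):
    """Assumed buckets for the risk_level tag (the page tags a 65 as risk_level:high)."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def event_to_series(ev, env="production"):
    """One event -> a count series named after the outcome plus a risk_score gauge."""
    outcome = ev["type"].split(".", 1)[1]          # action.submitted -> submitted
    agent_tag = f"agent:{ev['agent_name']}"
    return [
        {"metric": f"ascend.actions.{outcome}", "type": "count",
         "points": [[ev["ts"], 1]],
         "tags": [agent_tag, f"risk_level:{risk_level(ev['risk_score'])}",
                  f"status:{ev['status']}", f"env:{env}"]},
        {"metric": "ascend.actions.risk_score", "type": "gauge",
         "points": [[ev["ts"], ev["risk_score"]]],
         "tags": [agent_tag, f"action_type:{ev['action_type']}"]},
    ]


def aggregate_counts(events, interval=10, env="production"):
    """Collapse count series sharing metric+tags inside one interval into a single
    point, so a busy agent yields a few series per flush rather than one per event."""
    buckets = defaultdict(int)
    for ev in events:
        for s in event_to_series(ev, env):
            if s["type"] != "count":
                continue
            ts = s["points"][0][0] - s["points"][0][0] % interval
            buckets[(s["metric"], tuple(s["tags"]), ts)] += 1
    return [{"metric": m, "type": "count", "points": [[ts, n]], "tags": list(tags)}
            for (m, tags, ts), n in sorted(buckets.items())]


def approval_rate(events):
    """Local equivalent of the approval_rate widget: approved / submitted * 100."""
    submitted = sum(1 for e in events if e["type"] == "action.submitted")
    approved = sum(1 for e in events if e["type"] == "action.approved")
    return 100.0 * approved / submitted if submitted else 0.0


def post_series(api_key, series, site="datadoghq.com", timeout=10):
    """Submit to the v1 series endpoint. Not called here: needs a live API key."""
    req = urllib.request.Request(
        f"https://api.{site}/api/v1/series",
        data=json.dumps({"series": series}).encode("utf-8"),
        method="POST",
        headers={"DD-API-KEY": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(json.dumps({"series": aggregate_counts(SAMPLE_EVENTS)}, indent=2))
```

The gauge is deliberately left unaggregated: a gauge reports the last value, so averaging risk scores client-side would hide the individual high-risk submission the `risk_distribution` toplist is meant to surface.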
Datadog Dashboard Widgets
```python
# Recommended dashboard configuration
DASHBOARD_WIDGETS = {
    "action_volume": {
        "type": "timeseries",
        "query": "sum:ascend.actions.submitted{*}.as_count()"
    },
    "approval_rate": {
        "type": "query_value",
        "query": "sum:ascend.actions.approved{*}/sum:ascend.actions.submitted{*}*100"
    },
    "risk_distribution": {
        "type": "toplist",
        "query": "sum:ascend.actions.risk_score{*} by {agent}"
    },
    "pending_approvals": {
        "type": "query_value",
        "query": "sum:ascend.actions.pending{*}"
    }
}
```
Export Diagnostics to SIEM
Manual Export
```bash
# Export diagnostic data in Splunk CIM format
curl -X POST "https://pilot.owkai.app/api/diagnostics/export" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "splunk_cim",
    "start_date": "2025-12-01T00:00:00Z",
    "end_date": "2025-12-15T23:59:59Z",
    "include_details": true
  }'
```
Response:
```json
{
  "status": "success",
  "format": "splunk_cim",
  "records_exported": 1250,
  "data": [
    {
      "time": 1702656000,
      "correlation_id": "diag_1_20251215_103045_a1b2c3d4",
      "diagnostic_type": "full_diagnostic",
      "status": "success",
      "health_score": 98.5,
      "severity": "INFO",
      "src": "ascend-diagnostics",
      "action": "health_check",
      "category": "System Health"
    }
  ]
}
```
Datadog Metrics Export
```bash
# Export in Datadog metrics format
curl -X POST "https://pilot.owkai.app/api/diagnostics/export" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "datadog_metrics",
    "start_date": "2025-12-01T00:00:00Z",
    "end_date": "2025-12-15T23:59:59Z"
  }'
```
Event Types
Security Events
| Event Type | Severity | Description |
|---|---|---|
| auth.login | INFO | User login |
| auth.logout | INFO | User logout |
| auth.failure | WARNING | Authentication failure |
| auth.lockout | HIGH | Account locked |
| security.alert | HIGH | Security alert triggered |
| security.anomaly | MEDIUM | Anomaly detected |
Governance Events
| Event Type | Severity | Description |
|---|---|---|
| action.submitted | INFO | Action submitted |
| action.approved | INFO | Action approved |
| action.denied | MEDIUM | Action denied |
| action.executed | INFO | Action executed |
| policy.created | LOW | Policy created |
| policy.updated | LOW | Policy updated |
Agent Events
| Event Type | Severity | Description |
|---|---|---|
| agent.registered | INFO | Agent registered |
| agent.deactivated | MEDIUM | Agent deactivated |
| agent.killed | HIGH | Kill-switch activated |
Compliance Mapping
| Standard | Requirement | SIEM Support |
|---|---|---|
| SOC 2 CC7.2 | Incident response | Alert routing |
| SOC 2 CC7.3 | Anomaly monitoring | Real-time detection |
| PCI-DSS 10.2 | Event logging | Full audit trail |
| PCI-DSS 10.6 | Log review | Automated analysis |
| HIPAA 164.312(b) | Audit controls | Immutable logging |
| NIST AU-6 | Audit review | SIEM correlation |
Best Practices
1. Index Strategy
```python
# Recommended Splunk index structure
INDEXES = {
    "ascend_security": "Security events",
    "ascend_governance": "Governance decisions",
    "ascend_audit": "Audit trail",
    "ascend_diagnostics": "Health metrics"
}
```
2. Retention Configuration
```python
# SIEM retention by event type
RETENTION = {
    "security_events": "7 years",    # SOX compliance
    "governance_events": "6 years",  # HIPAA
    "diagnostic_events": "1 year"
}
```
3. Alert Rules
```python
# Recommended SIEM alerts
ALERT_RULES = [
    {
        "name": "High-Risk Action Spike",
        "query": "risk_score>=80 | stats count | where count>10",
        "severity": "high",
        "action": "pagerduty"
    },
    {
        "name": "Kill-Switch Activated",
        "query": "action=agent.killed",
        "severity": "critical",
        "action": "immediate"
    },
    {
        "name": "Authentication Anomaly",
        "query": "auth.failure | stats count by src_user | where count>5",
        "severity": "medium",
        "action": "email"
    }
]
```
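To check what these three rules actually fire on before committing them to a scheduled search, the added example below (not ASCEND product code) evaluates them in Python over a constructed window of CIM-shaped events: an ungrouped count threshold for the high-risk spike, a presence check for the kill-switch, and a per-`src_user` count for the authentication anomaly. The event shape, the one-hour evaluation window and the sample volumes are assumptions.

```python
"""Evaluate the recommended alert rules over a window of CIM-shaped events.
Added example; event shape and window length are assumptions."""
from collections import Counter

NOW = 1702656000          # constructed "current time"


def _mk(action, offset, **fields):
    """Build a constructed CIM-shaped event `offset` seconds before NOW."""
    base = {"time": NOW - offset, "action": action, "src": "agent-001",
            "src_user": "trading-bot", "risk_score": 10, "status": "executed"}
    base.update(fields)
    return base


# Constructed sample: 12 high-risk actions, one kill-switch, 6 failed logins for
# one user and 2 for another, plus a stale high-risk burst outside the window.
SAMPLE_EVENTS = (
    [_mk("action.submitted", 60 * i, risk_score=85) for i in range(12)]
    + [_mk("agent.killed", 30, src="agent-007", src_user="rogue-bot")]
    + [_mk("auth.failure", 10 * i, src_user="alice@company.com") for i in range(6)]
    + [_mk("auth.failure", 10 * i, src_user="bob@company.com") for i in range(2)]
    + [_mk("action.submitted", 7200 + 60 * i, risk_score=95) for i in range(20)]
)

# The page's queries expressed as predicates; "threshold" is the strict lower bound
# from each "where count>N" clause (0 for the kill-switch: any occurrence fires).
ALERT_RULES = [
    {"name": "High-Risk Action Spike",
     "match": lambda e: e["risk_score"] >= 80, "threshold": 10,
     "severity": "high", "action": "pagerduty"},
    {"name": "Kill-Switch Activated",
     "match": lambda e: e["action"] == "agent.killed", "threshold": 0,
     "severity": "critical", "action": "immediate"},
    {"name": "Authentication Anomaly",
     "match": lambda e: e["action"] == "auth.failure", "group_by": "src_user",
     "threshold": 5, "severity": "medium", "action": "email"},
]


def evaluate_rules(events, rules, now=NOW, window=3600):
    """Apply each rule to events with time in (now - window, now]; return fired alerts."""
    in_window = [e for e in events if now - window < e["time"] <= now]
    alerts = []
    for rule in rules:
        matched = [e for e in in_window if rule["match"](e)]
        if "group_by" in rule:
            groups = Counter(e[rule["group_by"]] for e in matched)   # stats count by <field>
        else:
            groups = {"*": len(matched)}                             # stats count
        for key, count in groups.items():
            if count > rule["threshold"]:
                alerts.append({"rule": rule["name"], "severity": rule["severity"],
                               "action": rule["action"], "group": key, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rules(SAMPLE_EVENTS, ALERT_RULES):
        print(alert)
```

Narrowing the window (for example `window=60`) shows why the window matters: the spike rule stops firing because only one high-risk action falls inside it, while the kill-switch and the six failed logins for one user still do.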
Troubleshooting
Verify Connection
```bash
# Test SIEM connectivity
curl "https://pilot.owkai.app/api/siem/test" \
  -H "Authorization: Bearer <admin_jwt>"
```
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| Events not appearing | HEC token expired | Rotate token |
| SSL errors | Certificate mismatch | Verify CA bundle |
| Rate limiting | Too many events | Batch events |
| Missing fields | Format mismatch | Check CIM mapping |
Next Steps
- ServiceNow - ITSM integration
- System Diagnostics - Health monitoring
- Webhooks - Custom integrations
Document Version: 1.0.0 | Last Updated: December 2025