
SIEM Export

Forward AKIOS Pro evidence events to your SIEM for centralized monitoring, alerting, and correlation with existing security signals.

Overview

AKIOS Pro continuously forwards evidence events to your SIEM. Every trace, finding, review action, and retention event is structured for ingestion into Splunk, Microsoft Sentinel, or any syslog-compatible platform.

What gets forwarded

Session traces (LLM calls, tool invocations), policy findings (PII, violations, anomalies), review decisions (approvals, escalations, rejections), and system events (retention, export, configuration changes).

Splunk

AKIOS Pro forwards structured JSON events to Splunk HTTP Event Collector (HEC). Each event includes session context, finding metadata, and control mappings.

```bash
# Configure Splunk HEC forwarder
docker exec akios-pro akios siem add splunk \
  --url https://splunk.example.com:8088 \
  --token your-hec-token \
  --index akios-evidence

# Verify forwarding
docker exec akios-pro akios siem status
# Forwarding: active
# Last event: 2s ago
# Event count: 1,247
```

Event schema

```json
{
  "event_type": "trace.completed",
  "session_id": "sess_8f7d3a1e",
  "agent": "customer-support-v2",
  "framework": "langchain",
  "model": "gpt-4o",
  "tool_calls": 3,
  "tokens_total": 1247,
  "latency_ms": 3400,
  "policy_evaluations": 4,
  "findings": [
    {
      "type": "pii_detected",
      "severity": "high",
      "pattern": "credit_card",
      "confidence": 0.97
    }
  ],
  "timestamp": "2026-05-04T14:23:11Z"
}
```

Microsoft Sentinel

Forward AKIOS Pro evidence to Microsoft Sentinel via the Log Analytics API or a syslog forwarder.

```bash
# Configure Sentinel forwarding (Log Analytics)
docker exec akios-pro akios siem add sentinel \
  --workspace-id your-workspace \
  --primary-key your-key \
  --table AKIOS_Evidence_CL

# Configure syslog-based forwarding
docker exec akios-pro akios siem add syslog \
  --endpoint sentinel-syslog.internal \
  --port 514 \
  --protocol tcp
```

Generic Syslog

AKIOS Pro supports RFC 5424 syslog forwarding to any syslog-compatible platform.

```bash
# Configure syslog forwarding
docker exec akios-pro akios siem add syslog \
  --endpoint siem.internal \
  --port 514 \
  --protocol tcp \
  --format rfc5424

# Test the connection
docker exec akios-pro akios siem test
```
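What the RFC 5424 wire format looks like for one of these events, as an added example written for this page (not AKIOS Pro's own forwarder code): it takes the event from the schema section, computes PRI from an assumed facility and severity mapping, escapes the structured-data parameters as section 6.3.3 of the RFC requires, carries the JSON event as MSG, and applies RFC 6587 octet-counting framing for the TCP transport selected with `--protocol tcp`. The hostname, APP-NAME, the SD-ID (which uses the enterprise number IANA reserves for documentation) and the severity mapping are assumptions.

```python
"""Render an AKIOS-style evidence event as an RFC 5424 syslog message.

Added example, not AKIOS Pro's forwarder. Hostname, APP-NAME, the SD-ID and
the facility/severity mapping are assumptions made for illustration.
"""
import json

FACILITY_LOCAL0 = 16
# Assumed mapping from a finding's severity to the syslog severity numeral.
SEVERITY_BY_FINDING = {"critical": 2, "high": 4, "medium": 5, "low": 6}
INFORMATIONAL = 6
# 32473 is the enterprise number IANA reserves for documentation (RFC 5612).
SD_ID = "akios@32473"
SD_PARAMS = ("session_id", "agent", "framework", "model")

SAMPLE_EVENT = {  # the event from the schema section, constructed here as input
    "event_type": "trace.completed", "session_id": "sess_8f7d3a1e",
    "agent": "customer-support-v2", "framework": "langchain", "model": "gpt-4o",
    "tool_calls": 3, "tokens_total": 1247, "latency_ms": 3400, "policy_evaluations": 4,
    "findings": [{"type": "pii_detected", "severity": "high",
                  "pattern": "credit_card", "confidence": 0.97}],
    "timestamp": "2026-05-04T14:23:11Z",
}


def sd_escape(value):
    """RFC 5424 section 6.3.3: escape backslash, double quote and ']' in PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def syslog_severity(event):
    """The most severe finding decides the severity; informational if there is none."""
    sevs = [SEVERITY_BY_FINDING.get(f.get("severity"), INFORMATIONAL)
            for f in event.get("findings", [])]
    return min(sevs, default=INFORMATIONAL)


def rfc5424_line(event, hostname="akios-pro", app_name="akios", procid="-"):
    """HEADER (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID),
    one SD-ELEMENT carrying the session context, then the full event as MSG."""
    pri = FACILITY_LOCAL0 * 8 + syslog_severity(event)
    params = " ".join(f'{k}="{sd_escape(event[k])}"' for k in SD_PARAMS if k in event)
    structured_data = f"[{SD_ID} {params}]"
    msg = json.dumps(event, separators=(",", ":"), sort_keys=True)
    return (f"<{pri}>1 {event['timestamp']} {hostname} {app_name} {procid} "
            f"{event['event_type']} {structured_data} {msg}")


def tcp_frame(line):
    """RFC 6587 octet-counting framing for the TCP transport: '<octet count> <msg>'."""
    return f"{len(line.encode('utf-8'))} {line}"
```

Keeping the session identifiers in structured data lets a syslog receiver index them without parsing the JSON body, while the complete event in MSG preserves everything the Splunk schema carries. The octet count is computed over UTF-8 bytes, not characters, which matters once agent names or findings contain non-ASCII text.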

Alerting Rules

Configure AKIOS Pro to alert on specific evidence patterns. Alerts can trigger SIEM events, webhook notifications, or escalation workflows.

| Rule | Severity | Trigger |
|---|---|---|
| PII exposure | HIGH | Alert when PII confidence exceeds 0.95 or when sensitive categories (SSN, credit card, health data) are detected in agent prompts or outputs. |
| Policy violation | HIGH | Alert when an agent action is blocked by policy. Repeated violations from the same agent or session trigger escalation. |
| Cost anomaly | MEDIUM | Alert per agent or per session when token spend exceeds the configured threshold. Helps detect runaway agents or cost spikes. |
| Missing review | HIGH | Alert when a high-risk action requiring human approval has not been reviewed within the configured SLA window. |
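The four rules above, as an added example that is not part of this page or of AKIOS Pro: a small stateful evaluator in Python that consumes events in the schema documented under Splunk and raises alerts for PII exposure, policy violations (with escalation on repeats from the same agent), cost anomalies, and reviews that miss their SLA. The event types `policy.blocked` and `review.*`, the `action_id` field, and every threshold other than the 0.95 PII confidence are assumptions; the sample event stream is constructed.

```python
"""Evaluate the page's four alerting rules against AKIOS-style evidence events.

Added example, not AKIOS Pro code. Event types other than "trace.completed", the
"action_id" field and all thresholds except the 0.95 PII confidence are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SENSITIVE_PATTERNS = {"ssn", "credit_card", "health_data"}  # categories named by the PII rule
PII_CONFIDENCE_THRESHOLD = 0.95                               # from the PII rule
ESCALATE_AFTER_VIOLATIONS = 3        # assumed: third block from one agent escalates
TOKEN_BUDGET_PER_SESSION = 50_000    # assumed per-session spend threshold
REVIEW_SLA = timedelta(hours=4)      # assumed SLA window for human review


def parse_ts(value):
    """Parse the schema's RFC 3339 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AlertEngine:
    """Stateful evaluator: keeps per-agent, per-session and per-action counters."""

    def __init__(self, now):
        self.now = now
        self.blocked = defaultdict(int)    # agent -> blocked-action count
        self.tokens = defaultdict(int)     # session_id -> cumulative tokens
        self.pending = {}                  # action_id -> time review was requested

    def evaluate(self, event):
        """Return (rule, severity, detail) tuples raised by one event."""
        alerts = []
        etype, sid, agent = event["event_type"], event.get("session_id"), event.get("agent")

        # PII exposure: high-confidence finding or a sensitive category.
        for f in event.get("findings", []):
            if f.get("type") == "pii_detected" and (
                f.get("confidence", 0) > PII_CONFIDENCE_THRESHOLD
                or f.get("pattern") in SENSITIVE_PATTERNS
            ):
                alerts.append(("pii_exposure", "HIGH", f"{f['pattern']} in {sid}"))

        # Policy violation: every blocked action alerts; repeats escalate.
        if etype == "policy.blocked":
            self.blocked[agent] += 1
            n = self.blocked[agent]
            sev = "ESCALATE" if n >= ESCALATE_AFTER_VIOLATIONS else "HIGH"
            alerts.append(("policy_violation", sev, f"{agent} blocked {n}x"))

        # Cost anomaly: fires once, when cumulative session spend crosses the budget.
        if etype == "trace.completed":
            before = self.tokens[sid]
            self.tokens[sid] += event.get("tokens_total", 0)
            if before <= TOKEN_BUDGET_PER_SESSION < self.tokens[sid]:
                alerts.append(("cost_anomaly", "MEDIUM", f"{sid} at {self.tokens[sid]} tokens"))

        # Missing review: remember requests, forget them once a decision lands.
        if etype == "review.requested":
            self.pending[event["action_id"]] = parse_ts(event["timestamp"])
        elif etype in ("review.approved", "review.rejected", "review.escalated"):
            self.pending.pop(event.get("action_id"), None)
        return alerts

    def overdue_reviews(self):
        """Pending high-risk actions older than the SLA window."""
        return [("missing_review", "HIGH", aid)
                for aid, t in self.pending.items() if self.now - t > REVIEW_SLA]


def blocked(ts):  # constructed helper for the sample stream
    return {"event_type": "policy.blocked", "session_id": "sess_1",
            "agent": "support-v2", "timestamp": ts}


SAMPLE_EVENTS = [  # constructed sample input in the documented schema
    {"event_type": "trace.completed", "session_id": "sess_1", "agent": "support-v2",
     "tokens_total": 30_000, "timestamp": "2026-05-04T10:00:00Z",
     "findings": [{"type": "pii_detected", "severity": "high",
                   "pattern": "credit_card", "confidence": 0.97}]},
    {"event_type": "review.requested", "session_id": "sess_1", "agent": "support-v2",
     "action_id": "act_1", "timestamp": "2026-05-04T10:01:00Z"},
    blocked("2026-05-04T10:02:00Z"), blocked("2026-05-04T10:03:00Z"), blocked("2026-05-04T10:04:00Z"),
    {"event_type": "trace.completed", "session_id": "sess_1", "agent": "support-v2",
     "tokens_total": 25_000, "timestamp": "2026-05-04T10:05:00Z",
     "findings": [{"type": "pii_detected", "severity": "low",
                   "pattern": "email", "confidence": 0.60}]},
]


def run(events, now=datetime(2026, 5, 4, 15, 0, tzinfo=timezone.utc)):
    """Feed a stream of events through the engine and collect every alert."""
    engine = AlertEngine(now)
    alerts = [a for e in events for a in engine.evaluate(e)]
    return alerts + engine.overdue_reviews()
```

Running `run(SAMPLE_EVENTS)` yields six alerts: one PII exposure (credit card at 0.97), three policy violations of which the third escalates, one cost anomaly when the session crosses the budget on its second trace, and one missing review for `act_1`, which is still pending when the clock reads 15:00. The cost rule compares the cumulative total before and after each trace so a session alerts once on crossing the threshold rather than on every subsequent trace.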