SIEM Export
RADAR continuously forwards evidence events to your SIEM. Every trace, finding, review action, and retention event is structured for ingestion into Splunk or any syslog-compatible platform.
Splunk
RADAR forwards structured JSON events to Splunk HTTP Event Collector (HEC).
docker exec radar radar siem add splunk \
--url https://splunk.example.com:8088 \
--token your-hec-token \
--index radar-evidence
docker exec radar radar siem status
Generic syslog
RADAR can also forward events as RFC 5424 syslog to any syslog-compatible platform.
docker exec radar radar siem add syslog \
--endpoint siem.internal \
--port 514 --protocol tcp \
--format rfc5424
Alerting rules
Alert on specific evidence patterns to trigger SIEM events or escalation workflows.
- PII exposure (HIGH): Alert when confidence exceeds 0.95 or sensitive categories (SSN, credit card, health) are detected in agent prompts or outputs.
- Policy violation (HIGH): Alert when an agent action is blocked by policy. Repeated violations from the same agent or session trigger escalation.
- Cost anomaly (MEDIUM): Alert when per-agent or per-session token spend exceeds the configured threshold.
- Missing review (HIGH): Alert when a high-risk action requiring human approval is not reviewed within the configured SLA window.
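As an added illustration (not RADAR's own code), here are the four alerting rules above expressed as detection logic run over a constructed batch of JSON-style evidence events. The event field names, the repeat count that triggers escalation, the token budget and the SLA window are all assumptions, since this page does not document RADAR's event schema.

```python
# Constructed RADAR-style evidence events replayed through the page's four alert rules.
# Field names, thresholds and the event shape are assumptions, not RADAR's real schema.
from collections import Counter
from datetime import datetime, timedelta

SENSITIVE = {"ssn", "credit_card", "health"}
PII_CONFIDENCE = 0.95               # from the page's PII rule
REPEAT_BLOCKS = 3                   # assumed escalation threshold for repeated blocks
COST_THRESHOLD = 50_000             # assumed per-agent token budget
REVIEW_SLA = timedelta(minutes=30)  # assumed human-approval SLA window

def evaluate(events, now):
    """Return (rule, severity, subject) alerts for one batch of events."""
    alerts, blocks, spend, pending = [], Counter(), Counter(), {}
    for ev in events:
        kind = ev["type"]
        if kind == "finding" and (ev["confidence"] > PII_CONFIDENCE
                                  or ev["category"] in SENSITIVE):
            alerts.append(("pii_exposure", "HIGH", ev["agent"]))
        elif kind == "policy_block":            # action blocked by policy
            alerts.append(("policy_violation", "HIGH", ev["agent"]))
            blocks[(ev["agent"], ev["session"])] += 1
        elif kind == "trace":                   # accumulate token spend per agent
            spend[ev["agent"]] += ev["tokens"]
        elif kind == "review_required":         # high-risk action awaiting approval
            pending[ev["action_id"]] = ev["ts"]
        elif kind == "review_action":           # approval arrived, clear the pending entry
            pending.pop(ev["action_id"], None)
    alerts += [("policy_violation_escalation", "HIGH", k)
               for k, n in blocks.items() if n >= REPEAT_BLOCKS]
    alerts += [("cost_anomaly", "MEDIUM", a)
               for a, t in spend.items() if t > COST_THRESHOLD]
    alerts += [("missing_review", "HIGH", a)
               for a, ts in pending.items() if now - ts > REVIEW_SLA]
    return alerts

T0 = datetime(2024, 1, 1, 12, 0)
NOW = T0 + timedelta(hours=1)
SAMPLE_EVENTS = [  # constructed sample batch, not real RADAR output
    {"type": "finding", "agent": "agent-a", "category": "email", "confidence": 0.97},
    {"type": "finding", "agent": "agent-a", "category": "ssn", "confidence": 0.80},
    {"type": "finding", "agent": "agent-b", "category": "email", "confidence": 0.60},
    *[{"type": "policy_block", "agent": "agent-b", "session": "s1"}] * 3,  # repeated blocks
    {"type": "trace", "agent": "agent-b", "tokens": 40_000},
    {"type": "trace", "agent": "agent-b", "tokens": 20_000},
    {"type": "review_required", "action_id": "act-1", "ts": T0},   # never reviewed
    {"type": "review_required", "action_id": "act-2", "ts": T0},
    {"type": "review_action", "action_id": "act-2"},               # reviewed in time
]
```

Running `evaluate(SAMPLE_EVENTS, NOW)` yields two PII alerts, three policy-violation alerts plus one escalation for the repeated session, one cost anomaly, and one missing-review alert for `act-1` only.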