SIEM Export

RADAR continuously forwards evidence events to your SIEM. Every trace, finding, review action, and retention event is emitted as a structured record ready for ingestion into Splunk or any syslog-compatible platform.

Splunk

RADAR forwards structured JSON events to the Splunk HTTP Event Collector (HEC). The HEC token is a bearer credential: restrict it to the target index on the Splunk side, and treat the value you pass to --token as a secret (it will land in shell history if typed on the command line).

docker exec radar radar siem add splunk \
  --url https://splunk.example.com:8088 \
  --token your-hec-token \
  --index radar-evidence

docker exec radar radar siem status

Generic syslog

RADAR can also forward events as RFC 5424 syslog messages to any syslog-compatible platform. The example below sends plain TCP on port 514, which is unencrypted, so keep that path inside a trusted network segment or behind a transport the receiver protects.

docker exec radar radar siem add syslog \
  --endpoint siem.internal \
  --port 514 --protocol tcp \
  --format rfc5424
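What an RFC 5424 record of an evidence event looks like, and how a receiver parses it back, as an added example that is not RADAR's own code. The event field names (type, agent, session, summary, severity), the severity-to-syslog mapping, the facility and the SD-ID are all assumptions for illustration; the escaping rules for structured-data parameter values are the ones RFC 5424 section 6.3.3 specifies.

```python
import json
import re
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16                              # RFC 5424 s6.2.1: "local use 0"
SEVERITY = {"HIGH": 2, "MEDIUM": 4, "LOW": 6}     # assumed mapping: crit / warning / info
SD_PARAMS = ("type", "agent", "session", "summary")  # assumed event fields copied into SD


def _escape(value: str) -> str:
    # RFC 5424 s6.3.3: '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def format_rfc5424(event: dict, hostname: str = "radar", app: str = "radar",
                   sd_id: str = "radar@32473") -> str:
    """Serialise one event; 32473 is the enterprise number RFC 5424 reserves for examples."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY.get(event.get("severity", "LOW"), 6)
    ts = datetime.fromtimestamp(event["time"], tz=timezone.utc)
    timestamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    params = "".join(f' {k}="{_escape(str(event[k]))}"' for k in SD_PARAMS if k in event)
    sd = f"[{sd_id}{params}]"
    msg = json.dumps(event, separators=(",", ":"), sort_keys=True)
    # HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD, then MSG
    return f"<{pri}>1 {timestamp} {hostname} {app} - {event.get('type', '-')} {sd} {msg}"


HEADER = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_ELEMENT = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:[^"\\]|\\.)*)"')


def parse_rfc5424(line: str) -> dict:
    """Parse a line the way a receiver would: header fields, structured data, message."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group(1))
    out = {"facility": pri // 8, "severity": pri % 8, "version": int(m.group(2)),
           "timestamp": m.group(3), "hostname": m.group(4), "app": m.group(5),
           "procid": m.group(6), "msgid": m.group(7), "sd": {}, "msg": ""}
    pos = m.end()
    if line.startswith("-", pos):          # NILVALUE: no structured data
        pos += 1
    else:
        while True:
            e = SD_ELEMENT.match(line, pos)
            if not e:
                break
            out["sd"][e.group(1)] = {k: _unescape(v) for k, v in SD_PARAM.findall(e.group(2))}
            pos = e.end()
        if not out["sd"]:
            raise ValueError("malformed STRUCTURED-DATA")
    if pos < len(line):
        out["msg"] = line[pos + 1:]        # skip the single SP before MSG
    return out


# Constructed sample event (not real RADAR output); the summary deliberately
# contains '"' and ']' so the escaping round trip is exercised.
SAMPLE_EVENT = {
    "time": 1714564800, "severity": "HIGH", "type": "finding",
    "agent": "billing-bot", "session": "s-42",
    "summary": 'PII in prompt: "SSN" [redacted]',
}

if __name__ == "__main__":
    line = format_rfc5424(SAMPLE_EVENT)
    print(line)
    print(parse_rfc5424(line)["sd"])
```

The parser deliberately rejects a record whose structured-data section is neither the NILVALUE nor at least one well-formed element, since a receiver that silently falls through to treating such bytes as MSG will mis-index the event.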

Alerting rules

Alert on specific evidence patterns to trigger SIEM events or escalation workflows.

  • PII exposure — HIGH
    Alert when a PII finding has confidence above 0.95, or when a sensitive category (SSN, credit card, health) is detected in agent prompts or outputs.

  • Policy violation — HIGH
    Alert when an agent action is blocked by policy. Repeated violations from the same agent or session trigger escalation.

  • Cost anomaly — MEDIUM
    Alert when per-agent or per-session token spend exceeds the configured threshold.

  • Missing review — HIGH
    Alert when a high-risk action requiring human approval is not reviewed within the configured SLA window.
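The four rules above, implemented as detection logic over a stream of constructed events, as an added example that is not RADAR's rule engine. The event schema (type, category, categories, confidence, tokens, action_id), the escalation count of three violations, the 200,000-token budget and the four-hour SLA are all assumptions; the page only states that these thresholds are configurable. The example goes slightly beyond the text by showing that per-agent spend must be aggregated across sessions, and that a review which completes inside the SLA must be removed from the pending set before the SLA sweep runs.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds; RADAR's real values are configured, not fixed here.
THRESHOLDS = {
    "pii_confidence": 0.95,
    "sensitive_categories": {"ssn", "credit_card", "health"},
    "violation_escalation": 3,          # nth block from same agent+session escalates
    "token_budget": 200_000,
    "review_sla": timedelta(hours=4),
}


class AlertEngine:
    def __init__(self, cfg=THRESHOLDS):
        self.cfg = cfg
        self.violations = defaultdict(int)   # (agent, session) -> blocked-action count
        self.spend_agent = defaultdict(int)  # ("agent", name) -> cumulative tokens
        self.spend_session = defaultdict(int)
        self.budget_alerted = set()          # scopes already alerted, to avoid re-firing
        self.pending_reviews = {}            # action_id -> review_required event
        self.alerts = []

    def _emit(self, rule, severity, event, **extra):
        alert = {"rule": rule, "severity": severity, "agent": event.get("agent"),
                 "session": event.get("session"), **extra}
        self.alerts.append(alert)
        return alert

    def ingest(self, ev):
        t = ev["type"]
        if t == "finding" and ev.get("category") == "pii":
            # Rule 1: confidence above threshold OR any sensitive category present
            sensitive = self.cfg["sensitive_categories"] & set(ev.get("categories", []))
            if ev.get("confidence", 0) > self.cfg["pii_confidence"] or sensitive:
                self._emit("PII exposure", "HIGH", ev, categories=sorted(sensitive))
        elif t == "policy_block":
            # Rule 2: every block alerts; repeated blocks from same agent+session escalate
            key = (ev["agent"], ev["session"])
            self.violations[key] += 1
            self._emit("Policy violation", "HIGH", ev,
                       escalate=self.violations[key] >= self.cfg["violation_escalation"])
        elif t == "usage":
            # Rule 3: cumulative spend per agent and per session, alert once per scope
            for scope, book in (("agent", self.spend_agent), ("session", self.spend_session)):
                key = (scope, ev[scope])
                book[key] += ev["tokens"]
                if book[key] > self.cfg["token_budget"] and key not in self.budget_alerted:
                    self.budget_alerted.add(key)
                    self._emit("Cost anomaly", "MEDIUM", ev, scope=scope, spend=book[key])
        elif t == "review_required":
            self.pending_reviews[ev["action_id"]] = ev
        elif t == "review_completed":
            self.pending_reviews.pop(ev["action_id"], None)

    def check_sla(self, now):
        # Rule 4: run periodically; anything still pending past the SLA alerts once
        for action_id, ev in list(self.pending_reviews.items()):
            if now - ev["time"] > self.cfg["review_sla"]:
                self._emit("Missing review", "HIGH", ev, action_id=action_id)
                del self.pending_reviews[action_id]


# Constructed sample stream (not real RADAR output).
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"type": "finding", "category": "pii", "confidence": 0.97, "categories": ["email"],
     "agent": "support-bot", "session": "s-1", "time": T0},
    {"type": "finding", "category": "pii", "confidence": 0.62, "categories": ["ssn"],
     "agent": "support-bot", "session": "s-1", "time": T0},
    {"type": "finding", "category": "pii", "confidence": 0.40, "categories": ["email"],
     "agent": "support-bot", "session": "s-1", "time": T0},
    {"type": "policy_block", "policy": "no-shell", "agent": "ops-bot", "session": "s-7", "time": T0},
    {"type": "policy_block", "policy": "no-shell", "agent": "ops-bot", "session": "s-7", "time": T0},
    {"type": "policy_block", "policy": "no-shell", "agent": "ops-bot", "session": "s-7", "time": T0},
    {"type": "usage", "tokens": 120_000, "agent": "research-bot", "session": "s-2", "time": T0},
    {"type": "usage", "tokens": 120_000, "agent": "research-bot", "session": "s-3", "time": T0},
    {"type": "review_required", "action_id": "act-1", "agent": "ops-bot", "session": "s-7", "time": T0},
    {"type": "review_required", "action_id": "act-2", "agent": "ops-bot", "session": "s-8", "time": T0},
    {"type": "review_completed", "action_id": "act-2", "agent": "ops-bot", "session": "s-8",
     "time": T0 + timedelta(hours=1)},
]


def run_sample(now=T0 + timedelta(hours=5)):
    engine = AlertEngine()
    for ev in SAMPLE_EVENTS:
        engine.ingest(ev)
    engine.check_sla(now)
    return engine.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The third finding (confidence 0.40, category email) produces nothing, the second fires on the SSN category alone despite low confidence, and research-bot crosses the agent budget only when both sessions are summed, which is why per-session tracking alone would miss it.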
