SIEM integration

Every governance decision and every shadow-AI discovery event Kirtonic emits can be streamed in real time to your security operations stack. Four destination shapes are supported out of the box, and a generic HTTPS sink covers everything else.

Supported destinations

Splunk

splunk_hec

HTTP Event Collector (HEC). Bearer-token auth. JSON payload wrapped in Splunk's standard event envelope. Compatible with Splunk Cloud and self-hosted Splunk Enterprise.

POST https://splunk.example.com:8088/services/collector
Authorization: Splunk <hec-token>
Content-Type: application/json

{
  "time":       1717160000,
  "host":       "kirtonic.io",
  "source":     "kirtonic",
  "sourcetype": "kirtonic:decision.rejected",
  "event":      { /* canonical JSON, see Wire formats below */ }
}

Microsoft Sentinel

sentinel

Log Analytics Data Collector API. HMAC-SHA256-signed request with shared key. Custom log table name configurable (default: KirtonicEvents).

POST https://{workspace-id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
Authorization: SharedKey <workspace-id>:<base64(hmac-sha256(string-to-sign, shared_key))>
Log-Type: KirtonicEvents
x-ms-date: Sun, 01 Jun 2026 10:13:20 GMT
time-generated-field: timestamp
Content-Type: application/json

[ { /* canonical JSON */ } ]

Elastic

elastic_http

HTTP ingest endpoint. API-key or basic-auth supported. Document shape suitable for direct indexing into any Elastic / OpenSearch cluster.

POST https://es.example.com/kirtonic/_doc
Authorization: ApiKey <base64-of-id:api_key>
Content-Type: application/json

{ /* canonical JSON */ }

Generic HTTPS (CEF / LEEF / JSON)

generic_https

For any other SIEM, syslog receiver, or log pipeline that accepts HTTPS POST. Choose the wire format the receiver expects: CEF (ArcSight / QRadar / generic syslog), LEEF (QRadar), or JSON. Optional custom auth header.

POST https://siem.example.com/intake
X-Auth: <your-header-value>
X-Kirtonic-Event: decision.rejected
X-Kirtonic-Digest: <sha256(workspace_id:event_id:body)>
Content-Type: application/json   # or text/plain for CEF / LEEF

{ /* canonical JSON, OR a single CEF / LEEF line */ }

Event types

Each destination can subscribe to all events (the default) or any subset of the following:

Event type                   Fires when
decision.created             A reviewer-queue entry was created (medium-severity, awaiting review).
decision.approved            A reviewer approved a borderline decision.
decision.rejected            A reviewer rejected a borderline decision.
decision.executed            An approved decision was marked executed downstream.
decision.auto_approved       A low-severity prompt was auto-approved without human review.
discovery.tool_discovered    A previously unseen AI tool was reported by an extension installation.
discovery.tool_growing       An existing tool's active-user count grew by ≥ 30% in the latest report window.

Wire formats

CEF (Common Event Format)

Used by ArcSight, QRadar, Splunk, and most generic syslog SIEMs. The header is pipe-delimited; the extension is a space-separated list of key=value pairs.

CEF:0|Kirtonic|AIFirewall|1.0|decision.rejected|Decision rejected|9|rt=1717160000000 externalId=evt_abc cs1Label=workspace_id cs1=ws_123 enforcement=block category=pii risk_band=high

LEEF 2.0 (Log Event Extended Format)

Used by QRadar. Tab-delimited extension; ISO-8601 timestamps.

LEEF:2.0|Kirtonic|AIFirewall|1.0|decision.rejected|^|devTime=2026-06-01T10:13:20.000Z	devTimeFormat=ISO8601	externalId=evt_abc	workspaceId=ws_123	sev=9	enforcement=block	category=pii	risk_band=high
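As an added example (not Kirtonic's own code), a small Python parser that turns either of the two sample lines above into the same field dictionary, as a receiving pipeline would before indexing. It splits headers on unescaped pipes and, for LEEF, honours the declared extension delimiter, falling back to tab when the declared character never occurs (the sample line declares `^` but is tab-delimited, as the prose says); the sample lines are copied from this page.

```python
import re

# The page's two sample lines, embedded as test input; the LEEF extension's
# tab characters are written as \t escapes.
CEF_SAMPLE = ("CEF:0|Kirtonic|AIFirewall|1.0|decision.rejected|Decision rejected|9|"
              "rt=1717160000000 externalId=evt_abc cs1Label=workspace_id cs1=ws_123 "
              "enforcement=block category=pii risk_band=high")
LEEF_SAMPLE = ("LEEF:2.0|Kirtonic|AIFirewall|1.0|decision.rejected|^|"
               "devTime=2026-06-01T10:13:20.000Z\tdevTimeFormat=ISO8601\texternalId=evt_abc"
               "\tworkspaceId=ws_123\tsev=9\tenforcement=block\tcategory=pii\trisk_band=high")

CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

def _split_header(line, n):
    # Split on unescaped '|' only: both formats escape a literal pipe as '\|'.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=n)
    if len(parts) != n + 1:
        raise ValueError("malformed header: expected %d pipe-delimited fields" % n)
    return [p.replace("\\|", "|") for p in parts]

def parse_cef(line):
    """Header fields plus an 'ext' dict for one CEF line."""
    parts = _split_header(line, 7)
    rec = dict(zip(CEF_HEADER, parts[:7]))
    rec["cef_version"] = rec["cef_version"].removeprefix("CEF:")
    # Extension values may contain spaces, so a value runs until the next
    # whitespace-preceded 'key=' token or the end of the line.
    rec["ext"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    # Resolve CEF custom-string labels: cs1Label=workspace_id cs1=ws_123 -> workspace_id=ws_123.
    for key, label in list(rec["ext"].items()):
        if key.endswith("Label") and key[:-5] in rec["ext"]:
            rec["ext"][label] = rec["ext"][key[:-5]]
    return rec

def parse_leef(line):
    """Header fields plus an 'ext' dict for one LEEF 2.0 line."""
    parts = _split_header(line, 6)
    rec = dict(zip(("leef_version", "vendor", "product", "version", "event_id"), parts[:5]))
    rec["leef_version"] = rec["leef_version"].removeprefix("LEEF:")
    # Field 6 declares the extension delimiter ('^', or 'x09' / empty for tab).
    delim = {"": "\t", "x09": "\t"}.get(parts[5], parts[5])
    ext = parts[6]
    # The sample above declares '^' yet is tab-delimited, as the prose says; when the
    # declared character never occurs, assume tab (lenient-parsing assumption).
    if delim not in ext and "\t" in ext:
        delim = "\t"
    rec["ext"] = dict(kv.split("=", 1) for kv in ext.split(delim) if "=" in kv)
    return rec
```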

JSON (canonical)

Same shape Splunk, Sentinel, and Elastic receive. Generic HTTPS can opt into this format.

{
  "event_id":     "evt_abc",
  "event_type":   "decision.rejected",
  "workspace_id": "ws_123",
  "timestamp":    "2026-06-01T10:13:20.000Z",
  "severity":     9,
  "name":         "Decision rejected: PII high-severity",
  "vendor":       "Kirtonic",
  "product":      "AIFirewall",
  "version":      "1.0",
  "enforcement":  "block",
  "category":     "pii",
  "risk_band":    "high"
}

Security posture

  • Credentials are encrypted at rest with AES-256-GCM using a Kirtonic-side key. Cleartext credentials never sit on the destination row.
  • Generic HTTPS destinations carry an X-Kirtonic-Digest header containing SHA-256 of workspace_id:event_id:body. Receivers in possession of the workspace id can recompute and verify origin.
  • Failed deliveries are recorded with the receiver's HTTP status and error message. After ten consecutive failures, the destination is automatically paused until an admin re-enables it.
  • The dispatcher times out individual deliveries at ten seconds. A misbehaving receiver cannot back-pressure the rest of the platform.
  • The dispatcher and the existing webhook delivery path are independent. A SIEM outage never affects webhooks, and vice versa.
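As an added example (not Kirtonic's code), receiver-side verification of the X-Kirtonic-Digest header described above and under Generic HTTPS, for both the canonical JSON envelope and a CEF line. It assumes the digest is hex-encoded and computed over the body bytes exactly as received, and that the id hashed is `event_id` in JSON or `externalId` in CEF/LEEF; the sample deliveries are constructed.

```python
import hashlib
import hmac
import json
import re

def expected_digest(workspace_id, event_id, body):
    """SHA-256 over 'workspace_id:event_id:body'. Hex encoding and hashing the body as
    the raw received bytes (never re-serialised) are assumptions; the page gives neither."""
    h = hashlib.sha256()
    h.update(f"{workspace_id}:{event_id}:".encode("utf-8"))
    h.update(body)
    return h.hexdigest()

def extract_event_id(content_type, body):
    """The id the digest binds: 'event_id' in the JSON envelope, 'externalId' in CEF/LEEF."""
    if content_type.split(";", 1)[0].strip().lower() == "application/json":
        try:
            return json.loads(body).get("event_id")
        except (ValueError, AttributeError):
            return None
    m = re.search(r"(?:^|\s)externalId=(\S+)", body.decode("utf-8", "replace"))
    return m.group(1) if m else None

def verify_delivery(workspace_id, headers, body):
    """True only when X-Kirtonic-Digest matches a recomputation over this exact body."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    provided = hdrs.get("x-kirtonic-digest", "").strip().lower()
    event_id = extract_event_id(hdrs.get("content-type", ""), body)
    if not provided or not event_id:
        return False
    expected = expected_digest(workspace_id, event_id, body)
    # Constant-time comparison so a mismatch reveals nothing about the expected value.
    return hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8"))

# Constructed sample deliveries, shaped like the page's canonical JSON and CEF lines.
WORKSPACE_ID = "ws_123"
JSON_BODY = json.dumps({"event_id": "evt_abc", "event_type": "decision.rejected",
                        "workspace_id": WORKSPACE_ID, "severity": 9}).encode("utf-8")
JSON_HEADERS = {"Content-Type": "application/json", "X-Kirtonic-Event": "decision.rejected",
                "X-Kirtonic-Digest": expected_digest(WORKSPACE_ID, "evt_abc", JSON_BODY)}
CEF_BODY = (b"CEF:0|Kirtonic|AIFirewall|1.0|decision.rejected|Decision rejected|9|"
            b"rt=1717160000000 externalId=evt_abc cs1Label=workspace_id cs1=ws_123")
CEF_HEADERS = {"Content-Type": "text/plain",
               "X-Kirtonic-Digest": expected_digest(WORKSPACE_ID, "evt_abc", CEF_BODY)}

if __name__ == "__main__":
    print(verify_delivery(WORKSPACE_ID, JSON_HEADERS, JSON_BODY))                        # True
    print(verify_delivery(WORKSPACE_ID, JSON_HEADERS, JSON_BODY.replace(b"9", b"1")))    # False
```

Because the digest is an unkeyed SHA-256 whose only non-public input is the workspace id, a match shows the sender knew that id rather than a dedicated secret, so treat the id as confidential on the receiving side.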

Setup

  1. In your workspace dashboard, open Engine → SIEM.
  2. Click Add destination, choose a provider, and paste in the endpoint URL and credentials.
  3. Click Send test to ship a synthetic system.test event and confirm the receiver returns 2xx.
  4. Real events begin flowing immediately. Health is shown inline on the destination row.