
SIEM Integration

GOVERN integrates with major SIEM and SOAR platforms to unify AI governance events with your broader security operations.

Supported Integrations

| Platform            | Method                     | Alert Forwarding    | Bidirectional |
|---------------------|----------------------------|---------------------|---------------|
| Splunk Enterprise   | HEC (HTTP Event Collector) | Yes                 | Yes           |
| Microsoft Sentinel  | Azure Event Hub            | Yes                 | Yes           |
| IBM QRadar          | Syslog (CEF)               | Yes                 | No            |
| Elastic SIEM        | Elasticsearch API          | Yes                 | Yes           |
| Palo Alto XSOAR     | REST webhook               | Yes                 | Yes           |
| ServiceNow SecOps   | REST webhook               | Yes                 | Yes           |
| PagerDuty           | Events API v2              | Yes (critical only) | No            |

Splunk Configuration

1. Configure Splunk HEC

In Splunk Web:

  1. Settings → Data Inputs → HTTP Event Collector
  2. Create new token: govern-integration
  3. Assign to index: ai_governance
  4. Copy the token

2. Configure in GOVERN

govern integrations siem add \
--type splunk \
--url https://your-splunk-instance:8088 \
--token $SPLUNK_HEC_TOKEN \
--index ai_governance \
--sourcetype govern:alert

3. Event Format

{
  "time": 1776003790,
  "host": "govern-prod",
  "source": "govern:alert",
  "sourcetype": "govern:alert",
  "index": "ai_governance",
  "event": {
    "alert_id": "alrt_01JBXYZ123",
    "severity": "high",
    "type": "policy_violation",
    "ai_system": "customer-support-bot",
    "policy_id": "GOV-POL-042",
    "timestamp": "2026-04-12T14:23:10Z",
    "status": "new",
    "score_impact": -12
  }
}

The top-level time is the event time in Unix epoch seconds and must match event.timestamp (here 2026-04-12T14:23:10Z): HEC uses it as the indexed _time, so it reflects when the alert fired rather than when it was forwarded.
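The following is an added example, not GOVERN's own code or SDK: it wraps a constructed alert in the HEC envelope shown above and posts it to Splunk's documented /services/collector/event endpoint with the Authorization: Splunk header. The endpoint URL and the alert contents are sample values.

```python
"""Build a Splunk HEC event from a GOVERN alert and ship it.

Added example, not part of GOVERN. Assumes the envelope shown in the Event
Format section and Splunk's /services/collector/event endpoint.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Assumed endpoint; HEC listens on 8088 by default.
HEC_ENDPOINT = "https://your-splunk-instance:8088/services/collector/event"

# Constructed sample alert, shaped like the "event" object above.
SAMPLE_ALERT = {
    "alert_id": "alrt_01JBXYZ123",
    "severity": "high",
    "type": "policy_violation",
    "ai_system": "customer-support-bot",
    "policy_id": "GOV-POL-042",
    "timestamp": "2026-04-12T14:23:10Z",
    "status": "new",
    "score_impact": -12,
}


def iso_to_epoch(ts: str) -> int:
    """Convert the alert's RFC 3339 UTC timestamp to Unix epoch seconds.
    HEC takes the top-level "time" field as the event's _time, so derive it
    from the alert timestamp, never from the moment of sending."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_hec_payload(alert: dict, host: str = "govern-prod",
                      index: str = "ai_governance", source: str = "govern:alert",
                      sourcetype: str = "govern:alert") -> dict:
    """Wrap one alert in the HEC envelope from the Event Format section."""
    return {
        "time": iso_to_epoch(alert["timestamp"]),
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "index": index,
        "event": alert,
    }


def send_to_hec(payload: dict, token: str, endpoint: str = HEC_ENDPOINT) -> int:
    """POST one event to HEC and return the HTTP status.
    The HEC token is a bearer credential: never log it, and keep TLS
    certificate verification on (urllib verifies by default)."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises on 4xx/5xx
        return resp.status


if __name__ == "__main__":
    print(json.dumps(build_hec_payload(SAMPLE_ALERT), indent=2))
```

Run it without arguments to see the envelope; call send_to_hec with the token from step 1 to forward the event. If Splunk answers 400 "Incorrect index", the token is not allowed to write to ai_governance; fix the token's allowed indexes in HEC settings rather than dropping the index field.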

Microsoft Sentinel Configuration

1. Create Event Hub

In Azure Portal:

  1. Create Event Hub namespace: govern-events
  2. Create Event Hub: governance-alerts
  3. Create shared access policy: govern-send with Send permission

2. Configure Data Connector

In Sentinel workspace:

  1. Data connectors → Search “Custom Logs via DCR”
  2. Create DCR pointing to your Event Hub

3. Configure in GOVERN

govern integrations siem add \
--type sentinel \
--event-hub-connection-string $AZURE_EVENT_HUB_CONNECTION_STRING \
--event-hub-name governance-alerts

Syslog (CEF) for IBM QRadar

GOVERN can emit alerts in Common Event Format (CEF) over syslog:

govern integrations siem add \
--type syslog-cef \
--host your-qradar-instance.example.com \
--port 514 \
--protocol tcp

CEF format (a single syslog line, wrapped here for readability; the space-separated key=value extension pairs are shown one per line):

CEF:0|Archetypal AI|GOVERN|2.0|policy_violation|Policy Violation: PII_OUTPUT_PREVENTION|7|
rt=Apr 12 2026 14:23:10 UTC
src=customer-support-bot
suser=anonymous
msg=SSN pattern detected in AI output
cs1=GOV-POL-042
cs1Label=PolicyID

Note that msg carries detection detail (here, what was found in model output), so the syslog path configured above, which is plain TCP, should run over a trusted network segment.
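As an added example (not GOVERN's encoder), here is code that reproduces the CEF line above from a constructed alert and adds the escaping CEF requires: backslash and pipe in header fields, and backslash, equals sign and line breaks in extension values. Without that escaping, a model output containing "=" or a newline in msg could inject extra fields or a second event into the collector. The alert dict, the severity map beyond high -> 7, and the syslog PRI and tag are assumptions made for the example; the field layout (src used for the AI system name, although CEF types src as an IP address) follows the page.

```python
"""Encode a GOVERN alert as CEF and frame it for syslog over TCP.

Added example, not GOVERN's own code. Reproduces the CEF layout shown on
the page and applies the escaping the CEF spec requires.
"""
import socket
from datetime import datetime, timezone

# Assumed mapping: the page only shows a "high" alert rendered as severity 7.
CEF_SEVERITY = {"critical": 10, "high": 7, "medium": 5, "low": 3}

# Constructed sample alert matching the CEF line on the page.
SAMPLE_ALERT = {
    "type": "policy_violation",
    "name": "Policy Violation: PII_OUTPUT_PREVENTION",
    "severity": "high",
    "timestamp": "2026-04-12T14:23:10Z",
    "ai_system": "customer-support-bot",
    "user": "anonymous",
    "message": "SSN pattern detected in AI output",
    "policy_id": "GOV-POL-042",
}


def esc_header(value: str) -> str:
    """Header fields are pipe-delimited: escape backslash and pipe."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value: str) -> str:
    """Extension values: escape backslash, '=' and line breaks. A pipe is
    legal inside extensions, so it is left alone."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def cef_time(ts: str) -> str:
    """rt accepts 'MMM dd yyyy HH:mm:ss zzz'; alert timestamps are RFC 3339 UTC."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%b %d %Y %H:%M:%S UTC")


def to_cef(alert: dict, vendor: str = "Archetypal AI", product: str = "GOVERN",
           version: str = "2.0") -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extensions"""
    header = "|".join(esc_header(f) for f in (
        vendor, product, version, alert["type"], alert["name"],
        str(CEF_SEVERITY[alert["severity"]])))
    ext = " ".join(f"{key}={esc_ext(val)}" for key, val in (
        ("rt", cef_time(alert["timestamp"])),
        ("src", alert["ai_system"]),  # page's layout; CEF defines src as an IPv4 field
        ("suser", alert["user"]),
        ("msg", alert["message"]),
        ("cs1", alert["policy_id"]),
        ("cs1Label", "PolicyID"),
    ))
    return f"CEF:0|{header}|{ext}"


def syslog_frame(cef: str, hostname: str = "govern-prod", pri: int = 134) -> bytes:
    """RFC 3164-style record: <PRI> timestamp host tag: CEF, newline-terminated
    so a TCP receiver can split records. PRI 134 = local0.info (assumed)."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} govern: {cef}\n".encode()


def send_syslog(frame: bytes, host: str, port: int = 514) -> None:
    """Plain TCP delivery, matching the --protocol tcp setting above."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(frame)


if __name__ == "__main__":
    print(to_cef(SAMPLE_ALERT))
```

To check what QRadar will actually parse, feed the output of to_cef into the DSM editor's test pane before enabling the integration; if src is rejected as a non-IP value, map the AI system name to a custom string field instead.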

SOAR / Bidirectional Integration

For SOAR platforms (XSOAR, Sentinel Playbooks), GOVERN supports bidirectional updates:

  • Inbound: Alert status updates (acknowledge, escalate, resolve) can be pushed from SOAR to GOVERN
  • Outbound: GOVERN alert changes sync back to the SOAR ticket

Configure the inbound webhook endpoint in GOVERN:

govern integrations soar configure \
--platform xsoar \
--inbound-webhook-secret $WEBHOOK_SECRET

GOVERN accepts POST /api/webhooks/soar/inbound in the standard XSOAR action format. The inbound webhook secret configured above is what authenticates these requests, so treat it as a shared credential: generate it randomly, store it in a secrets manager on the SOAR side, and rotate it if it is exposed.
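The page says inbound requests are protected by the webhook secret but not how the secret is presented. The following added example (not GOVERN's server code) shows the check a receiver of such a webhook should do; it assumes an HMAC-SHA256 over "<unix timestamp>.<raw body>" carried in X-Govern-Timestamp and X-Govern-Signature headers, which are assumed names. The action names (acknowledge, escalate, resolve) come from the page; the JSON body shape, the resulting status names, and the sample alert store are constructed for the example and are not the XSOAR action format.

```python
"""Authenticate an inbound SOAR webhook and apply the status change.

Added example, not GOVERN's own code. The signature scheme and header
names are assumptions; the page only says a secret protects the endpoint.
"""
import hashlib
import hmac
import json
import time

# Assumed status each SOAR action moves an alert to.
ACTION_TO_STATUS = {"acknowledge": "acknowledged",
                    "escalate": "escalated",
                    "resolve": "resolved"}
MAX_SKEW_SECONDS = 300  # replay window: reject signed requests older than 5 minutes


def sign(secret: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (assumed scheme)."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify(secret: str, headers: dict, body: bytes, now: int) -> bool:
    """Constant-time signature check plus a freshness window. Verify the raw
    bytes before JSON parsing so re-serialisation cannot alter the signed
    message."""
    ts = headers.get("X-Govern-Timestamp")
    sig = headers.get("X-Govern-Signature")
    if not ts or not sig or not ts.isdigit():
        return False
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, int(ts), body), sig)


def handle_inbound(secret: str, headers: dict, body: bytes, alerts: dict, now=None):
    """Process one webhook call. Returns (http_status, detail).
    `alerts` is the alert store keyed by alert_id (constructed for the example)."""
    now = int(time.time()) if now is None else now
    if not verify(secret, headers, body, now):
        return 401, "invalid or stale signature"
    try:
        payload = json.loads(body)
        alert_id, action = payload["alert_id"], payload["action"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed request"
    if action not in ACTION_TO_STATUS:
        return 400, f"unknown action {action!r}"
    alert = alerts.get(alert_id)
    if alert is None:
        return 404, "unknown alert"
    alert["status"] = ACTION_TO_STATUS[action]
    return 200, alert["status"]


def make_request(secret: str, alert_id: str, action: str, now: int):
    """What the SOAR side would send (constructed sample client)."""
    body = json.dumps({"alert_id": alert_id, "action": action}).encode()
    headers = {"X-Govern-Timestamp": str(now),
               "X-Govern-Signature": sign(secret, now, body)}
    return headers, body


if __name__ == "__main__":
    store = {"alrt_01JBXYZ123": {"status": "new"}}
    now = int(time.time())
    hdrs, body = make_request("demo-secret", "alrt_01JBXYZ123", "acknowledge", now)
    print(handle_inbound("demo-secret", hdrs, body, store, now=now))
```

The two failure modes worth testing in your own receiver are a replayed request from outside the freshness window and a body edited after signing; both must be rejected before any state changes.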

Alert Filtering

Configure which alerts are forwarded to each SIEM:

# In GOVERN admin settings
siem_integrations:
  splunk:
    forward_severities: [critical, high, medium]
    forward_types: [policy_violation, drift_event, security_event]
    exclude_types: [system_health]
  pagerduty:
    forward_severities: [critical]
    forward_types: [security_event, policy_violation]
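As an added example (not GOVERN's routing code), the following evaluates the rules above against a set of constructed alerts and lints the configuration for the mistakes that silently drop alerts, such as a misspelled severity. The config is mirrored as a Python dict so it runs without a YAML library. Requiring both a severity match and a type match is read from the keys themselves; treating exclude_types as an override, an absent key as "no restriction", and "low" as a valid severity are assumptions made here.

```python
"""Apply per-destination alert filters and lint them for silent drops.

Added example, not GOVERN's own code. Mirrors the YAML on the page.
"""

# Same rules as the admin-settings YAML above.
SIEM_INTEGRATIONS = {
    "splunk": {
        "forward_severities": ["critical", "high", "medium"],
        "forward_types": ["policy_violation", "drift_event", "security_event"],
        "exclude_types": ["system_health"],
    },
    "pagerduty": {
        "forward_severities": ["critical"],
        "forward_types": ["security_event", "policy_violation"],
    },
}

# Values seen on the page; "low" is assumed to exist alongside "medium".
KNOWN_SEVERITIES = {"critical", "high", "medium", "low"}
KNOWN_TYPES = {"policy_violation", "drift_event", "security_event", "system_health"}

# Constructed sample alerts.
SAMPLE_ALERTS = [
    {"alert_id": "alrt_01", "severity": "high", "type": "policy_violation"},
    {"alert_id": "alrt_02", "severity": "critical", "type": "security_event"},
    {"alert_id": "alrt_03", "severity": "critical", "type": "drift_event"},
    {"alert_id": "alrt_04", "severity": "low", "type": "policy_violation"},
    {"alert_id": "alrt_05", "severity": "critical", "type": "system_health"},
]


def should_forward(rule: dict, alert: dict) -> bool:
    """Exclusion wins; otherwise severity AND type must both be allowed.
    A missing allow list is treated as no restriction (assumption)."""
    if alert["type"] in rule.get("exclude_types", []):
        return False
    sev_ok = alert["severity"] in rule.get("forward_severities", [alert["severity"]])
    type_ok = alert["type"] in rule.get("forward_types", [alert["type"]])
    return sev_ok and type_ok


def route(alerts, config=SIEM_INTEGRATIONS) -> dict:
    """Map destination name -> ids of alerts that would be forwarded there."""
    return {dest: [a["alert_id"] for a in alerts if should_forward(rule, a)]
            for dest, rule in config.items()}


def lint(config: dict) -> list:
    """Flag values that never match (typos) and types listed as both
    forwarded and excluded; either silently suppresses alerts."""
    warnings = []
    for dest, rule in config.items():
        for sev in rule.get("forward_severities", []):
            if sev not in KNOWN_SEVERITIES:
                warnings.append(f"{dest}: unknown severity {sev!r}")
        for t in rule.get("forward_types", []) + rule.get("exclude_types", []):
            if t not in KNOWN_TYPES:
                warnings.append(f"{dest}: unknown type {t!r}")
        both = set(rule.get("forward_types", [])) & set(rule.get("exclude_types", []))
        for t in sorted(both):
            warnings.append(f"{dest}: {t!r} is both forwarded and excluded; exclusion wins")
    return warnings


if __name__ == "__main__":
    for dest, ids in route(SAMPLE_ALERTS).items():
        print(dest, ids)
    print(lint(SIEM_INTEGRATIONS) or "config ok")
```

Running route over a day's worth of exported alerts before changing a filter is a cheap way to see exactly which alert classes a new rule would stop reaching the SIEM.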