Guides
Set Up SIEM Export

Set Up SIEM Export

Export governance events to Splunk, Datadog, or other SIEM platforms.

Prerequisites

  • A Xilos account with admin access
  • A SIEM platform that can receive webhook events (Splunk, Datadog, IBM QRadar, etc.)

Supported Formats

Xilos supports three output formats for SIEM integration:

FormatDescriptionBest For
CEF (Common Event Format)Industry-standard format for SIEMSplunk, ArcSight, IBM QRadar
SyslogTraditional syslog formatLegacy SIEM, log aggregators
JSONStructured JSON payloadDatadog, Elastic, custom integrations

Event Types

SIEM webhooks fire on the same events as regular webhooks, plus additional governance events:

  • query.completed — Query processed successfully
  • query.blocked — Query blocked by restriction rule
  • query.cached — Query served from cache
  • query.compressed — Compression applied
  • restriction.triggered — A restriction rule was triggered (block, mask, or flag)
  • guardrail.alert — A guardrail detected PII or potential injection

Step 1: Create a SIEM Webhook

  1. Navigate to SIEM in the sidebar.
  2. Click Create SIEM Webhook.
  3. Fill in the form:
    • Name — Descriptive name (e.g., "Splunk Forwarder")
    • URL — Your SIEM's HTTP event collector URL
    • Format — CEF, Syslog, or JSON
    • Event Types — Select which events to forward
  4. Click Save.

Step 2: Configure Your SIEM

Splunk

Configure an HTTP Event Collector (HEC):

  1. In Splunk, go to Settings > Data Inputs > HTTP Event Collector.
  2. Create a new token.
  3. Set the endpoint URL as your SIEM webhook URL in Xilos.
  4. Use JSON format for easiest parsing.

Datadog

Use Datadog's webhook integration:

  1. In Datadog, go to Integrations > Webhooks.
  2. Create a new webhook endpoint.
  3. Copy the URL and paste it into Xilos SIEM webhook config.
  4. Use JSON format.

Elastic

Use Elastic's HTTP input:

  1. Configure an HTTP input in Logstash or Elastic Agent.
  2. Set the listening port and path.
  3. Point the Xilos SIEM webhook URL to your Elastic endpoint.
  4. Use JSON format.

Step 3: Verify Events

  1. Send a test query through Xilos.
  2. Check your SIEM platform for the incoming event.
  3. Verify the event format is correct.

Example JSON Payload

{
  "event_type": "query.blocked",
  "timestamp": "2026-07-06T12:00:00Z",
  "organization_id": "uuid",
  "rule_name": "API-Key-Exposed-Block",
  "severity": "high",
  "action": "block",
  "query_summary": "Query contained high-entropy string matching API key pattern",
  "user_id": "uuid",
  "user_email": "user@example.com"
}

Example CEF Payload

CEF:0|Xilos|Gateway|2.0|100|Query Blocked|High|rt=2026-07-06T12:00:00Z suser=user@example.com act=block cs1Label=Rule cs1=API-Key-Exposed-Block cs2Label=Severity cs2=high msg=Query contained high-entropy string matching API key pattern

Step 4: Create Alerts in Your SIEM

Use the forwarded events to create alerts:

  • Blocked query spike — Alert when blocked queries exceed a threshold
  • PII detection — Alert on any PII detection event
  • Prompt injection attempt — Alert on any injection attempt
  • Cost anomaly — Alert when spending deviates from baseline

Info: SIEM events include the user email, rule name, severity, and action — giving your security team full context for investigation.

Best Practices

  • Use JSON format for modern SIEM platforms (easiest to parse)
  • Forward all event types to your SIEM for complete audit trail
  • Create alerts for high-severity events (blocks, injections)
  • Review blocked queries weekly to identify patterns
  • Use the Audit Logs page in Xilos alongside your SIEM for investigation
  • Set retention policies in your SIEM to meet compliance requirements