Set Up SIEM Export
Export governance events to Splunk, Datadog, or other SIEM platforms.
Prerequisites
- A Xilos account with admin access
- A SIEM platform that can receive webhook events (Splunk, Datadog, IBM QRadar, etc.)
Supported Formats
Xilos supports three output formats for SIEM integration:
| Format | Description | Best For |
|---|---|---|
| CEF (Common Event Format) | Industry-standard format for SIEM | Splunk, ArcSight, IBM QRadar |
| Syslog | Traditional syslog format | Legacy SIEM, log aggregators |
| JSON | Structured JSON payload | Datadog, Elastic, custom integrations |
Event Types
SIEM webhooks fire on the same events as regular webhooks, plus additional governance events:
query.completed— Query processed successfullyquery.blocked— Query blocked by restriction rulequery.cached— Query served from cachequery.compressed— Compression appliedrestriction.triggered— A restriction rule was triggered (block, mask, or flag)guardrail.alert— A guardrail detected PII or potential injection
Step 1: Create a SIEM Webhook
- Navigate to SIEM in the sidebar.
- Click Create SIEM Webhook.
- Fill in the form:
- Name — Descriptive name (e.g., "Splunk Forwarder")
- URL — Your SIEM's HTTP event collector URL
- Format — CEF, Syslog, or JSON
- Event Types — Select which events to forward
- Click Save.
Step 2: Configure Your SIEM
Splunk
Configure an HTTP Event Collector (HEC):
- In Splunk, go to Settings > Data Inputs > HTTP Event Collector.
- Create a new token.
- Set the endpoint URL as your SIEM webhook URL in Xilos.
- Use JSON format for easiest parsing.
Datadog
Use Datadog's webhook integration:
- In Datadog, go to Integrations > Webhooks.
- Create a new webhook endpoint.
- Copy the URL and paste it into Xilos SIEM webhook config.
- Use JSON format.
Elastic
Use Elastic's HTTP input:
- Configure an HTTP input in Logstash or Elastic Agent.
- Set the listening port and path.
- Point the Xilos SIEM webhook URL to your Elastic endpoint.
- Use JSON format.
Step 3: Verify Events
- Send a test query through Xilos.
- Check your SIEM platform for the incoming event.
- Verify the event format is correct.
Example JSON Payload
{
"event_type": "query.blocked",
"timestamp": "2026-07-06T12:00:00Z",
"organization_id": "uuid",
"rule_name": "API-Key-Exposed-Block",
"severity": "high",
"action": "block",
"query_summary": "Query contained high-entropy string matching API key pattern",
"user_id": "uuid",
"user_email": "user@example.com"
}Example CEF Payload
CEF:0|Xilos|Gateway|2.0|100|Query Blocked|High|rt=2026-07-06T12:00:00Z suser=user@example.com act=block cs1Label=Rule cs1=API-Key-Exposed-Block cs2Label=Severity cs2=high msg=Query contained high-entropy string matching API key patternStep 4: Create Alerts in Your SIEM
Use the forwarded events to create alerts:
- Blocked query spike — Alert when blocked queries exceed a threshold
- PII detection — Alert on any PII detection event
- Prompt injection attempt — Alert on any injection attempt
- Cost anomaly — Alert when spending deviates from baseline
Info: SIEM events include the user email, rule name, severity, and action — giving your security team full context for investigation.
Best Practices
- Use JSON format for modern SIEM platforms (easiest to parse)
- Forward all event types to your SIEM for complete audit trail
- Create alerts for high-severity events (blocks, injections)
- Review blocked queries weekly to identify patterns
- Use the Audit Logs page in Xilos alongside your SIEM for investigation
- Set retention policies in your SIEM to meet compliance requirements