Observability / SIEM

Every governed call, detection, policy verdict, and tool invocation is written to the TapPass audit trail. Ship it downstream so it lives alongside the rest of your security telemetry.

Shipped destinations

Destination	Format	Go to
Splunk HEC	CEF or JSON	Splunk HEC
Azure Sentinel	Log Analytics HTTP Data Collector	Azure Sentinel
Generic webhook	JSON	Webhooks

Pipeline

audit events  ──▶  format (CEF | JSON)  ──▶  filter  ──▶  redact  ──▶  destination

Format — CEF for SIEMs that parse it natively (Splunk, ArcSight, QRadar); JSON for everything else.
Filter — severity, agent, time window, event kind.
Redact — strip PII before export (emails, SSNs, credit cards).
Batching — all destinations support batch mode; tune in config/observability.yaml.

Minimal config

exports:
  - name: security-splunk
    destination: splunk_hec
    format: cef
    splunk:
      url: https://splunk.example.com:8088/services/collector
      hec_token: "${SPLUNK_HEC_TOKEN}"
      sourcetype: "tappass:cef"
    filters:
      min_severity: warn
      event_kinds: [detection, policy_block, auth_fail]

Event schema

Each audit event contains:

Field	Type	Description
`audit_id`	string	Globally unique event ID
`timestamp`	RFC3339	Event time
`event_kind`	enum	`chat`, `tool_call`, `detection`, `policy_block`, `auth_fail`, …
`agent_id`	string	The agent that triggered the event
`session_id`	string	Groups multi-turn interactions
`provider`	string	LLM or data provider involved
`model`	string	Model name, when relevant
`detections`	list	PII / prompt injection findings with category + severity
`policy_result`	object	`allow` / `deny`, which rule fired
`severity`	enum	`info`, `warn`, `error`, `critical`
`cost`	object	Token counts + $ estimate

Full schema in schemas/audit-event.json.

Coming soon

Datadog (HTTP intake)
Elastic (HTTPS bulk)
CloudWatch Logs (AWS SDK)
Grafana Loki (Loki HTTP API)

Ping support@tappass.ai if you need one urgently.