Audit Stream — SIEM Forwarding Overview¶
Forward every Aegis audit event to your existing SIEM via a standard HTTPS webhook. Configure once with a URL and an auth header — events flow continuously, with retries and dead-letter handling.
What gets forwarded¶
Every audit event Aegis writes (preflight decisions across API, SDK, browser extension, and desktop agent) is enqueued for delivery to your configured SIEM destination. The wire format is ECS-shaped JSON:
{
  "@timestamp": "2026-05-15T10:33:21.456789+00:00",
  "event": {
    "id": "pflt_abc123",
    "kind": "event",
    "category": ["aegis", "preflight"],
    "type": ["allowed_with_masking"],
    "action": "preflight_check",
    "outcome": "success",
    "dataset": "aegis.preflight"
  },
  "aegis": {
    "preflight_id": "pflt_abc123",
    "decision": "ALLOWED_WITH_MASKING",
    "destination": "AI_TOOL",
    "summary": "Detected SSN; masked.",
    "policy_version": "v1.0",
    "policy_id": "pol_xyz",
    "source_type": "api",
    "input_type": "text",
    "input_size_bytes": 200,
    "finding_counts_by_type": { "SSN": 1, "EMAIL": 2 },
    "actor_id": "[email protected]"
  },
  "organization": { "id": "org_abc" }
}
Privacy posture
Audit events are metadata-only. Finding counts by type are forwarded; raw detected values (the actual SSN, email, etc.) are never included in the payload.
How it works¶
Preflight event recorded in Aegis
│
▼
forwarding_jobs queue (Postgres)
│
│ Background worker runs every 10s
▼
HTTPS POST to your configured SIEM URL
• 2xx → marked done
• non-2xx → retry with exponential backoff (60s, 120s, 240s)
• after 3× → dead-lettered; check destination.last_error in the UI
- At-least-once delivery. Dedupe on event.id in your SIEM if it matters to you. (Splunk HEC, Datadog, and Elastic all support this.)
- Per-destination credentials encrypted at rest with AES-256-GCM. The plaintext auth header value is never logged or returned in API responses after creation.
- Retry semantics. Non-2xx HTTP responses and network errors are retried with exponential backoff. After 3 failures, the event is dead-lettered (status = failed) and surfaced via the destination's last_error field.
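The delivery semantics above (at-least-once, backoff, dead-lettering, and why you should dedupe on event.id) are easiest to reason about when you can run them. The following is an added example, not Aegis code: it simulates the forwarding_jobs worker and a SIEM endpoint in-process on a fake clock, using a constructed sample event. The "timeout" outcome models the case that makes at-least-once delivery produce duplicates: the SIEM ingested the event but the forwarder never saw the 2xx. Mapping the three backoff intervals onto retries one to three, with dead-lettering once they are exhausted, is an assumption of this model.

```python
"""Model of the delivery semantics described above: at-least-once delivery
with exponential backoff (60s, 120s, 240s), dead-lettering after the retries
are exhausted, and a receiver that dedupes on event.id.

Added example, not Aegis code. The worker and the SIEM endpoint are simulated
in-process on a fake clock, the sample event is constructed, and mapping the
three backoff intervals onto retries one to three is an assumption.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

BACKOFF_SECONDS = [60, 120, 240]   # wait before retry 1, 2, 3 (from the docs)
WORKER_TICK = 10                   # background worker runs every 10s

# Constructed sample event in the ECS-shaped format shown above (metadata only).
SAMPLE_EVENT = {
    "@timestamp": "2026-05-15T10:33:21.456789+00:00",
    "event": {"id": "pflt_abc123", "dataset": "aegis.preflight",
              "action": "preflight_check", "outcome": "success"},
    "aegis": {"decision": "ALLOWED_WITH_MASKING",
              "finding_counts_by_type": {"SSN": 1, "EMAIL": 2}},
    "organization": {"id": "org_abc"},
}


@dataclass
class ForwardingJob:
    """One row of the forwarding_jobs queue."""
    event: dict
    status: str = "pending"            # pending | done | failed
    attempts: int = 0
    last_error: Optional[str] = None   # what the UI surfaces as last_error
    next_run_at: int = 0               # seconds on the simulation clock
    attempt_times: List[int] = field(default_factory=list)


class SiemReceiver:
    """Stand-in for the customer's SIEM ingest endpoint.

    `responses` scripts what each POST yields: an HTTP status code, or the
    string "timeout", meaning the SIEM ingested the event but the forwarder
    never saw the 2xx. That case is why at-least-once implies duplicates.
    """

    def __init__(self, responses):
        self.responses = list(responses)
        self.raw_posts = []      # every body that reached the endpoint
        self.seen_ids = set()    # dedupe store keyed on event.id
        self.ingested = []       # events kept after dedupe

    def post(self, body: str):
        outcome = self.responses.pop(0) if self.responses else 200
        self.raw_posts.append(body)
        if outcome == "timeout" or 200 <= outcome < 300:
            self._ingest(json.loads(body))
        return outcome

    def _ingest(self, event: dict) -> None:
        event_id = event["event"]["id"]
        if event_id in self.seen_ids:
            return               # duplicate redelivery: drop it
        self.seen_ids.add(event_id)
        self.ingested.append(event)


def deliver_once(job: ForwardingJob, receiver: SiemReceiver, now: int) -> None:
    """One worker pass over a single job at simulation time `now`."""
    if job.status != "pending" or now < job.next_run_at:
        return
    job.attempts += 1
    job.attempt_times.append(now)
    outcome = receiver.post(json.dumps(job.event))
    if outcome != "timeout" and 200 <= outcome < 300:
        job.status, job.last_error = "done", None
        return
    job.last_error = "network error: timeout" if outcome == "timeout" else f"HTTP {outcome}"
    retries_used = job.attempts - 1
    if retries_used >= len(BACKOFF_SECONDS):
        job.status = "failed"    # dead-lettered; surfaced via destination.last_error
    else:
        job.next_run_at = now + BACKOFF_SECONDS[retries_used]


def run_worker(job: ForwardingJob, receiver: SiemReceiver, horizon: int = 900) -> ForwardingJob:
    """Tick the worker every WORKER_TICK seconds until the job settles."""
    now = 0
    while job.status == "pending" and now <= horizon:
        deliver_once(job, receiver, now)
        now += WORKER_TICK
    return job


def simulate(responses, event=SAMPLE_EVENT):
    """Run one event through a receiver scripted with `responses`."""
    receiver = SiemReceiver(responses)
    job = run_worker(ForwardingJob(event=dict(event)), receiver)
    return job, receiver
```

Running `simulate(["timeout", 200])` shows the duplicate case: two bodies reach the endpoint, one event is kept, and the job is marked done. Running `simulate([503, 503, 503, 503])` walks the backoff schedule (attempts at 0s, 60s, 180s, 420s) and ends with the job dead-lettered and last_error set to "HTTP 503", which is what you would go looking for in the destination's UI card.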
Configure from the dashboard UI¶
The fastest path is the Organization Settings page in the Aegis dashboard — no API key needed, and the form is pre-labelled per SIEM with the fields it expects:
- Settings → SIEM Forwarding → Add destination.
- Choose your SIEM. Splunk HEC, Datadog Logs, Sumo Logic, Elastic, New Relic, or a Custom HTTPS webhook. Each preset relabels the form in that SIEM's terminology ("HEC Token" for Splunk, "API Key" for Datadog, etc.) and applies the required prefix (Splunk <token>, ApiKey <encoded>) for you.
- Configure. Paste your ingest URL and the auth token. A Format hint flags the common gotchas (Splunk's required Splunk prefix, Elastic's ApiKey prefix, Datadog site selection, etc.).
- Save & test. Aegis saves the destination disabled, then immediately POSTs a synthetic aegis.audit_stream.test event to your SIEM. The result lands inline: green for 2xx, red with an action-oriented hint for 401/403/404/5xx/network errors.
- Enable. A separate Start forwarding live events checkbox appears after the test. It defaults ON after a green test, OFF after a failure. It is opt-in either way, so a misconfiguration never silently begins streaming.
Existing destinations show a status pill (Active / Idle / Failing / Disabled) on each card with the last delivery or last error. Failing destinations get an action-oriented hint inline ("Authentication failed — check the token hasn't been revoked") with a one-click link into Edit destination.
Credentials are written through to AES-256-GCM-encrypted storage on save and never re-displayed. The Edit modal shows a "credential present (encrypted)" chip with Rotate and Remove actions — no plaintext leaks back to the browser, ever.
Configure via API¶
If you'd rather script the configuration, the same surface is available over REST.
1. Create¶
curl -X POST https://api.aegispreflight.com/api/orgs/${ORG_ID}/forwarding-destinations \
  -H "Authorization: Bearer ${AEGIS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-siem.example/ingest",
    "auth_header_name": "Authorization",
    "auth_header_value": "Bearer your-siem-token-here"
  }'
Response:
{
  "destination_id": "fwd_a1b2c3...",
  "url": "https://your-siem.example/ingest",
  "auth_header_name": "Authorization",
  "auth_header_configured": true,
  "enabled": true,
  "created_at": "2026-05-15T10:30:00+00:00"
}
2. Test (synchronous probe)¶
Send a synthetic event to verify wiring:
curl -X POST https://api.aegispreflight.com/api/orgs/${ORG_ID}/forwarding-destinations/${DEST_ID}/test \
  -H "Authorization: Bearer ${AEGIS_API_KEY}"
Response on success:
An aegis.audit_stream.test event lands in your SIEM. If ok is false, check error and status_code to diagnose.
3. List / disable / delete¶
# List
GET /api/orgs/{org_id}/forwarding-destinations
# Get one
GET /api/orgs/{org_id}/forwarding-destinations/{destination_id}
# Disable (audit events stop forwarding; destination kept for re-enable)
PATCH /api/orgs/{org_id}/forwarding-destinations/{destination_id}
{ "enabled": false }
# Rotate the auth header (encrypted at rest)
PATCH /api/orgs/{org_id}/forwarding-destinations/{destination_id}
{ "auth_header_value": "Bearer new-token" }
# Clear the auth header entirely
PATCH /api/orgs/{org_id}/forwarding-destinations/{destination_id}
{ "auth_header_value": "" }
# Delete (also clears any pending queued events for this destination)
DELETE /api/orgs/{org_id}/forwarding-destinations/{destination_id}
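Scripting the create, test, and enable steps is where the API path diverges from the dashboard: the create response above shows the destination enabled by default, whereas the UI only turns forwarding on after a green test. The following is an added example, not an Aegis SDK: a small client over the endpoints listed in this section that reproduces the dashboard's opt-in behaviour by disabling the destination whenever the probe does not report ok. Endpoint paths and the probe's ok / error / status_code fields come from this page; RecordingTransport and the response bodies it replays are constructed so the flow can be exercised offline, and the real urllib transport is only used when you pass a live key.

```python
"""Scripted destination setup over the REST endpoints listed above: create,
run the synchronous test probe, and disable the destination if the probe is
not green, so a misconfigured destination never streams live events.

Added example, not an Aegis SDK. Endpoint paths and the probe's ok / error /
status_code fields come from this page; RecordingTransport and the response
bodies it replays are constructed so the flow can be exercised offline.
"""
import json
import urllib.request
from typing import Callable, Dict, Optional, Tuple

API_BASE = "https://api.aegispreflight.com"

# (method, url, headers, body) -> (http_status, decoded_json)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, dict]:
    """Real HTTPS transport for live use; the offline test never calls it."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class AegisForwardingClient:
    def __init__(self, api_key: str, org_id: str, transport: Transport = urllib_transport):
        self.transport = transport
        self.base = f"/api/orgs/{org_id}/forwarding-destinations"
        self.headers = {"Authorization": f"Bearer {api_key}",
                        "Content-Type": "application/json"}

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, API_BASE + path, dict(self.headers), body)
        if status >= 400:
            # Never echo the request body here: it may carry the SIEM token.
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return data

    def create(self, url: str, auth_header_name: str, auth_header_value: str) -> dict:
        return self._call("POST", self.base, {"url": url,
                                              "auth_header_name": auth_header_name,
                                              "auth_header_value": auth_header_value})

    def test(self, destination_id: str) -> dict:
        return self._call("POST", f"{self.base}/{destination_id}/test")

    def set_enabled(self, destination_id: str, enabled: bool) -> dict:
        return self._call("PATCH", f"{self.base}/{destination_id}", {"enabled": enabled})

    def rotate_auth_header(self, destination_id: str, new_value: str) -> dict:
        return self._call("PATCH", f"{self.base}/{destination_id}",
                          {"auth_header_value": new_value})


def provision(client: AegisForwardingClient, url: str, header_name: str,
              header_value: str) -> dict:
    """Create + probe; leave the destination enabled only on a green probe."""
    dest_id = client.create(url, header_name, header_value)["destination_id"]
    probe = client.test(dest_id)
    enabled = bool(probe.get("ok"))
    if not enabled:
        client.set_enabled(dest_id, False)   # API creates enabled; opt out on red
    return {"destination_id": dest_id, "enabled": enabled,
            "error": probe.get("error"), "status_code": probe.get("status_code")}


class RecordingTransport:
    """Constructed fake transport: records requests, replays a scripted probe."""

    def __init__(self, probe_result: dict):
        self.probe_result = probe_result
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append({"method": method, "url": url, "headers": headers,
                           "body": json.loads(body) if body else None})
        if url.endswith("/test"):
            return 200, self.probe_result
        if method == "POST":
            return 201, {"destination_id": "fwd_example", "enabled": True,
                         "auth_header_configured": True}
        return 200, {"destination_id": "fwd_example"}


if __name__ == "__main__":
    fake = RecordingTransport({"ok": False, "status_code": 401,
                               "error": "authentication failed"})
    client = AegisForwardingClient("AEGIS_KEY_PLACEHOLDER", "org_abc", transport=fake)
    print(provision(client, "https://your-siem.example/ingest",
                    "Authorization", "Bearer SIEM_TOKEN_PLACEHOLDER"))
```

The transport is injected rather than hard-wired so the create → test → disable sequence can be asserted on without network access; swap in `urllib_transport` (the default) with a real key to run it for real. The SIEM token only ever travels in the create and rotate request bodies, which matches the page's statement that the plaintext value is never returned after creation, and `_call` deliberately leaves it out of error messages.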
Per-SIEM paste-and-go¶
What we don't capture¶
- Tool call arguments verbatim
- Tool call results verbatim
- Environment variable VALUES (keys-only when present)
- Credentials, tokens, certificates
- Identifiable customer data
These are enforced at the producer. The schemas are published openly under CC BY 4.0 so you can validate the contract independently.
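The guarantee that events are metadata-only is enforced by the producer, but a receiver can verify it independently, as the CC BY 4.0 schemas are meant to allow. The following is an added example, not Aegis's published schema: a contract check to run at your ingest boundary before indexing, covering the "Privacy posture" note above and this section. The allowed key set under "aegis" is taken from the sample event on this page; the SSN-shaped canary pattern and the two sample events are constructed, and the canary is a local tripwire layered on top of the contract rather than part of it.

```python
"""Contract check for an inbound Aegis audit event, enforced at your ingest
boundary before indexing: the payload must be metadata-only, as described in
"Privacy posture" and "What we don't capture" above.

Added example, not Aegis's published schema. The allowed key set under
"aegis" is taken from the sample event on this page, and the SSN canary
pattern is a local, constructed tripwire layered on top of the contract.
"""
import re
from typing import Any, List

REQUIRED_TOP_LEVEL = {"@timestamp", "event", "aegis", "organization"}
ALLOWED_AEGIS_KEYS = {
    "preflight_id", "decision", "destination", "summary", "policy_version",
    "policy_id", "source_type", "input_type", "input_size_bytes",
    "finding_counts_by_type", "actor_id",
}
# Tripwire: a raw value of this shape must never appear; counts only.
SSN_CANARY = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample in the shape of the page's example (metadata only).
GOOD_EVENT = {
    "@timestamp": "2026-05-15T10:33:21.456789+00:00",
    "event": {"id": "pflt_abc123", "dataset": "aegis.preflight"},
    "aegis": {"preflight_id": "pflt_abc123", "decision": "ALLOWED_WITH_MASKING",
              "summary": "Detected SSN; masked.",
              "finding_counts_by_type": {"SSN": 1, "EMAIL": 2}},
    "organization": {"id": "org_abc"},
}
# Constructed violation: a producer leaking a raw finding value.
LEAKY_EVENT = {**GOOD_EVENT, "aegis": {**GOOD_EVENT["aegis"],
               "findings": [{"type": "SSN", "value": "123-45-6789"}]}}


def _walk_strings(node: Any, path: str = "$"):
    """Yield (json_path, string) for every string leaf in the payload."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def validate_event(event: dict) -> List[str]:
    """Return a list of contract violations; empty means safe to index."""
    violations = []
    for key in sorted(REQUIRED_TOP_LEVEL - set(event)):
        violations.append(f"missing top-level field: {key}")
    if not isinstance(event.get("event", {}).get("id"), str):
        violations.append("event.id missing or not a string (needed for dedupe)")

    aegis = event.get("aegis", {})
    for key in sorted(set(aegis) - ALLOWED_AEGIS_KEYS):
        violations.append(f"unexpected field outside the metadata contract: aegis.{key}")

    counts = aegis.get("finding_counts_by_type", {})
    if not isinstance(counts, dict):
        violations.append("aegis.finding_counts_by_type must be an object")
    else:
        for ftype, n in counts.items():
            # bool is an int subclass in Python; exclude it explicitly
            if isinstance(n, bool) or not isinstance(n, int) or n < 0:
                violations.append(f"finding_counts_by_type.{ftype} must be a non-negative integer")

    for path, text in _walk_strings(event):
        if SSN_CANARY.search(text):
            violations.append(f"raw SSN-shaped value at {path}; producer guarantee broken")
    return violations


def should_index(event: dict) -> bool:
    """Gate for the ingest pipeline: index only contract-clean events."""
    return not validate_event(event)
```

Events that fail the check are better quarantined than dropped silently, since a violation means the producer-side guarantee has been broken and someone needs to see it. The unexpected-key check is intentionally strict: if Aegis adds a documented field, extend ALLOWED_AEGIS_KEYS from the published schema rather than loosening the check.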