SIEM Integration
OCSF mapping, outbox pattern, and delivery to Splunk and Sentinel
The SIEM integration delivers Aegis attestations to enterprise security information and event management (SIEM) systems using the OCSF (Open Cybersecurity Schema Framework) standard. Any SIEM that speaks OCSF can ingest Aegis decisions natively.
How It Works
OCSF Mapping (siem_mapper.py)
The attestation_to_ocsf_2001() function maps Aegis attestation fields to OCSF Class 2001 (Security Finding):
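The following is an added illustration of such a mapper, not the project's own `siem_mapper.py`. It uses the page's verdict-to-severity table (ALLOW=informational, DENY=medium, ESCALATE=high, REWRITE=low) expressed with the OCSF `severity_id` values (1, 3, 4, 2), and the OCSF identifiers for the Security Finding class (class_uid 2001, category 2 Findings, activity 1 Create). The attestation field names (`attestation_id`, `verdict`, `action`, `actor`, `policy_id`, `reasons`, `recorded_at`) and the schema version string are assumptions; the real attestation schema is not shown on this page.

```python
"""Added example (not the project's siem_mapper.py): a stand-in with the same
name that maps an Aegis-style attestation dict onto an OCSF Security Finding.

Assumed attestation field names and the OCSF schema version string are
illustrative; the OCSF class/category/activity/severity identifiers are the
schema's own.
"""
from datetime import datetime, timezone

OCSF_CLASS_SECURITY_FINDING = 2001
OCSF_CATEGORY_FINDINGS = 2
OCSF_ACTIVITY_CREATE = 1          # Security Finding activity 1: Generate/Create

# Verdict -> (OCSF severity_id, label), following the page's mapping:
# ALLOW=informational, DENY=medium, ESCALATE=high, REWRITE=low.
VERDICT_SEVERITY = {
    "ALLOW":    (1, "Informational"),
    "REWRITE":  (2, "Low"),
    "DENY":     (3, "Medium"),
    "ESCALATE": (4, "High"),
}

# Constructed sample attestation (field names are assumptions).
SAMPLE_ATTESTATION = {
    "attestation_id": "att-0001",
    "verdict": "DENY",
    "action": "tool:shell",
    "actor": "agent-7",
    "policy_id": "pol-42",
    "reasons": ["shell access not permitted for this agent"],
    "recorded_at": "2024-01-01T00:00:00Z",
}


def _epoch_ms(ts: str) -> int:
    """OCSF `time` is epoch milliseconds; accept an ISO-8601 timestamp."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:              # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def attestation_to_ocsf_2001(att: dict) -> dict:
    verdict = str(att["verdict"]).upper()
    if verdict in VERDICT_SEVERITY:
        severity_id, severity = VERDICT_SEVERITY[verdict]
    else:
        # Never silently downgrade an unknown verdict to "informational":
        # OCSF reserves severity_id 0 for Unknown; keep the raw value too.
        severity_id, severity = 0, "Unknown"
    return {
        "class_uid": OCSF_CLASS_SECURITY_FINDING,
        "category_uid": OCSF_CATEGORY_FINDINGS,
        "activity_id": OCSF_ACTIVITY_CREATE,
        "type_uid": OCSF_CLASS_SECURITY_FINDING * 100 + OCSF_ACTIVITY_CREATE,
        "severity_id": severity_id,
        "severity": severity,
        "time": _epoch_ms(att["recorded_at"]),
        "message": f"Aegis {verdict} for {att['action']}",
        "metadata": {
            "version": "1.1.0",                       # assumed schema version
            "product": {"name": "Aegis", "vendor_name": "Aegis"},
            "uid": att["attestation_id"],
        },
        "finding": {
            "uid": att["attestation_id"],
            "title": f"Aegis verdict: {verdict}",
            "types": [att["action"]],
            "desc": "; ".join(att.get("reasons", [])),
        },
        # Fields with no natural OCSF home go under `unmapped` rather than
        # being dropped, so the SIEM can still pivot on them.
        "unmapped": {
            "actor": att.get("actor"),
            "policy_id": att.get("policy_id"),
            "raw_verdict": att["verdict"],
        },
    }
```

Two points worth checking in any real mapper: `time` must be milliseconds (Splunk and Sentinel will happily accept seconds and file the event in 1970), and verdicts the mapper does not recognise should surface as `severity_id` 0 (Unknown) rather than being coerced into an existing bucket. Note also that OCSF marks class 2001 as deprecated from schema 1.1.0 in favour of the Detection Finding family; consumers still accept it, but that is a migration to plan for.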
Outbox Pattern (siem_enqueue.py)
SIEM delivery uses the transactional outbox pattern for reliability:
- When an attestation is recorded, `siem_enqueue` writes a pending delivery row to the `aegis_siem_outbox` table for each active SIEM destination
- A background worker reads pending rows and delivers them to the configured SIEM endpoints
- Successful deliveries are marked as delivered; failures are retried with exponential backoff
This pattern ensures SIEM delivery never blocks the attestation hot path. The attestation is always recorded even if SIEM delivery fails.
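The outbox procedure above, and the technical details listed later on this page (enqueue must never raise, nullable attestation foreign key, exponential backoff), as an added example that is not the project's `siem_enqueue.py` or its worker. It uses only `sqlite3` from the stdlib. The page names only the `aegis_siem_outbox` table; every other table and column name, the backoff constants and the function names are assumptions made for illustration.

```python
"""Added example (not the project's siem_enqueue.py or its worker): the
transactional outbox for SIEM delivery, using only sqlite3 from the stdlib.

Assumptions: every table/column name except `aegis_siem_outbox`, the backoff
constants and the function names are illustrative; the page only states the
pattern (same-transaction enqueue, never-raising enqueue, background worker,
exponential backoff on failure).
"""
import json
import logging
import sqlite3

log = logging.getLogger("aegis.siem")

SCHEMA = """
CREATE TABLE aegis_attestations (
    id TEXT PRIMARY KEY, verdict TEXT NOT NULL, payload TEXT NOT NULL);
CREATE TABLE aegis_siem_destinations (
    id TEXT PRIMARY KEY, kind TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 1);
-- attestation_id is nullable so non-attestation events can use the same outbox
CREATE TABLE aegis_siem_outbox (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    destination_id TEXT NOT NULL REFERENCES aegis_siem_destinations(id),
    attestation_id TEXT REFERENCES aegis_attestations(id),
    event TEXT NOT NULL,                      -- OCSF event as JSON
    status TEXT NOT NULL DEFAULT 'pending',   -- pending | delivered | failed
    attempts INTEGER NOT NULL DEFAULT 0,
    next_attempt_at REAL NOT NULL DEFAULT 0,  -- epoch seconds
    last_error TEXT);
"""
BASE_DELAY_S, MAX_DELAY_S, MAX_ATTEMPTS = 1.0, 300.0, 8


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def siem_enqueue(conn, attestation_id, event):
    """Insert one pending row per active destination, inside the caller's open
    transaction so attestation and outbox rows commit or roll back together.
    Never raises: an outbox problem must not become a failed attestation."""
    try:
        dests = conn.execute(
            "SELECT id FROM aegis_siem_destinations WHERE active = 1").fetchall()
        conn.executemany(
            "INSERT INTO aegis_siem_outbox (destination_id, attestation_id, event) "
            "VALUES (?, ?, ?)",
            [(d[0], attestation_id, json.dumps(event)) for d in dests])
        return len(dests)
    except Exception:
        log.warning("siem_enqueue failed for %s", attestation_id, exc_info=True)
        return 0


def record_attestation(conn, attestation_id, verdict, payload, ocsf_event):
    """The hot path: attestation row and its outbox rows in one transaction."""
    with conn:
        conn.execute("INSERT INTO aegis_attestations VALUES (?, ?, ?)",
                     (attestation_id, verdict, json.dumps(payload)))
        siem_enqueue(conn, attestation_id, ocsf_event)


def backoff_delay(attempts):
    """Exponential backoff, capped: attempt 1 -> 1s, 2 -> 2s, 3 -> 4s, ... <= 300s."""
    return min(BASE_DELAY_S * 2 ** (attempts - 1), MAX_DELAY_S)


def run_worker_once(conn, deliver, now):
    """One pass of the background worker over rows that are due at `now`.
    `deliver(destination_id, event)` raises on failure.  Rows that exhaust
    MAX_ATTEMPTS are parked as 'failed' for operator attention instead of
    retrying forever.  Returns (delivered, retried, failed) counts."""
    rows = conn.execute(
        "SELECT id, destination_id, event, attempts FROM aegis_siem_outbox "
        "WHERE status = 'pending' AND next_attempt_at <= ? ORDER BY id",
        (now,)).fetchall()
    delivered = retried = failed = 0
    for row_id, dest, event, attempts in rows:
        attempts += 1
        try:
            deliver(dest, json.loads(event))
        except Exception as exc:
            if attempts >= MAX_ATTEMPTS:
                status, failed = "failed", failed + 1
            else:
                status, retried = "pending", retried + 1
            with conn:
                conn.execute(
                    "UPDATE aegis_siem_outbox SET status=?, attempts=?, "
                    "next_attempt_at=?, last_error=? WHERE id=?",
                    (status, attempts, now + backoff_delay(attempts), repr(exc), row_id))
        else:
            delivered += 1
            with conn:
                conn.execute("UPDATE aegis_siem_outbox SET status='delivered', "
                             "attempts=? WHERE id=?", (attempts, row_id))
    return delivered, retried, failed
```

The two properties a reviewer should verify in the real implementation are visible here: `siem_enqueue` swallows every exception and returns a count, so a broken destination table cannot fail the attestation, and the worker computes `next_attempt_at` from the attempt count rather than sleeping, so a single slow SIEM does not stall delivery to the others. Capping retries and parking the row (rather than retrying forever) keeps the outbox from growing unbounded when a destination is decommissioned without being deactivated.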
SIEM Connectors (siem_connectors.py)
Two built-in connectors:
Splunk HEC (HTTP Event Collector):
- Sends OCSF events to the Splunk HEC endpoint
- Supports batching for throughput
- Uses stdlib `urllib.request` (no external dependencies)
Microsoft Sentinel:
- Sends OCSF events to the Azure Monitor HTTP Data Collector API
- Supports HMAC-SHA256 authentication
- Uses stdlib `urllib.request` and `base64` for authentication
Both connectors accept a list of OCSF events for batch delivery. Authentication configuration is decrypted by the caller before passing to the connector.
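The two connectors described above, as an added example that is not the project's `siem_connectors.py`. It builds the batch requests with `urllib.request` only and sends nothing until `send()` is called, so the request shapes can be inspected offline. The wire formats are the documented ones: Splunk HEC takes concatenated JSON objects with an `Authorization: Splunk <token>` header, and the Azure Monitor HTTP Data Collector API takes a `SharedKey` authorization computed as HMAC-SHA256 over a canonical string, keyed with the base64-decoded workspace key. The endpoint URLs, the HEC `sourcetype`, the Sentinel `Log-Type` name, the sample events and the helper names are assumptions.

```python
"""Added example (not the project's siem_connectors.py): build Splunk HEC and
Azure Monitor Data Collector API batch requests with the stdlib only.

Assumptions: endpoint URLs, the HEC sourcetype string, the Sentinel Log-Type
name and the helper names are illustrative; the request/signature formats are
those documented by Splunk (HEC) and Microsoft (Data Collector API).
"""
import base64
import hashlib
import hmac
import json
import ssl
import urllib.request
from email.utils import formatdate

# Constructed sample batch: two OCSF Security Findings, `time` in epoch ms.
SAMPLE_EVENTS = [
    {"class_uid": 2001, "severity_id": 3, "time": 1704067200000,
     "message": "Aegis DENY for tool:shell"},
    {"class_uid": 2001, "severity_id": 1, "time": 1704067260000,
     "message": "Aegis ALLOW for tool:search"},
]


def build_splunk_hec_request(hec_url, token, events, sourcetype="ocsf:security_finding"):
    """One POST for the whole batch: HEC accepts concatenated JSON objects.
    HEC `time` is epoch seconds while OCSF `time` is epoch milliseconds."""
    body = "\n".join(
        json.dumps({"time": ev["time"] / 1000.0, "sourcetype": sourcetype, "event": ev})
        for ev in events
    ).encode("utf-8")
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )


def sentinel_authorization(workspace_id, shared_key_b64, rfc1123_date, content_length):
    """Data Collector API SharedKey scheme: HMAC-SHA256 over the canonical
    string (method, length, content type, x-ms-date, resource), keyed with
    the base64-decoded workspace shared key, then base64-encoded."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n/api/logs")
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode('ascii')}"


def build_sentinel_request(workspace_id, shared_key_b64, events, log_type="AegisOCSF", date=None):
    """The same x-ms-date value must be signed and sent, so it is fixed once."""
    body = json.dumps(events).encode("utf-8")
    rfc1123_date = date or formatdate(usegmt=True)
    return urllib.request.Request(
        f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        data=body, method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": sentinel_authorization(
                workspace_id, shared_key_b64, rfc1123_date, len(body)),
            "Log-Type": log_type,
            "x-ms-date": rfc1123_date,
        },
    )


def send(req, timeout=10):
    """Deliver a prepared request over TLS with certificate verification on
    (the default context); the caller decides whether a non-2xx is retried."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read()
```

Two caveats for the Sentinel path: the decrypted shared key should live only in the connector call (never in the outbox row or in the warning log that records a failed delivery, since the `Authorization` header is a bearer-equivalent secret), and Microsoft has deprecated the HTTP Data Collector API in favour of the Logs Ingestion API, so a connector built on it should be treated as a migration item.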
Architecture
Configuration
SIEM destinations are configured via the REST API:
Technical Details
- SIEM enqueue MUST never raise: it is wrapped in try/except in the `evaluate()` hot path, and a failure is logged at warning level rather than propagated to the caller
- The outbox table (`aegis_siem_outbox`) uses nullable attestation foreign keys to support delivery of non-attestation events
- OCSF Class 2001 was chosen because it maps naturally to "a security system made a finding about an action"
- Verdict-to-severity mapping: ALLOW=informational, DENY=medium, ESCALATE=high, REWRITE=low
- Connectors use stdlib only (no requests, no httpx) to minimize the security-critical dependency surface