SIEM, UEBA & SOAR

SIEM, UEBA & SOAR

The Investigate group is security operations over the gateway's event stream: search it (SIEM), learn what normal looks like and flag deviations (UEBA), and automatically contain abuse (SOAR). It requires the Pro tier — OpenSearch holds the normalized event projection that makes free-text search, facets, and large-window analytics practical.

Dashboard: Investigate ▸ SIEM / UEBA / SOAR. VIEW_SECURITY to view; MANAGE_GATEWAY to manage rules. Enabled by the Pro overlay (aim.siem.enabled).

SIEM — search the event stream

A query-agnostic explorer over every governance event: LLM calls, guardrail triggers, security actions, config changes.

  • Events — a search bar and a recursive query builder, an events-over-time histogram (24h/7d/30d or custom range), field facets, and a chart that re-renders for any group-by (source / severity / event / model / org / action) × metric (count / spend / tokens / entities) × chart type. A per-request trace drills into one request's events.
  • Detection rules — per-tenant rules that watch the stream and fire when a match crosses a count threshold over a window. They compile to OpenSearch Alerting / Security Analytics, and their siem.detection events can be routed to notifications or acted on by SOAR.
  • Sigma rules — bring standard Sigma detections; they compile to the same backend.

The match-expression grammar

You build a tree of conditions combined with ALL (and), ANY (or), and NONE (not); each leaf matches an event field. The same grammar powers SIEM search, detection rules, SOAR rules, and notification routing — learn it once, use it everywhere.

JSON
{
  "all": [
    { "field": "category", "equals": "guardrail.triggered" },
    { "field": "attributes.action", "equals": "BLOCK" },
    { "any": [
      { "field": "attributes.category", "equals": "SECRET" },
      { "field": "attributes.category", "equals": "PII" }
    ]}
  ]
}

That reads: guardrail events that blocked, where the matched category was SECRET or PII.

UEBA — behavioural anomaly detection

UEBA learns a baseline of normal behaviour per entity (a virtual key, a source IP, an admin) and raises ueba.anomaly events on deviations — volume, mix, timing, novelty — graded against a threshold you set.

Three detection profiles, each off by default: Key risk (a key behaving unlike its own history), Source risk (an abnormal IP/source), and Admin risk (admin-plane behaviour). Each has a grade-threshold slider with a live "how many would fire" preview.

SOAR — automated containment

When a pattern fires over the event stream, SOAR takes a reversible action:

ActionEffectReverts
alertRaise an event for notification routing
quarantinePut the offending key into a reversible SUSPENDED stateManually un-suspend
throttleTemporarily tighten the scope's rate limitAuto-reverts (or stop it early)

A rule is a match (the same expression grammar) plus a count-over-window (threshold, window, cooldown) plus an action. An apply recommended starter set exists here too. The Actions tab is the containment review feed (platform admin): mark each action CONFIRMED or FALSE_POSITIVE, and un-suspend quarantined keys.

How the pieces compose

A typical pipeline: a guardrail blocks secrets from one key → a detection rule fires at ≥5 blocks in 10 minutes and raises siem.detectionnotification routing pages the on-call → a SOAR rule at ≥10 in 5 minutes quarantines the key → the platform admin reviews the action, confirms it, or un-suspends. The full walkthrough is in Contain a leaked key.