SIEM, UEBA & SOAR
The Investigate group is security operations over the gateway's event stream: search it (SIEM), learn what normal looks like and flag deviations (UEBA), and automatically contain abuse (SOAR). It requires the Pro tier — OpenSearch holds the normalized event projection that makes free-text search, facets, and large-window analytics practical.
Dashboard: Investigate ▸ SIEM / UEBA / SOAR. VIEW_SECURITY to view; MANAGE_GATEWAY to manage rules. Enabled by the Pro overlay (aim.siem.enabled).
SIEM — search the event stream
A query-agnostic explorer over every governance event: LLM calls, guardrail triggers, security actions, config changes.
- Events — a search bar and a recursive query builder, an events-over-time histogram (24h/7d/30d or custom range), field facets, and a chart that re-renders for any group-by (source / severity / event / model / org / action) × metric (count / spend / tokens / entities) × chart type. A per-request trace drills into one request's events.
- Detection rules — per-tenant rules that watch the stream and fire when a match crosses a count threshold over a window. They compile to OpenSearch Alerting / Security Analytics, and their
siem.detectionevents can be routed to notifications or acted on by SOAR. - Sigma rules — bring standard Sigma detections; they compile to the same backend.
The match-expression grammar
You build a tree of conditions combined with ALL (and), ANY (or), and NONE (not); each leaf matches an event field. The same grammar powers SIEM search, detection rules, SOAR rules, and notification routing — learn it once, use it everywhere.
{
"all": [
{ "field": "category", "equals": "guardrail.triggered" },
{ "field": "attributes.action", "equals": "BLOCK" },
{ "any": [
{ "field": "attributes.category", "equals": "SECRET" },
{ "field": "attributes.category", "equals": "PII" }
]}
]
}
That reads: guardrail events that blocked, where the matched category was SECRET or PII.
UEBA — behavioural anomaly detection
UEBA learns a baseline of normal behaviour per entity (a virtual key, a source IP, an admin) and raises ueba.anomaly events on deviations — volume, mix, timing, novelty — graded against a threshold you set.
Three detection profiles, each off by default: Key risk (a key behaving unlike its own history), Source risk (an abnormal IP/source), and Admin risk (admin-plane behaviour). Each has a grade-threshold slider with a live "how many would fire" preview.
SOAR — automated containment
When a pattern fires over the event stream, SOAR takes a reversible action:
| Action | Effect | Reverts |
|---|---|---|
alert | Raise an event for notification routing | — |
quarantine | Put the offending key into a reversible SUSPENDED state | Manually un-suspend |
throttle | Temporarily tighten the scope's rate limit | Auto-reverts (or stop it early) |
A rule is a match (the same expression grammar) plus a count-over-window (threshold, window, cooldown) plus an action. An apply recommended starter set exists here too. The Actions tab is the containment review feed (platform admin): mark each action CONFIRMED or FALSE_POSITIVE, and un-suspend quarantined keys.
How the pieces compose
A typical pipeline: a guardrail blocks secrets from one key → a detection rule fires at ≥5 blocks in 10 minutes and raises siem.detection → notification routing pages the on-call → a SOAR rule at ≥10 in 5 minutes quarantines the key → the platform admin reviews the action, confirms it, or un-suspends. The full walkthrough is in Contain a leaked key.
Related pages
- Guardrails — the events these engines most often act on.
- Audit, usage & reports — the compliance-facing read side.