SIEM And Observability Egress
MeshGuard exports tenant-scoped audit, decision, metric, and trace data to the customer's security and observability stack.
Connector Targets
| Target | Mode | Notes |
|---|---|---|
| Splunk | HEC | Map to Splunk CIM and OCSF. |
| Microsoft Sentinel | Log Analytics ingestion | Supports Microsoft SOC workflows without making MeshGuard Sentinel-specific. |
| Datadog | Logs and Cloud SIEM | Emit audit events plus p99 latency and decision-rate metrics. |
| Elastic/OpenSearch | Bulk HTTP | Preserve event IDs as document IDs so a replayed bulk request deduplicates instead of double-indexing. |
| OTLP | Logs, metrics, traces | Preferred vendor-neutral observability path. |
| S3/GCS/Azure Blob | Archive | Customer-managed keys and retention policies. |
| Generic webhook | HMAC-signed JSON | Fallback for destinations without a native connector; the receiver must verify the signature before trusting the payload. |
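The following is an added example, not MeshGuard's own code, showing both sides of the generic webhook target: the sender signs the JSON body and the receiver verifies it before parsing. The header names, the `sha256=` prefix, the `timestamp.body` signed string and the five-minute replay window are assumptions for this example; the page only specifies HMAC-signed JSON.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Header names, signed-string layout and replay window are assumptions for this
# example; the page only says the generic webhook carries HMAC-signed JSON.
SIGNATURE_HEADER = "X-MeshGuard-Signature"
TIMESTAMP_HEADER = "X-MeshGuard-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries signed more than five minutes from now


def canonical_body(event: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, body: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over 'timestamp.body'; binding the timestamp stops replay of an old body."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_delivery(secret: bytes, event: dict, now: Optional[int] = None) -> Tuple[dict, bytes]:
    """Sender side: headers and body for one webhook POST."""
    ts = int(time.time()) if now is None else now
    body = canonical_body(event)
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(ts),
        SIGNATURE_HEADER: "sha256=" + sign(secret, body, ts),
    }
    return headers, body


def verify_delivery(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: freshness window plus constant-time signature check.

    Verify over the raw received bytes before any JSON parsing, so whitespace
    or key-order differences cannot desynchronise the MAC."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented.startswith("sha256="):
        return False
    expected = sign(secret, body, ts)
    # compare_digest does not leak the position of the first mismatching byte
    return hmac.compare_digest(presented[len("sha256="):], expected)


if __name__ == "__main__":
    # Constructed sample event and secret; neither comes from the page.
    secret = b"example-webhook-secret"
    event = {"tenant_id": "t-123", "action": "call", "decision": "allow"}
    headers, body = build_delivery(secret, event, now=1_700_000_000)
    assert verify_delivery(secret, headers, body, now=1_700_000_000)
    assert not verify_delivery(secret, headers, body.replace(b"allow", b"deny"), now=1_700_000_000)
    assert not verify_delivery(secret, headers, body, now=1_700_000_000 + 3600)
    print("webhook signature checks passed")
```

A receiver that parses the JSON first and re-serializes it before checking the MAC is a common mistake; the check must run over the exact bytes that arrived.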
OCSF Mapping
| MeshGuard field | OCSF field |
|---|---|
| tenant_id | metadata.tenant_uid |
| source_type | class_name |
| actor.id | actor.user.uid or actor.process.uid |
| actor.spiffe_id | actor.process.uid_alt |
| action | activity_name |
| decision | disposition |
| policy_version | policy.uid |
| trace_id | trace.uid |
| request_id | metadata.uid |
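The mapping table applied in code, as an added example rather than MeshGuard's own exporter. The table does not say when actor.id becomes actor.user.uid versus actor.process.uid, so the example assumes an actor that carries a spiffe_id is a workload and any other actor is a human user; the `missing_required` check and the sample event are likewise constructed for the example.

```python
from typing import Any, List


def _set_path(target: dict, dotted: str, value: Any) -> None:
    """Create nested dicts for a dotted OCSF path such as 'actor.user.uid'."""
    parts = dotted.split(".")
    node = target
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _get_path(source: dict, dotted: str) -> Any:
    """Read a dotted path from a nested dict; None when any segment is absent."""
    node = source
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


# One-to-one rows from the mapping table above.
FIELD_MAP = {
    "tenant_id": "metadata.tenant_uid",
    "source_type": "class_name",
    "actor.spiffe_id": "actor.process.uid_alt",
    "action": "activity_name",
    "decision": "disposition",
    "policy_version": "policy.uid",
    "trace_id": "trace.uid",
    "request_id": "metadata.uid",
}


def to_ocsf(event: dict) -> dict:
    """Project a MeshGuard event onto the OCSF field names in the table.

    Assumption for this example (the page does not state the rule): an actor
    with a spiffe_id is a workload, so actor.id lands in actor.process.uid;
    otherwise it is a human and lands in actor.user.uid."""
    out: dict = {}
    for src, dst in FIELD_MAP.items():
        value = _get_path(event, src)
        if value is not None:
            _set_path(out, dst, value)
    actor_id = _get_path(event, "actor.id")
    if actor_id is not None:
        is_workload = _get_path(event, "actor.spiffe_id") is not None
        _set_path(out, "actor.process.uid" if is_workload else "actor.user.uid", actor_id)
    return out


def missing_required(ocsf: dict) -> List[str]:
    """Paths a SIEM needs before the event is usable: tenant scope, the dedup
    token and the event class. Returns the absent ones (empty when complete)."""
    required = ("metadata.tenant_uid", "metadata.uid", "class_name")
    return [p for p in required if _get_path(ocsf, p) is None]


if __name__ == "__main__":
    # Constructed sample event, not taken from the page.
    sample = {
        "tenant_id": "t-42",
        "source_type": "authorization_decision",
        "actor": {"id": "svc-payments", "spiffe_id": "spiffe://example.org/ns/prod/sa/payments"},
        "action": "call",
        "decision": "deny",
        "policy_version": "v17",
        "trace_id": "4bf92f3577b34da6a3ce929d0e0e4736",
        "request_id": "req-0001",
    }
    mapped = to_ocsf(sample)
    print(mapped, missing_required(mapped))
```

Run the completeness check on the mapped event rather than the raw one: an event that leaves the exporter without metadata.uid cannot be deduplicated downstream no matter what the delivery layer does.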
Delivery Semantics
- At-least-once delivery: after a retry a destination may receive the same event more than once, so consumers must treat ingestion as idempotent.
- Per-destination dedup tokens, so each destination can recognise and drop a redelivered event.
- Events that exhaust their retries land in a dead-letter queue visible in the operator console.
- Disk-backed buffering when a destination is slow or unavailable, so backpressure does not drop events.
- Connector credentials encrypted with customer-controlled keys where the destination supports it.
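An added example, not MeshGuard's forwarder, that puts the delivery semantics above together in one runnable scenario: a JSON-lines spool on disk stands in for the buffer, a sender retries and dead-letters after a fixed budget, and a receiver deduplicates on the event's request_id. The three-attempt budget, the use of request_id as the dedup token, and the simulated outage are assumptions for the example.

```python
import json
import os
import tempfile
from typing import Callable, Dict, List, Set

MAX_ATTEMPTS = 3  # assumption for the example; the page states no retry budget


class DiskBuffer:
    """JSON-lines spool so unsent events survive a slow or down destination.

    A crash between writing a line and receiving the destination's ack replays
    that line, which is exactly why delivery is at-least-once, not exactly-once."""

    def __init__(self, path: str) -> None:
        self.path = path
        open(self.path, "a").close()

    def append(self, event: dict) -> None:
        with open(self.path, "a") as f:
            f.write(json.dumps(event, sort_keys=True) + "\n")

    def drain(self) -> List[dict]:
        """Take every buffered event and truncate the spool."""
        with open(self.path) as f:
            events = [json.loads(line) for line in f if line.strip()]
        open(self.path, "w").close()
        return events


class Forwarder:
    """Sender side: buffer, retry up to MAX_ATTEMPTS per event, then dead-letter."""

    def __init__(self, buffer: DiskBuffer, send: Callable[[dict], bool]) -> None:
        self.buffer = buffer
        self.send = send
        self.dead_letter: List[dict] = []
        self.attempts: Dict[str, int] = {}

    def enqueue(self, event: dict) -> None:
        self.buffer.append(event)

    def flush(self) -> int:
        """One delivery pass over the spool. Failed events go back to disk;
        events past the retry budget go to the dead-letter queue.
        Returns how many events the destination acknowledged this pass."""
        delivered = 0
        for event in self.buffer.drain():
            token = event["request_id"]  # dedup token assumed to be request_id
            self.attempts[token] = self.attempts.get(token, 0) + 1
            if self.send(event):
                delivered += 1
                self.attempts.pop(token, None)
            elif self.attempts[token] >= MAX_ATTEMPTS:
                self.dead_letter.append(event)
            else:
                self.buffer.append(event)
        return delivered


class Receiver:
    """Destination side: idempotent ingest keyed on the dedup token."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()
        self.stored: List[dict] = []
        self.fail_next = 0  # simulates an unavailable destination for N calls

    def ingest(self, event: dict) -> bool:
        if self.fail_next > 0:
            self.fail_next -= 1
            return False  # no ack, so the sender will retry
        token = event["request_id"]
        if token in self.seen:
            return True  # duplicate redelivery: ack without storing twice
        self.seen.add(token)
        self.stored.append(event)
        return True


def run_scenario() -> dict:
    """Constructed scenario: req-1 crosses a two-failure outage and is later
    redelivered as a duplicate; req-2 never gets through and is dead-lettered."""
    spool = os.path.join(tempfile.mkdtemp(), "spool.jsonl")
    rx = Receiver()
    fw = Forwarder(DiskBuffer(spool), rx.ingest)
    fw.enqueue({"request_id": "req-1", "decision": "allow"})
    rx.fail_next = 2
    first_passes = [fw.flush(), fw.flush(), fw.flush()]  # fail, fail, ack
    fw.enqueue({"request_id": "req-1", "decision": "allow"})  # replay after a crash
    dup_pass = fw.flush()
    fw.enqueue({"request_id": "req-2", "decision": "deny"})
    rx.fail_next = MAX_ATTEMPTS
    for _ in range(MAX_ATTEMPTS):
        fw.flush()
    return {
        "first_passes": first_passes,
        "dup_pass": dup_pass,
        "stored": len(rx.stored),
        "dead_lettered": [e["request_id"] for e in fw.dead_letter],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The duplicate is acknowledged but not stored a second time; that is the contract the dedup token buys, and it only holds if the destination keys on the token rather than on the full payload or arrival time.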
