1. Start with a Security Event Model
Product observability asks whether the assistant is useful and fast. Security observability asks whether a principal tried to cross a boundary. The same raw events can serve both purposes, but only if they are structured, enriched, and routed with security semantics.
- Conversation event. User, tenant, route, model release, prompt token count, normalized intent class, and risk labels.
- Retrieval event. Query, indexes, source trust, top-k IDs, access-control filters, and score distribution.
- Guardrail event. Policy name, verdict, confidence band, normalized reason, and whether the model disagreed.
- Tool event. Tool name, arguments hash, target object, side-effect class, policy allow/deny, and confirmation ID.
- Egress/render event. External host class, Markdown/HTML sanitizer verdict, blocked link count, and CSP/egress outcome.
For detection logic examples, cross-link this with Detection Engineering for LLM Attacks. That article focuses on detection content; this one focuses on getting the data to the SIEM without leaking the data you are trying to protect.
2. Pipeline Pattern
| Stage | Purpose | Security requirement |
|---|---|---|
| Collect | Capture prompts, retrievals, tools, and guardrails | Minimize raw sensitive content where possible |
| Normalize | Convert vendor/runtime fields into stable schema | Preserve original IDs for forensics |
| Enrich | Add tenant, source trust, model release, route risk, and data class | Do not enrich with secrets or raw PII |
| Detect | Run rules for injection, exfiltration, tool misuse, DoS, and extraction | Version rules and test with red-team fixtures |
| Respond | Create alerts, throttle accounts, block tools, or isolate indexes | Actions must be deterministic and auditable |
Use OpenTelemetry or existing application logs where they fit, but do not force LLM-specific evidence into generic HTTP fields. A retrieved chunk list is not a URL path; a guardrail disagreement is not a 500 error. Preserve the semantics that an investigator will need later.
3. Illustrative Detection Logic
Illustrative Sigma-style rule
This is deliberately generic and non-deployable as-is. Adapt field names, thresholds, and privacy controls to your SIEM.
title: LLM Tool Call After Low Trust Retrieval
status: illustrative
logsource:
product: llm_gateway
detection:
selection:
event.category: llm_tool_call
retrieved_context.min_trust: public_or_user_uploaded
tool.side_effect_class:
- reversible_write
- irreversible_write
- external_communication
filter_confirmed:
confirmation.status: approved
condition: selection and not filter_confirmed
fields:
- user.id
- tenant.id
- conversation.id
- tool.name
- retrieved_context.source_ids
- policy.decision
level: high
- Injection canary seen. Canary marker appears in output, tool argument, or rendered link.
- Denied egress spike. Agent runtime attempts hosts outside allow-list after retrieval from low-trust sources.
- Grounding gate failed. High-risk route produced claims without supporting source spans.
- Extraction-like query cluster. Similar prompts or systematic parameter sweeps by one principal.
4. Privacy and Retention Controls
LLM telemetry is sensitive. A SIEM feed that stores every prompt and retrieved document verbatim can create a new data leak. The goal is to preserve investigative value while minimizing content exposure.
- Hash or tokenize where possible. Store prompt hashes, chunk IDs, source IDs, and policy labels instead of raw text for routine detections.
- Tiered evidence storage. Keep raw prompt/prompt-assembly evidence in a restricted forensic store with shorter retention and stronger access control.
- Redact before export. Apply PII/secrets redaction before sending events to shared SOC tooling.
- Access reviews. SIEM users who can read LLM traces may be able to read regulated business content. Treat that as privileged access.
- Case-based expansion. Allow investigators to retrieve raw evidence only for an approved case, with audit logging.
This is where OWASP LLM06 meets blue-team engineering: telemetry should reveal leaks, not become the leak.
Make AI Telemetry SOC-Usable
The field notes above are intentionally conceptual and defanged, but the controls are practical. Use AI red-teaming to validate the attack path safely, blue-team detection engineering to make the signals operational, and contact to scope a review of your own environment.