Turning LLM Observability into a SIEM Feed

An LLM stack already emits the ingredients of a security feed: prompts, retrieved chunks, model decisions, tool calls, guardrail verdicts, token budgets, latency, and egress decisions. The gap is that most observability pipelines treat those records as product analytics, not security telemetry. This article complements the existing detection-engineering guide by focusing on the plumbing: a SIEM-ready event model, enrichment strategy, privacy controls, and illustrative detection logic.

1. Start with a Security Event Model

Product observability asks whether the assistant is useful and fast. Security observability asks whether a principal tried to cross a boundary. The same raw events can serve both purposes, but only if they are structured, enriched, and routed with security semantics.

  • Conversation event. User, tenant, route, model release, prompt token count, normalized intent class, and risk labels.
  • Retrieval event. Query, indexes, source trust, top-k IDs, access-control filters, and score distribution.
  • Guardrail event. Policy name, verdict, confidence band, normalized reason, and whether the model disagreed.
  • Tool event. Tool name, arguments hash, target object, side-effect class, policy allow/deny, and confirmation ID.
  • Egress/render event. External host class, Markdown/HTML sanitizer verdict, blocked link count, and CSP/egress outcome.

For detection logic examples, cross-link this with Detection Engineering for LLM Attacks. That article focuses on detection content; this one focuses on getting the data to the SIEM without leaking the data you are trying to protect.

2. Pipeline Pattern

Stage Purpose Security requirement
Collect Capture prompts, retrievals, tools, and guardrails Minimize raw sensitive content where possible
Normalize Convert vendor/runtime fields into stable schema Preserve original IDs for forensics
Enrich Add tenant, source trust, model release, route risk, and data class Do not enrich with secrets or raw PII
Detect Run rules for injection, exfiltration, tool misuse, DoS, and extraction Version rules and test with red-team fixtures
Respond Create alerts, throttle accounts, block tools, or isolate indexes Actions must be deterministic and auditable

Use OpenTelemetry or existing application logs where they fit, but do not force LLM-specific evidence into generic HTTP fields. A retrieved chunk list is not a URL path; a guardrail disagreement is not a 500 error. Preserve the semantics that an investigator will need later.

3. Illustrative Detection Logic

Illustrative Sigma-style rule

This is deliberately generic and non-deployable as-is. Adapt field names, thresholds, and privacy controls to your SIEM.

title: LLM Tool Call After Low Trust Retrieval
status: illustrative
logsource:
  product: llm_gateway
detection:
  selection:
    event.category: llm_tool_call
    retrieved_context.min_trust: public_or_user_uploaded
    tool.side_effect_class:
      - reversible_write
      - irreversible_write
      - external_communication
  filter_confirmed:
    confirmation.status: approved
  condition: selection and not filter_confirmed
fields:
  - user.id
  - tenant.id
  - conversation.id
  - tool.name
  - retrieved_context.source_ids
  - policy.decision
level: high
  • Injection canary seen. Canary marker appears in output, tool argument, or rendered link.
  • Denied egress spike. Agent runtime attempts hosts outside allow-list after retrieval from low-trust sources.
  • Grounding gate failed. High-risk route produced claims without supporting source spans.
  • Extraction-like query cluster. Similar prompts or systematic parameter sweeps by one principal.

4. Privacy and Retention Controls

LLM telemetry is sensitive. A SIEM feed that stores every prompt and retrieved document verbatim can create a new data leak. The goal is to preserve investigative value while minimizing content exposure.

  • Hash or tokenize where possible. Store prompt hashes, chunk IDs, source IDs, and policy labels instead of raw text for routine detections.
  • Tiered evidence storage. Keep raw prompt/prompt-assembly evidence in a restricted forensic store with shorter retention and stronger access control.
  • Redact before export. Apply PII/secrets redaction before sending events to shared SOC tooling.
  • Access reviews. SIEM users who can read LLM traces may be able to read regulated business content. Treat that as privileged access.
  • Case-based expansion. Allow investigators to retrieve raw evidence only for an approved case, with audit logging.

This is where OWASP LLM06 meets blue-team engineering: telemetry should reveal leaks, not become the leak.

Make AI Telemetry SOC-Usable

The field notes above are intentionally conceptual and defanged, but the controls are practical. Use AI red-teaming to validate the attack path safely, blue-team detection engineering to make the signals operational, and contact to scope a review of your own environment.

Related Reading