Unit 3: SIEM integration — native forwarding to Splunk, Sentinel, Elastic, Datadog #48

@TeoSlayer

Description

Scope

Native audit log forwarding to enterprise SIEM platforms. Beyond slog file output — direct integration with collection APIs.

Deliverables

  • Splunk: HTTP Event Collector (HEC) integration with source type, index, correlation fields
  • Microsoft Sentinel: Azure Monitor Data Collection Rules (DCR) ingestion
  • Elastic: direct Elasticsearch indexing or Filebeat-compatible JSON output with ECS field mapping
  • Datadog: Datadog Logs API with facet mapping
  • Universal syslog forwarding (RFC 5424) for on-premise SIEM
  • Configuration: SIEM endpoint, credentials, batch size, retry policy
  • Field mapping: audit events → SIEM-native schema (CIM for Splunk, ECS for Elastic)
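As an added example that is not part of this issue or the project's code: a Go sketch of the field mapping and syslog deliverables above, turning one audit event into an ECS-shaped document and framing it as an RFC 5424 message for an on-premise collector. The `AuditEvent` shape, the host/app names and the choice of facility 13 (log audit) are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent is a hypothetical audit record shape assumed for this example;
// the real registry event type is not shown in the issue.
type AuditEvent struct {
	Time    time.Time
	Action  string // e.g. "package.publish"
	Outcome string // "success" or "failure"
	User    string
	SrcIP   string
	Target  string
}

// ToECS maps the event onto Elastic Common Schema field names so Elastic
// (or Filebeat) can index it without a custom ingest pipeline.
func ToECS(e AuditEvent) map[string]any {
	return map[string]any{
		"@timestamp": e.Time.UTC().Format(time.RFC3339Nano),
		"event": map[string]any{
			"kind": "event", "category": []string{"configuration"},
			"action": e.Action, "outcome": e.Outcome,
		},
		"user":   map[string]any{"name": e.User},
		"source": map[string]any{"ip": e.SrcIP},
		"labels": map[string]any{"target": e.Target},
	}
}

// ToSyslog frames the ECS document as an RFC 5424 message:
// <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG (unused fields are "-").
// PRI = facility*8 + severity; facility 13 is "log audit", severity 6 info / 4 warning.
func ToSyslog(e AuditEvent, host, app string) (string, error) {
	body, err := json.Marshal(ToECS(e))
	if err != nil {
		return "", err
	}
	pri := 13*8 + 6
	if e.Outcome == "failure" {
		pri = 13*8 + 4 // failed audited actions are raised to warning so SIEM rules can key on PRI
	}
	ts := e.Time.UTC().Format(time.RFC3339Nano)
	return fmt.Sprintf("<%d>1 %s %s %s - - - %s", pri, ts, host, app, body), nil
}

func main() {
	// Constructed sample event; 203.0.113.0/24 is documentation address space.
	ev := AuditEvent{Time: time.Now(), Action: "package.publish", Outcome: "failure",
		User: "alice", SrcIP: "203.0.113.7", Target: "example/pkg"}
	msg, _ := ToSyslog(ev, "registry01", "registry")
	fmt.Println(msg)
}
```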

Files

  • pkg/registry/siem.go — SIEM forwarder implementations
  • pkg/daemon/siem.go — daemon-side forwarding
  • tests/ — SIEM integration tests (mock collectors)

Priority: HIGH
