🚧 SanctumAI is in beta. APIs may change before v1.0.

Export to SIEM

SanctumAI’s Export Layer streams audit events to external security platforms in real time. This guide covers configuring adapters for popular SIEMs.

Architecture

Vault Events → Event Bus → Filter/Route → Transform → Adapter → SIEM
                              │                          │
                           WAL (durable)            Retry + DLQ

Events flow through a pluggable pipeline:

  1. Event Bus — Captures every vault operation
  2. Filter/Route — Selects which events go to which adapter
  3. Transform — Converts to target format (OCSF, CEF, flat JSON)
  4. Adapter — Delivers to the destination with retry and dead-letter queue
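The Adapter stage is where audit evidence is most often lost: a destination that returns 5xx for a few minutes must not cause events to be dropped. The following is an added example, not SanctumAI's own code, showing the shape of that stage: batching, bounded retry with exponential backoff, and a dead-letter queue for batches that exhaust their retries. The transport is injected so the example runs offline; the class and function names and the constructed events are illustrative.

```python
# Added example, not SanctumAI code: the delivery stage of the pipeline above
# (batching, bounded retry with exponential backoff, dead-letter queue) with an
# injected transport so it runs offline. Class and function names are assumed.
import time
from dataclasses import dataclass, field
from typing import Callable


class TransientError(Exception):
    """Destination temporarily unavailable (5xx, timeout, connection reset)."""


@dataclass
class DeadLetterQueue:
    entries: list = field(default_factory=list)

    def push(self, batch, reason):
        # Keep the whole batch and the reason so an operator can replay it later.
        self.entries.append({"reason": reason, "events": list(batch)})


@dataclass
class Adapter:
    send: Callable[[list], None]     # transport; raises TransientError on failure
    batch_size: int = 100
    max_attempts: int = 4
    base_backoff: float = 0.0        # seconds; 0 keeps the demo instant, use >0 in practice
    dlq: DeadLetterQueue = field(default_factory=DeadLetterQueue)
    delivered: int = 0

    def deliver(self, events):
        """Split events into batches and deliver each one independently."""
        for i in range(0, len(events), self.batch_size):
            self._deliver_batch(events[i:i + self.batch_size])

    def _deliver_batch(self, batch):
        for attempt in range(1, self.max_attempts + 1):
            try:
                self.send(batch)
                self.delivered += len(batch)
                return
            except TransientError as exc:
                if attempt == self.max_attempts:
                    # Audit evidence is never dropped silently: park it for replay.
                    self.dlq.push(batch, f"{exc} after {attempt} attempts")
                    return
                time.sleep(self.base_backoff * 2 ** (attempt - 1))


def flaky_sender(fail_first_n):
    """Constructed transport: rejects the first N calls, then accepts everything."""
    calls = {"n": 0}

    def send(batch):
        calls["n"] += 1
        if calls["n"] <= fail_first_n:
            raise TransientError("503 Service Unavailable")
    return send


def demo():
    """Returns (delivered, dlq size) for a recovering and for a dead destination."""
    events = [{"id": i, "class_name": "SecretAccess"} for i in range(250)]
    recovering = Adapter(send=flaky_sender(2))            # two failures, then healthy
    recovering.deliver(events)
    dead = Adapter(send=flaky_sender(10**6), max_attempts=3)
    dead.deliver(events[:100])                            # exhausts retries -> DLQ
    return (recovering.delivered, len(recovering.dlq.entries),
            dead.delivered, len(dead.dlq.entries))


if __name__ == "__main__":
    print(demo())   # (250, 0, 0, 1)
```

Note that each batch is retried and dead-lettered on its own: one poisoned batch does not block the ones behind it, and the DLQ entry records the full batch rather than a count, so replay needs no access to the original WAL.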

Configuration

Export adapters are configured in ~/.sanctum/config.toml:

[export]
enabled = true
 
[export.durability]
wal_enabled = true

Splunk (HEC)

[[export.adapters]]
id = "splunk-prod"
type = "splunk_hec"
enabled = true
 
[export.adapters.config]
endpoint = "https://splunk.corp.example.com:8088"
token_env = "SANCTUM_SPLUNK_TOKEN"
index = "sanctum_events"
source = "sanctum-ai"
sourcetype = "_json"
format = "ocsf"
 
[export.adapters.batch]
size = 100
flush_interval_secs = 5

Note: Credentials such as Splunk tokens are referenced by environment variable name (token_env) and are never written into the config file itself.

Datadog

[[export.adapters]]
id = "datadog"
type = "datadog"
enabled = true
 
[export.adapters.config]
api_key_env = "SANCTUM_DD_API_KEY"
site = "datadoghq.com"
source = "sanctum-ai"
format = "flat_json"

Elasticsearch

[[export.adapters]]
id = "elastic"
type = "elastic"
enabled = true
 
[export.adapters.config]
endpoint = "https://elastic.corp.example.com:9200"
index = "sanctum-events"
api_key_env = "SANCTUM_ELASTIC_KEY"
format = "ocsf"

Amazon Security Lake (S3)

[[export.adapters]]
id = "security-lake"
type = "s3"
enabled = true
 
[export.adapters.config]
bucket = "sanctum-security-lake"
region = "us-east-1"
prefix = "ocsf/sanctum/"
format = "ocsf"
compression = "zstd"
role_arn = "arn:aws:iam::123456789:role/SanctumExport"
 
[export.adapters.batch]
size = 1000
flush_interval_secs = 60

Webhook (Generic)

For Slack alerts, PagerDuty, or any HTTP endpoint. Keep in mind that a Slack incoming-webhook URL is itself a bearer credential: anyone who obtains it can post to the channel, so protect a config file that contains one as you would a token.

[[export.adapters]]
id = "slack-alerts"
type = "webhook"
enabled = true
 
[export.adapters.config]
url = "https://hooks.slack.com/services/T00/B00/xxx"
method = "POST"
format = "flat_json"
 
[export.adapters.filter]
include_classes = ["PolicyViolation", "CredentialRotation"]
min_severity = "High"
 
[export.adapters.batch]
size = 1
flush_interval_secs = 0

OpenTelemetry (OTLP)

[[export.adapters]]
id = "otel"
type = "otlp"
enabled = true
 
[export.adapters.config]
endpoint = "http://otel-collector:4317"
protocol = "grpc"
format = "otlp_logs"

The endpoint above is plaintext gRPC (http://). That is acceptable only for a collector on the same host or an otherwise trusted network; audit events that cross anything else should be sent to a TLS (https://) endpoint.

Filtering

Each adapter can filter which events it receives:

[export.adapters.filter]
include_classes = ["Authentication", "PolicyViolation", "SecretAccess"]
min_severity = "Medium"
labels = { env = "production" }

Output Formats

Format      Use Case
ocsf        OCSF 1.3 JSON — Amazon Security Lake, OCSF-native tools
cef         Common Event Format — Splunk, QRadar, ArcSight
flat_json   Simple key-value JSON — webhooks, custom integrations
otlp_logs   OpenTelemetry Logs — Grafana, OTLP collectors
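CEF is the format in this table that is easiest to get subtly wrong: the header and the extension have different escaping rules, and a vault path or policy name containing a pipe or an equals sign will corrupt the record for the SIEM's parser if it is not escaped. The block below is an added example, not SanctumAI's transform code. It renders one constructed audit event as CEF and as flat JSON, and includes an escape-aware header splitter so the result can be checked the way an ingesting SIEM would read it. The vendor and product strings, the severity mapping onto the CEF 0..10 scale, the extension key choices and the sample event are all assumptions.

```python
# Added example, not SanctumAI code: rendering one audit event in CEF with the
# escaping the format requires, beside the flat-JSON rendering, plus a header
# splitter to check the result survives parsing. Vendor/product strings, the
# severity mapping, extension key choices and the sample event are assumptions.
import json

# Assumed mapping of the page's severity names onto the CEF 0..10 scale.
SEVERITY_TO_CEF = {"Low": 3, "Medium": 5, "High": 7, "Critical": 9}


def _esc_header(value):
    # Header fields: backslash and pipe are the special characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # Extension values: backslash, '=' and line breaks must be escaped.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="SanctumAI", product="Vault", version="0.9"):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = [vendor, product, version, event["class_name"], event["message"],
              SEVERITY_TO_CEF.get(event["severity"], 5)]
    ext = {
        "rt": event["time_ms"],          # receipt time, ms since epoch
        "suser": event["actor"],
        "act": event["action"],
        "cs1Label": "secret_path",       # custom string 1 carries the vault path
        "cs1": event["target"],
        "outcome": event["outcome"],
    }
    return ("CEF:0|" + "|".join(_esc_header(v) for v in header) + "|"
            + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items()))


def to_flat_json(event):
    """flat_json: one JSON object per event, keys sorted for stable diffs."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def split_cef_header(line):
    """Split a CEF line into its 7 header fields plus the raw extension,
    honouring backslash escapes (a naive split on '|' breaks on names
    that contain pipes)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return fields, line[i:]


# Constructed sample event containing characters that need escaping.
EVENT = {
    "time_ms": 1770000000000,
    "class_name": "PolicyViolation",
    "severity": "High",
    "message": "Secret read denied | policy deny-prod",
    "actor": "svc-deploy",
    "action": "retrieve",
    "target": "secrets/prod/db=primary",
    "outcome": "failure",
}


if __name__ == "__main__":
    print(to_cef(EVENT))
    print(to_flat_json(EVENT))
```

The round trip through split_cef_header is the check to keep in a CI job: feed the transform an event whose name, actor and target contain `|`, `=`, `\` and a newline, and assert the parsed fields equal the originals.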

One-Time Export

For ad-hoc exports without configuring adapters:

# OCSF JSON to file
sanctum export --format ocsf --since "2026-02-01" --output events.json
 
# CEF to stdout
sanctum export --format cef | tee /var/log/sanctum.cef
 
# Pipe to any tool
sanctum export --format flat_json | jq '.[] | select(.action == "retrieve")'