University/Setup & Integrations/Connect Northbeams to your SIEM
Setup & Integrations

Connect Northbeams to your SIEM

Last updated 2026-07-10

Stream your governance events to your SIEM in real time. Every time Northbeams blocks or warns on a prompt, an MCP tool call, an LLM policy violation, or a risky-domain DNS lookup, that event is forwarded to the SIEM you connect, so your SecOps team sees Northbeams activity next to the rest of your security telemetry.

Three destinations are supported today: Splunk, Microsoft Sentinel, and Elastic. You can enable one, two, or all three at once. The same events go to each.

What you need

  • A Northbeams workspace with SIEM forwarding. It is built into the Fleet plan, and available as an add-on on Sentinel. See pricing.
  • Workspace-owner access. Only the owner can set up SIEM forwarding.
  • Credentials from your SIEM (an endpoint plus a key). The exact values are in the per-tool sections below.

Everything is configured in the dashboard under Settings, then SIEM.

What gets forwarded

Northbeams forwards the events it flags, not raw activity:

Event When it fires
Prompt blocked or warned A prompt hits a block or warn policy in the browser or desktop app.
MCP tool blocked or warned An MCP tool call is blocked or warned by the MCP Gateway.
LLM policy block An outbound LLM call is blocked by policy.
DNS detection The desktop app sees a lookup to a risky or unsanctioned AI domain.

Each event carries metadata: the tool name, the acting user, the risk categories, the device hostname, and the disposition. Prompt snippets are redacted before they leave the device, and DNS detections carry domain metadata only. Raw prompt text is never forwarded.

Splunk and Microsoft Sentinel receive a flat JSON event. Elastic receives the same data mapped to Elastic Common Schema (ECS) so it lands natively in Elastic Security. A forwarded event looks like this:

{
  "kind": "prompt:blocked",
  "orgId": "org_123",
  "severity": "high",
  "occurredAt": 1730000000000,
  "toolName": "ChatGPT",
  "userLabel": "jane@yourcompany.com",
  "categories": ["source_code"],
  "hostname": "jane-laptop",
  "disposition": "blocked by policy"
}

Set a severity filter (optional)

By default Northbeams forwards every flagged event. If you only care about the serious ones, set a floor under Settings, then SIEM, then Severity filter:

  • All events (default)
  • Medium and above
  • High and above
  • Critical only

Anything below the floor is dropped before it leaves Northbeams, so your SIEM is not billed to ingest and store low-severity noise you will not act on. The floor applies to all three connectors at once. The authoritative record stays in your Northbeams dashboard and audit log regardless of the floor.

Connect Splunk

You need your HEC (HTTP Event Collector) URL and an HEC token.

  1. In Splunk, enable HTTP Event Collector and create a token (Settings, then Data inputs, then HTTP Event Collector, then New Token). Copy the token value.
  2. Note your HEC URL, for example https://splunk.yourcompany.com:8088.
  3. In Northbeams, open Settings, then SIEM, then Splunk, tick Enable Splunk forwarding, paste the HEC URL and token, and Save.
  4. Click Test connection. Northbeams sends one sample event; you should see "Connected".

Events arrive under sourcetype northbeams:governance.

Connect Microsoft Sentinel

You need your Log Analytics Workspace ID and a Primary key.

  1. In the Azure portal, open your Log Analytics workspace, then Settings, then Agents. Copy the Workspace ID and the Primary key.
  2. In Northbeams, open Settings, then SIEM, then Microsoft Sentinel, tick Enable Microsoft Sentinel forwarding, paste both values, and Save.
  3. Click Test connection and confirm "Connected".

Events appear in the NorthbeamsGovernance_CL table within about 5 minutes of ingestion. The first batch can take longer while Azure creates the table.

Connect Elastic

You need three things: your Elasticsearch URL, an API key, and an index or data-stream name.

  1. Note your Elasticsearch endpoint. On Elastic Cloud this is the Elasticsearch endpoint, not the Kibana URL, for example https://my-deployment.es.us-east-1.aws.elastic-cloud.com.
  2. In Kibana, go to Stack Management, then Security, then API keys, then Create API key. Copy the Encoded value. Give the key permission to write to (and create, if it does not exist yet) your target index.
  3. Choose an index or data-stream name, for example logs-northbeams.governance-default. A data stream is recommended; a plain index is created automatically on the first write.
  4. In Northbeams, open Settings, then SIEM, then Elastic, tick Enable Elastic forwarding, paste the URL, index or data-stream, and API key, and Save.
  5. Click Test connection. Northbeams writes one sample ECS document; you should see "Connected" and the document appear in your index.

Because the events are ECS-shaped, Elastic recognizes the fields (host.name, user.name, event.action, dns.question.name, and so on) out of the box. They are queryable in Discover and usable in dashboards and detection rules immediately. To surface them as Alerts in the Elastic Security app specifically, point a detection rule or index pattern at the index (standard Elastic setup on your side).

How it works under the hood

  • Delivery. Best-effort, fire-and-forget. Northbeams sends one HTTPS POST per event to each enabled connector, with a 5-second timeout. A failed delivery is logged on our side and dropped; it is not retried, because the authoritative record already lives in your Northbeams dashboard and audit log.
  • Direction. Outbound from Northbeams to your SIEM. Your endpoint must be reachable over HTTPS. Elastic Cloud and Splunk Cloud work out of the box; a self-hosted cluster behind a firewall has to allow our egress.
  • Secrets. Tokens and keys are write-only in the dashboard. Once saved, they are masked and never shown again, so re-open the tab and you will see the mask, not the secret.

Troubleshooting

Symptom Fix
Test connection fails with a permission error The API key or token cannot write to the target index or HEC input. Widen its privileges.
Test connection times out Your SIEM endpoint is not reachable from the public internet. Allow our egress, or check the URL and port.
Events stop arriving Confirm the connector is still enabled and the workspace still has the SIEM entitlement. A lapsed plan stops forwarding.
Test works but no events arrive Check your Severity filter. If it is set above the severity of your events, they are dropped by design.