SIEM Integration

Tangate writes structured decision output to your S3 bucket in formats compatible with major SIEM platforms. No custom integration is required — most enterprise SIEMs support native S3 ingestion.

Output Locations

All output is written to your CloudFront log bucket under the deckard/ prefix:

Output	S3 Path	Format
Decision Log	deckard/decisions/{date}/{timestamp}.json	Nested JSON (full detail)
SIEM Output	deckard/siem/{date}/{timestamp}.json	Flat JSON array (SIEM-optimized)
Blocklist	deckard/blocklist.json	JSON (current state)

New files are written after each hourly analysis run.

Decision Log Format

The decision log contains the full detail of each analysis run, including AI reasoning:

{
  "instance_id": "customer-xyz",
  "run_id": "uuid",
  "timestamp": "2026-03-05T14:00:00Z",
  "decisions": [
    {
      "type": "ip",
      "value": "1.2.3.4",
      "action": "BLOCK",
      "reason": "SQL injection pattern",
      "source": "ai_analysis",
      "confidence": 0.95,
      "rule_ref": null
    },
    {
      "type": "ip",
      "value": "5.6.7.8",
      "action": "BLOCK",
      "reason": "Known botnet C2",
      "source": "tyrell:global",
      "confidence": 1.0,
      "rule_ref": "feodo-tracker-2026-03-04"
    }
  ]
}

Source Values

Source	Meaning
ai_analysis	Blocked by AI traffic analysis
tyrell:global	Matched a global threat intelligence rule
tyrell:elevated	Matched an elevated protection rule
tyrell:instance	Matched an instance-specific rule
local:blocklist	Matched a local blocklist entry

SIEM Output Format

The SIEM output contains the same data as the decision log, reformatted as a flat array of events with consistent field names matching common SIEM field conventions. Only BLOCK decisions are included.

[
  {
    "timestamp": "2026-03-05T14:00:00Z",
    "source_product": "orion",
    "instance_id": "customer-xyz",
    "event_type": "BLOCK_DECISION",
    "block_type": "ip",
    "block_value": "1.2.3.4",
    "action": "BLOCK",
    "reason": "SQL injection pattern",
    "confidence": 0.95,
    "rule_source": "ai_analysis",
    "src_ip": "1.2.3.4"
  }
]

Field Mapping

SIEM Output Field	Description
timestamp	ISO 8601 event timestamp
source_product	Always orion
instance_id	Your Tangate instance ID
event_type	Event type (always BLOCK_DECISION)
block_type	Type of block: ip, user_agent, or query_pattern
block_value	The blocked value (IP address, user agent string, or query pattern)
action	Action taken (BLOCK)
reason	Human-readable reason for the action
confidence	Confidence score (0.0–1.0)
rule_source	Rule source that triggered the action
src_ip	Source IP address (only present for ip-type blocks)

CloudWatch Structured Logging

The analysis Lambda writes structured JSON logs to CloudWatch using the same field names as the SIEM output. This enables CloudWatch-based SIEM ingestion via subscription filters.

Log group: /aws/lambda/deckard-analysis-{instance-id}

Blocklist JSON

The current blocklist is always available at s3://{bucket}/deckard/blocklist.json:

{
  "version": "abc123",
  "generated": "2026-03-05T14:00:00Z",
  "blocked_ips": ["1.2.3.4", "5.6.7.8"],
  "blocked_cidrs": ["192.0.2.0/24"],
  "blocked_user_agents": ["BadBot/"],
  "blocked_query_patterns": ["eval("]
}

Compatible SIEM Platforms

Tangate's S3-based output works with any SIEM that supports S3 ingestion:

• Splunk — via S3 input (Splunk Add-on for AWS)
• Elastic / ELK — via S3 input plugin or Elastic Agent
• Datadog — via S3 log source
• Sumo Logic — via S3 source
• Microsoft Sentinel — via S3 connector
• CrowdStrike LogScale — via S3 collector

Example: Connecting to Splunk

1. Install the Splunk Add-on for Amazon Web Services from Splunkbase
2. Configure an S3 input:
   • Bucket: your CloudFront log bucket
   • Key prefix: deckard/siem/
   • Source type: _json
3. Splunk will automatically ingest new SIEM output files as they are written hourly
4. Use the flat field names (src_ip, action, rule_source, etc.) for searches and dashboards

Example: Connecting to Datadog

1. In the Datadog console, go to Logs → Configuration → Sources
2. Add an Amazon S3 source:
   • Bucket: your CloudFront log bucket
   • Path: deckard/siem/
3. Configure an S3 event notification (or use Datadog's Lambda forwarder) to trigger on new objects under the deckard/siem/ prefix
4. Datadog will parse the flat JSON fields automatically

Next Steps

• Dashboard — View decisions in the web UI
• Troubleshooting — Common issues with output and logging
• How It Works — Understand the full analysis pipeline