SIEM / Audit Event Adapter — Adapter Technical Specification

Note: Canon-derived document

Status: reserved · Class: conformance · Mission: telemetry · Phase: phase-planning

Canon source: canon/adapter-registry.yaml (propagated by uiao/tools/sync_canon.py).

The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.

Warning: Scaffold — awaiting authored content

This document is a stub. Replace every _TODO — ..._ block with authored content that is consistent with UIAO canon. Canon invariants (gcc-boundary, ssot-mutation: never, etc.) must never be contradicted.

Overview

TODO — Author an overview of the SIEM / Audit Event Adapter’s role in the UIAO governance perimeter. Do not contradict canon. Cross-reference the companion AVS document where relevant.

Scope

Target surfaces / subsystems: audit-events, security-alerts, log-aggregation

TODO — Expand scope with concrete boundaries: what the adapter reads, what it emits, what it explicitly does not touch.

Controls

NIST SP 800-53 Rev 5 controls this adapter supports: AU-2, AU-3, AU-6, SI-4

TODO — For each control, state the adapter’s role (primary, supporting, evidence-only). If a control is aspirational, flag as NEW (Proposed) per No-Hallucination Protocol.

Operational profile

Field            Value
---------------  --------------
Runtime          python-3.12
Runtime pin      TBD
Runner class     github-hosted
Tenancy          per-customer
Evidence class   interval
Retention        3 year(s)

Canon invariants

  • gcc-boundary: gcc-moderate
  • ssot-mutation: never
  • certificate-anchored: true
  • object-identity-only: true

Notes from canon

FIMF Tier 5 conformance adapter. Ingests audit events and security alerts from SIEM platforms (Sentinel, Splunk, etc.). Highest-value telemetry adapter for the evidence fabric.

References

  • UIAO-CANON-003

Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.
