Introduction to Splunk AI Security Monitoring

How Cisco AI Defense integration works

Splunk AI Security Monitoring provides an instrumentation library, opentelemetry-instrumentation-aidefense, to automate security and privacy risk tracing for Python-based AI agents. This library captures and attaches security telemetry to calls that your AI agents make to LLMs (such as OpenAI) and orchestration frameworks (such as LangChain) to ensure that every prompt and response can be audited against security guardrails and recorded within a unified OpenTelemetry trace. It does this by adding the gen_ai.security.event_id attribute to chat spans in traces.

How instrumentation works

The library follows standard OpenTelemetry patterns to minimize manual coding:

• Zero-code patching: When your AI agent calls .instrument(), the instrumentation library automatically intercepts outgoing prompts and incoming responses without requiring changes to your business logic.
• Context propagation: It propagates security context (like User IDs or Session IDs) throughout your AI agent's entire distributed system, ensuring all related AI activities are linked in a single trace.
• Standardized mapping: It maps AI-specific data such as token counts, model versions, and security scores into standard OTLP semantic conventions. This makes the data fully compatible with a Splunk Observability Cloud OTLP ingestion endpoint.

After you configure this integration, Splunk Observability for AI correlates the Cisco AI Defense risks from the splunk-otel-util-genai library to other data from your agents, traces, services, and applications.

License requirements

• You need licenses for Cisco AI Defense and Splunk AI Agent Monitoring.

Limitations

• You can only have one active Cisco AI Defense integration at a time.
• The safety risks highlighted are based on Splunk Observability Cloud agent evaluations, not on Cisco AI Defense safety risks detection.