πͺπΊ EU AI ACT SIEM COMPLIANCE DETECTIONS π€
π Overview
EU AI Act SIEM Compliance Detections is a specialized open-source repository providing production-ready Security Information and Event Management (SIEM) detection rules, Splunk SPL queries, and SOC incident response playbooks. π‘οΈ
This project serves as a technical bridge between regulatory requirements and security operations. It provides concrete detective controls to help organizations demonstrate compliance with the EU AI Act (Regulation (EU) 2024/1689), focusing specifically on High-Risk AI Systems and General-Purpose AI (GPAI) monitoring.
π Repository Structure ποΈ
To ensure proper rendering, the project follows this strict directory hierarchy:
Legal frameworks define what must be done, but they rarely explain how to monitor it in a production SIEM like Splunk. For SOC teams, the EU AI Act introduces new threat vectors that traditional EDR/Network tools miss:
β’ Prompt Injections: Bypassing safety filters to extract secrets. π
β’ Data Poisoning: Tampering with training sets to bias model outputs. π§ͺ
β’ Human Oversight Bypass: AI agents acting without a human "kill-switch." π«π€
Failure to detect these events leads to regulatory non-compliance and massive fines (up to 35M EUR or 7% of global turnover). πΈ
π The Solution
This repository translates abstract legal articles into deployable SIEM logic. By implementing these detections, you can:
β’ β Automate Compliance: Monitor Article 10, 14, and 15 requirements in real-time.
β’ β Enhance Visibility: Use MITRE ATLAS and OWASP LLM mappings to explain "Technical Risk" to "Legal Risk."
β’ β Standardize Response: Use pre-built playbooks to ensure SOC analysts handle AI incidents correctly.
β’ π Regulatory & Threat Framework Mapping Table
βοΈ Regulatory Deep Dive: Articles & Violation Prevention ποΈ
This repository helps organizations avoid "Failure to Monitor" violations by providing technical evidence for the following articles:
π‘οΈ Article 10: Data and Data Governance
β’ The Law: Requires high-risk AI systems to use high-quality training, validation, and testing datasets that are subject to appropriate governance.
β’ Violation Prevention: We provide logic to detect unauthorized tampering or "poisoning" of training datasets. It flags anomalous access to data lakes containing AI training data, preventing compromised model integrity.
π€ Article 14: Human Oversight
β’ The Law: High-risk AI must be designed to allow natural persons to oversee the system to prevent or minimize risks (Automation Bias).
β’ Violation Prevention: Triggers alerts when an AI agent executes a "critical action" (e.g., financial transfer, data deletion) without a corresponding human approval token in the logs.
β‘ Article 15: Accuracy, Robustness, and Cybersecurity
β’ The Law: Systems must be resilient against attempts by third parties to alter their use, behavior, or performance by exploiting vulnerabilities.
β’ Violation Prevention: This is our primary focus. We provide SPL queries to detect Prompt Injection, Jailbreaking attempts, and Model Inversion attacks in real-time at the API Gateway level.
π οΈ Implementation Guide (Splunk)
-
Ingest Telemetry: Ensure your AI stack logs are mapped to the Splunk CIM. π
-
Deploy Detections: Import the SPL queries from /detections/splunk/ as Correlation Searches. π
-
Tune Thresholds: Use the baseline_builder.spl to establish "normal" AI behavior. βοΈ
Automate: Link Notable Events to SOAR playbooks in the /playbooks/ folder. β‘
βοΈ Disclaimer
This repository provides technical security controls. Implementation does not constitute legal advice. While these detections serve as detective controls for the EU AI Act, organizations must consult with qualified legal counsel and ISO 42001 auditors to ensure full regulatory alignment. π
π€ Contributing
We welcome contributions! Please ensure any new PR includes:
β’ Relevant Article from the EU AI Act. π
β’ MITRE ATLAS Tactic/Technique mapping. πΊοΈ
β’ OWASP LLM Vulnerability category. π₯
π License
Distributed under the MIT License. See LICENSE for more information. π
Maintained by Abhishek G Sharma, email id: contact@move78int.com