Events & Telemetry

Every AI action. One governed event stream.

Kairro turns every AI interaction into rich, structured telemetry so security, governance, and platform teams can see what happened, why it happened, and the risk it carries — in real time.

  • Real-time AI events
  • DLP-aware logging
  • Shadow AI telemetry
  • Ops & health

What Kairro Captures

A central Event system enriched with DLP, Shadow AI, and operational context.

AI Events

Every prompt evaluation

Captured with rich context and indexed for fast analytics.

  • Org & identity: org, user/identity, browser client, extension
  • AI tool & endpoint: provider/tool used
  • Action & status: allow / warn / block, and why
  • Prompt & response summary: redacted, length-limited
  • DLP impact: matched severity and patterns
  • Tokens & metadata: usage and diagnostics

DLP Matches

Pattern-level insights

Stored separately to power DLP analytics and investigations.

  • Pattern name and severity
  • Snippet offsets for context
  • Linked to the originating event

Answers questions such as “critical hits,” “top patterns,” and “which prompts were blocked.”

Shadow AI Signals

Unknown & unapproved usage

Captured as ShadowAiEvent and elevated to findings.

  • Hostname/URL, severity, identity, extension metadata
  • Feeds Shadow AI inventory and governance views

How Events Flow Into Kairro

Telemetry designed around real user activity and security signals.

1) Extension Prompt Evaluations

Every approved AI interaction calls evaluate:

  • Policy decision (Allow/Warn/Block)
  • Logged Event + DlpMatches (if present)
  • Optional notifications and integration pushes

2) Shadow AI Events

Extension detects unapproved/unknown tools and sends:

  • Hostname/URL, context, severity
  • Identity and extension metadata

Stored as ShadowAiEvent and linked to inventory/governance.

3) Shadow AI Reports via API

External systems can POST to /v1/shadow-ai/report, authenticated with an API key, to ingest signals beyond the extension.

4) Ops & Health Signals

Ops dashboard uses event/endpoint data to track evaluate errors, active endpoints, notification delivery, DLP blocks, and high/critical incidents.

Intelligent Logging & Redaction

Rich telemetry balanced with privacy and performance.

Per-org logging levels

Logging detail is configurable per org via notificationConfig.eventsLoggingLevels and is applied before anything is persisted.

Redacted, length-limited content

Prompts, responses, and DLP snippets are truncated to 256 chars and stored with offsets/pattern metadata, not as full documents.

Events → Integrations & Notifications

The same pipeline powers outbound signal flows.

Outbound integrations

Structured payloads to SIEM/logging, security analytics, webhooks, and custom pipelines.

Payloads include core event fields, DLP summary, and metadata; delivery status and last errors are tracked.

Notification engine

Evaluates type, risk/severity, and org thresholds; routes alerts to Slack, email, Teams, PagerDuty, Opsgenie, and webhooks. Tracks notification objects, deliveries, and channel health.

Events in the Admin Console

Powerful views for investigations and analytics.

Events list & DLP details

Filter by org, user, AI tool, action, or severity; identify DLP-related events.

Each event includes a DLP summary: isDlpEvent, blockedByDlp, maxSeverity, highOrAbove/critical, totalMatches. The dedicated DLP details return the full match list.

Aggregated event analytics

Allow/warn/block counts, DLP events, high/critical DLP, top patterns (up to 20), and buckets for the last 7 days. Scans are capped (e.g., 5,000 events) for predictable performance.

Shadow AI Telemetry & Findings

Raw signals plus curated findings tied to inventory and governance.

ShadowAiEvent

Raw telemetry of unapproved/unknown AI usage with severity and context.

ShadowAiFinding

Curated findings linked to inventory and governance use cases; drives dashboards and remediation workflows.

Ops & Health via Events

24h operational snapshot built on event and endpoint data.

Operational signals

  • Database health and connectivity
  • Evaluate error rate
  • DLP coverage and block rates
  • High/critical DLP counts & top patterns
  • Active endpoints 24h/30d vs subscription limits
  • Notification success/failure and last errors

Questions it answers

  • Is the extension working?
  • Are policies and DLP actually firing?
  • Are we nearing subscription limits?
  • Are alerts reaching downstream systems?

Why It Matters

End-to-end visibility, evidence for compliance, actionable analytics, and reliable routing into your SIEM, SOC tools, and collaboration channels.

End-to-end visibility

Every AI interaction captured with context.

Auditable evidence

Compliance-ready logs and DLP details.

Actionable analytics

Tune policies, DLP, and governance from real data.

Operational confidence

Know the AI security & governance layer is working.