Integration guide
Step-by-step instructions for connecting your network proxy, SIEM, or custom integration to Shadow AI.
Overview
This guide walks you through connecting your network infrastructure to VerifyWise Shadow AI detection, from creating your first API key to verifying that events are flowing into the dashboard. There are two integration paths: the REST API (for custom integrations, browser extensions, and SIEM webhooks) and syslog forwarding (for network proxies and firewalls).
Prerequisites
- Admin or Editor role in VerifyWise
- Access to your network proxy, firewall, or SIEM configuration
- Network connectivity from your data source to the VerifyWise server
REST API integration
The REST API is the most flexible integration method. Use it when your data source can make HTTP requests — for example, a SIEM webhook action, a custom script, or a browser extension.
Step 1: Create an API key
- Navigate to Shadow AI → Settings
- In the "API keys" section, click "Create API key"
- Enter a label that identifies the data source (e.g., "Zscaler webhook", "Browser extension prod")
- Click "Create"
- Copy the full key immediately and store it securely — it will not be shown again
Step 2: Send events
Send a POST request to the ingestion endpoint with your events. The endpoint accepts batches of up to 10,000 events per request.
Endpoint: POST /api/v1/shadow-ai/events
Headers:
| Header | Value |
|---|---|
| Content-Type | application/json |
| X-API-Key | Your API key from step 1 |
Example request body:
{
"events": [
{
"user_email": "alice@company.com",
"destination": "chat.openai.com",
"timestamp": "2026-02-09T14:32:00Z",
"uri_path": "/v1/chat",
"http_method": "POST",
"action": "allowed",
"department": "Engineering",
"job_title": "Senior Engineer",
"manager_email": "bob@company.com"
}
]
}Required fields: user_email, destination, timestamp. All other fields are optional but improve the accuracy of risk scoring and department-level reporting.
Step 3: Verify ingestion
A successful request returns a 200 response with the number of events ingested and tools matched:
{
"data": {
"ingested": 1,
"tools_matched": 1
}
}After sending events, verify they appear in the system:
- Go to Shadow AI → Insights and check that the summary cards update (unique apps, AI users)
- Go to Shadow AI → AI tools and confirm the destination domain appears as a detected tool
- Go to Shadow AI → User activity and confirm the user email appears in the users list
REST API error responses
| Status code | Cause | How to fix |
|---|---|---|
| 400 | Missing required field or invalid email | Check that every event has user_email, destination, and timestamp. Verify the email format. |
| 401 | Missing or invalid API key | Ensure the X-API-Key header is set with a valid, non-revoked key. |
| 413 | Batch too large | Reduce to 10,000 or fewer events per request. |
| 429 | Rate limit exceeded | Wait until the next hour window, or increase the rate limit in Settings → Rate limiting. |
Syslog integration
Syslog integration is ideal for network proxies and firewalls that natively support syslog forwarding (Zscaler Internet Access, Netskope, Squid proxy). The VerifyWise server runs a TCP syslog listener that receives log lines, parses them using the configured parser, and feeds them into the same event pipeline as the REST API.
Step 1: Verify the syslog listener is running
The syslog listener is controlled by the SHADOW_AI_SYSLOG_PORT environment variable on the VerifyWise server. By default it listens on port 5514. Set the variable to 0 to disable it.
Confirm the listener is running by checking the server logs for the message: Syslog listener started on port 5514. If you do not see it, verify the environment variable is set and the server has been restarted.
Step 2: Add a syslog source in VerifyWise
- Navigate to Shadow AI → Settings
- In the "Syslog sources" section, click "Add source"
- Enter the source identifier — this must be the IP address of the machine that will send syslog messages (e.g.,
10.0.1.50). The syslog listener matches incoming connections by source IP. - Select the parser type that matches your data source (Zscaler, Netskope, Squid proxy, or Generic key-value)
- Click "Add"
Step 3: Configure your proxy to forward logs
Configure your network proxy or firewall to send syslog messages over TCP to the VerifyWise server. Below are configuration notes for each supported source.
Zscaler Internet Access
- In the ZIA admin portal, navigate to Administration → Nanolog Streaming Service
- Add a new NSS feed or edit an existing one
- Set the feed output type to Syslog
- Set the syslog destination to your VerifyWise server IP and port (default 5514), protocol TCP
- In the log format, include at minimum:
user,dst,method,uri,action. Optionally includedepartmentfor department-level reporting - Save and activate the feed
Expected log line format:
user=alice@company.com dst=chat.openai.com method=POST uri=https://chat.openai.com/v1/chat action=allowed department=EngineeringNetskope
- In the Netskope admin console, navigate to Settings → Tools → SIEM
- Add a new SIEM profile with type Syslog
- Set the destination to your VerifyWise server IP and port (default 5514), protocol TCP
- Set the format to JSON
- Select the event types to forward (at minimum: page events and application events)
- Save and enable the profile
Expected log line format (JSON embedded in syslog frame):
{"user":"alice@company.com","url":"https://chat.openai.com/v1/chat","method":"POST","activity":"allowed","department":"Engineering","timestamp":"2026-02-09T14:32:00Z"}Squid proxy
- Edit your Squid configuration file (
squid.conf) - Add or modify the
access_logdirective to forward to a syslog destination via TCP:access_log tcp://VERIFYWISE_IP:5514 - Ensure the log format includes the user identity field (
%un) — Squid must be configured with authentication (LDAP, Kerberos, or basic) for user emails to be captured - Reload the Squid configuration:
squid -k reconfigure
Expected log line format (standard Squid access log):
1707489120.000 200 10.0.0.1 TCP_MISS/200 1024 POST https://chat.openai.com/v1/chat alice@company.com DIRECT/chat.openai.com-) and events will fail to parse.Generic key-value (CEF-like)
The generic key-value parser handles CEF-style log lines and any source that outputs key=value pairs. Use this for firewalls, DLP systems, or custom log forwarders that do not match the Zscaler, Netskope, or Squid formats.
The parser looks for the following CEF-standard field names:
| Source field | Maps to | Required | Example |
|---|---|---|---|
| suser | user_email | Yes | alice@company.com |
| dhost | destination | Yes | chat.openai.com |
| requestMethod | http_method | No | POST |
| act | action | No | allowed |
Example log line:
suser=alice@company.com dhost=chat.openai.com requestMethod=POST act=allowedStep 4: Verify syslog ingestion
- After configuring your proxy, generate some test traffic by visiting a known AI tool (e.g., chat.openai.com) through the monitored network
- Wait 5-10 seconds for the syslog batch to flush (events are batched in 2-second intervals with a batch size of 50)
- Go to Shadow AI → Insights and verify the summary cards show updated numbers
- Go to Shadow AI → AI tools and confirm the test domain appears
- If events do not appear, check the server logs for parse errors: look for messages containing "Syslog parse failed" which indicate a parser mismatch
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| REST API returns 401 | Invalid or revoked API key | Verify the key is correct and has not been revoked in Settings → API keys. Create a new key if needed. |
| REST API returns 429 | Rate limit exceeded | Check Settings → Rate limiting. Increase the limit or wait until the next hour window. |
| Events sent but nothing in dashboard | Tool not matched to a known domain | The destination domain must resolve to a known AI tool. Check AI tools page — if the tool shows as "Detected", events are being processed. Insights metrics may need a page refresh. |
| Syslog events not appearing | Source IP not registered | The source identifier in syslog configuration must match the IP the server sees. Check for NAT or load balancer translation. Server logs will show "Syslog message from unknown source: <IP>". |
| Syslog parse failed in logs | Wrong parser type selected | Verify the parser type in Settings → Syslog sources matches the actual log format. Try the generic key-value parser if unsure. |
| Syslog listener not starting | Port conflict or disabled | Check that SHADOW_AI_SYSLOG_PORT is set (default: 5514) and no other process is using the port. Set to 0 explicitly to disable. |
| Risk scores are all zero | Nightly recalculation has not run | Risk scores are recalculated nightly. New tools will have a score of 0 until the next calculation cycle runs. |
| Department data missing | Department field not included in events | The department field is optional but required for department-level reporting and sensitive department alerts. Include it in your event payload or syslog format. |
Best practices
- Use descriptive API key labels: Label each key with the source system and environment (e.g., "Zscaler prod", "Browser ext staging") so you can quickly identify and rotate keys
- Include optional fields: The department, job_title, and manager_email fields are not required but significantly improve risk scoring accuracy and enable department-level alerts
- Start with a single source: Integrate one data source first, verify events are flowing, then add additional sources
- Set up alert rules early: Create at least a "New tool detected" rule immediately after integration so you are notified when new AI tools appear in your network
- Monitor the rate limit: If you are ingesting from a high-volume proxy, configure the rate limit in Settings to prevent accidental overload during initial rollout
- Rotate API keys regularly: Revoke and recreate API keys periodically. When rotating, create the new key first, update the data source configuration, then revoke the old key