Security Event Export

SIEM INTEGRATION

Export agent governance events to your SIEM in CEF, LEEF, or OCSF format. Webhook, Syslog, and S3 destinations. Splunk, Elastic, and Sentinel compatible.

3 Event Formats
3 Destinations
Real-time Event Streaming

[Screenshot: SIEM INTEGRATION — Custodex Dashboard, custodex.vercel.app]

CEF. LEEF. OCSF. Your choice.

Common Event Format (CEF) for ArcSight and Splunk. Log Event Extended Format (LEEF) for QRadar. Open Cybersecurity Schema Framework (OCSF) for modern SIEM platforms. Custom template support for proprietary formats. All formats include agent identity, action, decision, and governance context.

Webhook, Syslog, or S3. Configure and forget.

Webhook destinations with custom headers and authentication. Syslog (TCP/UDP) with configurable host, port, and protocol. S3 bucket export with region, prefix, and batched uploads. Test connection before saving. Export history with event counts and error tracking.

// SIEM config example
{
  "name": "Splunk Production",
  "format": "cef",
  "destination": "webhook",
  "connectionConfig": {
    "url": "https://splunk.corp.com:8088/services/collector",
    "headers": {
      "Authorization": "Splunk HEC-TOKEN"
    }
  },
  "eventFilters": {
    "decisions": ["denied", "pending_approval"],
    "minSeverity": "medium"
  }
}

Send what matters. Filter the noise.

Filter events by decision type (allowed, denied, pending), severity level, agent, action pattern, or time window. Only forward security-relevant events to reduce SIEM ingestion costs. Custom templates let you reshape event payloads to match your SIEM schema.
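The format and filtering paragraphs above in working form, as an added example that is not Custodex code: a governance event is rendered as a CEF and a LEEF record (with the escaping each format requires) and the eventFilters block from the config example decides whether it is forwarded. The field names, the severity-to-number mapping and the sample event are assumptions made for illustration.

```python
# Added example (not Custodex code): render an agent governance event as CEF and LEEF,
# then apply the "eventFilters" block from the config above. Names/scale are assumptions.
from typing import Any, Dict

# Map the page's severity levels onto the 0-10 scale CEF uses (assumed mapping).
SEVERITY_RANK = {"low": 3, "medium": 5, "high": 7, "critical": 10}
VENDOR, PRODUCT, VERSION = "Custodex", "Agent Governance", "1.0"

# Constructed sample event and the filter from the SIEM config example.
EVENT = {"agent": "deploy-bot", "action": "s3:DeleteBucket", "decision": "denied",
         "severity": "high", "context": "policy=deny-prod-delete"}
FILTERS = {"decisions": ["denied", "pending_approval"], "minSeverity": "medium"}

def cef_escape(value: Any, header: bool = False) -> str:
    """CEF header fields escape '|' and '\\'; extension values escape '=', '\\' and newlines."""
    text = str(value).replace("\\", "\\\\")
    if header:
        return text.replace("|", "\\|")
    return text.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def to_cef(event: Dict[str, Any]) -> str:
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    header = "|".join(cef_escape(v, header=True) for v in (
        VENDOR, PRODUCT, VERSION, event["action"],
        f"agent {event['decision']}", SEVERITY_RANK[event["severity"]]))
    extension = " ".join(f"{k}={cef_escape(v)}" for k, v in (
        ("suser", event["agent"]), ("act", event["action"]), ("outcome", event["decision"]),
        ("cs1Label", "governanceContext"), ("cs1", event["context"])))
    return f"CEF:0|{header}|{extension}"

def to_leef(event: Dict[str, Any]) -> str:
    """LEEF:1.0|Vendor|Product|Version|EventID|<tab-separated key=value attributes>"""
    attrs = "\t".join(f"{k}={v}" for k, v in (
        ("usrName", event["agent"]), ("sev", SEVERITY_RANK[event["severity"]]),
        ("decision", event["decision"]), ("context", event["context"])))
    event_id = cef_escape(event["action"], header=True)  # '|' would break the header
    return f"LEEF:1.0|{VENDOR}|{PRODUCT}|{VERSION}|{event_id}|{attrs}"

def matches_filter(event: Dict[str, Any], filters: Dict[str, Any]) -> bool:
    """Forward only events whose decision is listed and whose severity meets minSeverity."""
    wanted = filters.get("decisions")
    if wanted and event["decision"] not in wanted:
        return False
    floor = SEVERITY_RANK[filters.get("minSeverity", "low")]
    return SEVERITY_RANK[event["severity"]] >= floor

if __name__ == "__main__":
    if matches_filter(EVENT, FILTERS):
        print(to_cef(EVENT))
        print(to_leef(EVENT))
```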

What's included in SIEM integration

01 CEF format for ArcSight and Splunk
02 LEEF format for IBM QRadar
03 OCSF for modern SIEM platforms
04 Webhook, Syslog (TCP/UDP), and S3 destinations
05 Event filtering by decision, severity, and agent
06 Export history with event counts and error tracking