HiveKey

Streaming agent audit logs to your SIEM

How to get your agents' action log out of the product and into the SIEM your security team already lives in — what to stream, how to map it, and which detections to build first.

An audit trail that lives only inside the agent platform is a trail nobody checks. The value shows up when the record flows into the SIEM your security team already watches — Splunk, Elastic, Microsoft Sentinel, Chronicle. This guide covers what to stream, how to shape it, and the first detections worth building.

Why stream, not just store

Three reasons the trail has to leave the product:

  • Correlation. Agent actions matter most next to your other signals — identity events, network logs, app telemetry. A SIEM is where that join happens.
  • Independence. A log the agents’ operators can rewrite isn’t evidence. Streaming to a destination they don’t control makes the trail tamper-resistant.
  • The team is already there. Your responders run queries in the SIEM at 2 a.m. Make the agent trail one of those queries, not a separate login.

What to stream

Send every action — allowed and denied — not just the scary ones. Denials are often your richest signal. A complete event should carry:

  • agent and owner — the agent identity and the accountable human
  • action and args — the tool called and its arguments, secrets redacted
  • verdict — allow, deny (with reason), or pending_approval
  • role and policy — what authority decided it
  • ts — a trustworthy server-side timestamp
  • run_id / session_id — to reconstruct a chain of actions
{
  "ts": "2026-06-10T09:14:02Z",
  "agent": "support-agent",
  "owner": "maya.chen@acme.com",
  "role": "Support · L2",
  "action": "vault_get",
  "args": { "key": "***" },
  "verdict": "deny",
  "reason": "scope: capability not granted",
  "run_id": "run_2a7f…"
}

How to ship it

Most teams use one of three transports. Pick what your SIEM ingests most cleanly:

  1. Native streaming integration — a built-in connector to your SIEM. Lowest effort; prefer this when available.
  2. Webhook / HTTP event source — push events to an HTTP collector (HEC, Event Hubs, a Logstash endpoint).
  3. Object-storage sink + poller — write batched JSON to a bucket and let the SIEM pull. Best for high volume and long retention.

For long-term, tamper-evident retention, pair real-time streaming with an append-only object-storage copy. Stream for detection, archive for the auditor.

Map fields to a common schema

Don’t dump raw JSON and hope. Map agent fields to your SIEM’s normalized schema (CIM in Splunk, ECS in Elastic) so agent events sit alongside everything else:

  Agent field    ECS-style field
  owner          user.name
  agent          service.name
  action         event.action
  verdict        event.outcome
  args           event.original (redacted)
  run_id         trace.id

With this mapping, “show me every denied action for user maya.chen this week” is a query your team already knows how to write.
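The mapping above carried out in code, as an added example rather than HiveKey's own connector. Agent-side names follow the sample event earlier in this guide and ECS-side names follow the table; the secret-name list used for redaction, the folding of verdicts onto ECS's three permitted event.outcome values, and the hivekey custom namespace for fields ECS has no slot for are this example's assumptions.

```python
"""Map one agent event onto ECS-style fields before it is indexed (added example)."""
import json
from typing import Any

# Argument names treated as secret-bearing and masked before shipping (assumed list).
SECRET_ARG_NAMES = ("key", "token", "password", "secret", "credential")

# ECS event.outcome permits only success / failure / unknown, so verdicts fold onto those.
OUTCOME = {"allow": "success", "deny": "failure", "pending_approval": "unknown"}


def redact_args(args: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the tool arguments with secret-looking values masked, recursively."""
    out: dict[str, Any] = {}
    for name, value in args.items():
        if any(marker in name.lower() for marker in SECRET_ARG_NAMES):
            out[name] = "***"
        elif isinstance(value, dict):
            out[name] = redact_args(value)
        else:
            out[name] = value
    return out


def to_ecs(event: dict[str, Any]) -> dict[str, Any]:
    """Build the ECS-style document for one agent event.

    Redaction happens here, before event.original is serialized, so the raw
    arguments never leave this function.
    """
    verdict = event["verdict"]
    if verdict not in OUTCOME:
        raise ValueError(f"unexpected verdict {verdict!r}")
    redacted = {**event, "args": redact_args(event.get("args", {}))}
    doc: dict[str, Any] = {
        "@timestamp": event["ts"],
        "user": {"name": event["owner"]},
        "service": {"name": event["agent"]},
        "event": {
            "action": event["action"],
            "outcome": OUTCOME[verdict],
            "original": json.dumps(redacted, sort_keys=True),
        },
        "trace": {"id": event["run_id"]},
        # ECS has no field for the role or the raw verdict; keep them in a custom namespace.
        "hivekey": {"role": event["role"], "verdict": verdict},
    }
    if "reason" in event:
        doc["event"]["reason"] = event["reason"]
    return doc


def denied_actions_for(docs: list[dict[str, Any]], user: str) -> list[str]:
    """The 'every denied action for user X' question, asked of the mapped documents."""
    return [
        d["event"]["action"]
        for d in docs
        if d["user"]["name"] == user and d["event"]["outcome"] == "failure"
    ]


# Constructed sample event: shape from the guide, vault key and run_id made up.
SAMPLE_EVENT = {
    "ts": "2026-06-10T09:14:02Z",
    "agent": "support-agent",
    "owner": "maya.chen@acme.com",
    "role": "Support · L2",
    "action": "vault_get",
    "args": {"key": "prod/stripe/api", "ttl": 300},
    "verdict": "deny",
    "reason": "scope: capability not granted",
    "run_id": "run_2a7f91c0",
}

ECS_DOC = to_ecs(SAMPLE_EVENT)

if __name__ == "__main__":
    print(json.dumps(ECS_DOC, indent=2, ensure_ascii=False))
```

Redact on the producer side, not in the SIEM's ingest pipeline: once a secret has been indexed it is in hot storage, backups and every analyst's screen.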

The first detections to build

You don’t need a hundred rules. Start with the handful that catch real trouble:

  • Denial spikes. A sudden rise in denied actions for one agent, especially against secrets or destructive tools, usually means prompt injection or a compromised agent. Alert on the rate, not on single events.
  • Repeated probing of an ungranted tool. The same agent attempting the same denied capability over and over is someone testing the fence.
  • Approval anomalies. Payments approved just under denial caps, repeatedly, can mean threshold gaming.
  • New payee + high amount. First-time recipient combined with a near-cap payment.
  • Off-hours destructive actions. Deploys or deletes outside normal windows.

Build your detections around verdict and owner. The most useful agent alerts aren’t “an action happened” — they’re “an action was denied, repeatedly, and here’s the human accountable for the agent that tried it.”
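Three of the rules above run over constructed events, as an added example and not HiveKey's shipped detections. It covers the rules the documented event fields can express (denial spikes, repeated probing of an ungranted tool, off-hours destructive actions); the approval and payee rules need amount and recipient fields this guide's event does not carry. Thresholds, the window size, the destructive-tool names and the business-hours window are assumptions to tune against your own baseline. Every alert is keyed on verdict and names the owner.

```python
"""The first agent detections, keyed on verdict and owner (added example, not HiveKey rules)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any

DENIAL_SPIKE_N = 5                       # denials per agent within DENIAL_WINDOW (assumed)
DENIAL_WINDOW = timedelta(minutes=10)    # sliding window for the rate rule (assumed)
PROBE_N = 3                              # same (agent, action) denied this often (assumed)
DESTRUCTIVE_TOOLS = {"deploy", "delete_bucket", "drop_table"}   # assumed tool names
BUSINESS_HOURS_UTC = range(8, 19)        # 08:00-18:59 UTC counts as normal (assumed)


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return alerts in time order; each (rule, subject) pair fires once per run."""
    alerts: list[dict[str, Any]] = []
    recent_denials: dict[str, deque] = defaultdict(deque)      # agent -> denial times in window
    probe_counts: dict[tuple[str, str], int] = defaultdict(int)  # (agent, action) -> denials
    fired: set[tuple[str, Any]] = set()

    def fire(rule: str, subject: Any, e: dict[str, Any], **extra: Any) -> None:
        if (rule, subject) in fired:
            return
        fired.add((rule, subject))
        alerts.append({"rule": rule, "agent": e["agent"], "owner": e["owner"],
                       "ts": e["ts"], **extra})

    for e in sorted(events, key=lambda x: x["ts"]):
        t = parse_ts(e["ts"])
        if e["verdict"] == "deny":
            # Rate rule: count this agent's denials inside the sliding window.
            window = recent_denials[e["agent"]]
            window.append(t)
            while window and t - window[0] > DENIAL_WINDOW:
                window.popleft()
            if len(window) >= DENIAL_SPIKE_N:
                fire("denial_spike", e["agent"], e, denials=len(window))
            # Probe rule: the same capability denied again and again.
            key = (e["agent"], e["action"])
            probe_counts[key] += 1
            if probe_counts[key] >= PROBE_N:
                fire("repeated_probe", key, e, action=e["action"], attempts=probe_counts[key])
        elif (e["verdict"] == "allow" and e["action"] in DESTRUCTIVE_TOOLS
              and t.hour not in BUSINESS_HOURS_UTC):
            # Allowed by policy, but outside the window anyone expected it.
            fire("off_hours_destructive", (e["agent"], e["ts"]), e, action=e["action"])
    return alerts


def _ev(ts: str, agent: str, owner: str, action: str, verdict: str) -> dict[str, Any]:
    return {"ts": ts, "agent": agent, "owner": owner, "action": action,
            "verdict": verdict, "run_id": "run_constructed"}


# Constructed sample: one agent probes vault_get, then racks up five denials in four
# minutes; a release agent deploys at 03:00 UTC; a billing agent does nothing unusual.
SAMPLE_EVENTS = [
    _ev("2026-06-10T09:14:02Z", "support-agent", "maya.chen@acme.com", "vault_get", "deny"),
    _ev("2026-06-10T09:14:40Z", "support-agent", "maya.chen@acme.com", "vault_get", "deny"),
    _ev("2026-06-10T09:15:10Z", "support-agent", "maya.chen@acme.com", "vault_get", "deny"),
    _ev("2026-06-10T09:16:00Z", "support-agent", "maya.chen@acme.com", "send_email", "deny"),
    _ev("2026-06-10T09:17:30Z", "support-agent", "maya.chen@acme.com", "http_fetch", "deny"),
    _ev("2026-06-11T03:02:00Z", "release-agent", "dev.ops@acme.com", "deploy", "allow"),
    _ev("2026-06-11T12:00:00Z", "billing-agent", "sam.lee@acme.com", "lookup_invoice", "allow"),
]

SAMPLE_ALERTS = detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a)
```

The same logic translates directly into a scheduled SIEM search: group by service.name over a 10-minute bin where event.outcome is failure, and carry user.name into the alert so the responder knows who to call.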

Validate end to end

Before you trust it, prove it. Trigger a known denial — point a test agent at a tool it doesn’t have — and confirm the event lands in the SIEM, mapped correctly, and fires your denial-spike rule. An audit pipeline you haven’t tested is a pipeline you don’t have.

Once it’s flowing, the agent platform stops being a separate console you have to remember to check. It becomes one more well-behaved log source in the place your team already watches — which is exactly where an audit trail earns its keep.

Put every agent your company runs under one policy.

Watch HiveKey scope, guard, and block a live action on your own agents — 30 minutes, no slides, no commitment.