Capsule Security provides comprehensive auditing and logging capabilities for AI agent activity across your organization. This guide covers the platform's native observability features and how to forward audit data to your centralized SIEM — including Splunk and Microsoft Sentinel.
Every AI agent interaction monitored by Capsule generates structured audit events. These events are persisted in the platform database and are immediately available for search, filtering, and investigation.
| Event Type | Description |
|---|---|
| Session Started | An AI agent session begins |
| User Message | A user sends a prompt to an agent |
| Agent Message | The agent produces a response |
| Agent Reasoning | Internal reasoning steps (chain-of-thought) |
| Tool Invocation | An agent calls a tool or action |
| Data Source Accessed | An agent reads from a connected data source |
| Channel Accessed | An agent interacts with an access channel |
| Skill Invoked | An agent triggers a defined skill |
| Policy Evaluated | A security policy is evaluated against an action |
| Detection Created | A security detection is triggered |
| Finding Created | A security finding is generated |
| Issue Created | A security issue is opened |
| Error | An error occurs during agent execution |
| System Message | A platform-level system event |
Each audit event includes:
- Timestamp — when the event occurred
- Session ID — groups events into conversation sessions
- Agent — the AI agent that generated the event, including platform and environment
- User — the identity of the user interacting with the agent
- Entity — the tool, data source, skill, or access channel involved
- Message — human-readable event content (full-text searchable)
- Detections — any security detections triggered by this event
- Findings — security findings linked to this event
- Policies — policies evaluated during this event
- Metadata — raw JSON payload from the source platform for forensic analysis
Navigate to Observability in the Capsule portal to access the full audit log. The interface supports:
- Full-text search across event messages and agent names
- Date range filtering with custom time windows
- Agent filtering by specific agent or platform type (e.g., all Azure AI Foundry agents)
- Activity type filtering — narrow to specific event types (sessions, tool calls, detections, etc.)
- Detection type filtering — view only events that triggered specific detection categories
- Finding type filtering — filter by finding classification
- Issue filtering — find all sessions linked to a specific issue
- Tool / Data Source / Channel / Skill filtering — drill into events involving a specific entity
Results are sortable by timestamp, agent name, or event type. The timeline chart provides a visual overview of activity density and security indicators across your chosen time window.
Audit events are grouped into sessions — the complete lifecycle of an agent conversation. Selecting a session in the Observability view shows:
- The full ordered sequence of events (user messages, agent responses, tool calls, etc.)
- Security detections triggered during the session
- Issues created from the session
- Policy evaluation results
This session-level view is the primary interface for incident investigation and forensic review.
All audit data visible in the portal can be exported to CSV for offline analysis, compliance reporting, or ingestion into external systems. Use the Export action in the toolbar of any inventory or observability page. The export runs in batches with progress tracking and supports cancellation.
Capsule retains all audit data in the platform database for the lifetime of your tenant. Data is soft-deleted (never physically removed during normal operation), ensuring a complete audit trail is available for investigation.
| Deployment Model | Searchable Log Storage | Retention Period | Archive Capability |
|---|---|---|---|
| Enterprise SaaS | Capsule-managed PostgreSQL | Unlimited (tenant lifetime) | Included — data persists in the managed database with automated backups |
| Dedicated SaaS with BYOK | Dedicated PostgreSQL with customer-managed encryption keys | Unlimited (tenant lifetime) | Included — customer controls encryption keys; Capsule manages backups |
| Customer Hosted VPC | Amazon RDS in customer VPC | Unlimited (tenant lifetime) | Full customer control — configure RDS snapshots per your requirements |
90-day searchable / 1-year archive requirement: All deployment models meet this requirement by default. Audit data is stored in PostgreSQL and remains fully searchable (with full-text search indexes) for the entire retention period — there is no degradation from "searchable" to "archived" state. For Customer Hosted VPC deployments, customers can additionally configure RDS automated snapshot retention to satisfy specific compliance windows.
Capsule supports forwarding audit data to your organization's centralized SIEM for correlation with other security telemetry, long-term archival, and SOC workflows.
```
┌──────────────────────────────────────────────────────────┐
│                     Capsule Security                     │
│                                                          │
│  ┌──────────────┐    ┌──────────────┐    ┌────────────┐  │
│  │ Audit Event  │───▶│   Webhook    │───▶│    SIEM    │  │
│  │   Pipeline   │    │  Events API  │    │ Connector  │  │
│  └──────────────┘    └──────────────┘    └─────┬──────┘  │
│                                                │         │
└────────────────────────────────────────────────┼─────────┘
                                                 │
                      ┌──────────────────────────┼─────────┐
                      │           Customer SIEM            │
                      │                                    │
                      │  ┌────────────┐    ┌────────────┐  │
                      │  │   Splunk   │    │ Microsoft  │  │
                      │  │            │    │  Sentinel  │  │
                      │  └────────────┘    └────────────┘  │
                      │                                    │
                      └─────────────────────────────────────┘
```
Capsule provides two mechanisms for SIEM integration:
- Webhook Events API — Capsule's REST API emits structured JSON events that SIEM platforms can consume directly via HTTP Event Collector (Splunk) or Data Collector API (Sentinel)
- CSV Export — bulk export for historical data backfill or periodic batch ingestion
Use Splunk's built-in HTTP Event Collector to receive Capsule audit events in real time.
Prerequisites:
- Splunk Enterprise or Splunk Cloud with HEC enabled
- A Capsule Security account with admin access
Step 1 — Configure Splunk HEC
- In Splunk, navigate to Settings > Data Inputs > HTTP Event Collector
- Click New Token
- Set the source type to `_json` and choose your target index
- Copy the generated HEC token and note the HEC endpoint URL: `https://<splunk-host>:8088/services/collector/event`
Step 2 — Configure the Capsule-to-Splunk Connector
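As an added illustration of this step (example code, not Capsule's connector), the Python below wraps an audit event in the HEC envelope shown in the schema that follows, sets HEC's `time` field from the event timestamp so `_time` reflects when the event happened rather than when Splunk received it, and posts a batch to the collector. The HEC URL, token and sample events are constructed placeholders.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample events in the Capsule audit schema (values made up for this example).
SAMPLE_EVENTS = [
    {"timestamp": "2026-03-19T10:30:00Z", "sessionId": "sess-abc123",
     "auditType": "ToolInvocation", "auditSource": "Platform",
     "agent": {"id": "agent-uuid", "name": "Customer Support Agent", "platform": "azure-ai-foundry"},
     "user": {"email": "user@example.com"},
     "message": "database_query: SELECT * FROM orders WHERE status = 'pending'",
     "detections": ["sensitive-data-access"], "metadata": {}},
    {"timestamp": "2026-03-19T10:31:05Z", "sessionId": "sess-abc123",
     "auditType": "PolicyEvaluated", "auditSource": "Platform",
     "agent": {"id": "agent-uuid", "name": "Customer Support Agent", "platform": "azure-ai-foundry"},
     "user": {"email": "user@example.com"},
     "message": "policy 'no-bulk-export' evaluated: deny", "detections": [], "metadata": {}},
]

def iso_to_epoch(ts: str) -> float:
    """HEC's 'time' field takes epoch seconds; the audit timestamp is ISO-8601 UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def to_hec_envelope(event: dict, index: str = "capsule_audit") -> dict:
    """Wrap one audit event in the HEC envelope. Only the 'event' value becomes _raw;
    sourcetype, source and index are routing metadata. Setting 'time' pins _time to
    the Capsule timestamp instead of the moment Splunk received the event."""
    return {"time": iso_to_epoch(event["timestamp"]), "event": event,
            "sourcetype": "capsule:audit", "source": "capsule-security", "index": index}

def build_hec_batch(events: list) -> bytes:
    """HEC accepts several envelopes concatenated in one request body, which keeps
    the number of HTTPS round trips down when forwarding a busy session."""
    return "".join(json.dumps(to_hec_envelope(e)) for e in events).encode("utf-8")

def post_to_hec(hec_url: str, hec_token: str, events: list) -> dict:
    """POST a batch to https://<splunk-host>:8088/services/collector/event (placeholder
    host and token); HEC answers {"text": "Success", "code": 0} on acceptance."""
    req = urllib.request.Request(
        hec_url, data=build_hec_batch(events), method="POST",
        headers={"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))

if __name__ == "__main__":
    # Offline demonstration: print the exact bytes that would be sent.
    print(build_hec_batch(SAMPLE_EVENTS).decode("utf-8"))
```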
Forward Capsule audit events to your Splunk HEC endpoint. Events are delivered as structured JSON with the following schema:
```json
{
  "event": {
    "timestamp": "2026-03-19T10:30:00Z",
    "sessionId": "sess-abc123",
    "auditType": "ToolInvocation",
    "auditSource": "Platform",
    "agent": {
      "id": "agent-uuid",
      "name": "Customer Support Agent",
      "platform": "azure-ai-foundry"
    },
    "user": {
      "email": "user@example.com"
    },
    "message": "database_query: SELECT * FROM orders WHERE status = 'pending'",
    "detections": ["sensitive-data-access"],
    "metadata": {}
  },
  "sourcetype": "capsule:audit",
  "source": "capsule-security",
  "index": "capsule_audit"
}
```
Step 3 — Create Splunk Dashboards and Alerts
Use the capsule:audit sourcetype to build Splunk dashboards. Splunk stores the contents of the envelope's `event` key as the raw event, so fields are addressed as `auditType`, `agent.name` and so on, without an `event.` prefix:
```spl
index=capsule_audit sourcetype="capsule:audit"
| spath output=audit_type path=auditType
| spath output=agent_name path=agent.name
| spath output=user_email path=user.email
| timechart count by audit_type
```
Example alert for policy violations:
```spl
index=capsule_audit sourcetype="capsule:audit" auditType="PolicyEvaluated"
| spath output=agent_name path=agent.name
| spath output=message path=message
| where isnotnull(message)
| table _time agent_name message
```
Send Capsule audit events to a Microsoft Sentinel Log Analytics workspace using the HTTP Data Collector API.
Prerequisites:
- Microsoft Sentinel workspace in Azure
- Log Analytics Workspace ID and Primary Key
Step 1 — Create a Custom Log Table
Events are ingested into a custom log table named CapsuleAudit_CL. Sentinel automatically creates the table schema on first ingestion; string columns receive the `_s` suffix (for example `AuditType_s`), which is how the queries in Step 3 reference them.
Step 2 — Forward Events via Data Collector API
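As an added illustration (example code, not Capsule's own forwarder), the Python below builds the signed request the Data Collector API requires: besides the headers shown in the request that follows, every call needs an `x-ms-date` header and a `SharedKey <workspace-id>:<signature>` Authorization header, where the signature is an HMAC-SHA256 over the request metadata keyed with the workspace primary key. The workspace ID, key and sample record are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from email.utils import formatdate

RESOURCE = "/api/logs"
LOG_TYPE = "CapsuleAudit"  # stored by Log Analytics as the CapsuleAudit_CL table
# Constructed placeholders: a real workspace ID is a GUID and the primary key is the
# base64 string from the workspace's Agents management page.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_PRIMARY_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-key!").decode()

def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the API signs: method, body length, content type,
    the x-ms-date header and the resource path, newline separated."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"

def build_authorization(workspace_id: str, primary_key_b64: str,
                        content_length: int, rfc1123_date: str) -> str:
    """SharedKey scheme: HMAC-SHA256 of the canonical string keyed with the
    base64-decoded primary key, base64-encoded and prefixed with the workspace ID."""
    key = base64.b64decode(primary_key_b64)
    msg = build_string_to_sign(content_length, rfc1123_date).encode("utf-8")
    signature = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    return f"SharedKey {workspace_id}:{signature}"

def build_request(workspace_id: str, primary_key_b64: str, records: list,
                  rfc1123_date: str = None) -> urllib.request.Request:
    """Assemble the signed POST. The date must be identical in the header and the
    signature, and the signature covers the exact byte length of the body."""
    body = json.dumps(records).encode("utf-8")
    rfc1123_date = rfc1123_date or formatdate(usegmt=True)
    headers = {
        "Content-Type": "application/json",
        "Log-Type": LOG_TYPE,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "TimeGenerated",  # take TimeGenerated from the record
        "Authorization": build_authorization(workspace_id, primary_key_b64, len(body), rfc1123_date),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

# Constructed sample record in the flattened shape shown in the request that follows.
SAMPLE_RECORDS = [{"TimeGenerated": "2026-03-19T10:30:00Z", "SessionId": "sess-abc123",
                   "AuditType": "ToolInvocation", "AgentName": "Customer Support Agent",
                   "UserEmail": "user@example.com", "Detections": "sensitive-data-access"}]
```

Send the result with `urllib.request.urlopen(build_request(...))`. Microsoft has deprecated the HTTP Data Collector API (the 2016-04-01 endpoint used here) in favour of the Logs Ingestion API with data collection rules, so the SharedKey scheme above applies only to the older endpoint.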
Capsule audit events are posted to the Log Analytics Data Collector API:
```http
POST https://<workspace-id>.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
Content-Type: application/json
Log-Type: CapsuleAudit

[
  {
    "TimeGenerated": "2026-03-19T10:30:00Z",
    "SessionId": "sess-abc123",
    "AuditType": "ToolInvocation",
    "AuditSource": "Platform",
    "AgentId": "agent-uuid",
    "AgentName": "Customer Support Agent",
    "Platform": "azure-ai-foundry",
    "UserEmail": "user@example.com",
    "Message": "database_query: SELECT * FROM orders WHERE status = 'pending'",
    "Detections": "sensitive-data-access"
  }
]
```
Step 3 — Query in Sentinel
Use KQL to query Capsule audit data:
```kusto
CapsuleAudit_CL
| where AuditType_s == "ToolInvocation"
| summarize count() by AgentName_s, bin(TimeGenerated, 1h)
| render timechart
```
Example detection rule for high-risk agent activity:
```kusto
CapsuleAudit_CL
| where AuditType_s in ("PolicyEvaluated", "DetectionCreated")
| summarize DetectionCount = count() by AgentName_s, UserEmail_s, bin(TimeGenerated, 15m)
| where DetectionCount > 10
```
Can Capsule offload logs to a centralized SIEM?
Yes. Capsule supports offloading all audit and security event data to customer-managed SIEM platforms. The integration methods described above (Splunk HEC and Sentinel Data Collector API) enable real-time or near-real-time forwarding of structured audit data to your organization's centralized logging infrastructure.
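Once events are flowing to the SIEM, the Sentinel detection rule shown above can be checked against known data before it is deployed as an analytics rule. As an added example (not Capsule's or Microsoft's code), the Python below replicates that rule: keep the two high-risk audit types, count per agent, user and 15-minute bin, and flag bins with more than 10 events; the rows are constructed.

```python
from collections import Counter
from datetime import datetime, timezone

HIGH_RISK_TYPES = {"PolicyEvaluated", "DetectionCreated"}

# Constructed rows in the shape of CapsuleAudit_CL (values made up for this example):
# 13 detections for one agent/user inside 10:00-10:14, one policy event for another
# pair at 10:20, and one ToolInvocation that the rule must ignore.
SAMPLE_ROWS = [
    {"TimeGenerated": f"2026-03-19T10:{m:02d}:00Z", "AuditType_s": "DetectionCreated",
     "AgentName_s": "Customer Support Agent", "UserEmail_s": "user@example.com"}
    for m in range(13)
] + [
    {"TimeGenerated": "2026-03-19T10:20:00Z", "AuditType_s": "PolicyEvaluated",
     "AgentName_s": "HR Assistant", "UserEmail_s": "other@example.com"},
    {"TimeGenerated": "2026-03-19T10:05:00Z", "AuditType_s": "ToolInvocation",
     "AgentName_s": "Customer Support Agent", "UserEmail_s": "user@example.com"},
]

def bin_time(ts: str, minutes: int = 15) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, 15m): floor the timestamp to the bin start."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)

def high_risk_windows(rows: list, threshold: int = 10, minutes: int = 15) -> dict:
    """Replicates the rule: keep high-risk audit types, count per (agent, user, bin),
    and return only the bins whose DetectionCount exceeds the threshold."""
    counts = Counter()
    for row in rows:
        if row["AuditType_s"] in HIGH_RISK_TYPES:
            key = (row["AgentName_s"], row["UserEmail_s"], bin_time(row["TimeGenerated"], minutes))
            counts[key] += 1
    return {key: n for key, n in counts.items() if n > threshold}

if __name__ == "__main__":
    for (agent, user, window), n in high_risk_windows(SAMPLE_ROWS).items():
        print(f"{window.isoformat()} {agent} {user} DetectionCount={n}")
```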
Does Capsule support 90-day searchable logs and 1-year archived data?
Yes. The following table summarizes how each deployment model meets this requirement:
| Requirement | Enterprise SaaS | Dedicated SaaS (BYOK) | Customer Hosted VPC |
|---|---|---|---|
| 90-day searchable | Full-text indexed audit data in managed PostgreSQL — searchable at all times | Same as Enterprise SaaS, with customer-managed encryption keys | Full-text indexed audit data in customer-owned RDS with configurable retention |
| 1-year archive | Capsule-managed database backups with automated retention | Customer-controlled encryption keys over Capsule-managed backups | Customer-controlled RDS snapshots with lifecycle policies |
| SIEM archival | Forward to Splunk/Sentinel and apply your organization's retention policies | Same | Same |
For organizations requiring strict compliance with 90-day/1-year retention policies, the recommended approach is:
- Primary retention — Capsule platform retains all audit data with full search capability for the tenant lifetime (exceeds 90-day requirement)
- SIEM forwarding — Forward events to Splunk or Sentinel for correlation, alerting, and SOC workflows
- Long-term archival — Configure your SIEM's archival tier (Splunk SmartStore, Sentinel Archive Logs) to retain data for 1+ year at reduced storage cost
| Control | Details |
|---|---|
| Encryption in transit | TLS 1.3 for all API communication and log forwarding |
| Encryption at rest | AES-256 for all stored audit data; BYOK available on Dedicated SaaS and VPC deployments |
| Access control | Role-based access control (RBAC) governs who can view, search, and export audit data |
| Immutability | Audit records use soft-delete — events are never physically removed during normal operation |
| SOC 2 Type 2 | Audit logging controls verified annually |
| ISO 27001 | Information security management compliance |
For help configuring SIEM integrations or meeting specific compliance requirements, contact support@capsule.security.