{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Auditing and Logging","description":"Control the power of AI Agents in runtime.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"auditing-and-logging","__idx":0},"children":["Auditing and Logging"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule Security provides comprehensive auditing and logging capabilities for AI agent activity across your organization. This guide covers the platform's native observability features and how to forward audit data to your centralized SIEM — including Splunk and Microsoft Sentinel."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"platform-auditing-and-logging","__idx":1},"children":["Platform Auditing and Logging"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"audit-event-types","__idx":2},"children":["Audit Event Types"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Every AI agent interaction monitored by Capsule generates structured audit events. These events are persisted in the platform database and are immediately available for search, filtering, and investigation."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Event Type"},"children":["Event Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Session Started"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An AI agent session begins"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User Message"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A user sends a prompt to an agent"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Agent Message"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The agent produces a response"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Agent Reasoning"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Internal reasoning steps (chain-of-thought)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tool Invocation"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An agent calls a tool or action"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Data Source Accessed"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An agent reads from a connected data source"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Channel Accessed"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An agent interacts with an access channel"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Skill Invoked"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An agent triggers a defined skill"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy Evaluated"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A security policy is evaluated against an action"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Detection Created"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A security detection is triggered"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Finding Created"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A security finding is generated"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Issue Created"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A security issue is opened"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Error"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An error occurs during agent execution"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["System Message"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A platform-level system event"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"audit-data-structure","__idx":3},"children":["Audit Data Structure"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each audit event includes:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Timestamp"]}," — when the event occurred"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Session ID"]}," — groups events into conversation sessions"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Agent"]}," — the AI agent that generated the event, including platform and environment"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User"]}," — the identity of the user interacting with the agent"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Entity"]}," — the tool, data source, skill, or access channel involved"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Message"]}," — human-readable event content (full-text searchable)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Detections"]}," — any security detections triggered by this event"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Findings"]}," — security findings linked to this event"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policies"]}," — policies evaluated during this event"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Metadata"]}," — raw JSON payload from the source platform for forensic analysis"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"searching-and-filtering-audit-logs","__idx":4},"children":["Searching and Filtering Audit Logs"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Observability"]}," in the Capsule portal to access the full audit log. The interface supports:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Full-text search"]}," across event messages and agent names"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Date range filtering"]}," with custom time windows"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Agent filtering"]}," by specific agent or platform type (e.g., all Azure AI Foundry agents)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Activity type filtering"]}," — narrow to specific event types (sessions, tool calls, detections, etc.)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Detection type filtering"]}," — view only events that triggered specific detection categories"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Finding type filtering"]}," — filter by finding classification"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Issue filtering"]}," — find all sessions linked to a specific issue"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tool / Data Source / Channel / Skill filtering"]}," — drill into events involving a specific entity"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Results are sortable by timestamp, agent name, or event type. The timeline chart provides a visual overview of activity density and security indicators across your chosen time window."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"session-based-investigation","__idx":5},"children":["Session-Based Investigation"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Audit events are grouped into ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["sessions"]}," — the complete lifecycle of an agent conversation. Selecting a session in the Observability view shows:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The full ordered sequence of events (user messages, agent responses, tool calls, etc.)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Security detections triggered during the session"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Issues created from the session"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Policy evaluation results"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This session-level view is the primary interface for incident investigation and forensic review."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"csv-export","__idx":6},"children":["CSV Export"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["All audit data visible in the portal can be exported to CSV for offline analysis, compliance reporting, or ingestion into external systems. Use the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Export"]}," action in the toolbar of any inventory or observability page. The export runs in batches with progress tracking and supports cancellation."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"data-retention","__idx":7},"children":["Data Retention"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule retains all audit data in the platform database for the lifetime of your tenant. Data is soft-deleted (never physically removed during normal operation), ensuring a complete audit trail is available for investigation."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Deployment Model"},"children":["Deployment Model"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Searchable Log Storage"},"children":["Searchable Log Storage"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Retention Period"},"children":["Retention Period"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Archive Capability"},"children":["Archive Capability"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enterprise SaaS"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule-managed PostgreSQL"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Unlimited (tenant lifetime)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Included — data persists in the managed database with automated backups"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Dedicated SaaS with BYOK"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Dedicated PostgreSQL with customer-managed encryption keys"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Unlimited (tenant lifetime)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Included — customer controls encryption keys; Capsule manages backups"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Customer Hosted VPC"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Amazon RDS in customer VPC"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Unlimited (tenant lifetime)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Full customer control — configure RDS snapshots per your requirements"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["90-day searchable / 1-year archive requirement:"]}," All deployment models meet this requirement by default. Audit data is stored in PostgreSQL and remains fully searchable (with full-text search indexes) for the entire retention period — there is no degradation from \"searchable\" to \"archived\" state. For Customer Hosted VPC deployments, customers can additionally configure RDS automated snapshot retention to satisfy specific compliance windows."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"siem-integration","__idx":8},"children":["SIEM Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule supports forwarding audit data to your organization's centralized SIEM for correlation with other security telemetry, long-term archival, and SOC workflows."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"architecture-overview","__idx":9},"children":["Architecture Overview"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"┌──────────────────────────────────────────────────────────┐\n│ Capsule Security │\n│ │\n│ ┌──────────────┐ ┌──────────────┐ ┌────────────┐ │\n│ │ Audit Event │───▶│ Webhook │───▶│ SIEM │ │\n│ │ Pipeline │ │ Events API │ │ Connector │ │\n│ └──────────────┘ └──────────────┘ └─────┬──────┘ │\n│ │ │\n└────────────────────────────────────────────────┼─────────┘\n │\n ┌──────────────────────────┼─────────┐\n │ Customer SIEM │\n │ │\n │ ┌────────────┐ ┌────────────┐ │\n │ │ Splunk │ │ Microsoft │ │\n │ │ │ │ Sentinel │ │\n │ └────────────┘ └────────────┘ │\n │ │\n └─────────────────────────────────────┘\n"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule provides two mechanisms for SIEM integration:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Webhook Events API"]}," — Capsule's REST API emits structured JSON events that SIEM platforms can consume directly via HTTP Event Collector (Splunk) or Data Collector API (Sentinel)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CSV Export"]}," — bulk export for historical data backfill or periodic batch ingestion"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"splunk-integration","__idx":10},"children":["Splunk Integration"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"splunk-http-event-collector-hec","__idx":11},"children":["Splunk HTTP Event Collector (HEC)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use Splunk's built-in HTTP Event Collector to receive Capsule audit events in real time."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Prerequisites:"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Splunk Enterprise or Splunk Cloud with HEC enabled"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A Capsule Security account with admin access"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Step 1 — Configure Splunk HEC"]}]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In Splunk, navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings > Data Inputs > HTTP Event Collector"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New Token"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Set the source type to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["_json"]}," and choose your target index"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Copy the generated ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["HEC token"]}," and note the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["HEC endpoint URL"]}]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"https://:8088/services/collector/event\n"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Step 2 — Configure the Capsule-to-Splunk Connector"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Forward Capsule audit events to your Splunk HEC endpoint. Events are delivered as structured JSON with the following schema:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n \"event\": {\n \"timestamp\": \"2026-03-19T10:30:00Z\",\n \"sessionId\": \"sess-abc123\",\n \"auditType\": \"ToolInvocation\",\n \"auditSource\": \"Platform\",\n \"agent\": {\n \"id\": \"agent-uuid\",\n \"name\": \"Customer Support Agent\",\n \"platform\": \"azure-ai-foundry\"\n },\n \"user\": {\n \"email\": \"user@example.com\"\n },\n \"message\": \"database_query: SELECT * FROM orders WHERE status = 'pending'\",\n \"detections\": [\"sensitive-data-access\"],\n \"metadata\": {}\n },\n \"sourcetype\": \"capsule:audit\",\n \"source\": \"capsule-security\",\n \"index\": \"capsule_audit\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Step 3 — Create Splunk Dashboards and Alerts"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["capsule:audit"]}," sourcetype to build Splunk dashboards:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"spl","header":{"controls":{"copy":{}}},"source":"index=capsule_audit sourcetype=\"capsule:audit\"\n| spath output=audit_type path=event.auditType\n| spath output=agent_name path=event.agent.name\n| spath output=user_email path=event.user.email\n| timechart count by audit_type\n","lang":"spl"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Example alert for policy violations:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"spl","header":{"controls":{"copy":{}}},"source":"index=capsule_audit sourcetype=\"capsule:audit\" event.auditType=\"PolicyEvaluated\"\n| spath output=agent_name path=event.agent.name\n| spath output=message path=event.message\n| where isnotnull(message)\n| table _time agent_name message\n","lang":"spl"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"microsoft-sentinel-integration","__idx":12},"children":["Microsoft Sentinel Integration"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"azure-monitor-data-collector-api","__idx":13},"children":["Azure Monitor Data Collector API"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Send Capsule audit events to a Microsoft Sentinel Log Analytics workspace using the HTTP Data Collector API."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Prerequisites:"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Microsoft Sentinel workspace in Azure"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Log Analytics ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Workspace ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Primary Key"]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Step 1 — Create a Custom Log Table"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Events are ingested into a custom log table named ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["CapsuleAudit_CL"]},". Sentinel automatically creates the table schema on first ingestion."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Step 2 — Forward Events via Data Collector API"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule audit events are posted to the Log Analytics Data Collector API:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"POST https://.ods.opinsights.azure.com/api/logs?api-version=2016-04-01\nContent-Type: application/json\nLog-Type: CapsuleAudit\n"},"children":[]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"[\n {\n \"TimeGenerated\": \"2026-03-19T10:30:00Z\",\n \"SessionId\": \"sess-abc123\",\n \"AuditType\": \"ToolInvocation\",\n \"AuditSource\": \"Platform\",\n \"AgentId\": \"agent-uuid\",\n \"AgentName\": \"Customer Support Agent\",\n \"Platform\": \"azure-ai-foundry\",\n \"UserEmail\": \"user@example.com\",\n \"Message\": \"database_query: SELECT * FROM orders WHERE status = 'pending'\",\n \"Detections\": \"sensitive-data-access\"\n }\n]\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Step 3 — Query in Sentinel"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use KQL to query Capsule audit data:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"kql","header":{"controls":{"copy":{}}},"source":"CapsuleAudit_CL\n| where AuditType_s == \"ToolInvocation\"\n| summarize count() by AgentName_s, bin(TimeGenerated, 1h)\n| render timechart\n","lang":"kql"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Example detection rule for high-risk agent activity:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"kql","header":{"controls":{"copy":{}}},"source":"CapsuleAudit_CL\n| where AuditType_s in (\"PolicyEvaluated\", \"DetectionCreated\")\n| summarize DetectionCount = count() by AgentName_s, UserEmail_s, bin(TimeGenerated, 15m)\n| where DetectionCount > 10\n","lang":"kql"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"centralized-log-offloading","__idx":14},"children":["Centralized Log Offloading"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Can Capsule offload logs to a centralized SIEM?"]}," Yes."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule supports offloading all audit and security event data to customer-managed SIEM platforms. The integration methods described above (Splunk HEC and Sentinel Data Collector API) enable real-time or near-real-time forwarding of structured audit data to your organization's centralized logging infrastructure."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"retention-and-archival-compliance","__idx":15},"children":["Retention and Archival Compliance"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Does Capsule support 90-day searchable logs and 1-year archived data?"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Yes. The following table summarizes how each deployment model meets this requirement:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Requirement"},"children":["Requirement"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Enterprise SaaS"},"children":["Enterprise SaaS"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Dedicated SaaS (BYOK)"},"children":["Dedicated SaaS (BYOK)"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Customer Hosted VPC"},"children":["Customer Hosted VPC"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["90-day searchable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Full-text indexed audit data in managed PostgreSQL — searchable at all times"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Same as Enterprise SaaS, with customer-managed encryption keys"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Full-text indexed audit data in customer-owned RDS with configurable retention"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["1-year archive"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule-managed database backups with automated retention"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Customer-controlled encryption keys over Capsule-managed backups"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Customer-controlled RDS snapshots with lifecycle policies"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SIEM archival"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Forward to Splunk/Sentinel and apply your organization's retention policies"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Same"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Same"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For organizations requiring strict compliance with 90-day/1-year retention policies, the recommended approach is:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Primary retention"]}," — Capsule platform retains all audit data with full search capability for the tenant lifetime (exceeds 90-day requirement)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SIEM forwarding"]}," — Forward events to Splunk or Sentinel for correlation, alerting, and SOC workflows"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Long-term archival"]}," — Configure your SIEM's archival tier (Splunk SmartStore, Sentinel Archive Logs) to retain data for 1+ year at reduced storage cost"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"security-and-compliance","__idx":16},"children":["Security and Compliance"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Control"},"children":["Control"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Details"},"children":["Details"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Encryption in transit"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["TLS 1.3 for all API communication and log forwarding"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Encryption at rest"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["AES-256 for all stored audit data; BYOK available on Dedicated SaaS and VPC deployments"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Access control"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Role-based access control (RBAC) governs who can view, search, and export audit data"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Immutability"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Audit records use soft-delete — events are never physically removed during normal operation"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SOC 2 Type 2"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Audit logging controls verified annually"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["ISO 27001"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Information security management compliance"]}]}]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"support","__idx":17},"children":["Support"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For help configuring SIEM integrations or meeting specific compliance requirements, contact ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"mailto:support@capsule.security"},"children":["support@capsule.security"]},"."]}]},"headings":[{"value":"Auditing and Logging","id":"auditing-and-logging","depth":1},{"value":"Platform Auditing and Logging","id":"platform-auditing-and-logging","depth":2},{"value":"Audit Event Types","id":"audit-event-types","depth":3},{"value":"Audit Data Structure","id":"audit-data-structure","depth":3},{"value":"Searching and Filtering Audit Logs","id":"searching-and-filtering-audit-logs","depth":3},{"value":"Session-Based Investigation","id":"session-based-investigation","depth":3},{"value":"CSV Export","id":"csv-export","depth":3},{"value":"Data Retention","id":"data-retention","depth":3},{"value":"SIEM Integration","id":"siem-integration","depth":2},{"value":"Architecture Overview","id":"architecture-overview","depth":3},{"value":"Splunk Integration","id":"splunk-integration","depth":3},{"value":"Splunk HTTP Event Collector (HEC)","id":"splunk-http-event-collector-hec","depth":4},{"value":"Microsoft Sentinel Integration","id":"microsoft-sentinel-integration","depth":3},{"value":"Azure Monitor Data Collector API","id":"azure-monitor-data-collector-api","depth":4},{"value":"Centralized Log Offloading","id":"centralized-log-offloading","depth":3},{"value":"Retention and Archival Compliance","id":"retention-and-archival-compliance","depth":3},{"value":"Security and Compliance","id":"security-and-compliance","depth":2},{"value":"Support","id":"support","depth":2}],"frontmatter":{"sidebar":"../sidebars.yaml","seo":{"title":"Auditing and Logging"}},"lastModified":"2026-06-09T20:02:44.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/auditing-and-logging","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}