SaaS
Export Audit Trail
Stream or batch-export your ShieldAgent audit events to your SIEM, data lake, or log aggregator. Every export is signed with a Merkle root for tamper detection.
Export destinations
Webhook (Real-time)
POST each event to any HTTPS endpoint in real time. Ideal for SIEM ingestion (Splunk, Datadog, Elastic).
Amazon S3 (Batch)
Batch events to an S3 bucket hourly or daily. Compressed NDJSON. Supports cross-account IAM roles.
Syslog (RFC 5424) (Real-time)
Forward events to a syslog receiver over TLS. Compatible with on-prem SIEMs and log aggregators.
Configure a webhook export
1. Go to Settings → Export Configurations → New.
2. Select Webhook as the destination type.
3. Enter the HTTPS endpoint URL and an optional secret for HMAC-SHA256 signature verification.
4. Choose which event types to include (tool calls, policy decisions, alerts, all).
5. Click Test & Save. ShieldAgent sends a test payload and shows the response.
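On the receiving side, the secret from step 3 lets the endpoint reject deliveries that were not signed with it. The following is an added example, not ShieldAgent's own code: it assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body, delivered in a header whose name here (X-ShieldAgent-Signature) is hypothetical, and it uses a constructed sample event.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

# Assumption: hypothetical header name; use the one ShieldAgent actually sends.
SIGNATURE_HEADER = "x-shieldagent-signature"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed signing scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, received: Optional[str]) -> bool:
    """Constant-time check of the received signature against the expected one."""
    if not received:
        return False
    expected = sign(secret, raw_body).encode("ascii")
    # Compare as bytes so a non-ASCII header value fails cleanly instead of raising.
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))


def handle_delivery(secret: bytes, headers: Mapping[str, str],
                    raw_body: bytes) -> Tuple[int, Optional[dict]]:
    """Authenticate the exact bytes received, then parse. Returns (status, event)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get(SIGNATURE_HEADER)):
        return 401, None  # unsigned, tampered, or signed with another secret
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(event, dict) or not {"id", "type", "timestamp"}.issubset(event):
        return 400, None
    return 200, event


# Constructed sample delivery, modelled on the event format on this page.
SECRET = b"constructed-export-secret"
BODY = json.dumps({
    "id": "evt_constructed_0001", "timestamp": "2026-04-16T10:23:45.123Z",
    "tenantId": "t_abc123", "agentId": "ag_xyz789", "type": "tool_call",
    "tool": "read_file", "decision": "ALLOW", "riskScore": 12,
}).encode("utf-8")

if __name__ == "__main__":
    print(handle_delivery(SECRET, {"X-ShieldAgent-Signature": sign(SECRET, BODY)}, BODY))
    print(handle_delivery(SECRET, {}, BODY))
```

Verify against the bytes as received, before any JSON parsing or re-serialization, since re-encoding the body changes the bytes the HMAC covers.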
Event format
{
  "id": "evt_01HXYZ...",
  "timestamp": "2026-04-16T10:23:45.123Z",
  "tenantId": "t_abc123",
  "agentId": "ag_xyz789",
  "type": "tool_call",
  "tool": "read_file",
  "decision": "ALLOW",
  "riskScore": 12,
  "policyId": "pol_read_only",
  "latencyMs": 1.4,
  "merkleRoot": "a3f9..."
}
Integrity verification
Each event batch is anchored with a Merkle root. You can verify that an exported batch has not been tampered with using the Audit → Verify Integrity tool in the dashboard, or by comparing the root hash against the hash stored in the ShieldAgent database.