Enterprise SIEM Integrations
Export Manus agent activity as an audit feed for compliance, security monitoring, and incident investigation. Every step of an agent session is captured as one of four event types:| Event | What it records |
|---|---|
USER_CHAT | A message the user sent to the agent |
AGENT_REPLY | A reply the agent produced (a notification or a question) |
TOOL_CALL | A tool invocation, with its arguments |
TOOL_RESULT | The result returned by a tool |
Two tiers of data
- Tier 1 — metadata. Identity, timing, event type, outcome, and tool/connector attributes. No message content.
- Tier 2 — metadata + payload. Everything in Tier 1 plus the actual content: chat text, tool-call arguments, and tool results. Requires a signed SIEM Data Processing Agreement (DPA).
Two ways to receive it
Stream (push)
Manus pushes OpenTelemetry records to your OTLP endpoints in real time. Tier 1 destinations receive metadata; Tier 2 destinations receive metadata + payload.
Export (on demand)
Run an asynchronous export over HTTP with a SIEM enterprise API key and download an archive of the matching events.
Streaming (push)
Manus delivers audit events to OTLP endpoints you control. Destinations are configured in the Manus console; streaming setup uses your console sign-in, not an enterprise API key.- Protocols: OTLP/HTTP and OTLP/gRPC.
- Destination tiers: a Tier 1 destination receives metadata-only records; a Tier 2 destination receives metadata + payload (selectable only once your enterprise has signed the SIEM DPA).
- Endpoint auth: attach an auth header (e.g.
Authorization: Bearer …); Manus stores it encrypted and sends it on every push. - Health & control: destinations can be paused and resumed, expose last-success / last-failure timestamps and a consecutive-failure count, and support a connection test that sends an empty OTLP request to verify reachability and auth.
- Large payloads: payloads above the inline limit are omitted from the Tier 2 stream; retrieve them with an export (
include_payload=true).
Export (on demand)
An asynchronous API authenticated with a SIEM enterprise API key (X-API-Key). You submit an export, poll until it completes, then download a ZIP archive of newline-delimited JSON (NDJSON) — one event per line.
Create an export
Submit an export with optional user, session, time-range, and event-type filters
Track an export
Poll the task until it reaches
COMPLIANCE_EXPORT_STATUS_COMPLETEDDownload the archive
Mint a 15-minute pre-signed URL for the completed archive
Export lifecycle
- enterprise.compliance.export.create returns immediately with
COMPLIANCE_EXPORT_STATUS_PENDING. Setinclude_payload=trueto embed event payloads (Tier 2 only). - enterprise.compliance.export.detail reports
PROCESSING, thenCOMPLETED(orFAILED). Completed records carryevent_countandfile_size. - enterprise.compliance.export.downloadUrl mints a 15-minute pre-signed URL for the archive.
failed_precondition.
Operational notes
- Prerequisite — enable SIEM capture: Audit events become exportable once your team has at least one active SIEM destination. A Tier 1 destination captures metadata; adding a Tier 2 destination with a signed SIEM DPA also captures payloads. With no active destination, nothing is captured and exports come back empty.
- Tenancy: A SIEM key is scoped to your enterprise; exports only ever include events from teams your enterprise owns. Streamed records carry
tenant.team_uidso you can route per team. - Retention: Manus keeps audit events for 1 year from each event’s
occurred_at, after which they are permanently deleted. Records already streamed to your SIEM are governed by your own retention policy. - Ordering: Events in the archive are ordered newest first (
occurred_atdescending). - Secret redaction: Inside tool arguments and results, values under secret-like keys (
token,password,api_key, …) are replaced with[REDACTED]before any event is stored, streamed, or exported. - Authentication: The export API requires a SIEM enterprise API key (see Authentication). Streaming destinations are managed in the Manus console.