name: Audit Everything to SIEM
description: Define an audit log schema for a tenant, emit events for critical actions (user, org, directory, authorization, agent), and confirm events stream to the customer's SIEM via the Audit Logs destination.
specification: Naftiko Capability Composition
specificationVersion: '0.1'
provider: WorkOS
providerId: workos
api: workos
created: '2026-05-22'
modified: '2026-05-22'
tags:
- Audit Logs
- Compliance
- SIEM
inputs:
- name: organization_id
  type: string
  required: true
- name: action
  type: string
  required: true
- name: actor
  type: object
  required: true
- name: targets
  type: array
  required: true
steps:
- id: define-schema
  capability: audit-logging
  operation: AuditLogsController_createSchema
  description: Define the audit log schema (actions, target types, metadata) the application emits.
- id: emit-event
  capability: audit-logging
  operation: AuditLogsController_createEvent
  description: Emit a tamper-evident audit event for the given action, actor, and targets.
- id: stream-to-siem
  description: Confirm the event reaches the customer's configured SIEM destination (Splunk, Datadog, Elastic, etc.).
  external: true
- id: query-events
  capability: webhooks
  operation: EventsController_list
  description: Verify the event is queryable via the Events API for replay and integration testing.
outputs:
- name: event_id
  source: emit-event.id