The activity should be exportable to a CSV format and API accessible so that it can be centralized into an organization wide SIEM logging system like Splunk. It’s advisable to offer both the ability to poll for new events and to be able to push new events to the remote system. When polling, use standards such as persistent cursors to prevent duplicate events from being received. When pushing, use standards such as webhooks to minimize the amount of custom work required to ingest these events.

The Replicated Audit Log Service provides CSV export with custom saved searches for easy repeatability of common export actions.

Additionally, the Enterprise API is designed to enable the IT admins to retrieve the events with support for persistent cursors for resuming retrieval on a regular interval without overlapping or excluding events.