Endpoint Visibility for Agent Behavior Analytics
Exabeam Agent Sensor is a lightweight endpoint binary that captures agentic activity from AI CLI tools running on enterprise endpoints — normalized to Exabeam Common Information Model (CIM), with no build toolchain required to install.
One sensor, every AI CLI on the endpoint
Agent Sensor captures session lifecycle, user prompts, tool invocations, token usage, and agent costs — all normalized to Exabeam Common Information Model (CIM) for SIEM threat detection and investigation. Binaries are published as GitHub Releases, so there's no build toolchain required to install.
Session Lifecycle
Tracks session starts, stops, and the full arc of an agentic CLI session on the endpoint.
Prompts & Tool Calls
Captures user prompts and every tool invocation made by the agent during a session.
Token Usage & Cost
Records token consumption and agent cost data alongside behavioral telemetry.
Built for macOS and Windows endpoints
Prerequisites: ~100 MB disk, local port 4982 available for the hook server, and curl (present by default on macOS and Windows 10 1803+ / Windows 11).
Up and running in under a minute
Download the binary for your platform, then install hooks for Claude Code, Codex CLI, and Gemini CLI with a single flag.
# macOS on Apple Silicon (aarch64)
# Replace VERSION with the release you want, e.g. 1.0.4
VERSION=1.0.4
sudo curl -fsSL https://github.com/ExabeamLabs/agent-sensor-dist/releases/download/v${VERSION}/agent-sensor-v${VERSION}-aarch64-apple-darwin \
  -o /usr/local/bin/agent-sensor
sudo chmod +x /usr/local/bin/agent-sensor

# macOS on Intel (x86_64)
# Replace VERSION with the release you want, e.g. 1.0.4
VERSION=1.0.4
sudo curl -fsSL https://github.com/ExabeamLabs/agent-sensor-dist/releases/download/v${VERSION}/agent-sensor-v${VERSION}-x86_64-apple-darwin \
  -o /usr/local/bin/agent-sensor
sudo chmod +x /usr/local/bin/agent-sensor
# 1. Download agent-sensor-v{VERSION}-x86_64-pc-windows-gnu.exe from the Releases page
# 2. Rename it to agent-sensor.exe
# 3. Move it to a directory on your PATH, e.g. C:\Program Files\agent-sensor\
agent-sensor --version
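The download commands above write the release binary straight into a directory on PATH. The following is an added example, not taken from the Exabeam documentation: it installs a staged download only when its SHA-256 matches a digest you supply. `sha256_of` and `install_verified` are hypothetical helper names, and the expected digest is assumed to come from a source you trust.

```shell
# Added example, not part of the Agent Sensor docs.
# sha256_of and install_verified are hypothetical helper names.

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified <staged-file> <expected-sha256> <dest>
# Copies the file to <dest> with mode 755 only if the digest matches.
install_verified() {
    src=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper- or lowercase hex
    dest=$3
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 1; }
    got=$(sha256_of "$src") || return 1
    if [ "$got" != "$want" ]; then
        echo "sha256 mismatch for $src: got $got" >&2
        return 1                                  # nothing is written to <dest>
    fi
    install -m 755 "$src" "$dest"
}
```

Stage the download in a temporary path with `curl -fsSL ... -o`, then call `install_verified` from a root shell so that only a verified file reaches /usr/local/bin.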
# 1. Install hooks for Claude Code, Codex CLI, and Gemini CLI + write default config
agent-sensor --auto-config

# 2. Install and start as a background service
agent-sensor install-service

# 3. After a Claude Code session, inspect the JSONL audit log
cat ~/.agent-sensor/events.jsonl
Preview what --auto-config would change first with agent-sensor --auto-config --dry-run.
Forward events straight into Exabeam
The default config lives at ~/.agent-sensor/config.toml and is created automatically by --auto-config — it's never overwritten on subsequent runs, so edit it freely.
[sources]

[[sinks]]
kind = "jsonl"
path = "/Users/YOU/.agent-sensor/events.jsonl"
rotation_size_mb = 100
max_rotated_files = 5

# Uncomment to forward events to Exabeam or another SIEM:
# [[sinks]]
# kind = "webhook"
# url = "https://your-collector.example.com/agent-sensor"
# token_file = "~/.agent-sensor/webhook.token"
Environment variables
| Variable | Purpose |
|---|---|
| RUST_LOG | Log filter, e.g. agent_sensor=debug |
| AGENT_SENSOR_KEY | Encryption key for --enable-local-encryption |
| AGENT_SENSOR_WEBHOOK_TOKEN | Bearer token for webhook sink |
| AGENT_SENSOR_PROJECT_DIR | Same as --project-dir flag |
⚠️ Never pass bearer tokens as CLI flags — they appear in ps aux. Use --token-file or the env var instead.
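One way to provision the token file that the warning above recommends, as an added example that is not part of the Agent Sensor documentation: the token is read from stdin so it never appears in a process argument list, and the file is created owner-only. `write_token_file` and `check_token_file` are hypothetical helper names; the default path is the `token_file` value from the sample config.

```shell
# Added example, not part of the Agent Sensor docs.
# write_token_file and check_token_file are hypothetical helper names.

# Read one line (the token) from stdin and store it with mode 0600.
# Only shell builtins touch the token, so it is never visible in `ps`.
write_token_file() {
    dest="${1:-$HOME/.agent-sensor/webhook.token}"
    (
        umask 077                               # no group/other bits on new files and dirs
        mkdir -p "$(dirname "$dest")"
        IFS= read -r token || true              # tolerate input without a trailing newline
        [ -n "$token" ] || exit 1               # refuse to write an empty token
        : > "$dest" && chmod 600 "$dest" || exit 1   # restrict mode before the secret lands
        printf '%s' "$token" > "$dest"
    ) || return 1
}

# Succeed only if the file is non-empty and has no group/other permission bits.
check_token_file() {
    f="${1:-$HOME/.agent-sensor/webhook.token}"
    [ -s "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)           # group and other triplets of the mode string
    [ "$perms" = "------" ]
}
```

Feed the token from a secrets manager or an interactive prompt, for example by piping that tool's output into `write_token_file`, and run `check_token_file` as a pre-flight step before starting the service.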
Command-line reference
agent-sensor [OPTIONS] [SUBCOMMAND] — running without a subcommand is equivalent to agent-sensor run.
0 if valid, 78 if malformed or missing. --use-scheduled-task on Windows. install-service. [update] enabled = true in config). Supports --check and --rollback.
Global options
| Flag | Default | Description |
|---|---|---|
| -c, --config <PATH> | ~/.agent-sensor/config.toml | Path to config file |
| --log-level <LEVEL> | info | error, warn, info, debug, trace |
| --hook-port <PORT> | 0 (OS-assigned) | Port for the hook server, serving /claude, /codex, /gemini |
| --port-range <MIN-MAX> | none | Constrain hook port binds to this range |
| --auto-config | — | Install hooks for all supported CLIs and write default config |
| --dry-run | — | Preview changes without modifying any files |
| --enable-local-encryption | — | Encrypt JSONL/SQLite files at rest (requires AGENT_SENSOR_KEY) |
| --project-dir <PATH> | ~/.agent-sensor | Project directory for registry lookup |
Everything you need to deploy at scale
Browse the full documentation, rendered here for easy reading.
Install & service setup
Download links, Gatekeeper handling on macOS, Windows scheduled tasks, verification, upgrading, and uninstalling.
CLI & configuration reference
Full subcommand reference, global options, common workflows, exit codes, and environment variables.
Release history
Track what's new in each version of Exabeam Agent Sensor.
Download binaries
Pre-built macOS and Windows binaries — no build toolchain required to install.
Common issues
Port already in use
Find what's bound to the port, or run on a different one.
lsof -i :4982
agent-sensor --hook-port 4992
No events appearing
Verify the forwarder is running, confirm hooks are installed in ~/.claude/settings.json, then send a manual test event via the hook server.
macOS Gatekeeper blocks the binary
Clear the quarantine attribute, or allow it in System Settings.
xattr -d com.apple.quarantine \
  /usr/local/bin/agent-sensor
Start collecting agent behavior today
Install Exabeam Agent Sensor and forward AI CLI activity into the Exabeam platform in minutes.
Built on the Observra Open Source Library schema
Exabeam Agent Sensor doesn't invent its own event format. It captures and forwards agent activity using the same open schema defined by the Observra Open Source Library, so events stay portable across the agentic ecosystem instead of being locked to one vendor.
One Schema, Many Sources
Observra defines a common, vendor-neutral event shape for agent sessions, prompts, tool calls, and token usage. Agent Sensor emits events in this shape out of the box, so they line up with anything else in your environment that speaks the same schema.
Designed for Embedding
The Observra Open Source Library is built to be embedded directly into custom AI agents and internal tooling — not just bolted on at the endpoint. Teams instrumenting their own agents can emit Observra-shaped events natively, and Agent Sensor's CLI coverage extends that same visibility to off-the-shelf tools like Claude Code, Codex CLI, and Gemini CLI.
Consistent Downstream
Because both paths — embedded agents and CLI hooks — produce the same event shape, detections, dashboards, and investigations in Exabeam don't need to special-case where the data came from. One schema, one set of detections, full coverage.