Observability & Trust
Control Core separates compliance audit evidence from troubleshooting telemetry — keeping both privacy-aware, regulator-ready, and support-safe.
Start Here
- Audit API Integration — Developer guide: REST polling, SIEM connectors, webhook push, audit schema v2, regulatory export
- How Logging Works
- Audit vs Diagnostic Logs
- Security of Support
- Remote Troubleshooting Runbook
- PBAC Operator Playbooks
Core Principles
- Policy-governed logging — log redaction decisions are policy-driven, consistent with active control rules.
- Separation of concerns — immutable audit records answer who did what, when, and with what outcome; diagnostic traces answer how the system behaved.
- Support-safe evidence sharing — exports use mandatory `TICKET_REF` context and package integrity metadata.
- Actionable diagnostics — outputs include probable causes, evidence links, and remediation steps.
- SIEM-ready by default — every event conforms to `audit_event_v2` with full traceability fields for SIEM triage and regulatory evidence.
Developer API
Consume audit events programmatically without UI access:
| Endpoint | Purpose |
|---|---|
| `GET /audit/logs` | Poll audit events with filters, pagination, and regulation tag scoping |
| `POST /audit/siem-config` | Configure push delivery to Splunk, Grafana, Elastic, Sentinel, QRadar |
| `POST /v1/notifications/channels` | Register HMAC-signed webhook for near-real-time event push |
| `POST /audit/bouncer-logs/batch` | Ingest Bouncer enforcement decisions (OEM deployments) |
| `GET /audit/export` | Export CSV with regulation profile preset |
Developer Portal: Customers with Control Plane deployed can explore and try all audit endpoints interactively at `/devdocs` on their Control Plane URL.
For the full developer guide with curl examples, schema field reference, provider-specific setup (Splunk, Grafana, Elastic, Sentinel), and signature verification code, see Audit API Integration.
Audit event categories
Every audit record belongs to one of the following categories — used for filtering, SIEM triage, and regulatory export scope:
| Category | Events included |
|---|---|
| Authentication & Session | Login, logout, token refresh, API key lifecycle |
| User Management | User creation, role changes, MFA enrollment |
| Control Management | Policy CRUD, deployment, promotion, validation |
| Resource Management | Resource registration and updates |
| Bouncer Enforcement | Bouncer registration, sync events, configuration updates |
| Access Decisions | ACCESS_GRANTED, ACCESS_DENIED, policy evaluation results |
| API Interactions | Rate limiting, auth failures, unauthorized access attempts |
| AI Interactions | AI agent invocations, guardrail triggers, policy generation |
| Data Access & Export | Data exports, sensitive data access, audit log exports |
| Integrations | Data Source connections, MCP integrations, sync events |
| Security Events | Suspicious activity, policy violations, attack patterns |
| System Events | Version updates, health checks, configuration changes |