Appearance
Audit Trails
Define and control audit logging for security-relevant decisions and actions taken by the Turbo Launcher. The Audit Trails capability is designed for regulated industries (CMMC, NIST 800-171, ITAR) and focuses on what is audited and how policy governs audit behavior. Transport, centralized retention, and SIEM integrations are handled by the platform/server infrastructure.
What You'll Learn
- Which events are audited (event taxonomy)
- The normalized audit event envelope
- How to configure audit level, redaction, integrity, data residency, and failure behavior
- How to enable user/admin policy change requests (auditable)
- Recommended defaults for regulated environments
Goals
- Provide trustworthy, tamper-evident audit records for authorization decisions, data-motion gating, file operations, networking, device access, policy integrity, and session lifecycle.
- Emit metadata only (no content/payload by default) with configurable redaction to reduce sensitivity.
- Attach residency and compliance metadata for downstream enforcement by enterprise systems.
Event taxonomy
Events are grouped by category, with an optional subCategory for hierarchical event families. Capture levels are configured globally (with per-category overrides): off, minimal, standard (default), verbose, debug.
When subCategory is present, the canonical identifier is category.subCategory (for example, behavioral.uiInteraction).
Access and Authorization Events
| Category | SubCategory | Description |
|---|---|---|
authz | - | Application discovery and allow/deny decisions, matched rule and identity checks (publisher certificate, hash, version), selected launch profile, runtime modifications applied, approval-gated appLaunch attempts and outcomes. |
session | - | Container create/start/stop, reset session, diagnostic mode usage, VM/client versions. |
Policy, Governance, and Integrity Events
| Category | SubCategory | Description |
|---|---|---|
policy | - | Policy load/verify results, signer info, revocation/timestamp status, policy version/source, last-known-good fallback, parse/merge errors. |
admin | - | Delegated override evaluations, constraint violations, user profile/template application, policy change requests. |
integrity | - | Audit pipeline health signals, disk rollover, hash-chain checkpoints, timestamping results. |
Data Handling Events
| Category | SubCategory | Description |
|---|---|---|
dataMotion | - | Clipboard/dragDrop/screenCapture/screenShare decisions including channel, direction, matched rule id/priority, defaultAction fallback, bytes/items, transforms, rate limits, watermark/mode. |
fileOp | - | Files tab import/open/delete/list decisions, file type association routing, sizes/counts, deny reasons. |
Network and Device Events
| Category | SubCategory | Description |
|---|---|---|
network | - | Proxy selection, routing rule match (direct/proxy/deny), egress blocks, DNS constraints, connection test outcomes. |
device | - | Printer/removable media/camera/mic and other device allow/deny based on runtime devices configuration. |
Workflow, Behavioral, and AI Events
| Category | SubCategory | Description |
|---|---|---|
behavioral | uiInteraction | Detailed UI interaction events captured via runtime observability (for example, clicks, focus changes, navigation, menu selections). |
workflow | lifecycle | Workflow and business process lifecycle events (for example, workflow start/stop, task creation/completion, error/abort) used to correlate related actions, including approval workflows for appLaunch and in-app operations. |
ai | inference | AI model execution events (model id, latency, token counts, and redaction-safe prompt/response metadata only). |
ai | toolInvocation | Tool usage events initiated by AI agents (tool identifier, arguments metadata, outcome, latency; payloads subject to redaction settings). |
ai | reasoning | AI reasoning or chain-of-thought metadata (high-level reasoning descriptors or references, not raw reasoning content). |
Event envelope (normalized JSON)
All events share a common envelope. Fields may be omitted if not applicable.
json
{
"ts": "2025-06-06T03:11:22.123Z", // ISO8601 UTC
"eventId": "evt-...", // unique ID
"tenantId": "...", // optional
"machineId": "...", // device identifier
"user": { "sid": "S-1-5-21-...", "upn": "[email protected]" }, // human principal (when applicable)
"actor": { // executing principal (human, agent, or system)
"type": "human|agent|system",
"id": "...",
"attributes": {}
},
"session": { "containerName": "chrome-123", "runId": "..." },
"category": "ai", // see taxonomy (e.g., ai, workflow, dataMotion)
"subCategory": "inference", // optional; canonical id = "ai.inference"
"action": "allow", // allow | deny | config | policyChangeRequest | ...
"outcome": "success", // success | fail | partial
"severity": "info", // info | warn | error
"workflowId": "wf-2025-06-06-abc123", // optional workflow/case id
"taskId": "task-1", // optional task/step within the workflow
"rule": { "id": "ai-inference-default", "priority": 500, "scope": "global", "defaultApplied": false },
"metrics": { "bytes": 842, "items": 1, "latencyMs": 2 }, // extended by some categories (for example, tokensIn, tokensOut)
"target": {
"resourceType": "Application|Tool|Model", // logical resource type
"executionLocation": "local|remote", // Secure Sandbox vs remote placement
"shortcut": "...",
"resolvedExe": "...",
"modelId": "...",
"toolId": "..."
},
"match": { "mime": "text/plain" },
"semanticFindings": {
"entities": [],
"topics": [],
"sentiment": "neutral",
"classifications": [],
"labels": []
},
"client": { "launcherVersion": "x.y.z", "vmVersion": "a.b.c" },
"residency": { "allowedCountries": ["US","GB","IN","CN","BR"], "forbidInternationalTransfers": false },
"integrity": { "prevHash": "...", "hash": "...", "checkpointSig": null }
}Examples
- Data-motion allow (text)
json
{
"ts": "2025-06-06T03:11:22.123Z",
"category": "dataMotion",
"subCategory": "clipboard",
"action": "allow",
"outcome": "success",
"channel": "clipboard",
"direction": "out",
"user": { "upn": "[email protected]" },
"actor": {
"type": "human",
"id": "S-1-5-21-...",
"attributes": { "upn": "[email protected]" }
},
"workflowId": "wf-clipboard-001",
"taskId": "task-1",
"rule": { "id": "clip-txt-out", "priority": 900, "scope": "global", "defaultApplied": false },
"metrics": { "bytes": 842, "items": 1 },
"match": { "mime": "text/plain" },
"semanticFindings": {
"entities": [],
"topics": ["clipboard"],
"sentiment": "neutral",
"classifications": [],
"labels": []
},
"session": { "containerName": "chrome-123" },
"target": {
"resourceType": "Application",
"executionLocation": "local",
"shortcut": "Start Menu/Browser/Chrome.lnk",
"resolvedExe": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
},
"integrity": { "prevHash": "...", "hash": "..." }
}- Data-motion deny (image, size-gated)
json
{
"ts": "2025-06-06T03:13:45.200Z",
"category": "dataMotion",
"subCategory": "clipboard",
"action": "deny",
"outcome": "success",
"channel": "clipboard",
"direction": "out",
"user": { "upn": "[email protected]" },
"actor": {
"type": "human",
"id": "S-1-5-21-...",
"attributes": { "upn": "[email protected]" }
},
"rule": { "id": "img-large-deny", "priority": 800, "scope": "global", "defaultApplied": false },
"metrics": {
"bytes": 8847360,
"items": 1,
"image": {
"widthPx": 3840,
"heightPx": 2160,
"megapixels": 8.29,
"format": "png"
}
},
"match": { "mime": "image/png" },
"session": { "containerName": "chrome-123" },
"target": {
"resourceType": "Application",
"executionLocation": "local",
"shortcut": "Start Menu/Browser/Chrome.lnk",
"resolvedExe": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
},
"integrity": { "prevHash": "...", "hash": "..." }
}- App launch deny with identity failure
json
{
"ts": "2025-06-06T03:12:55.010Z",
"category": "authz",
"action": "deny",
"outcome": "fail",
"user": { "upn": "[email protected]" },
"actor": {
"type": "human",
"id": "S-1-5-21-...",
"attributes": { "upn": "[email protected]" }
},
"target": {
"resourceType": "Application",
"executionLocation": "local",
"shortcut": "Start Menu/Tools/SensitiveEditor.lnk",
"resolvedExe": "C:\\Apps\\SensitiveEditor.exe"
},
"reason": "publisherCertificate invalid or untrusted",
"identity": {
"publisherCN": "Contoso Software LLC",
"revocation": "ocsp-failed",
"timestamp": "absent"
},
"rule": { "id": "sensitive-editor", "priority": 800 },
"integrity": { "prevHash": "...", "hash": "..." }
}- App launch with approval workflow (simplified)
json
{
"ts": "2025-06-06T04:00:00.000Z",
"category": "authz",
"action": "requestApproval",
"outcome": "submitted",
"user": { "upn": "[email protected]" },
"actor": {
"type": "human",
"id": "S-1-5-21-...",
"attributes": { "upn": "[email protected]" }
},
"workflowId": "wf-appLaunch-1234",
"rule": { "id": "sensitive-engineering-tools", "priority": 400, "scope": "global" },
"target": {
"resourceType": "Application",
"executionLocation": "remote",
"shortcut": "Desktop/Sensitive Tools.lnk",
"resolvedExe": "C:\\Tools\\Sensitive\\tool.exe",
"operationId": "appLaunch"
},
"integrity": { "prevHash": "...", "hash": "..." }
}- Approval decision and launch correlation (simplified)
json
{
"ts": "2025-06-06T04:01:00.000Z",
"category": "workflow",
"subCategory": "lifecycle",
"action": "approve",
"outcome": "success",
"user": { "upn": "[email protected]" },
"actor": {
"type": "human",
"id": "S-1-5-21-...",
"attributes": { "role": "manager" }
},
"workflowId": "wf-appLaunch-1234",
"taskId": "approval-step-1",
"target": {
"resourceType": "Application",
"operationId": "appLaunch"
},
"integrity": { "prevHash": "...", "hash": "..." }
}- AI inference (agent acting on behalf of a user)
json
{
"ts": "2025-06-06T03:15:00.000Z",
"category": "ai",
"subCategory": "inference",
"action": "allow",
"outcome": "success",
"user": { "upn": "[email protected]" },
"actor": {
"type": "agent",
"id": "analysis-agent-01",
"attributes": { "agentVersion": "1.2.3" }
},
"workflowId": "wf-incident-123",
"taskId": "task-3",
"rule": { "id": "ai-inference-default", "priority": 500 },
"metrics": { "tokensIn": 128, "tokensOut": 256, "latencyMs": 120 },
"target": {
"resourceType": "Model",
"executionLocation": "remote",
"modelId": "gpt-4.1-mini",
"endpoint": "https://models.contoso.com/infer"
},
"semanticFindings": {
"topics": ["incidentSummary"],
"sentiment": "neutral",
"classifications": [],
"labels": ["ai.inference"]
},
"integrity": { "prevHash": "...", "hash": "..." }
}Configuration
Audit configuration is authored under configuration.launch.runtime.audit.
Settings
json
{
"configuration": {
"launch": { "runtime": {
"audit": {
"settings": {
"enabled": true,
"level": "standard", // off | minimal | standard | verbose | debug
"categoryOverrides": { // optional per-category levels
"policy": "minimal",
"dataMotion": "standard"
},
"redaction": {
"redactUserDisplay": true,
"includeUserSid": true,
"includeUserUpn": false,
"pathTokenization": "standard"
},
"integrity": {
"hashChain": true,
"checkpoint": { "everyEvents": 1000 },
"timestamping": { "mode": "none" } // none | rfc3161
},
"failurePolicy": {
"onFailure": "degrade", // continue | degrade
"requireHealthyFor": ["screenShare"] // actions blocked when audit is unhealthy
},
"dataResidency": {
"enforceByMetadata": true,
"allowedCountries": ["US","GB","IN","CN","BR"],
"allowedCloudRegions": ["aws:us-east-1","azure:uksouth"],
"forbidInternationalTransfers": false
},
"export": {
"mode": "platform",
"localDiagnostics": { "enabled": true, "maxSizeMb": 100 }
}
}
}
} }
}
}Integrity, Failure Policy, and Export (CMMC AU)
This example shows a CMMC-aligned posture that enforces RFC3161 timestamping, fails closed when audit cannot be guaranteed, and requires confirmed delivery to a downstream SIEM with immutable retention metadata.
json
{
"configuration": {
"launch": { "runtime": {
"audit": {
"settings": {
"integrity": {
"hashChain": true,
"timestamping": { "mode": "rfc3161", "tsaUrl": "http://timestamp.provider.com" }
},
"failurePolicy": {
"onFailure": "block",
"requireHealthyFor": ["all"]
},
"export": {
"mode": "siemForwarding",
"deliveryGuarantee": "atLeastOnceConfirmed",
"complianceMetadata": { "retentionPolicyRef": "worm-7y" }
}
}
}
} }
}
}Notes
onFailure=block: Fail closed if auditing cannot be guaranteed. Blocks all actions listed inrequireHealthyFor; the token"all"applies to all gated operations (for example,sessionStart,appLaunch,dataMotion.clipboard,fileOp.import,screenShare.start).deliveryGuarantee=atLeastOnceConfirmed: Requires an acknowledgment from the receiving system; may increase latency and interacts withfailurePolicy.complianceMetadata.retentionPolicyRef: Opaque hint for downstream WORM/immutability (for example, 7-year retention).- Recommended: Use HTTPS for
tsaUrlwhen possible.
PII redaction modes and classification context
To align with ITAR/CMMC, audit supports structured PII redaction and classification context emission.
Redaction settings (extended)
json
{
"configuration": {
"launch": { "runtime": {
"audit": {
"settings": {
"redaction": {
"pii": "hash", // mask | hash | drop | none
"variablesAllowlist": ["Classification"],
"hashAlgorithm": "sha256",
"salt": "env:PII_SALT"
}
}
}
} }
}
}pii:maskreplaces characters with asterisks (configurable keep N on the right),hashoutputs a salted digest,dropomits the field,noneincludes raw value.variablesAllowlist: restricts which dynamic variables may appear in audit payloads (for example, when referencing watermark templates). Non-allowlisted variables are redacted perpiimode.salt/hashAlgorithm: use environment-backed salt for stable-but-unreversible attribution across events.
Classification fields in data-motion events
classification: { state: "known"|"unknown", normalized: ["CUI", "ITAR"], provider: { name: "corp-purview", labels: ["…"] }, confidence: 0.92 }watermarkTemplateUsed: booleanuserIdentifiers: { upn: "…" }(subject to redaction)
Example (clipboard deny with classification)
json
{
"ts": "2025-06-06T03:14:01.000Z",
"category": "dataMotion", "action": "deny", "channel": "clipboard", "direction": "out",
"rule": { "id": "clip-deny-cui-itar-out", "priority": 1000, "scope": "global" },
"classification": {
"state": "known",
"normalized": ["CUI"],
"provider": { "name": "corp-purview", "labels": ["11111111-2222-3333-4444-555555555555"] },
"confidence": 0.93
},
"user": { "upn": "9f2c8a10" },
"integrity": { "prevHash": "...", "hash": "..." }
}Notes
- Transport/retention are handled by platform services. The client emits a normalized event stream and keeps an optional local diagnostic ring buffer.
- Integrity uses a per-record hash chain with periodic checkpoints; RFC3161 timestamping is optional for future CMMC alignment.
- Redaction ensures metadata only (no payload content by default). Content hashing is not enabled.
Policy change requests (optional)
Allow users/admins to submit structured requests when actions are denied (e.g., blocked launch or clipboard). Requests are auditable and forwarded to platform approval workflows.
json
{
"configuration": {
"launch": { "runtime": {
"audit": {
"changeRequests": {
"enabled": true,
"requireJustification": true,
"allowedPaths": [
"apps[*].capabilities",
"configuration.launch.runtime.dataMotion.rules[*]"
],
"payloadFormat": "policyIntent", // policyIntent | jsonPatch
"attachContext": { "lastDenyEventRef": true, "includeRedactedDetails": true }
}
}
} }
}
}A submitted request produces an admin event:
json
{
"category": "admin",
"action": "policyChangeRequest",
"outcome": "submitted",
"request": {
"id": "req-20250606-1234",
"intent": {
"addDataMotionRule": { "channel": "clipboard", "direction": "out", "allow": "text/plain", "sizeBytesMax": 65536 }
},
"justification": "Allow plain text clipboard for team X",
"context": { "denyEventId": "evt-..." }
}
}Notes
- Access approval workflows (for example, approval-gated
appLaunch) useauthzevents withaction: "requestApproval"andworkflow.lifecycleevents for decisions. Policy change requests remain under theadmincategory and are distinct from access approvals.
Recommended defaults (regulated)
level: standardcategoryOverrides: { policy: minimal, authz: minimal }failurePolicy: onFailure=degrade; requireHealthyFor=["screenShare"]redaction: redactUserDisplay=true; includeUserSid=true; includeUserUpn=false; pathTokenization=standarddataResidency: enforceByMetadata=true; allowedCountries includes US, GB, IN, CN, BR; forbidInternationalTransfers=false(enforced downstream)
Compliance notes
- NIST 800-171 / CMMC: AU-2/3.3.1 (coverage), AU-3/3.3.2-3 (record content), AU-4/3.3.4 (capacity/rollover), AU-5/3.3.5 (audit failure response), AU-6/3.3.6-7 (review/reporting), CM-3 (configuration change tracking).
- ITAR: mark events with residency metadata; use platform-side regional storage/WORM; do not capture content by default.
Where to configure
- Global (all launches):
configuration.launch.runtime.audit - Per-app and launch profile: not supported; audit is global to ensure consistent compliance posture.
