Skip to content

Audit Trails

Define and control audit logging for security-relevant decisions and actions taken by the Turbo Launcher. The Audit Trails capability is designed for regulated industries (CMMC, NIST 800-171, ITAR) and focuses on what is audited and how policy governs audit behavior. Transport, centralized retention, and SIEM integrations are handled by the platform/server infrastructure.

What You'll Learn

  • Which events are audited (event taxonomy)
  • The normalized audit event envelope
  • How to configure audit level, redaction, integrity, data residency, and failure behavior
  • How to enable user/admin policy change requests (auditable)
  • Recommended defaults for regulated environments

Goals

  • Provide trustworthy, tamper-evident audit records for authorization decisions, data-motion gating, file operations, networking, device access, policy integrity, and session lifecycle.
  • Emit metadata only (no content/payload by default) with configurable redaction to reduce sensitivity.
  • Attach residency and compliance metadata for downstream enforcement by enterprise systems.

Event taxonomy

Events are grouped by category, with an optional subCategory for hierarchical event families. Capture levels are configured globally (with per-category overrides): off, minimal, standard (default), verbose, debug.

When subCategory is present, the canonical identifier is category.subCategory (for example, behavioral.uiInteraction).

Access and Authorization Events

CategorySubCategoryDescription
authz-Application discovery and allow/deny decisions, matched rule and identity checks (publisher certificate, hash, version), selected launch profile, runtime modifications applied, approval-gated appLaunch attempts and outcomes.
session-Container create/start/stop, reset session, diagnostic mode usage, VM/client versions.

Policy, Governance, and Integrity Events

CategorySubCategoryDescription
policy-Policy load/verify results, signer info, revocation/timestamp status, policy version/source, last-known-good fallback, parse/merge errors.
admin-Delegated override evaluations, constraint violations, user profile/template application, policy change requests.
integrity-Audit pipeline health signals, disk rollover, hash-chain checkpoints, timestamping results.

Data Handling Events

CategorySubCategoryDescription
dataMotion-Clipboard/dragDrop/screenCapture/screenShare decisions including channel, direction, matched rule id/priority, defaultAction fallback, bytes/items, transforms, rate limits, watermark/mode.
fileOp-Files tab import/open/delete/list decisions, file type association routing, sizes/counts, deny reasons.

Network and Device Events

CategorySubCategoryDescription
network-Proxy selection, routing rule match (direct/proxy/deny), egress blocks, DNS constraints, connection test outcomes.
device-Printer/removable media/camera/mic and other device allow/deny based on runtime devices configuration.

Workflow, Behavioral, and AI Events

CategorySubCategoryDescription
behavioraluiInteractionDetailed UI interaction events captured via runtime observability (for example, clicks, focus changes, navigation, menu selections).
workflowlifecycleWorkflow and business process lifecycle events (for example, workflow start/stop, task creation/completion, error/abort) used to correlate related actions, including approval workflows for appLaunch and in-app operations.
aiinferenceAI model execution events (model id, latency, token counts, and redaction-safe prompt/response metadata only).
aitoolInvocationTool usage events initiated by AI agents (tool identifier, arguments metadata, outcome, latency; payloads subject to redaction settings).
aireasoningAI reasoning or chain-of-thought metadata (high-level reasoning descriptors or references, not raw reasoning content).

Event envelope (normalized JSON)

All events share a common envelope. Fields may be omitted if not applicable.

json
{
  "ts": "2025-06-06T03:11:22.123Z",            // ISO8601 UTC
  "eventId": "evt-...",                        // unique ID
  "tenantId": "...",                           // optional
  "machineId": "...",                          // device identifier

  "user": { "sid": "S-1-5-21-...", "upn": "[email protected]" }, // human principal (when applicable)
  "actor": {                                   // executing principal (human, agent, or system)
    "type": "human|agent|system",
    "id": "...",
    "attributes": {}
  },

  "session": { "containerName": "chrome-123", "runId": "..." },

  "category": "ai",                            // see taxonomy (e.g., ai, workflow, dataMotion)
  "subCategory": "inference",                  // optional; canonical id = "ai.inference"
  "action": "allow",                           // allow | deny | config | policyChangeRequest | ...
  "outcome": "success",                        // success | fail | partial
  "severity": "info",                          // info | warn | error

  "workflowId": "wf-2025-06-06-abc123",        // optional workflow/case id
  "taskId": "task-1",                          // optional task/step within the workflow

  "rule": { "id": "ai-inference-default", "priority": 500, "scope": "global", "defaultApplied": false },

  "metrics": { "bytes": 842, "items": 1, "latencyMs": 2 }, // extended by some categories (for example, tokensIn, tokensOut)

  "target": {
    "resourceType": "Application|Tool|Model",  // logical resource type
    "executionLocation": "local|remote",       // Secure Sandbox vs remote placement
    "shortcut": "...",
    "resolvedExe": "...",
    "modelId": "...",
    "toolId": "..."
  },

  "match": { "mime": "text/plain" },
  "semanticFindings": {
    "entities": [],
    "topics": [],
    "sentiment": "neutral",
    "classifications": [],
    "labels": []
  },

  "client": { "launcherVersion": "x.y.z", "vmVersion": "a.b.c" },
  "residency": { "allowedCountries": ["US","GB","IN","CN","BR"], "forbidInternationalTransfers": false },
  "integrity": { "prevHash": "...", "hash": "...", "checkpointSig": null }
}

Examples

  • Data-motion allow (text)
json
{
  "ts": "2025-06-06T03:11:22.123Z",
  "category": "dataMotion",
  "subCategory": "clipboard",
  "action": "allow",
  "outcome": "success",
  "channel": "clipboard",
  "direction": "out",
  "user": { "upn": "[email protected]" },
  "actor": {
    "type": "human",
    "id": "S-1-5-21-...",
    "attributes": { "upn": "[email protected]" }
  },
  "workflowId": "wf-clipboard-001",
  "taskId": "task-1",
  "rule": { "id": "clip-txt-out", "priority": 900, "scope": "global", "defaultApplied": false },
  "metrics": { "bytes": 842, "items": 1 },
  "match": { "mime": "text/plain" },
  "semanticFindings": {
    "entities": [],
    "topics": ["clipboard"],
    "sentiment": "neutral",
    "classifications": [],
    "labels": []
  },
  "session": { "containerName": "chrome-123" },
  "target": {
    "resourceType": "Application",
    "executionLocation": "local",
    "shortcut": "Start Menu/Browser/Chrome.lnk",
    "resolvedExe": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
  },
  "integrity": { "prevHash": "...", "hash": "..." }
}
  • Data-motion deny (image, size-gated)
json
{
  "ts": "2025-06-06T03:13:45.200Z",
  "category": "dataMotion",
  "subCategory": "clipboard",
  "action": "deny",
  "outcome": "success",
  "channel": "clipboard",
  "direction": "out",
  "user": { "upn": "[email protected]" },
  "actor": {
    "type": "human",
    "id": "S-1-5-21-...",
    "attributes": { "upn": "[email protected]" }
  },
  "rule": { "id": "img-large-deny", "priority": 800, "scope": "global", "defaultApplied": false },
  "metrics": {
    "bytes": 8847360,
    "items": 1,
    "image": {
      "widthPx": 3840,
      "heightPx": 2160,
      "megapixels": 8.29,
      "format": "png"
    }
  },
  "match": { "mime": "image/png" },
  "session": { "containerName": "chrome-123" },
  "target": {
    "resourceType": "Application",
    "executionLocation": "local",
    "shortcut": "Start Menu/Browser/Chrome.lnk",
    "resolvedExe": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
  },
  "integrity": { "prevHash": "...", "hash": "..." }
}
  • App launch deny with identity failure
json
{
  "ts": "2025-06-06T03:12:55.010Z",
  "category": "authz",
  "action": "deny",
  "outcome": "fail",
  "user": { "upn": "[email protected]" },
  "actor": {
    "type": "human",
    "id": "S-1-5-21-...",
    "attributes": { "upn": "[email protected]" }
  },
  "target": {
    "resourceType": "Application",
    "executionLocation": "local",
    "shortcut": "Start Menu/Tools/SensitiveEditor.lnk",
    "resolvedExe": "C:\\Apps\\SensitiveEditor.exe"
  },
  "reason": "publisherCertificate invalid or untrusted",
  "identity": {
    "publisherCN": "Contoso Software LLC",
    "revocation": "ocsp-failed",
    "timestamp": "absent"
  },
  "rule": { "id": "sensitive-editor", "priority": 800 },
  "integrity": { "prevHash": "...", "hash": "..." }
}
  • App launch with approval workflow (simplified)
json
{
  "ts": "2025-06-06T04:00:00.000Z",
  "category": "authz",
  "action": "requestApproval",
  "outcome": "submitted",
  "user": { "upn": "[email protected]" },
  "actor": {
    "type": "human",
    "id": "S-1-5-21-...",
    "attributes": { "upn": "[email protected]" }
  },
  "workflowId": "wf-appLaunch-1234",
  "rule": { "id": "sensitive-engineering-tools", "priority": 400, "scope": "global" },
  "target": {
    "resourceType": "Application",
    "executionLocation": "remote",
    "shortcut": "Desktop/Sensitive Tools.lnk",
    "resolvedExe": "C:\\Tools\\Sensitive\\tool.exe",
    "operationId": "appLaunch"
  },
  "integrity": { "prevHash": "...", "hash": "..." }
}
  • Approval decision and launch correlation (simplified)
json
{
  "ts": "2025-06-06T04:01:00.000Z",
  "category": "workflow",
  "subCategory": "lifecycle",
  "action": "approve",
  "outcome": "success",
  "user": { "upn": "[email protected]" },
  "actor": {
    "type": "human",
    "id": "S-1-5-21-...",
    "attributes": { "role": "manager" }
  },
  "workflowId": "wf-appLaunch-1234",
  "taskId": "approval-step-1",
  "target": {
    "resourceType": "Application",
    "operationId": "appLaunch"
  },
  "integrity": { "prevHash": "...", "hash": "..." }
}
  • AI inference (agent acting on behalf of a user)
json
{
  "ts": "2025-06-06T03:15:00.000Z",
  "category": "ai",
  "subCategory": "inference",
  "action": "allow",
  "outcome": "success",
  "user": { "upn": "[email protected]" },
  "actor": {
    "type": "agent",
    "id": "analysis-agent-01",
    "attributes": { "agentVersion": "1.2.3" }
  },
  "workflowId": "wf-incident-123",
  "taskId": "task-3",
  "rule": { "id": "ai-inference-default", "priority": 500 },
  "metrics": { "tokensIn": 128, "tokensOut": 256, "latencyMs": 120 },
  "target": {
    "resourceType": "Model",
    "executionLocation": "remote",
    "modelId": "gpt-4.1-mini",
    "endpoint": "https://models.contoso.com/infer"
  },
  "semanticFindings": {
    "topics": ["incidentSummary"],
    "sentiment": "neutral",
    "classifications": [],
    "labels": ["ai.inference"]
  },
  "integrity": { "prevHash": "...", "hash": "..." }
}

Configuration

Audit configuration is authored under configuration.launch.runtime.audit.

Settings

json
{
  "configuration": {
    "launch": { "runtime": {
      "audit": {
        "settings": {
          "enabled": true,
          "level": "standard",                     // off | minimal | standard | verbose | debug
          "categoryOverrides": {                    // optional per-category levels
            "policy": "minimal",
            "dataMotion": "standard"
          },
          "redaction": {
            "redactUserDisplay": true,
            "includeUserSid": true,
            "includeUserUpn": false,
            "pathTokenization": "standard"
          },
          "integrity": {
            "hashChain": true,
            "checkpoint": { "everyEvents": 1000 },
            "timestamping": { "mode": "none" }   // none | rfc3161
          },
          "failurePolicy": {
            "onFailure": "degrade",                // continue | degrade
            "requireHealthyFor": ["screenShare"]   // actions blocked when audit is unhealthy
          },
          "dataResidency": {
            "enforceByMetadata": true,
            "allowedCountries": ["US","GB","IN","CN","BR"],
            "allowedCloudRegions": ["aws:us-east-1","azure:uksouth"],
            "forbidInternationalTransfers": false
          },
          "export": {
            "mode": "platform",
            "localDiagnostics": { "enabled": true, "maxSizeMb": 100 }
          }
        }
      }
    } }
  }
}

Integrity, Failure Policy, and Export (CMMC AU)

This example shows a CMMC-aligned posture that enforces RFC3161 timestamping, fails closed when audit cannot be guaranteed, and requires confirmed delivery to a downstream SIEM with immutable retention metadata.

json
{
  "configuration": {
    "launch": { "runtime": {
      "audit": {
        "settings": {
          "integrity": {
            "hashChain": true,
            "timestamping": { "mode": "rfc3161", "tsaUrl": "http://timestamp.provider.com" }
          },
          "failurePolicy": {
            "onFailure": "block",
            "requireHealthyFor": ["all"]
          },
          "export": {
            "mode": "siemForwarding",
            "deliveryGuarantee": "atLeastOnceConfirmed",
            "complianceMetadata": { "retentionPolicyRef": "worm-7y" }
          }
        }
      }
    } }
  }
}

Notes

  • onFailure=block: Fail closed if auditing cannot be guaranteed. Blocks all actions listed in requireHealthyFor; the token "all" applies to all gated operations (for example, sessionStart, appLaunch, dataMotion.clipboard, fileOp.import, screenShare.start).
  • deliveryGuarantee=atLeastOnceConfirmed: Requires an acknowledgment from the receiving system; may increase latency and interacts with failurePolicy.
  • complianceMetadata.retentionPolicyRef: Opaque hint for downstream WORM/immutability (for example, 7-year retention).
  • Recommended: Use HTTPS for tsaUrl when possible.

PII redaction modes and classification context

To align with ITAR/CMMC, audit supports structured PII redaction and classification context emission.

Redaction settings (extended)

json
{
  "configuration": {
    "launch": { "runtime": {
      "audit": {
        "settings": {
          "redaction": {
            "pii": "hash",                      // mask | hash | drop | none
            "variablesAllowlist": ["Classification"],
            "hashAlgorithm": "sha256",
            "salt": "env:PII_SALT"
          }
        }
      }
    } }
  }
}
  • pii: mask replaces characters with asterisks (configurable keep N on the right), hash outputs a salted digest, drop omits the field, none includes raw value.
  • variablesAllowlist: restricts which dynamic variables may appear in audit payloads (for example, when referencing watermark templates). Non-allowlisted variables are redacted per pii mode.
  • salt / hashAlgorithm: use environment-backed salt for stable-but-unreversible attribution across events.

Classification fields in data-motion events

  • classification: { state: "known"|"unknown", normalized: ["CUI", "ITAR"], provider: { name: "corp-purview", labels: ["…"] }, confidence: 0.92 }
  • watermarkTemplateUsed: boolean
  • userIdentifiers: { upn: "…" } (subject to redaction)

Example (clipboard deny with classification)

json
{
  "ts": "2025-06-06T03:14:01.000Z",
  "category": "dataMotion", "action": "deny", "channel": "clipboard", "direction": "out",
  "rule": { "id": "clip-deny-cui-itar-out", "priority": 1000, "scope": "global" },
  "classification": {
    "state": "known",
    "normalized": ["CUI"],
    "provider": { "name": "corp-purview", "labels": ["11111111-2222-3333-4444-555555555555"] },
    "confidence": 0.93
  },
  "user": { "upn": "9f2c8a10" },
  "integrity": { "prevHash": "...", "hash": "..." }
}

Notes

  • Transport/retention are handled by platform services. The client emits a normalized event stream and keeps an optional local diagnostic ring buffer.
  • Integrity uses a per-record hash chain with periodic checkpoints; RFC3161 timestamping is optional for future CMMC alignment.
  • Redaction ensures metadata only (no payload content by default). Content hashing is not enabled.

Policy change requests (optional)

Allow users/admins to submit structured requests when actions are denied (e.g., blocked launch or clipboard). Requests are auditable and forwarded to platform approval workflows.

json
{
  "configuration": {
    "launch": { "runtime": {
      "audit": {
        "changeRequests": {
          "enabled": true,
          "requireJustification": true,
          "allowedPaths": [
            "apps[*].capabilities",
            "configuration.launch.runtime.dataMotion.rules[*]"
          ],
          "payloadFormat": "policyIntent",        // policyIntent | jsonPatch
          "attachContext": { "lastDenyEventRef": true, "includeRedactedDetails": true }
        }
      }
    } }
  }
}

A submitted request produces an admin event:

json
{
  "category": "admin",
  "action": "policyChangeRequest",
  "outcome": "submitted",
  "request": {
    "id": "req-20250606-1234",
    "intent": {
      "addDataMotionRule": { "channel": "clipboard", "direction": "out", "allow": "text/plain", "sizeBytesMax": 65536 }
    },
    "justification": "Allow plain text clipboard for team X",
    "context": { "denyEventId": "evt-..." }
  }
}

Notes

  • Access approval workflows (for example, approval-gated appLaunch) use authz events with action: "requestApproval" and workflow.lifecycle events for decisions. Policy change requests remain under the admin category and are distinct from access approvals.
  • level: standard
  • categoryOverrides: { policy: minimal, authz: minimal }
  • failurePolicy: onFailure=degrade; requireHealthyFor=["screenShare"]
  • redaction: redactUserDisplay=true; includeUserSid=true; includeUserUpn=false; pathTokenization=standard
  • dataResidency: enforceByMetadata=true; allowedCountries includes US, GB, IN, CN, BR; forbidInternationalTransfers=false (enforced downstream)

Compliance notes

  • NIST 800-171 / CMMC: AU-2/3.3.1 (coverage), AU-3/3.3.2-3 (record content), AU-4/3.3.4 (capacity/rollover), AU-5/3.3.5 (audit failure response), AU-6/3.3.6-7 (review/reporting), CM-3 (configuration change tracking).
  • ITAR: mark events with residency metadata; use platform-side regional storage/WORM; do not capture content by default.

Where to configure

  • Global (all launches): configuration.launch.runtime.audit
  • Per-app and launch profile: not supported; audit is global to ensure consistent compliance posture.

See also