Appearance
Evidence Capture
Follow these steps to collect artifacts that prove controls are working as intended.
Required Audit Fields
category(e.g.,dataMotion,network,fileOp,authz,device)subCategory/channel(clipboard, dragDrop, screenCapture, etc.)action(allow, deny, process),outcomeruleobject:id,priority,scopeclassificationcontext where applicable:state,normalized[],provider { name, labels[] },confidencebytes/itemscounts where applicablemetrics.imagefor image clipboard events:widthPx,heightPx,megapixels,formatwatermarkTemplateUsedwhen screen capture deterrence is activeintegritychain:hash,prevHashcontext:sessionId,appId,siteRef
How to Capture
- Export JSON Lines (
.jsonl) from the local log or SIEM for the test window. - Name files by test ID:
YYYY-MM-DD/DM-CLIP-01/audit.jsonl. - Include a short
notes.mdwith environment, policy version, and tester name.
Screenshots
- Capture UI prompts/denials and watermark results where applicable.
- Redact PII or use hashed identifiers per audit redaction posture.
Packaging for Auditors
- Zip per suite with folders per test ID.
- Include links back to the Validation Overview rows used.
DataMotion Audit Schema
Use this strictly typed JSON schema to validate that forensic artifacts contain the necessary chain-of-custody fields.
json
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"required": [
"category",
"channel",
"action",
"integrity",
"rule",
"classification"
],
"properties": {
"category": {
"type": "string",
"const": "dataMotion"
},
"channel": {
"type": "string",
"description": "The data channel (e.g., clipboard, dragDrop)"
},
"action": {
"type": "string",
"enum": ["allow", "deny", "process"]
},
"integrity": {
"type": "object",
"required": ["hash"],
"properties": {
"hash": {
"type": "string",
"pattern": "^[a-fA-F0-9]{64}$",
"description": "SHA-256 hash of the event for tamper-evidence"
},
"prevHash": {
"type": "string"
}
}
},
"rule": {
"type": "object",
"required": ["id"],
"properties": {
"id": {
"type": "string",
"description": "ID of the policy rule that triggered this event"
},
"priority": {
"type": "integer"
}
}
},
"classification": {
"type": "object",
"required": ["normalized"],
"properties": {
"normalized": {
"type": "array",
"items": { "type": "string" },
"description": "Normalized tags (e.g., ['CUI', 'ITAR'])"
}
}
}
}
}SIEM Query Logic
Use the following sample logic to create alerts for the mapped adversarial scenarios.
Splunk
splunk
# HARD-POLICY-01: Rename Attack / Identity Bypass
index=turbo_audit category=authz action=deny reason="identity requirements failed"
| stats count by user, process_name, host
| alert when count > 0
# DM-CLIP-01: Clipboard Exfiltration (Failed)
index=turbo_audit category=dataMotion channel=clipboard action=deny
| stats count by rule.id, classification.normalized{}, user
| alert when count > 0
# DM-CLIP-09..12: Image Size-Gated Clipboard Deny
index=turbo_audit category=dataMotion channel=clipboard action=deny metrics.image.megapixels>0
| stats count values(metrics.image.megapixels) values(metrics.image.widthPx) by rule.id, user
| alert when count > 0
# NET-PROTO-01: QUIC/HTTP3 Evasion Attempt
index=turbo_audit category=network action=deny (alpn="h3" OR protocol="udp")
| stats count by dest_ip, process_path
| alert when count > 5KQL (Azure Sentinel / Log Analytics)
kusto
// HARD-POLICY-01: Rename Attack
TurboAudit_CL
| where category_s == "authz" and action_s == "deny" and reason_s == "identity requirements failed"
| project TimeGenerated, User_s, ProcessName_s, Host_s
// DM-CLIP-01: Clipboard Exfiltration
TurboAudit_CL
| where category_s == "dataMotion" and channel_s == "clipboard" and action_s == "deny"
| project TimeGenerated, RuleId_s = rule_id_s, Tags = classification_normalized_s
// NET-PROTO-01: QUIC/HTTP3 Evasion
TurboAudit_CL
| where category_s == "network" and action_s == "deny"
| where alpn_s == "h3" or protocol_s == "udp"
| summarize Count=count() by DestIP_s, ProcessPath_s
| where Count > 5