Skip to content

Evidence Capture

Follow these steps to collect artifacts that prove controls are working as intended.

Required Audit Fields

  • category (e.g., dataMotion, network, fileOp, authz, device)
  • subCategory/channel (clipboard, dragDrop, screenCapture, etc.)
  • action (allow, deny, process), outcome
  • rule object: id, priority, scope
  • classification context where applicable: state, normalized[], provider { name, labels[] }, confidence
  • bytes/items counts where applicable
  • metrics.image for image clipboard events: widthPx, heightPx, megapixels, format
  • watermarkTemplateUsed when screen capture deterrence is active
  • integrity chain: hash, prevHash
  • context: sessionId, appId, siteRef

How to Capture

  • Export JSON Lines (.jsonl) from the local log or SIEM for the test window.
  • Name files by test ID: YYYY-MM-DD/DM-CLIP-01/audit.jsonl.
  • Include a short notes.md with environment, policy version, and tester name.

Screenshots

  • Capture UI prompts/denials and watermark results where applicable.
  • Redact PII or use hashed identifiers per audit redaction posture.

Packaging for Auditors

  • Zip per suite with folders per test ID.
  • Include links back to the Validation Overview rows used.

DataMotion Audit Schema

Use this strictly typed JSON schema to validate that forensic artifacts contain the necessary chain-of-custody fields.

json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "required": [
    "category",
    "channel",
    "action",
    "integrity",
    "rule",
    "classification"
  ],
  "properties": {
    "category": {
      "type": "string",
      "const": "dataMotion"
    },
    "channel": {
      "type": "string",
      "description": "The data channel (e.g., clipboard, dragDrop)"
    },
    "action": {
      "type": "string",
      "enum": ["allow", "deny", "process"]
    },
    "integrity": {
      "type": "object",
      "required": ["hash"],
      "properties": {
        "hash": {
          "type": "string",
          "pattern": "^[a-fA-F0-9]{64}$",
          "description": "SHA-256 hash of the event for tamper-evidence"
        },
        "prevHash": {
          "type": "string"
        }
      }
    },
    "rule": {
      "type": "object",
      "required": ["id"],
      "properties": {
        "id": {
          "type": "string",
          "description": "ID of the policy rule that triggered this event"
        },
        "priority": {
          "type": "integer"
        }
      }
    },
    "classification": {
      "type": "object",
      "required": ["normalized"],
      "properties": {
        "normalized": {
          "type": "array",
          "items": { "type": "string" },
          "description": "Normalized tags (e.g., ['CUI', 'ITAR'])"
        }
      }
    }
  }
}

SIEM Query Logic

Use the following sample logic to create alerts for the mapped adversarial scenarios.

Splunk

splunk
# HARD-POLICY-01: Rename Attack / Identity Bypass
index=turbo_audit category=authz action=deny reason="identity requirements failed"
| stats count by user, process_name, host
| alert when count > 0

# DM-CLIP-01: Clipboard Exfiltration (Failed)
index=turbo_audit category=dataMotion channel=clipboard action=deny
| stats count by rule.id, classification.normalized{}, user
| alert when count > 0

# DM-CLIP-09..12: Image Size-Gated Clipboard Deny
index=turbo_audit category=dataMotion channel=clipboard action=deny metrics.image.megapixels>0
| stats count values(metrics.image.megapixels) values(metrics.image.widthPx) by rule.id, user
| alert when count > 0

# NET-PROTO-01: QUIC/HTTP3 Evasion Attempt
index=turbo_audit category=network action=deny (alpn="h3" OR protocol="udp")
| stats count by dest_ip, process_path
| alert when count > 5

KQL (Azure Sentinel / Log Analytics)

kusto
// HARD-POLICY-01: Rename Attack
TurboAudit_CL
| where category_s == "authz" and action_s == "deny" and reason_s == "identity requirements failed"
| project TimeGenerated, User_s, ProcessName_s, Host_s

// DM-CLIP-01: Clipboard Exfiltration
TurboAudit_CL
| where category_s == "dataMotion" and channel_s == "clipboard" and action_s == "deny"
| project TimeGenerated, RuleId_s = rule_id_s, Tags = classification_normalized_s

// NET-PROTO-01: QUIC/HTTP3 Evasion
TurboAudit_CL
| where category_s == "network" and action_s == "deny"
| where alpn_s == "h3" or protocol_s == "udp"
| summarize Count=count() by DestIP_s, ProcessPath_s
| where Count > 5