Event Sources, Redaction, Triage, and Non-Claims

Security logging, monitoring, and detection

Latticra records logging, monitoring, and detection requirements before hosted services, production monitoring, detection services, SIEM integration, telemetry export, or security operations claims can promote. It does not implement a log collector, SIEM, telemetry export, host sensor, network sensor, detection rule, alerting service, log storage, or monitoring authority.

Current Rule

Local reports are not monitoring services.

Current reporting work is deterministic, local, and no-effect. The baseline requires event-source inventory, audit event selection, runtime decision events, denial reasons, identity/access events, privileged actions, redaction, integrity controls, retention, disposal, triage ownership, and incident handoff before monitoring language can change.

01

Event source inventory

Security event sources need owners, schemas, selected audit events, severity taxonomy, and time-source records before production audit claims.

02

Decision and access events

Runtime decisions, denial reasons, identity/access events, privileged actions, configuration changes, and security errors must be explicit.

03

Redaction and integrity

Logs require redaction review, secret-marker scanning, integrity controls, access controls, retention, and disposal process records.
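The three mechanical pieces of that requirement (secret-marker scan, redaction that preserves record shape, and an integrity control) can be shown in one small local report writer. This is an added example, not Latticra's guard scripts: the event field names (`event`, `decision`, `reason`, `detail`), the marker patterns, and the sample events with their fake token and key values are all assumptions made for illustration.

```python
"""Secret-marker scan, redaction, and a hash-chained local record.

Added example; not Latticra code. The event fields and marker patterns
are assumptions for illustration, not the project's schema or marker list.
"""
import hashlib
import json
import re
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64

# Illustrative secret markers (assumed). Ordered so the specific private-key
# and bearer-token patterns run before the generic key=value one.
SECRET_MARKERS: List[Tuple[str, re.Pattern]] = [
    ("private_key_block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}", re.IGNORECASE)),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("kv_secret",
     re.compile(r"\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+", re.IGNORECASE)),
]


def scan_and_redact(text: str) -> Tuple[str, List[str]]:
    """Replace every marker hit with a labelled placeholder; report which markers fired."""
    found: List[str] = []
    for name, pattern in SECRET_MARKERS:
        if pattern.search(text):
            found.append(name)
            text = pattern.sub(f"[REDACTED:{name}]", text)
    return text, found


def redact_value(value: Any) -> Tuple[Any, List[str]]:
    """Walk strings, lists and dicts; keep the record shape, strip secret material."""
    if isinstance(value, str):
        return scan_and_redact(value)
    if isinstance(value, list):
        items, found = [], []
        for item in value:
            clean, hits = redact_value(item)
            items.append(clean)
            found.extend(hits)
        return items, found
    if isinstance(value, dict):
        fields, found = {}, []
        for key, item in value.items():
            clean, hits = redact_value(item)
            fields[key] = clean
            found.extend(hits)
        return fields, found
    return value, []


def _digest(record: Dict[str, Any]) -> str:
    """SHA-256 over canonical JSON of every field except the hash itself."""
    unsigned = {k: v for k, v in record.items() if k != "record_hash"}
    canon = json.dumps(unsigned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def append_record(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Redact first, then link the record to its predecessor; the guard's hits stay visible."""
    body, found = redact_value(event)
    prev = chain[-1]["record_hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev, "body": body, "redactions": found}
    record["record_hash"] = _digest(record)
    chain.append(record)
    return record


def verify_chain(chain: List[Dict[str, Any]]) -> bool:
    """Fail on any edited body, reordered record, or broken link."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record["seq"] != i or record["prev_hash"] != prev:
            return False
        if _digest(record) != record["record_hash"]:
            return False
        prev = record["record_hash"]
    return True


def secret_free(chain: List[Dict[str, Any]]) -> bool:
    """Secret-free guard: no marker fires anywhere in the serialized bodies."""
    text = json.dumps([r["body"] for r in chain])
    return not any(p.search(text) for _, p in SECRET_MARKERS)


# Constructed sample decision events; the token and key values are fake.
SAMPLE_EVENTS = [
    {"event": "policy_decision", "decision": "deny", "reason": "scope_not_granted",
     "detail": "request for hosted_export rejected"},
    {"event": "identity_access", "decision": "allow", "reason": "operator_session",
     "detail": "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0.ZmFrZXNpZ25hdHVyZXZhbHVl"},
    {"event": "config_change", "decision": "deny", "reason": "secret_marker_present",
     "detail": "installer log contained api_key=sk_live_example1234567890"},
]


def build_sample_chain() -> List[Dict[str, Any]]:
    chain: List[Dict[str, Any]] = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    return chain


if __name__ == "__main__":
    sample = build_sample_chain()
    for rec in sample:
        print(rec["seq"], rec["body"]["decision"], rec["body"]["reason"], rec["redactions"])
    print("chain ok:", verify_chain(sample), "secret free:", secret_free(sample))
```

Two caveats a reviewer would raise against this as a production control. Pattern matching only catches secrets that carry a marker, which is why the baseline asks for redaction review on top of the scan. And a hash chain stored in the same file as the records detects truncation or edits only if the head hash is checkpointed somewhere the writer cannot alter; on its own it is a consistency check, not tamper resistance against whoever can rewrite the file.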

04

Triage and handoff

Critical log-source disable alerts, detection triage owners, and incident handoff paths are required before detection-service wording.

Current Snapshot

The baseline is present, but monitoring authority is still zero.

These fields show requirements and denials: a value of 1 marks a requirement that is recorded or a guard that is required, and 0 marks a capability that has not been added or a claim that is not allowed. They are not evidence of live log collection, SIEM export, telemetry, sensors, alerting, or detection service operation.

security_logging_monitoring_baseline 1
runtime_authority_decision_logging_required 1
log_redaction_required 1
secret_free_log_guard_required 1
log_integrity_tamper_resistance_required 1
log_collector_added 0
telemetry_export_added 0
detection_service_claim_allowed 0

Promotion Gate

No monitoring or detection wording can promote without the logging gate.

A future monitoring surface must prove what it observes, how records are shaped, how sensitive material is excluded, how logs are protected, who triages events, and how incidents are handed off before public claims can change.

Present now

Baseline record, status record, guard script, local deterministic report surfaces, report-redaction guard, secret-material guard, zero-trust decision-report context, incident handoff context, and supply-chain redaction expectations.

Required before promotion

Event-source inventory, log-source owner, schema or field contract, audit event selection, runtime decision events, denial reason events, identity/access events, privileged action events, configuration changes, security errors, severity taxonomy, time source, redaction review, secret-marker scan, integrity control, log access control, retention period, disposal process, centralization or export path, critical source disable alert, triage owner, incident handoff path, and operator-visible non-claims.

Denied now

Production log monitoring, production audit claims, SIEM integration claims, telemetry export, host monitoring, network monitoring, alerting service, detection-service claims, security-operations claims, and log-collection service claims.

Latticra Boundary

Reports stay local, deterministic, and guarded.

Latticra can report decisions and preserve redaction expectations, but it does not collect telemetry, monitor hosts, export to a SIEM, run sensors, or detect incidents.

Local

Report metadata

Local report surfaces can describe decisions and status without becoming a log collection service.

Local

Policy decision reports

Runtime policy decisions and denial reasons remain local report fields, not operational monitoring.

Guarded

Redaction and secrets

Report redaction and secret-material guards protect local evidence wording without claiming production log hygiene.

Closed

Telemetry and detection

No log collector, remote telemetry, SIEM export, detection runtime, alerting service, or monitoring authority is added.

Local Commands

Validate logging requirements without enabling monitoring.

These checks validate records and local guardrails. They do not collect logs, export telemetry, run sensors, emit alerts, detect threats, or store monitoring data.

Logging baseline

sh scripts/test-security-logging-monitoring-baseline.sh

Report guards

sh scripts/test-report-redaction-boundary.sh
sh scripts/test-secret-material-guard.sh

Security context

sh scripts/test-zero-trust-runtime-authority-baseline.sh
sh scripts/test-cyber-incident-reporting-response-baseline.sh

Source Records

Use exact records before repeating logging or monitoring wording.

Security logging, monitoring, and detection baseline

Event-source inventory, audit event selection, redaction, retention, detection triage, incident handoff, and monitoring non-claims.

Logging baseline status

Status fields and expected guard output for the logging, monitoring, and detection baseline.

High-assurance baseline

Source-tracked security posture and future logging and detection control allocation.

Zero-trust runtime authority baseline

Audit-record, policy-decision, and denial-reason context for future authority requests.

Incident reporting baseline

Evidence preservation, audit records, reporting routes, and closed response authority.

Backup and recovery resilience

Restore testing, recovery prioritization, RTO/RPO, rollback planning, and incident handoff context.

Secure configuration and change management

Configuration-change logging context, baselines, checklists, drift planning, and hardening non-claims.

Network exposure and remote access

Network log source inventory, flow visibility, incident handoff, and no network monitoring claims.

Data classification and protection

Log/report redaction, retention, disposal, PII review, telemetry blockers, and no customer-data claims.

Supply-chain baseline

Report redaction, installer log redaction, workflow authority, and release blockers.

Security overview

Safe testing, effect gates, runtime boundary, and security non-claims.

Incident response boundary

Reporting routes, evidence preservation, response gates, and incident-response non-claims.

Identity and access management

Identity/access event context, privileged behavior review, access exceptions, and hosted-access non-claims.

Runtime boundary

Default-deny runtime classification, policy matrix, and no-effect report surfaces.

Evidence model

Promotion levels, public claim boundaries, and exact source records.

Non-claims

Unsupported monitoring, detection, hosted-service, and production-readiness claims.