Skip to content

Commit bb15849

Browse files
committed
docs: notes from 2025-12-16 audit logging wg
Signed-off-by: Alan Pinkert <apinkert@cisco.com>
1 parent 353cd52 commit bb15849

1 file changed

Lines changed: 52 additions & 0 deletions

File tree

  • docs/contribute/wip/5_Audit_Logs_Standardization/meeting_notes
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
# Notes
2+
3+
* We have connections with the Otel working group (TODO)
4+
* OASF
5+
* More about classifying Agent skills than agentic events
6+
* Maybe not an immediate connection
7+
* OCSF
8+
* Captures events for security practitioners
9+
* Might need more agentic
10+
* What are looking for in this working group?
11+
* Customers frustrated with too many standards they need to adopt
12+
* Example: accounting firm, RAG on tax docs. Only these specific people should respond to it. But don’t know the best practices, and would find guidance helpful.
13+
* Lots of startups around deploy-stack for management of MCP servers, LLMs, etc., but what are the blind spots?
14+
* Example: customer wrapping APIs with an internal MCP server. Reason: before, they needed to train their support team on how to read audit logs, now, they have them ask the chatbot.
15+
* Guidance vs a specification?
16+
* Proposal: we should build out an SDK
17+
* Contribute it back to Otel?
18+
* Challenge: making something overly broad vs narrow and specific to start with
19+
* Easier exercise: what vs how?
20+
* But — we might close the door on certain paths on what we want to audit
21+
* Observe Discussion
22+
* SDK: pure SDK for traces and spans for Otel
23+
* Poirot: creates metrics around traces
24+
* Integrations with LangChain, e.g. as well as MCP servers
25+
* Personas
26+
* Higher priority - Identity
27+
* Compliance Professionals
28+
* Security Professionals
29+
* Support Teams (audit-logs-as-training-data)
30+
* Lower priority (not a part of the identity working group)
31+
* Agent and Agentic Resource Developers
32+
* How are personas going to be consuming this?
33+
* Example: how can they use LLMs to cut down event noise
34+
* Will it be these human personas consuming audit logs or their agents?
35+
* Standards
36+
* SET (security event tokens)
37+
* CADF (cloud auditing data federation)
38+
* CEF (common event format)
39+
* SSF (shared signals framework) — RISC / CAEP
40+
* Microsoft extension to SCIM
41+
* Be wary of https://xkcd.com/927/
42+
43+
# Action Items
44+
45+
1. Nailing down persona / use cases
46+
2. What are the data points that we need recorded
47+
3. Look at existing standards & frameworks, compare to 2. above
48+
4. Converge: pursue these tracks
49+
50+
# Logistics
51+
52+
Next meeting will be 2025-01-13 because of the holidays. See everyone in the new year!

0 commit comments

Comments
 (0)