Interactive Security Audit and Compliance Logging
Comprehensive audit log structure supporting multiple compliance frameworks
{
"audit_id": "AUD-2025-12345678",
"timestamp": "2025-12-25T10:30:45.123Z",
"event_type": "AUTHENTICATION",
"severity": "INFO",
"actor": {
"user_id": "user@example.com",
"ip_address": "192.168.1.100",
"user_agent": "Mozilla/5.0...",
"session_id": "sess_abc123xyz",
"location": {
"country": "US",
"region": "California",
"city": "San Francisco"
}
},
"resource": {
"type": "API_ENDPOINT",
"id": "/api/v1/sensitive-data",
"classification": "CONFIDENTIAL"
},
"action": {
"operation": "READ",
"status": "SUCCESS",
"duration_ms": 234
},
"metadata": {
"compliance_tags": ["SOC2", "ISO27001", "GDPR"],
"data_classification": "PII",
"retention_days": 2555
},
"cryptographic_proof": {
"hash": "sha256:a7f3e2...",
"signature": "RSA:3f8d9a...",
"chain_link": "prev:b4c5d6..."
}
}
// Blockchain-inspired immutable audit chain
function createAuditChain(logEntry, previousHash) {
const timestamp = Date.now();
const data = JSON.stringify({
...logEntry,
timestamp,
previous_hash: previousHash
});
// SHA-256 hash
const currentHash = sha256(data);
// RSA signature
const signature = rsaSign(currentHash, privateKey);
return {
data: logEntry,
timestamp,
previous_hash: previousHash,
current_hash: currentHash,
signature,
block_number: getNextBlockNumber()
};
}
// Verify chain integrity
function verifyAuditChain(chain) {
for (let i = 1; i < chain.length; i++) {
const current = chain[i];
const previous = chain[i - 1];
// Verify hash linkage
if (current.previous_hash !== previous.current_hash) {
return { valid: false, error: `Chain broken at block ${i}` };
}
// Verify signature
if (!rsaVerify(current.current_hash, current.signature, publicKey)) {
return { valid: false, error: `Invalid signature at block ${i}` };
}
}
return { valid: true, blocks: chain.length };
}
// ML-based anomaly detection for audit logs
function detectAnomalies(auditLogs, userProfile) {
const features = extractFeatures(auditLogs);
// Statistical analysis
const stats = {
avgLoginTime: calculateAverage(features.loginTimes),
stdDeviation: calculateStdDev(features.loginTimes),
commonLocations: findCommonLocations(features.locations),
typicalResources: findTypicalResources(features.resources)
};
// Anomaly scoring (0-100)
let anomalyScore = 0;
// Check time-based anomalies
if (isUnusualTime(features.currentLoginTime, stats.avgLoginTime)) {
anomalyScore += 25;
}
// Check location-based anomalies
if (!stats.commonLocations.includes(features.currentLocation)) {
anomalyScore += 30;
}
// Check access pattern anomalies
if (isUnusualAccessPattern(features.accessPattern, stats.typicalResources)) {
anomalyScore += 45;
}
return {
score: anomalyScore,
level: anomalyScore > 70 ? 'CRITICAL' :
anomalyScore > 50 ? 'HIGH' :
anomalyScore > 30 ? 'MEDIUM' : 'LOW',
details: generateAnomalyReport(features, stats)
};
}
// Secure audit log transmission protocol
POST /api/v1/audit/submit
Content-Type: application/json
X-Audit-Signature: RSA-SHA256:abc123...
X-Audit-Timestamp: 2025-12-25T10:30:45.123Z
X-Audit-Nonce: 8f7e6d5c4b3a2910
{
"protocol_version": "1.0",
"audit_batch": [
{
"audit_id": "AUD-2025-12345678",
"event_type": "DATA_ACCESS",
"severity": "MEDIUM",
"actor": {...},
"resource": {...},
"action": {...}
}
],
"batch_metadata": {
"total_events": 1,
"batch_hash": "sha256:f8e7d6c5...",
"retention_policy": "SOC2_7_YEARS"
}
}
// Response
HTTP/1.1 201 Created
Content-Type: application/json
X-Audit-Receipt: RCPT-2025-98765432
{
"status": "ACCEPTED",
"receipt_id": "RCPT-2025-98765432",
"timestamp": "2025-12-25T10:30:45.456Z",
"stored_count": 1,
"compliance_verification": {
"soc2": true,
"iso27001": true,
"gdpr": true
},
"retention_expires": "2032-12-25T10:30:45.456Z"
}
// WebSocket-based real-time audit streaming
const auditStream = new WebSocket('wss://audit.example.com/stream');
// Subscribe to specific event types
auditStream.send(JSON.stringify({
action: 'subscribe',
filters: {
severity: ['HIGH', 'CRITICAL'],
event_types: ['PRIVILEGE_ESCALATION', 'DATA_BREACH'],
compliance_tags: ['SOC2', 'GDPR']
},
authentication: {
token: 'Bearer eyJhbGc...',
signature: 'RSA:3f8d9a...'
}
}));
// Receive real-time audit events
auditStream.onmessage = (event) => {
const auditEvent = JSON.parse(event.data);
if (auditEvent.severity === 'CRITICAL') {
triggerIncidentResponse(auditEvent);
}
logToComplianceDatabase(auditEvent);
updateDashboard(auditEvent);
};
// Integration with Splunk, ELK Stack, QRadar
import { AuditClient } from '@wia/sec-017-audit';
const auditClient = new AuditClient({
endpoint: 'https://audit.example.com',
apiKey: process.env.WIA_AUDIT_KEY,
compliance: ['SOC2', 'ISO27001', 'GDPR']
});
// Forward to SIEM
auditClient.on('audit_event', async (event) => {
// Send to Splunk
await splunk.log({
source: 'wia-sec-017',
sourcetype: 'security_audit',
event: event
});
// Send to Elasticsearch
await elasticsearch.index({
index: 'security-audit',
body: event
});
// Send to QRadar
await qradar.sendEvent({
severity: mapSeverity(event.severity),
category: 'Security Audit',
payload: event
});
});
// AWS CloudTrail Integration
const AWS = require('aws-sdk');
const cloudtrail = new AWS.CloudTrail();
async function syncWithCloudTrail(auditEvent) {
// Map WIA audit to AWS CloudTrail format
const cloudTrailEvent = {
eventVersion: '1.08',
userIdentity: {
type: 'IAMUser',
principalId: auditEvent.actor.user_id,
arn: `arn:aws:iam::123456789012:user/${auditEvent.actor.user_id}`
},
eventTime: auditEvent.timestamp,
eventSource: 'wia-sec-017.amazonaws.com',
eventName: auditEvent.event_type,
sourceIPAddress: auditEvent.actor.ip_address,
userAgent: auditEvent.actor.user_agent
};
await cloudtrail.putEvents({
CloudTrailEvent: JSON.stringify(cloudTrailEvent)
}).promise();
}
// Azure Monitor Integration
const { DefaultAzureCredential } = require('@azure/identity');
const { MonitorClient } = require('@azure/arm-monitor');
async function syncWithAzureMonitor(auditEvent) {
const credential = new DefaultAzureCredential();
const client = new MonitorClient(credential, subscriptionId);
await client.activityLogs.create({
resourceGroupName: 'security-audit',
activityLogName: auditEvent.audit_id,
properties: {
eventTimestamp: auditEvent.timestamp,
category: 'Security',
level: mapToAzureLevel(auditEvent.severity),
operationName: auditEvent.event_type,
properties: auditEvent
}
});
}
Service Organization Control reporting for trust service principles
Information security management system certification
EU General Data Protection Regulation compliance
Health Insurance Portability and Accountability Act
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://wia.org/sec-017/v1"
],
"type": ["VerifiableCredential", "AuditReceipt"],
"issuer": {
"id": "did:wia:audit-system-01",
"name": "WIA Security Audit System"
},
"issuanceDate": "2025-12-25T10:30:45Z",
"credentialSubject": {
"id": "did:wia:user:admin@company.com",
"auditRecord": {
"audit_id": "AUD-2025-12345678",
"event_type": "DATA_ACCESS",
"resource": "/api/v1/customer-data",
"timestamp": "2025-12-25T10:30:45.123Z",
"compliance_verified": ["SOC2", "ISO27001", "GDPR"]
}
},
"proof": {
"type": "RsaSignature2018",
"created": "2025-12-25T10:30:45Z",
"verificationMethod": "did:wia:audit-system-01#keys-1",
"proofPurpose": "assertionMethod",
"jws": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19.."
}
}
// Generate compliance certificate as VC
async function generateComplianceCertificate(auditPeriod) {
const vc = {
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": ["VerifiableCredential", "ComplianceCertificate"],
"issuer": "did:wia:compliance-authority",
"issuanceDate": new Date().toISOString(),
"credentialSubject": {
"id": "did:wia:organization:company-123",
"organization": "Example Corp",
"compliance": {
"framework": "SOC2_TYPE_II",
"period": auditPeriod,
"controls_tested": 147,
"controls_passed": 147,
"effectiveness": "100%",
"audit_trail_verified": true,
"evidence_count": 3542
}
},
"proof": await generateProof()
};
return vc;
}