Configuration

Audit and Retention

Ledger retention, evidence export, event streaming destinations.

Audit configuration controls how long ledger records are retained, how evidence packs are exported, and how events flow to downstream systems. For most regulated tenants, this configuration is revisited any time a new regulatory obligation applies.

Retention

The tenant's baseline retention (covered under Tenant Setup) sets the floor for ledger entry retention. Individual classifications can specify longer retentions:

  • Classification-specific retention. Objects carrying a specific classification retain their ledger events for an extended period regardless of the baseline. Useful for regulated data that requires longer retention than a typical workload.
  • Policy-specific retention. Ledger events produced under a specific policy can be retained longer. Useful for policies governing sensitive diligence activities.
  • Legal-hold retention. When a legal hold is in effect, affected ledger entries are retained indefinitely until the hold is released — regardless of any baseline or classification-specific limits that would otherwise cause purging.

The longest applicable retention wins. A purge never happens if any active requirement still covers the entry.
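The following added example (not Lattix code) shows how the "longest applicable retention wins" rule and the legal-hold override resolve for a single ledger entry. The configuration and entry shapes, the classification and policy names, and the retention periods are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Retention periods on this page are expressed in days; this is the unit helper.
const day = 24 * time.Hour

// RetentionConfig is an assumed shape for the tenant's retention settings.
type RetentionConfig struct {
	Baseline         time.Duration            // tenant-wide floor from Tenant Setup
	ByClassification map[string]time.Duration // classification-specific retention
	ByPolicy         map[string]time.Duration // policy-specific retention
	LegalHolds       map[string]bool          // object IDs under an active legal hold
}

// LedgerEntry is a minimal, assumed representation of one ledger record.
type LedgerEntry struct {
	ID             string
	ObjectID       string
	Classification string // empty when the object is unclassified
	PolicyID       string // empty when no policy produced the event
	RecordedAt     time.Time
}

// EffectiveRetention applies the rule "the longest applicable retention wins".
// held is true when a legal hold covers the entry, which makes retention indefinite.
func EffectiveRetention(e LedgerEntry, cfg RetentionConfig) (d time.Duration, held bool) {
	if cfg.LegalHolds[e.ObjectID] {
		return 0, true
	}
	d = cfg.Baseline
	if c, ok := cfg.ByClassification[e.Classification]; ok && c > d {
		d = c
	}
	if p, ok := cfg.ByPolicy[e.PolicyID]; ok && p > d {
		d = p
	}
	return d, false
}

// MayPurge reports whether no active requirement still covers the entry at now.
func MayPurge(e LedgerEntry, cfg RetentionConfig, now time.Time) bool {
	d, held := EffectiveRetention(e, cfg)
	if held {
		return false
	}
	return !now.Before(e.RecordedAt.Add(d))
}

// SampleConfig is constructed for this example; the names and periods are not Lattix defaults.
func SampleConfig() RetentionConfig {
	return RetentionConfig{
		Baseline:         365 * day,
		ByClassification: map[string]time.Duration{"regulated": 7 * 365 * day},
		ByPolicy:         map[string]time.Duration{"diligence-review": 5 * 365 * day},
		LegalHolds:       map[string]bool{"obj-9": true},
	}
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	cfg := SampleConfig()
	entries := []LedgerEntry{
		{ID: "ev-1", ObjectID: "obj-1", Classification: "regulated", RecordedAt: now.Add(-1000 * day)},
		{ID: "ev-2", ObjectID: "obj-2", RecordedAt: now.Add(-400 * day)},
		{ID: "ev-3", ObjectID: "obj-3", PolicyID: "diligence-review", RecordedAt: now.Add(-400 * day)},
		{ID: "ev-4", ObjectID: "obj-9", RecordedAt: now.Add(-4000 * day)},
	}
	for _, e := range entries {
		d, held := EffectiveRetention(e, cfg)
		fmt.Printf("%s retention=%v held=%v purgeable=%v\n", e.ID, d, held, MayPurge(e, cfg, now))
	}
}
```

Note that a purge decision is re-evaluated against the current configuration, not the one in force when the entry was written: placing a legal hold on obj-9 today protects an entry that is already years past its baseline.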

Evidence pack exports

An evidence pack is a signed, self-contained bundle of ledger entries for a defined scope. It is the primary format for regulatory submissions and formal inquiries.

Each pack includes:

  • The full ledger entries for the scope — decisions, KAS operations, classification changes, policy changes.
  • The policy versions that were in force during the scope's time window, so the decisions can be interpreted correctly.
  • The tag schema versions that were in force.
  • Metadata identifying the exporting principal, the scope parameters, and the export timestamp.
  • A cryptographic signature over the entire pack that a recipient can verify without contacting Lattix.

Pack scopes can be defined by:

  • A specific data object and its full lifecycle.
  • A specific principal and their full activity in a time window.
  • A specific time window across the whole tenant.
  • A specific classification and its full activity.

Exports are themselves ledger events — the export itself is recorded with who exported it, when, and for what scope.
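An added example (not Lattix code) of what "signed, self-contained, verifiable without contacting Lattix" looks like in practice: the pack body is serialized once, those exact bytes are signed with Ed25519, and a recipient verifies them against a public key pinned out of band before parsing anything. The struct shapes, field names, key identifier and sample ledger entries are all assumptions; the page does not document the real pack format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// All shapes below are assumed for this example; the real pack format is not documented on this page.
type LedgerEntry struct {
	ID    string    `json:"id"`
	Kind  string    `json:"kind"` // decision, kas_operation, classification_change, policy_change, export
	Actor string    `json:"actor"`
	At    time.Time `json:"at"`
}

type Scope struct {
	Kind  string    `json:"kind"` // object, principal, window or classification
	Value string    `json:"value,omitempty"`
	From  time.Time `json:"from"`
	To    time.Time `json:"to"`
}

type PackBody struct {
	Scope             Scope          `json:"scope"`
	Entries           []LedgerEntry  `json:"entries"`
	PolicyVersions    map[string]int `json:"policy_versions"`     // in force during the window
	TagSchemaVersions map[string]int `json:"tag_schema_versions"` // in force during the window
	ExportedBy        string         `json:"exported_by"`
	ExportedAt        time.Time      `json:"exported_at"`
}

// EvidencePack carries the exact bytes that were signed: recipients verify those bytes first and
// only then parse them. KeyID names a public key distributed out of band, never one inside the pack.
type EvidencePack struct {
	KeyID     string `json:"key_id"`
	Body      []byte `json:"body"`
	Signature []byte `json:"signature"`
}

func GenerateSignerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildPack serializes the body once and signs exactly those bytes.
func BuildPack(body PackBody, keyID string, priv ed25519.PrivateKey) (EvidencePack, error) {
	raw, err := json.Marshal(body) // struct fields keep declaration order, map keys are sorted
	if err != nil {
		return EvidencePack{}, err
	}
	return EvidencePack{KeyID: keyID, Body: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyPack needs only the pack and a pinned public key; it never contacts the issuer.
func VerifyPack(p EvidencePack, pinned ed25519.PublicKey) (PackBody, error) {
	if !ed25519.Verify(pinned, p.Body, p.Signature) {
		return PackBody{}, fmt.Errorf("signature does not verify under key %s", p.KeyID)
	}
	var body PackBody
	if err := json.Unmarshal(p.Body, &body); err != nil {
		return PackBody{}, err
	}
	return body, nil
}

// ExportEvent is the ledger entry that records the export itself: who, when and for what scope.
func ExportEvent(body PackBody) LedgerEntry {
	id := fmt.Sprintf("export-%s-%s-%s", body.Scope.Kind, body.Scope.Value, body.ExportedAt.UTC().Format("20060102T150405Z"))
	return LedgerEntry{ID: id, Kind: "export", Actor: body.ExportedBy, At: body.ExportedAt}
}

// SampleBody is constructed data for this example, not a real tenant's ledger.
func SampleBody() PackBody {
	from := time.Date(2024, 12, 1, 0, 0, 0, 0, time.UTC)
	to := from.AddDate(0, 1, 0)
	return PackBody{
		Scope: Scope{Kind: "object", Value: "obj-1", From: from, To: to},
		Entries: []LedgerEntry{
			{ID: "ev-1", Kind: "classification_change", Actor: "svc-ingest", At: from.Add(2 * time.Hour)},
			{ID: "ev-2", Kind: "decision", Actor: "alice", At: from.Add(26 * time.Hour)},
			{ID: "ev-3", Kind: "kas_operation", Actor: "alice", At: from.Add(26 * time.Hour)},
		},
		PolicyVersions:    map[string]int{"access-default": 12},
		TagSchemaVersions: map[string]int{"base": 3},
		ExportedBy:        "auditor-q4",
		ExportedAt:        to.Add(5 * 24 * time.Hour),
	}
}

func main() {
	pub, priv, _ := GenerateSignerKey()
	pack, _ := BuildPack(SampleBody(), "tenant-signer-2025", priv)
	_, err := VerifyPack(pack, pub)
	fmt.Println("untampered pack verifies:", err == nil)
	pack.Body[len(pack.Body)-2] ^= 0x20 // flip one bit of the signed body
	_, err = VerifyPack(pack, pub)
	fmt.Println("tampered pack verifies:", err == nil)
}
```

The design choice worth copying is signing the serialized bytes rather than a re-serialization of parsed fields: a recipient that re-encodes before verifying can be tricked by encoder differences, while one that verifies the stored bytes cannot. Carrying the policy and tag-schema versions inside the signed body is what lets a regulator interpret each decision against the rules that actually applied.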

Event streaming

For tenants that integrate Lattix audit data with a SIEM, a data warehouse, or an internal audit system, the platform supports outbound event streaming.

Configurable per destination:

  • Destination type. Common destinations include Splunk HEC, Elastic, Datadog, generic webhook, generic S3-compatible bucket, and SFTP for older systems. More destinations are added as customer demand indicates.
  • Event filter. Which event categories should be streamed. A tenant might stream all decisions and key operations but not classification-change events.
  • Transformation. A destination-specific schema mapping, if the destination expects a specific format.
  • Encryption and authentication. Credentials for the destination, and whether the outbound stream itself is encrypted end-to-end.

Streaming uses at-least-once delivery: a destination may receive the same event more than once, so it must de-duplicate on the ledger event identifier.
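The following added example (not Lattix code) models both sides of that contract: a sender that applies the destination's event filter and resends until it sees an ack, and a destination that is idempotent on the ledger event identifier. The event and destination shapes, the category names and the simulated lost ack are constructed for the example; transport, credentials and schema mapping are left out.

```go
package main

import "fmt"

// Event is an assumed minimal shape for a streamed ledger event.
type Event struct {
	ID       string // ledger event identifier, the de-duplication key
	Category string // e.g. decision, key_operation, classification_change
	Payload  string
}

// Destination models only the per-destination event filter; transport, credentials
// and schema mapping are left out of this example.
type Destination struct {
	Name       string
	Categories map[string]bool // only these categories are streamed
}

// Sink stands in for the receiving SIEM or warehouse. It is idempotent on Event.ID,
// which is what at-least-once delivery requires of a destination.
type Sink struct {
	seen       map[string]bool
	Applied    []Event
	Duplicates int            // redeliveries that were recognised and discarded
	lostAcks   map[string]int // constructed fault: how many acks to drop per event ID
}

func NewSink(lostAcks map[string]int) *Sink {
	return &Sink{seen: map[string]bool{}, lostAcks: lostAcks}
}

// Receive applies an event at most once, then reports whether the ack reached the sender.
func (s *Sink) Receive(e Event) (acked bool) {
	if s.seen[e.ID] {
		s.Duplicates++
	} else {
		s.seen[e.ID] = true
		s.Applied = append(s.Applied, e)
	}
	if s.lostAcks[e.ID] > 0 {
		s.lostAcks[e.ID]--
		return false // the sender times out and resends
	}
	return true
}

// Stream applies the destination filter and delivers with at-least-once semantics:
// every event is resent until an ack is seen or maxAttempts is exhausted.
func Stream(dst Destination, sink *Sink, events []Event, maxAttempts int) (attempts int, err error) {
	for _, e := range events {
		if !dst.Categories[e.Category] {
			continue
		}
		acked := false
		for i := 0; i < maxAttempts && !acked; i++ {
			attempts++
			acked = sink.Receive(e)
		}
		if !acked {
			return attempts, fmt.Errorf("%s: event %s not acked after %d attempts", dst.Name, e.ID, maxAttempts)
		}
	}
	return attempts, nil
}

// SampleEvents is constructed data for this example.
func SampleEvents() []Event {
	return []Event{
		{ID: "ev-1", Category: "decision", Payload: "alice read obj-1: allow"},
		{ID: "ev-2", Category: "key_operation", Payload: "unwrap DEK for obj-1"},
		{ID: "ev-3", Category: "classification_change", Payload: "obj-1: internal -> regulated"},
		{ID: "ev-4", Category: "decision", Payload: "bob read obj-1: deny"},
	}
}

func main() {
	dst := Destination{Name: "siem-main", Categories: map[string]bool{"decision": true, "key_operation": true}}
	sink := NewSink(map[string]int{"ev-2": 1}) // the first ack for ev-2 is lost
	attempts, err := Stream(dst, sink, SampleEvents(), 3)
	fmt.Printf("attempts=%d applied=%d duplicates=%d err=%v\n", attempts, len(sink.Applied), sink.Duplicates, err)
}
```

With the lost ack, ev-2 is delivered twice but applied once; the destination sees four deliveries for three applied events and no event is lost. A destination that keys on arrival order or on payload content instead of the event identifier would double-count ev-2.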

Monitoring and alerting

Beyond exports and streaming, the dashboard surfaces standard monitoring views:

  • Denial patterns. Principals with repeated recent denials, classifications with unusually high denial rates.
  • Activity anomalies. Principals accessing unusual object counts, principals active outside normal hours.
  • Administrative activity. Every key rotation, policy change, schema change, and emergency operation is flagged for the security administrator pool.
  • Expiring keys. KEKs approaching retirement, with the count of objects still wrapped under them.
  • Unclassified objects. Objects ingested recently that have not yet been classified.

Tenant-configurable thresholds determine when a pattern produces a notification versus remaining a dashboard-only signal.
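An added example (not Lattix code) of the threshold logic behind the denial-pattern view: denials per principal within a window are compared against a dashboard threshold and a notification threshold, and per-classification denial rates against a rate threshold with a minimum sample size. The decision shape, threshold names, principal and classification names and the sample decisions are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Decision is an assumed minimal shape for a ledger decision event.
type Decision struct {
	Principal      string
	Classification string
	Allowed        bool
	At             time.Time
}

// Thresholds are tenant-configurable; these field names are assumed for the example.
type Thresholds struct {
	Window           time.Duration
	DashboardDenials int     // per principal, at or above: dashboard-only signal
	NotifyDenials    int     // per principal, at or above: notification
	NotifyDenialRate float64 // per classification, share of decisions denied
	MinDecisions     int     // per classification, ignore samples smaller than this
}

type Signal struct {
	Subject string  // principal or classification name
	Kind    string  // "principal_denials" or "classification_denial_rate"
	Value   float64 // denial count or denial rate
	Level   string  // "dashboard" or "notify"
}

// DenialSignals returns the signals the window's decisions produce, sorted for determinism.
func DenialSignals(decisions []Decision, th Thresholds, now time.Time) []Signal {
	cutoff := now.Add(-th.Window)
	denialsBy := map[string]int{}
	totalByClass := map[string]int{}
	deniedByClass := map[string]int{}
	for _, d := range decisions {
		if d.At.Before(cutoff) {
			continue // outside the window
		}
		totalByClass[d.Classification]++
		if !d.Allowed {
			denialsBy[d.Principal]++
			deniedByClass[d.Classification]++
		}
	}
	var out []Signal
	for p, n := range denialsBy {
		switch {
		case n >= th.NotifyDenials:
			out = append(out, Signal{p, "principal_denials", float64(n), "notify"})
		case n >= th.DashboardDenials:
			out = append(out, Signal{p, "principal_denials", float64(n), "dashboard"})
		}
	}
	for c, total := range totalByClass {
		if total < th.MinDecisions {
			continue
		}
		if rate := float64(deniedByClass[c]) / float64(total); rate >= th.NotifyDenialRate {
			out = append(out, Signal{c, "classification_denial_rate", rate, "notify"})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].Subject < out[j].Subject
	})
	return out
}

// SampleDecisions is constructed data for this example.
func SampleDecisions(now time.Time) []Decision {
	var out []Decision
	add := func(n int, p, c string, allowed bool, ago time.Duration) {
		for i := 0; i < n; i++ {
			out = append(out, Decision{p, c, allowed, now.Add(-ago)})
		}
	}
	add(5, "alice", "regulated", false, 1*time.Hour)  // repeated recent denials
	add(3, "bob", "internal", false, 2*time.Hour)     // enough for the dashboard only
	add(1, "carol", "internal", false, 3*time.Hour)
	add(5, "carol", "internal", true, 1*time.Hour)
	add(6, "dave", "regulated", false, 100*time.Hour) // old: outside a 24h window
	add(2, "erin", "regulated", true, 2*time.Hour)
	return out
}

func main() {
	now := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	th := Thresholds{Window: 24 * time.Hour, DashboardDenials: 3, NotifyDenials: 5, NotifyDenialRate: 0.5, MinDecisions: 5}
	for _, s := range DenialSignals(SampleDecisions(now), th, now) {
		fmt.Printf("%-26s %-10s %.2f %s\n", s.Kind, s.Subject, s.Value, s.Level)
	}
}
```

With these thresholds alice reaches the notification level, bob stays dashboard-only, carol and dave produce nothing (too few denials, and denials outside the window respectively), and the "regulated" classification is flagged because five of its seven in-window decisions were denials. The minimum-sample guard is what keeps a classification with one denial out of two decisions from looking like a 50% denial rate.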

External auditor access

For scheduled audits, a tenant can provision a scoped auditor principal with read-only access limited to specific ledger queries. An auditor's own activity is itself logged — the ledger records who inspected what during the audit.

When the audit is complete, the auditor principal is decommissioned. The principal's activity log remains in the ledger as part of the audit-of-the-audit evidence.

Relationship to products and concepts