Evidence Export
ARX provides multiple export mechanisms to produce compliance evidence for external auditors, board reports, and regulatory filings. All exports are scoped to the authenticated user's organization and enforce the same RBAC and tenant isolation rules as the rest of the API.
Audit Log Export
Export the full audit trail or a filtered subset.
CSV Format
GET /v1/audit/export?format=csv
Produces a downloadable CSV file with the following columns:
| Column | Description |
|---|---|
| created_at | UTC timestamp of the event. |
| action_type | Structured action identifier (e.g., connector.called). |
| connector | Connector type involved (e.g., crowdstrike). |
| target_resource | Target operation or resource. |
| policy_verdict | Policy engine decision: PERMIT, ESCALATE, or DENY. |
| status | Outcome: success, error, or blocked. |
| user_name | Resolved human-readable name of the user who initiated the action. |
| duration_ms | Execution duration in milliseconds. |
User IDs are resolved to full names or email addresses for readability. The CSV format is suitable for spreadsheet analysis, board reporting, and attachment to auditor evidence requests.
JSON Format
GET /v1/audit/export?format=json
Produces a downloadable JSON file containing the full audit log entry objects with all fields, including inputs_hash, outputs_hash, and metadata. The JSON format is suitable for programmatic ingestion by GRC platforms, compliance automation tools, and custom reporting pipelines.
Filtering
Both formats accept optional query parameters:
| Parameter | Type | Description |
|---|---|---|
| agent_id | UUID | Scope the export to a single agent. |
| limit | integer | Maximum number of entries (default 10,000, max 50,000). |
Compliance Package Export
Compliance packages provide structured evidence bundles for individual agents.
PDF Download
GET /v1/compliance/{package_id}/pdf
Downloads a branded PDF containing the full compliance package: execution graph, data flow diagram, vendor security questionnaire responses, sub-processor list, and SOC 2 control mappings. The PDF header includes the agent name, generation timestamp, and the identity of the user who triggered generation.
PDFs are suitable for direct submission to auditors and attachment to SOC 2 evidence requests.
JSON Access
GET /v1/compliance/{package_id}
Returns the full compliance package as a JSON object. This format is suitable for integration with GRC platforms (Drata, Vanta, Secureframe) or custom compliance dashboards.
Package Listing
GET /v1/compliance?agent_id={agent_id}
Lists all compliance packages for an agent in reverse chronological order. Use this to demonstrate a history of regular compliance evidence generation across audit periods.
Agent Configuration Export
Agent configurations and version histories are accessible through the Agents API:
- Current configuration: GET /v1/agents/{agent_id} returns the agent's current configuration including name, description, runtime, image URI, version, status, and declared intent.
- Version history: GET /v1/agents/{agent_id}/versions returns all deployment versions with image URIs, configurations, deploying user, and deployment notes.
These endpoints provide evidence of change management practices for agent deployments.
Policy History Export
Policy configurations are accessible through the Policies API:
- Current policies: GET /v1/policies?agent_id={agent_id} returns all active policy rules for an agent, including rule type, connector scope, action patterns, and risk thresholds.
Policy creation, modification, and deletion events are recorded in the audit trail. Export the audit trail filtered by action_type=policy.created, action_type=policy.updated, or action_type=policy.deleted to produce a complete policy change history.
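The following Python code is an added example, not part of ARX or its documentation: it reads a CSV audit export with the columns documented above, verifies that every documented column is present, and derives a chronological policy change history, a tally of policy verdicts, and a SHA-256 digest of the file to record with the evidence. The sample rows, the ISO 8601 timestamp format for created_at, and all function names are assumptions made for illustration.

```python
import csv
import hashlib
import io
from collections import Counter

# Columns of the CSV audit export, as listed in the table above.
EXPECTED_COLUMNS = ["created_at", "action_type", "connector", "target_resource",
                    "policy_verdict", "status", "user_name", "duration_ms"]
POLICY_ACTIONS = {"policy.created", "policy.updated", "policy.deleted"}

# Constructed sample export: every value is invented for illustration, and the
# ISO 8601 UTC timestamp format is an assumption about created_at.
SAMPLE_EXPORT = """\
created_at,action_type,connector,target_resource,policy_verdict,status,user_name,duration_ms
2025-01-14T09:02:11Z,policy.updated,,rule-42,PERMIT,success,Alice Example,12
2025-01-10T08:00:00Z,policy.created,,rule-42,PERMIT,success,Alice Example,15
2025-01-12T13:45:30Z,connector.called,crowdstrike,hosts.contain,ESCALATE,blocked,Bob Example,230
2025-01-20T17:20:05Z,policy.deleted,,rule-17,PERMIT,success,Carol Example,9
2025-01-21T10:00:00Z,connector.called,crowdstrike,hosts.list,DENY,blocked,Bob Example,4
"""

def load_export(text):
    """Parse the export and fail loudly if a documented column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(EXPECTED_COLUMNS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    return list(reader)

def policy_change_history(rows):
    """Policy create/update/delete events, oldest first."""
    changes = [r for r in rows if r["action_type"] in POLICY_ACTIONS]
    # Same-format ISO 8601 UTC strings sort chronologically as text.
    return sorted(changes, key=lambda r: r["created_at"])

def verdict_summary(rows):
    """Count of events per policy engine decision."""
    return Counter(r["policy_verdict"] for r in rows)

def evidence_digest(text):
    """SHA-256 of the exported bytes, to record alongside the evidence file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for r in policy_change_history(rows):
        print(r["created_at"], r["action_type"], r["target_resource"], r["user_name"])
    print(dict(verdict_summary(rows)), evidence_digest(SAMPLE_EXPORT))
```

Recording the digest at export time lets a reviewer later confirm that the file handed to an auditor is the one that was downloaded.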
SIEM Forwarding
For organizations that require continuous evidence collection, configure a SIEM integration to receive real-time audit events. SIEM integrations forward every audit log entry as it is created, providing a secondary evidence store outside the ARX platform. Supported targets include Splunk, Microsoft Sentinel, Elastic Security, and any platform that accepts structured JSON over HTTPS.
Recommendations for Auditors
When preparing for a SOC 2 audit or vendor security review:
- Generate compliance packages for each active agent to produce per-agent evidence bundles.
- Export the audit trail in CSV format for the audit period to provide a complete event log.
- Download compliance PDFs for each agent to provide formatted evidence documents.
- Export agent version histories to demonstrate change management practices.
- Export policy configurations to demonstrate access control and authorization rules.
All exports are timestamped and scoped to the authenticated organization, ensuring that evidence is traceable and tamper-evident.