# Compliance Evidence Collection
arxsec-site / library/workflows/compliance-evidence/README.md
Automates the collection of audit evidence from multiple security tools: Splunk audit logs, Okta user lists, CrowdStrike detection statistics, and Wiz cloud posture data. Compiles everything into a structured evidence package.
Maturity: L4-5 (Governed to Accountable) · See the 5-level maturity model for where this workflow fits in your program.
## Time Saved
Before: ~8 hours per audit cycle manually gathering evidence from four tools, formatting exports, and compiling documentation.
After: One-click evidence collection. Auditors receive a structured JSON evidence package with all required data.
## Connectors

| Connector | Operations | Risk |
|-------------|-------------------|------|
| Splunk | search:execute | LOW |
| Okta | users:read | LOW |
| CrowdStrike | detections:read | LOW |
| Wiz | findings:read | LOW |
| Slack | chat:write | LOW |
Overall Risk: LOW -- All operations are read-only data collection. No write operations against any security tool.
## How It Works
- Run predefined Splunk queries to extract audit log evidence.
- Export Okta user lists with MFA status and group memberships.
- Pull CrowdStrike detection statistics and agent coverage metrics.
- Query Wiz for cloud posture scores and open finding counts.
- Compile all data into a structured JSON evidence package.
- Store the package and post a Slack notification with a summary.
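The compile step above, as an added example that is not the project's own code: it takes constructed sample exports from the four sources (field names are assumptions, not the connectors' real schemas), derives the metrics an auditor asks for, and stamps the package with a SHA-256 digest over the canonical JSON body so the package ID in the Slack summary can be tied back to exactly the evidence that was collected.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample exports standing in for the connector outputs.
SPLUNK_RESULTS = [
    {"query": "index=audit action=login", "rows": 1532},
    {"query": "index=audit action=privilege_change", "rows": 17},
]
OKTA_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE", "mfa_enrolled": True, "groups": ["Engineering"]},
    {"login": "bob@example.com", "status": "ACTIVE", "mfa_enrolled": False, "groups": ["Finance"]},
    {"login": "carol@example.com", "status": "DEPROVISIONED", "mfa_enrolled": False, "groups": []},
]
CROWDSTRIKE = {"detections_last_90d": 42, "hosts_total": 800, "hosts_with_sensor": 792}
WIZ_FINDINGS = [
    {"id": "f-1", "severity": "CRITICAL", "status": "OPEN"},
    {"id": "f-2", "severity": "HIGH", "status": "OPEN"},
    {"id": "f-3", "severity": "HIGH", "status": "RESOLVED"},
]

def compile_evidence(splunk, okta, crowdstrike, wiz, collected_at=None):
    """Build the structured evidence package plus an integrity digest."""
    active = [u for u in okta if u["status"] == "ACTIVE"]          # deprovisioned users are out of scope
    mfa_enrolled = sum(1 for u in active if u["mfa_enrolled"])
    open_by_sev = {}
    for f in wiz:
        if f["status"] == "OPEN":
            open_by_sev[f["severity"]] = open_by_sev.get(f["severity"], 0) + 1
    evidence = {
        "splunk": {"queries": splunk, "total_rows": sum(q["rows"] for q in splunk)},
        "okta": {"active_users": len(active), "mfa_enrolled": mfa_enrolled,
                 "mfa_coverage_pct": round(100 * mfa_enrolled / len(active), 1) if active else 0.0,
                 "non_mfa_users": [u["login"] for u in active if not u["mfa_enrolled"]]},
        "crowdstrike": {**crowdstrike, "sensor_coverage_pct":
                        round(100 * crowdstrike["hosts_with_sensor"] / crowdstrike["hosts_total"], 1)},
        "wiz": {"open_findings_by_severity": open_by_sev, "open_total": sum(open_by_sev.values())},
    }
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible;
    # the timestamp is deliberately outside the hashed body.
    body = json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(body).hexdigest()
    return {"package_id": "EVD-" + digest[:12], "sha256": digest,
            "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
            "evidence": evidence}

def slack_summary(pkg):
    """One-line summary for the notification; auditors can re-hash the body to verify it."""
    e = pkg["evidence"]
    return (f"Evidence package {pkg['package_id']} (sha256 {pkg['sha256'][:16]}...): "
            f"{e['okta']['mfa_coverage_pct']}% MFA coverage, "
            f"{e['crowdstrike']['sensor_coverage_pct']}% sensor coverage, "
            f"{e['wiz']['open_total']} open Wiz findings")
```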
## ARX Governance

- Risk Classification:
  - `Splunk:search:execute` -- LOW -- read-only audit log queries
  - `Okta:users:read` -- LOW -- read-only user and factor enumeration
  - `CrowdStrike:detections:read` -- LOW -- read-only detection statistics
  - `Wiz:findings:read` -- LOW -- read-only posture data
  - `Slack:chat:write` -- LOW -- informational notifications only
- HITL Gate: Disabled -- all operations are read-only. No human approval required.
- Policy Rules:
  - PERMITTED: All read operations across Splunk, Okta, CrowdStrike, and Wiz
  - PERMITTED: Posting Slack summary notifications
  - DENIED: Any write or modification operations against source systems
- Audit Trail: Every query executed, data volume collected per source, and evidence package generated is logged with timestamps. Slack notification includes package ID for traceability.
- Config: See `arx.yaml` for connector permissions, schedule, and evidence query definitions.
## Setup

### Prerequisites

```bash
pip install arx
```
### Environment Variables

```bash
export SPLUNK_HOST="https://splunk.your-org.com:8089"
export SPLUNK_TOKEN="your-splunk-bearer-token"
export OKTA_DOMAIN="your-org.okta.com"
export OKTA_API_TOKEN="your-okta-api-token"
export CROWDSTRIKE_CLIENT_ID="your-cs-client-id"
export CROWDSTRIKE_CLIENT_SECRET="your-cs-client-secret"
export WIZ_CLIENT_ID="your-wiz-client-id"
export WIZ_CLIENT_SECRET="your-wiz-client-secret"
export WIZ_API_URL="https://api.wiz.io"
export SLACK_BOT_TOKEN="xoxb-your-slack-token"
export SLACK_COMPLIANCE_CHANNEL="#compliance"
```
### Run

```bash
# One-time execution (on-demand before audits)
arx run workflow.py

# Register on schedule (quarterly: Jan, Apr, Jul, Oct 1st at 06:00 UTC)
arx register --config arx.yaml
```
## Customization

- Define Splunk evidence queries in the `splunk_queries` parameter
- Adjust Okta group filters for scoped user exports
- Configure evidence package format and storage location