Collections
Each collection is a YAML-defined evidence pull bound to one connector and a list of control codes. The runner executes them on a schedule; every artifact is hashed and retention-locked.
| Connector | Collection | Last run | Runs | Items | Bytes |
|---|---|---|---|---|---|
| AWS IAM | aws_iam_inventory0 3 * * * Daily inventory of IAM users, roles, and access-key age. Surfaces stale keys and over-privileged accounts. AC-2AC-6IA-5NIST 800-171FedRAMP Moderate | succeeded | 14 | 42 | 5.9 MB |
| Filesystem | filesystem_evidence_staging*/15 * * * * Watches a staging directory for files dropped by control owners. The escape hatch when a system has no API. DOC-1AC5 Internal | succeeded | 1299 | 2653 | 1.83 GB |
| GitHub | github_branch_protection0 4 * * * Daily snapshot of branch-protection rules across every org repo. Catches the day someone disables required reviews. CM-3CM-5SA-10NIST 800-171SOC 2 | succeeded | 14 | 548 | 1.5 MB |
| Microsoft 365 | m365_admin_audit_log5 * * * * Hourly export of M365 unified audit log filtered to admin actions. Becomes invaluable during incident response. AU-2AU-3AU-12NIST 800-171ISO 27001 | succeeded | 325 | 314 | 10.0 MB |
| Okta | okta_mfa_enrollment0 6 * * 1 Weekly MFA-enrollment report from Okta. The first thing every audit asks for. Hashes the CSV and pins it against AC-2, AC-7, IA-2. AC-2AC-7IA-2NIST 800-171ISO 27001 | succeeded | 2 | 2 | 83.4 KB |