Control Framework
OBS: Observability
The Observability domain enables detection, investigation, and forensics. Six controls address action logging, session correlation, tamper-resistant storage, anomaly detection, capability-confluence monitoring, and log retention.
OBS-01 Action Logging
Requirement: Every action taken by an agent shall be logged with timestamp, agent identity, action type, parameters, and result.
Rationale: Enables forensic reconstruction of agent behavior.
Evidence: Log samples demonstrating required fields.
Profile: Essential
OBS-02 Session Correlation
Requirement: Logs shall include session identifiers enabling correlation of actions within a session and attribution to initiating users.
Rationale: Enables end-to-end tracing of agent operations.
Evidence: Log samples demonstrating session correlation.
Profile: Standard
OBS-03 Immutable Audit Trail
Requirement: Audit logs shall be written to append-only storage that resists tampering, so that records cannot be altered or deleted after the fact without detection.
Rationale: Ensures log integrity for forensic and compliance purposes.
Evidence: Log storage configuration demonstrating immutability.
Profile: Elevated
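The following is an added worked example, not part of the framework text, showing one way OBS-01, OBS-02 and OBS-03 fit together at the record level: each log entry carries the OBS-01 fields plus the OBS-02 session and initiating-user identifiers, and each entry commits to the hash of its predecessor so that a later edit of any record breaks the chain. The field names, the in-memory store and the sample records are assumptions chosen for illustration; the framework does not prescribe a schema or a storage technology.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Added example; field names are an assumed concrete mapping of the OBS-01 and
# OBS-02 fields, and the hash chain is one common record-level approach to OBS-03.

GENESIS = "0" * 64


@dataclass
class ActionRecord:
    timestamp: str          # OBS-01: when the action happened (ISO 8601, UTC)
    agent_id: str           # OBS-01: which agent acted
    session_id: str         # OBS-02: ties the action to one session
    initiating_user: str    # OBS-02: attribution to the human who started the session
    action_type: str        # OBS-01: e.g. "tool_call", "file_read"
    parameters: dict        # OBS-01: arguments the action was invoked with
    result: str             # OBS-01: outcome or status
    prev_hash: str = GENESIS
    record_hash: str = ""


def canonical(record: dict) -> bytes:
    # Stable serialisation so the hash does not depend on dict key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(rec: ActionRecord) -> str:
    body = asdict(rec)
    body.pop("record_hash")          # hash covers every field except itself
    return hashlib.sha256(canonical(body)).hexdigest()


class AppendOnlyAuditLog:
    """Append-only log where every record commits to the previous record's hash."""

    def __init__(self) -> None:
        self._records: List[ActionRecord] = []

    def append(self, rec: ActionRecord) -> ActionRecord:
        rec.prev_hash = self._records[-1].record_hash if self._records else GENESIS
        rec.record_hash = compute_hash(rec)
        self._records.append(rec)
        return rec

    def records(self) -> List[ActionRecord]:
        return list(self._records)

    def session(self, session_id: str) -> List[ActionRecord]:
        # OBS-02: every action of one session, in the order it was logged.
        return [r for r in self._records if r.session_id == session_id]

    def verify(self) -> Optional[int]:
        """Return the index of the first broken record, or None if the chain is intact."""
        expected_prev = GENESIS
        for i, rec in enumerate(self._records):
            if rec.prev_hash != expected_prev or compute_hash(rec) != rec.record_hash:
                return i
            expected_prev = rec.record_hash
        return None


def build_sample_log() -> AppendOnlyAuditLog:
    # Constructed sample records, not real telemetry.
    log = AppendOnlyAuditLog()
    log.append(ActionRecord("2025-01-01T10:00:00Z", "agent-7", "sess-A", "alice",
                            "file_read", {"path": "/srv/reports/q4.csv"}, "ok"))
    log.append(ActionRecord("2025-01-01T10:00:02Z", "agent-7", "sess-A", "alice",
                            "tool_call", {"tool": "summarize", "rows": 120}, "ok"))
    log.append(ActionRecord("2025-01-01T10:05:00Z", "agent-9", "sess-B", "bob",
                            "http_request", {"url": "https://api.example.internal/v1/status"}, "200"))
    return log


def tamper_detected_after_edit() -> int:
    # Quietly rewrite a parameter in the middle record; verify() must report index 1.
    log = build_sample_log()
    log._records[1].parameters["rows"] = 1
    idx = log.verify()
    return -1 if idx is None else idx


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("session A actions:", [r.action_type for r in log.session("sess-A")])
    print("first tampered record:", tamper_detected_after_edit())
```

A hash chain makes in-place edits detectable, but an attacker who can rewrite the whole tail of the log can recompute every hash after the edit. Tamper resistance therefore also depends on anchoring the current head hash somewhere the writer cannot change (a separate system, write-once storage, or a periodically published digest) and on the storage itself refusing updates and deletes.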
OBS-04 Anomaly Detection
Requirement: Systems shall monitor agent behavior for deviations from established baselines and generate alerts.
Rationale: Enables early detection of compromise or manipulation.
Evidence: Baseline definitions, detection rules, and alert samples.
Profile: Elevated
OBS-05 Confluence Monitoring
Requirement: Systems shall monitor for combinations of capabilities that create elevated risk and apply additional controls when detected.
Rationale: Addresses risks that emerge from capability combinations.
Evidence: Confluence rules and enforcement logs.
Profile: Elevated
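The following is an added worked example, not part of the framework text, covering OBS-04 and OBS-05 together over a constructed action log. For OBS-04 it derives a per-agent baseline (which action types an agent normally performs, and how often per session) and flags deviations of two kinds: an action type the agent has never performed, and a per-session volume well above the baseline. For OBS-05 it maps each action type to the capability it exercises and evaluates rules over the set of capabilities used within one session, returning the additional control to apply when a risky combination is complete. The action-to-capability mapping, the thresholds, the rule names and the sample windows are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Record = Tuple[str, str, str]  # (agent_id, session_id, action_type)

# Constructed sample windows, not real telemetry. Timestamps are omitted because
# the checks below work on sets and counts rather than on timing.
BASELINE_WINDOW: List[Record] = [
    ("agent-7", "sess-1", "file_read"), ("agent-7", "sess-1", "tool_call"),
    ("agent-7", "sess-2", "file_read"), ("agent-7", "sess-2", "tool_call"),
    ("agent-7", "sess-2", "http_request"),
    ("agent-9", "sess-3", "http_request"), ("agent-9", "sess-3", "tool_call"),
]
CURRENT_WINDOW: List[Record] = [
    ("agent-7", "sess-A", "file_read"), ("agent-7", "sess-A", "tool_call"),
    ("agent-7", "sess-A", "secret_fetch"),   # never seen from agent-7 before
    ("agent-7", "sess-A", "http_request"),   # secrets plus egress in one session
    ("agent-9", "sess-B", "http_request"), ("agent-9", "sess-B", "tool_call"),
    ("agent-9", "sess-B", "tool_call"), ("agent-9", "sess-B", "tool_call"),
]

# Assumed mapping from logged action types to the capability each one exercises.
CAPABILITY_OF: Dict[str, str] = {
    "file_read": "read_local_data",
    "tool_call": "tool_use",
    "secret_fetch": "read_secrets",
    "http_request": "egress",
    "email_send": "egress",
    "shell_exec": "code_exec",
}

# Assumed OBS-05 confluence rules: capability sets that are acceptable alone but
# risky together, paired with the additional control to apply once the set is complete.
CONFLUENCE_RULES: Dict[str, Tuple[FrozenSet[str], str]] = {
    "secrets_then_egress": (frozenset({"read_secrets", "egress"}), "hold_egress_for_review"),
    "exec_then_egress": (frozenset({"code_exec", "egress"}), "require_human_approval"),
}

VOLUME_MULTIPLIER = 2  # alert when a per-session count exceeds 2x the baseline maximum


def build_baseline(window: List[Record]):
    """Per agent: the action types seen, and the max per-session count of each type."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    per_session: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for agent, session, action in window:
        seen[agent].add(action)
        per_session[(agent, session)][action] += 1
    max_count: Dict[str, Counter] = defaultdict(Counter)
    for (agent, _), counts in per_session.items():
        for action, n in counts.items():
            max_count[agent][action] = max(max_count[agent][action], n)
    return seen, max_count


def detect_anomalies(window: List[Record], seen, max_count) -> List[Tuple[str, str, str]]:
    """OBS-04: flag novel action types and per-session volumes above the baseline."""
    alerts: List[Tuple[str, str, str]] = []
    per_session: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for agent, session, action in window:
        if action not in seen.get(agent, set()):
            alerts.append((agent, session, f"novel_action:{action}"))
        per_session[(agent, session)][action] += 1
    for (agent, session), counts in per_session.items():
        for action, n in counts.items():
            base = max_count.get(agent, Counter()).get(action, 0)
            if base and n > VOLUME_MULTIPLIER * base:
                alerts.append((agent, session, f"volume:{action}={n}>{VOLUME_MULTIPLIER}x{base}"))
    return alerts


def detect_confluence(window: List[Record]) -> List[Tuple[str, str, str]]:
    """OBS-05: per session, report every rule whose capability set has been fully exercised."""
    exercised: Dict[str, Set[str]] = defaultdict(set)
    for _, session, action in window:
        if action in CAPABILITY_OF:
            exercised[session].add(CAPABILITY_OF[action])
    alerts: List[Tuple[str, str, str]] = []
    for session, caps in exercised.items():
        for name, (required, control) in CONFLUENCE_RULES.items():
            if required <= caps:
                alerts.append((session, name, control))
    return alerts


def run() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    seen, max_count = build_baseline(BASELINE_WINDOW)
    return detect_anomalies(CURRENT_WINDOW, seen, max_count), detect_confluence(CURRENT_WINDOW)


if __name__ == "__main__":
    anomalies, confluences = run()
    for a in anomalies:
        print("ANOMALY", a)
    for c in confluences:
        print("CONFLUENCE", c)
```

Evaluating confluence per session rather than per action is what makes the control useful: neither reading a secret nor making an outbound request is suspicious on its own, and a per-action rule would either alert constantly or never. The rule output is the "additional control" OBS-05 asks for, so it should feed an enforcement point (for example, a gate in front of the egress tool) and not only an alert queue.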
OBS-06 Retention Compliance
Requirement: Logs shall be retained for periods meeting regulatory requirements and organizational policy.
Rationale: Ensures availability for investigations and audits.
Evidence: Retention configuration and verification records.
Profile: Critical