Trail and Audit Evidence
Trail is the immutable audit surface for actors, resources, changes, request context, and integrity metadata. Use it to reconstruct who changed what, when, and with which result.
Do not use Trail as a synonym for every observability surface:
| Surface | Primary evidence |
|---|---|
kt events or GET /v1/events with required since | Runtime governance outcomes and request-policy activity |
| History | Captured conversation and session content when enabled |
| Inbox | Human-review work items and decisions |
| Trail | Control-plane actions, resource changes, audit chronology, and record integrity |
Search the console
Open Trail and narrow the result with:
- date range;
- event category;
- actor type or actor ID;
- resource type;
- event name;
- verdict; and
- read-only state.
Start from an exact request ID, event ID, resource ID, or short UTC window when available. Expand only when the investigation requires it.
The current console does not provide access-key-prefix lookup as an active search filter. Use supported actor, request, resource, and event fields instead of assuming a key filter was applied.
Read an event
The detail view can expose:
- actor identity and ARN;
- source, name, category, and read-only classification;
- request ID and event ID;
- event time and duration;
- request method and path;
- response status and recorded error details;
- the primary resource type, ID, and ARN;
- record and previous hashes;
- before/after change records;
- additional event data; and
- full event JSON.
Fields are event-dependent. A missing optional field is not proof that the corresponding activity did not happen.
Reconstruct a change
For an administrative mutation:
- Anchor on the resource ID or request ID.
- Confirm actor, organization, region, and UTC time.
- Read the before/after change record.
- Identify referenced roles, policies, agents, gateways, or other resources.
- Check response status and error fields.
- Follow adjacent events only as far as needed to explain the operation.
- Correlate runtime Events through
kt eventsor the Events API; add History separately when customer traffic is part of the question and capture is enabled.
An HTTP success can still require verification of the resulting resource state. Trail records the operation; the owning detail page confirms current state.
Export evidence from the console
Open Trail and choose the visible Evidence exports action to queue a
date-bounded evidence export. The direct path is /trail?view=exports.
Raw-data exports are available as CSV or JSON; the same view also offers the
supported compliance-report formats. This export workflow uses its own start
date, end date, and format. It does not inherit the filters from the Trail
event list.
Before queueing an export:
- set and record the requested date range;
- confirm the organization and region;
- choose a format appropriate for the reviewer; and
- note that the export contains decision-event evidence, not a dump of the immutable Trail records currently visible in the list.
After the job completes, compare the returned integrity.artifact_sha256 with
the downloaded bytes and inspect
GET /v1/exports/jobs/{job_id}/manifest when a manifest is available. Record
the job parameters, integrity values, reviewer, and storage location. To export
immutable Trail records with Trail-specific filters, use kt trail export.
Verify with the CLI
Use kt trail verify for hash-chain and digest checks:
kt trail verify \
--org-id 550e8400-e29b-41d4-a716-446655440000 \
--start-time 2026-07-01T00:00:00Z \
--end-time 2026-07-08T00:00:00Z \
--deep \
--json
Standard verification checks digest links inside a nonempty selected window. Deep verification is limited to 90 days and recomputes event record hashes, sequence continuity, and links between returned events. Neither mode performs cryptographic DSSE-envelope verification or checks the inbound link of the first returned record. Equal, reversed, or empty windows fail. A single-event command checks only the fetched event's recorded hash presence.
Use kt trail export for paginated JSON, JSONL, or CSV exports. See
Trail CLI for exact commands and compression behavior.
Build an evidence packet
Include:
- purpose and review owner;
- organization, region, and UTC window;
- filter or command parameters;
- event, request, actor, and resource IDs;
- configuration or rollout version when relevant;
- integrity-verification output;
- exported file digest and protected location;
- known gaps or unavailable fields; and
- conclusion and next owner.
Minimize copied request or response content. Never include credentials, one-time secrets, payment identifiers, or unrelated personal data.
Failed or incomplete evidence
If verification reports a gap or failure:
- Preserve the exact JSON output.
- Do not relabel the result as verified.
- Confirm organization, region, and time boundaries.
- Repeat only to rule out a transient retrieval error.
- Escalate through the approved audit-integrity workflow.
If a Trail record is absent, check whether the action belongs in the runtime Events query, capture-enabled History, or another surface and whether the selected scope is correct. Absence from one search is not proof of non-occurrence.
Retention and access
Trail exports can contain sensitive operational metadata. Apply your approved:
- access controls;
- encryption;
- retention schedule;
- legal hold;
- reviewer logging; and
- deletion process.
Tagging or exporting an audit record does not change the authoritative retention policy.