BLACKSHIELD

Public Guide

How BlackShield Produces Audit-Ready Evidence

BlackShield gives authorized users a concrete audit workflow: filter events by action, actor, and time range, then export CSV or JSON evidence while recording the export itself in the audit trail. Audience: Security admins, compliance teams, auditors, and buyers validating accountability. Typical setup time: 10-15 minutes.

trust

Use this if

BlackShield gives authorized users a concrete audit workflow: filter events by action, actor, and time range, then export CSV or JSON evidence while recording the export itself in the audit trail.

Audience
Security admins, compliance teams, auditors, and buyers validating accountability
Typical time
10-15 minutes

Before You Begin

  • Confirm the reviewer has audit log read and export permissions.
  • Prepare the case ID or audit ticket ID that the evidence must tie back to.
  • Have the exact action, actor, and time window you need before exporting.

Guide walkthrough

Step 1

Use the built-in audit filters first

The point of the audit screen is to answer a question with filters, not dump unbounded history.

  • BlackShield lets you filter by action, actor user ID, start time, end time, and result limit in `/audit`.
  • Read access and export access are permissioned separately, so not every reader can pull evidence packages.
  • Keep the case or audit ID with the export so the evidence stays traceable after download.

What success looks like

Keep the case or audit ID with the export so the evidence stays traceable after download.

Step 2

Export the exact evidence package you need

BlackShield already supports both human-readable and machine-readable export formats.

  • Use CSV when the reviewer wants spreadsheet analysis or a lighter-weight audit packet.
  • Use JSON when the evidence is going into automation, archival, or another system.
  • Set an explicit time range so the export can be defended later without re-explaining scope.

What success looks like

Set an explicit time range so the export can be defended later without re-explaining scope.

Step 3

Use the audit trail to prove the evidence path itself

In BlackShield, evidence access is not invisible.

  • BlackShield records audit access queries and audit exports as audit events.
  • Use that record to show who pulled the evidence, which filters were used, and how many rows were exported.
  • Store the export timestamp and destination with the rest of the case record.

What success looks like

Store the export timestamp and destination with the rest of the case record.

What success looks like

  • The evidence package shows the exact time range, actor scope, and action filters used.
  • The review can show that audit access and export activity was itself recorded by BlackShield.
How BlackShield Produces Audit-Ready Evidence | BlackShield Docs