New source

Identity first

Register a source that compare and collection can trust

The two most important decisions here are the stable target identifier and the typed collection scope. Get those right and repeat uploads, queued jobs, and compare drift all line up cleanly.

Display nameTarget identifierStable key for compare and drift. Must match target_identifier in uploaded run metadata.

Source typeA standard Linux machine running the external collector or agent.Artifact familyThis controls which collector capability the source expects and which artifact family collection jobs may upload.

Selected family

Linux audit log

Host-level audit output from first-audit.sh or an equivalent Linux evidence collector.

Target id hint: Use a stable host identifier so compare can line up repeated audits.

Example: host:prod-web-01

Preferred collection: Push directly or use a long-running host agent service.

Collection scopeOptional. Store a typed default scope on the source so queued jobs inherit it unless you override the request.

What matters most

Pick a display name operators will recognize quickly in queues and run history.
Use a stable target identifier that will still make sense after reanalyze or future uploads.
Set a default collection scope when the source should consistently target one workload, namespace, or cluster shape.

Cancel