docs: add log timeline evidence gates #1340
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fd16398e29
Expected output:
- Finding ID: `LOG-EVID-01`, `LOG-EVID-03`, or `LOG-EVID-05`
Require all missing-evidence gates in the fixture
This fixture has no raw export path, no hash, and only normalized SIEM fields, so it simultaneously satisfies LOG-EVID-01, LOG-EVID-03, and LOG-EVID-05 as defined in the new skill checks. Using `or` lets a report pass while ignoring two of the missing-evidence conditions, which weakens the edge-case coverage for the evidence gates this test is meant to validate.
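The review's point, that an `or` in the fixture's expected output accepts a report which raises only one of the three gates, as an added Python illustration (not code from this repository's log-analysis skill). The fixture field names, the gate logic and the sample values are assumptions built from the one-line gate descriptions in the PR summary.

```python
"""Evidence gates LOG-EVID-01/03/05 evaluated over a constructed fixture.

Assumed (not from the skill): field names raw_export_path, sha256 and
raw_event_samples, and the mapping of each to a gate.
"""
from typing import Dict, Set

# Constructed fixture from the review: normalized SIEM fields only.
FIXTURE_NORMALIZED_ONLY: Dict = {
    "source": "siem",
    "raw_export_path": None,
    "sha256": None,
    "fields": ["@timestamp", "event.action", "user.name"],
    "raw_event_samples": [],
}

# Constructed counterpart with every evidence item present.
FIXTURE_WITH_RAW: Dict = {
    "source": "siem",
    "raw_export_path": "exports/auth.log.gz",
    "sha256": "<placeholder-hash>",
    "fields": ["@timestamp", "event.action", "user.name", "message"],
    "raw_event_samples": ["Jan 1 00:00:00 host sshd[1]: Accepted publickey"],
}

EXPECTED = {"LOG-EVID-01", "LOG-EVID-03", "LOG-EVID-05"}


def evidence_findings(fixture: Dict) -> Set[str]:
    """Full gate set: return every missing-evidence finding the fixture raises."""
    findings = set()
    if not fixture.get("raw_export_path"):
        findings.add("LOG-EVID-01")  # no raw source reference
    if not fixture.get("sha256"):
        findings.add("LOG-EVID-03")  # no hash / immutability proof
    if not fixture.get("raw_event_samples"):
        findings.add("LOG-EVID-05")  # nothing to spot-check against raw events
    return findings


def evidence_findings_regressed(fixture: Dict) -> Set[str]:
    """A regressed gate set that only checks the raw source reference."""
    return {"LOG-EVID-01"} if not fixture.get("raw_export_path") else set()


def passes_weak(findings: Set[str]) -> bool:
    """The 'or' reading: any one expected finding satisfies the fixture."""
    return bool(findings & EXPECTED)


def passes_strict(findings: Set[str]) -> bool:
    """The reading the review asks for: all expected findings must fire."""
    return EXPECTED <= findings
```

The regressed gate set passes the weak check but fails the strict one, which is exactly the gap the fixture is meant to catch.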
Summary
Adds timeline-integrity and evidence-handling gates to `log-analysis` so incident conclusions are calibrated by timestamp normalization, log pipeline health, and preserved raw evidence.
Changes
- `LOG-TIME-01` through `LOG-TIME-06` for timezone, clock skew, ingestion timestamp confusion, log gaps, parser loss, and duplicate event handling.
- `LOG-EVID-01` through `LOG-EVID-05` for raw source references, query text, hashes/immutability, redaction, and raw-event spot checks.
Validation
- `git diff --check`
Related issue
Created from review issue: #1338