Element34
Security · Audit and governance

Audit and governance for test automation that survives a SIEM review.

SIEM-native · Stateless license + RBAC via OIDC · Customer-controlled retention

Session-level events, user-level events, configuration changes, and AI prompt metadata stream to your SIEM. Your IdP enforces roles. Your retention policy applies. Element34 SBOX writes audit events for the team that signs the regulator's letter.

Selenium Box · Audit stream
Live events · customer SIEM (audit.customer-siem, streaming)

session.started · user.id=42b1
  session_id=s_9f1c · region=eu-central-1 · tenant=cust_acme
test.executed · action=run
  resource=checkout.spec · browser=chrome-128 · duration=8.2s
ai.prompt.dispatched · provider=azure
  ai_prompt_hash=sha256:b3c... · element34_visibility=metadata-only
config.changed · role=Admin
  change=executor.scale=8 · actor=svc_devops · via=scim
siem.delivered · sink=splunk-hec
  batch_id=b_27f · events=128 · status=2xx

Audit field catalog

What SBOX writes to your audit trail. Field by field.

The categories below are stable across deployments. The exact field-by-field schema is confirmed during procurement scoping and shared under NDA.

| Field | Category | Example | Notes |
|---|---|---|---|
| session_id | Session | s_9f1c4a2b | Unique per test session |
| user_id | User | u_42b1 | Sourced from customer IdP via OIDC, with SCIM on roadmap |
| timestamp | Session, User, Config | 2026-06-04T14:22:01Z | UTC, ISO 8601 |
| action | User, Config | test.executed | Action verb, dotted namespace |
| resource | Session, Config | checkout.spec | Resource path or test identifier |
| tenant_id | System | cust_acme | Single value per deployment in single-tenant SBOX |
| region | System | eu-central-1 | Region pinning value |
| ai_prompt_hash | AI | sha256:b3c2... | Hash only; prompt content not stored Element34-side |
| extended fields | Customer-scoped | on request | Additional fields confirmed during procurement scoping. |

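
A receiving-side conformance check for the catalog above, as an added example that is not Element34 code. It assumes events arrive as flat JSON objects keyed by the catalog's field names (the page does not state the wire encoding); the prompt-content key names and the sample events are constructed for illustration.

```python
import hashlib
import json
import re
from datetime import datetime

# Field names come from the audit field catalog; the flat JSON layout is an
# assumption, since the exact schema is only shared under NDA.
REQUIRED = ("session_id", "user_id", "timestamp", "action", "resource",
            "tenant_id", "region")
HASH_RE = re.compile(r"^sha256:[0-9a-f]{64}$")    # full SHA-256 hex digest
ACTION_RE = re.compile(r"^[a-z_]+(\.[a-z_]+)+$")  # dotted-namespace verb
# Hypothetical keys that would mean prompt content reached the audit trail.
CONTENT_KEYS = {"prompt", "prompt_text", "prompt_content"}


def check_event(raw: str, expected_tenant: str) -> list[str]:
    """Return findings for one audit event; an empty list means it conforms."""
    event = json.loads(raw)
    findings = [f"missing field: {k}" for k in REQUIRED if not event.get(k)]
    try:  # catalog: UTC, ISO 8601, e.g. 2026-06-04T14:22:01Z
        datetime.strptime(str(event.get("timestamp", "")), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        findings.append("timestamp is not UTC ISO 8601")
    action = str(event.get("action", ""))
    if not ACTION_RE.match(action):
        findings.append("action is not a dotted-namespace verb")
    # Single-tenant SBOX: any other tenant_id points at misrouted events.
    if event.get("tenant_id") != expected_tenant:
        findings.append("tenant_id differs from the deployment's single value")
    digest = event.get("ai_prompt_hash")
    if action.startswith("ai.") and digest is None:
        findings.append("AI event without ai_prompt_hash")
    if digest is not None and not HASH_RE.match(str(digest)):
        findings.append("ai_prompt_hash is not a full sha256 hex digest")
    leaked = CONTENT_KEYS & event.keys()
    if leaked:  # catalog: hash only, prompt content is not stored
        findings.append(f"prompt content present: {sorted(leaked)}")
    return findings


# Constructed sample events (not real SBOX output).
GOOD = json.dumps({
    "session_id": "s_9f1c4a2b", "user_id": "u_42b1",
    "timestamp": "2026-06-04T14:22:01Z", "action": "ai.prompt.dispatched",
    "resource": "checkout.spec", "tenant_id": "cust_acme",
    "region": "eu-central-1",
    "ai_prompt_hash": "sha256:" + hashlib.sha256(b"constructed").hexdigest(),
})
BAD = json.dumps({**json.loads(GOOD), "tenant_id": "cust_other",
                  "timestamp": "04/06/2026 14:22",
                  "ai_prompt_hash": "sha256:b3c2", "prompt": "constructed text"})
```
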
SIEM integrations

Splunk, IBM QRadar, Microsoft Sentinel supported natively.

Three SIEM destinations supported natively. Connector specifics (Splunk HEC, QRadar DSM, Sentinel Log Analytics, or S3 lifecycle) are confirmed during deployment scoping.

Splunk

Splunk Enterprise + Cloud

SBOX streams events to Splunk HEC inside the customer environment. Field mapping aligns with Splunk Common Information Model where applicable.

Connector specifics confirmed during deployment scoping

IBM QRadar

IBM QRadar self-hosted and SaaS

SBOX streams events to QRadar through the customer-deployed collector. Event names align with QRadar QID assignments through DSM editor where the customer has standardized.

Microsoft Sentinel

Microsoft Sentinel workspace

SBOX streams events to a customer Sentinel workspace. Custom log table is provisioned at deployment time; KQL-friendly field shapes.

RBAC and identity

Scoped roles. Customer IdP. OIDC today, SCIM roadmap.

Identity is sourced from the customer IdP. Roles map to customer IdP attributes via OIDC today, with SCIM on the roadmap. Stateless licensing applies across every deployment. Specific role names are confirmed during deployment scoping.

| Role category | Scope | Typical user |
|---|---|---|
| Platform administration | Full platform admin: deployment configuration, executor scale, integration setup, role assignment. | Platform engineering lead, DevSecOps lead |
| User and project management | Workspace-level admin: project setup, integration configuration within scope, member management. | QA engineering manager, test platform owner |
| Test creation | Author and edit tests, configure runs, view results within workspace. | Senior SDET, test author |
| Test execution | Execute existing tests, view results within workspace. No author rights. | QA engineer, CI service account |
| Results visibility | View results, dashboards, and session reconstructions. No execute or author rights. | Engineering manager, product manager, stakeholder |
| Audit-log access | Read-only access to the audit trail and SBOX session reconstruction surfaces. No platform configuration access. | Compliance officer, internal audit, regulator-facing review team |

Retention + integrity

Customer-defined retention. Customer SIEM owns immutability.

Retention follows customer policy. SBOX delivers audit events to the customer SIEM where the customer's existing immutability and retention policies apply.

Default

Customer-defined retention

Retention follows the customer's S3 lifecycle policy or the customer-configured SBOX setting. Video, screenshots, and session metadata follow customer-set retention rules. Video storage offloads to customer S3 or object storage with customer-defined lifecycle policies.

Integrity

Customer SIEM is the system of record

Logs are delivered to the customer SIEM where customer immutability policies apply. SBOX does not promise log immutability inside the platform itself. The customer's existing immutability and retention policies govern the audit trail end-to-end.

Continuity

Buffering and replay

If the customer SIEM endpoint is unreachable, SBOX buffers events and replays once the endpoint is reachable. Buffer behavior, retry policy, and dead-letter handling are configured during deployment.

Audit and governance FAQ

Audit and governance, answered.

What fields are logged?
Session-level events, user-level events, configuration changes, and AI prompt metadata. The audit field catalog includes session_id, user_id, timestamp, action, resource, tenant_id, region, and ai_prompt_hash. The full schema is confirmed during procurement scoping and is available under NDA as part of the architecture review pack.
Are AI prompts logged in full?
AI prompt metadata is logged: a hash of the prompt, the LLM provider, the timestamp, and the user identity. Prompt content stays between SBOX and the customer LLM and is not stored on the Element34 side. The customer LLM provider is the system of record for prompt content if the customer chooses to log it there.
How are logs delivered to the SIEM?
Connector specifics (Splunk HEC, QRadar DSM, Sentinel Log Analytics, or S3 lifecycle) are confirmed during deployment scoping. Splunk, IBM QRadar, and Microsoft Sentinel are supported natively. Native adapters cover the common ingestion patterns; custom collectors are scoped during procurement.
What is the default retention?
Retention is customer-defined. Retention follows the customer's S3 lifecycle policy. Video, screenshots, and session metadata follow customer-set retention rules. Video storage offloads to customer S3 or object storage with customer-defined lifecycle policies.
How granular is RBAC?
Roles cover platform administration, user and project management, test creation, test execution, results visibility, and audit-log access. Specific role names are confirmed during deployment scoping. Roles map to customer IdP attributes via OIDC today, with SCIM on the roadmap. Custom roles can be scoped during deployment.
Are logs signed or write-once inside SBOX?
Logs are delivered to the customer SIEM where customer immutability policies apply. SBOX does not promise log immutability inside the platform itself. The customer SIEM is the system of record for integrity, and the customer's existing immutability and retention policies govern the audit trail end-to-end.
How do customers set up the SIEM integration?
During deployment, the customer provides the SIEM endpoint (Splunk HEC, QRadar collector, or Sentinel workspace) and the customer-issued credentials. SBOX is configured to stream events to the customer endpoint through the customer-elected protocol. Integration takes hours, not weeks, in most environments.
How are SSO and SCIM integrated?
SSO via OIDC against the customer IdP is supported today. SAML and SCIM for user and group provisioning are on the roadmap. Stateless licensing applies across deployments. RBAC inside SBOX is enforced through customer IdP attributes mapped to SBOX roles.
Does the audit trail support compliance officers directly?
Yes. Audit Reader is a dedicated role for compliance officers and audit teams, with read-only access to the audit trail and SBOX session reconstruction surfaces. Audit Reader access is provisioned through the customer IdP via OIDC (SCIM on roadmap), not through Element34.
How is audit and governance priced?
Audit and governance features are included in every SBOX edition. There is no separate audit add-on. Pricing structure includes the three SBOX product editions (SBOX Core, SBOX AI, SBOX Managed) and four drivers (parallel execution capacity, AI consumption, deployment model, and support tier). Talk to sales for a scoped quote.

Wire SBOX into your SIEM.

Your audit and governance team will get the audit field catalog, the SIEM integration guide for Splunk, IBM QRadar, and Microsoft Sentinel, and a walk-through of the OIDC-authenticated RBAC model (SCIM on roadmap). Bring your compliance officer to the call.
