Airlock Digital Application Control Logs
Airlock Digital provides application control and allowlisting with comprehensive execution history and server activity logging. These logs capture information such as blocked executions, trusted path events, publisher-based approvals, and administrative actions. They help administrators monitor endpoint security posture, track application control policy effectiveness, and audit changes for compliance.
Ingest Methods
Set up the ingestion of this source using one of the following guides.
API Polling
Airlock Digital supports API polling to collect execution history and server activity logs from your Airlock server.
Setup
- Go to Sources in RunReveal
- Click the Airlock Digital source tile
- Give it a name and click Connect Source
- Fill in the required fields with your Airlock server address and API key
Airlock Digital API Key Configuration
To generate an API key for RunReveal:
Prerequisites:
- Airlock Digital server version v6.1 or later
- A user account in a Permission Group with the following REST API Roles enabled:
  - logging/exechistories
  - logging/svractivities
Creating the API Key:
- Sign in to your Airlock Digital management console
- Navigate to My Profile
- Click Generate API Key
- Copy the API key and paste it into the RunReveal source configuration form
Network Access Required: Airlock Digital uses port 3129 for REST API access. Ensure your firewall rules allow outbound HTTPS connections from RunReveal to your Airlock server on port 3129.
Airlock Digital Event Types
The Airlock Digital integration collects two categories of logs from your Airlock server.
Execution History Events
Execution history events track all application execution decisions made by Airlock on your endpoints.
| Type ID | Event Name | Description |
|---|---|---|
| 0 | Trusted Execution | Application ran and was explicitly trusted via hash approval |
| 1 | Blocked Execution | Application was blocked from running by policy |
| 2 | Untrusted Execution [Audit] | Application ran in audit mode (would be blocked in enforcement) |
| 3 | Untrusted Execution [OTP] | Application ran via one-time password override |
| 4 | Trusted Path Execution | Application ran from a trusted path location |
| 5 | Trusted Publisher Execution | Application ran because its publisher certificate is trusted |
| 6 | Blocklist Execution | Application matched an explicit blocklist rule and was blocked |
| 7 | Blocklist Execution [Audit] | Application matched a blocklist rule in audit mode |
| 8 | Trusted Process Execution | Application ran as a child of a trusted process |
Server Activity Events
Server activity events capture administrative actions performed on the Airlock management server, including policy changes, user management, and configuration updates.
Event Data Structure
Each execution history event includes:
- Hostname - The endpoint where the execution occurred
- Filename - Full path of the executed file
- Parent Process - The process that launched the execution
- SHA256 Hash - Cryptographic hash of the executed file
- Publisher - Code signing certificate publisher name
- Event Type - Numeric type ID indicating the execution decision
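The following script is an added example (not RunReveal's or Airlock Digital's own code) showing how the type IDs in the table above and the per-event fields just listed can be turned into detection logic: it classifies each execution history event by policy outcome, counts decisions per host, and surfaces the audit-mode executions that would start being blocked once the endpoint is moved to enforcement, plus any one-time-password overrides. The sample events are constructed, and the raw JSON key names (`hostname`, `filename`, `parentProcess`, `sha256Hash`, `publisher`, `eventTypeID`) are taken from the schema column names on this page, not from the Airlock API itself.

```python
"""Classify Airlock Digital execution history events by policy decision.

Added example; the type ID to name mapping follows the execution history
table above, and the sample records below are constructed.
"""
from collections import Counter, defaultdict
import json

# Type ID -> event name, as given in the execution history table.
EVENT_NAMES = {
    0: "Trusted Execution",
    1: "Blocked Execution",
    2: "Untrusted Execution [Audit]",
    3: "Untrusted Execution [OTP]",
    4: "Trusted Path Execution",
    5: "Trusted Publisher Execution",
    6: "Blocklist Execution",
    7: "Blocklist Execution [Audit]",
    8: "Trusted Process Execution",
}

# Policy outcome per type ID: what happened on the endpoint, and whether
# the same execution would have been prevented in enforcement mode.
BLOCKED = {1, 6}            # execution was actually prevented
AUDIT_ONLY = {2, 7}         # ran, but would be blocked in enforcement
OVERRIDE = {3}              # ran via one-time password override
TRUSTED = {0, 4, 5, 8}      # ran and was allowed by policy


def classify(event):
    """Return (decision, event name) where decision is one of
    'blocked', 'audit', 'override', 'trusted' or 'unknown'."""
    type_id = event.get("eventTypeID")
    name = EVENT_NAMES.get(type_id, "Unknown")
    if type_id in BLOCKED:
        return "blocked", name
    if type_id in AUDIT_ONLY:
        return "audit", name
    if type_id in OVERRIDE:
        return "override", name
    if type_id in TRUSTED:
        return "trusted", name
    return "unknown", name


def summarize(events):
    """Aggregate decisions per host and collect executions worth review.

    'enforcement_gap' holds (hostname, sha256Hash) pairs that ran only
    because the endpoint is in audit mode; these are the executions that
    would fail after switching the policy to enforcement.
    """
    per_host = defaultdict(Counter)
    enforcement_gap = set()
    overrides = []
    for ev in events:
        decision, _ = classify(ev)
        per_host[ev["hostname"]][decision] += 1
        if decision == "audit":
            enforcement_gap.add((ev["hostname"], ev["sha256Hash"]))
        elif decision == "override":
            overrides.append((ev["hostname"], ev["filename"], ev["parentProcess"]))
    return {
        "per_host": {h: dict(c) for h, c in per_host.items()},
        "enforcement_gap": sorted(enforcement_gap),
        "overrides": overrides,
    }


# Constructed sample records (NDJSON), one execution history event per line.
# Hashes are placeholders, not real file hashes.
SAMPLE_NDJSON = r"""
{"hostname":"ws-01","filename":"C:\\Windows\\System32\\notepad.exe","parentProcess":"explorer.exe","sha256Hash":"aaaa","publisher":"Microsoft Windows","eventTypeID":5}
{"hostname":"ws-01","filename":"C:\\Users\\a\\Downloads\\setup.exe","parentProcess":"chrome.exe","sha256Hash":"bbbb","publisher":"","eventTypeID":1}
{"hostname":"ws-02","filename":"C:\\Temp\\tool.exe","parentProcess":"cmd.exe","sha256Hash":"cccc","publisher":"","eventTypeID":2}
{"hostname":"ws-02","filename":"C:\\Temp\\tool.exe","parentProcess":"powershell.exe","sha256Hash":"cccc","publisher":"","eventTypeID":2}
{"hostname":"ws-03","filename":"C:\\Users\\b\\app.exe","parentProcess":"explorer.exe","sha256Hash":"dddd","publisher":"","eventTypeID":3}
{"hostname":"ws-03","filename":"C:\\Temp\\bad.exe","parentProcess":"cmd.exe","sha256Hash":"eeee","publisher":"","eventTypeID":7}
"""


def load_events(ndjson):
    """Parse newline-delimited JSON into event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


if __name__ == "__main__":
    print(json.dumps(summarize(load_events(SAMPLE_NDJSON)), indent=2))
```

Grouping the enforcement gap by (host, hash) rather than by filename is deliberate: the same binary launched from two parents on ws-02 collapses to one allowlisting decision, which is what an administrator has to make before turning enforcement on.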
Data Collection
- Collection Method: API polling every 60 seconds
- Data Format: JSON with normalized fields for consistent querying
- Endpoints Polled: Execution history and server activity logs
- Real-time Updates: New events appear in RunReveal within 1-2 minutes
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: airlock_logs (43 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| eventTypeID | UInt8 |
| hostname | String |
| filename | String |
| parentProcess | String |
| sha256Hash | String |
| publisher | String |
| checkpoint | String |
Helpful Links
- Airlock Digital API Documentation - REST API reference for execution history and server activity endpoints
- Elastic Integration Reference - Elastic’s Airlock Digital integration documentation with API role requirements