Runtime Signal Reference
Technical semantics for runtime verification events, baseline states, and drift classifications.
Signal Types
- Baseline Established: expected runtime state captured from approved deployment.
- Baseline Drift: observed state differs from approved baseline.
- Integrity Mismatch: runtime artifact hash/signature differs from expected artifact.
- Configuration Mutation: sensitive setting changed outside authorized deployment path.
- Signal Stale: expected telemetry heartbeat missing beyond configured window.
Drift Classification
Authorized Drift
Linked to approved change ticket or deployment event; retained as evidence.
Unauthorized Drift
No approved change linkage; emits alert and requires investigation.
Expected Ephemeral Drift
Known transient runtime variance, managed through baseline policy tuning.
Material Drift
High-impact change to security-sensitive controls or artifacts.
Evidence Requirements
- Signal timestamp and environment scope.
- Observed and expected values (or hashes) where safe to retain.
- Change linkage (deployment ID, ticket ID, actor) when available.
- Resolution state and closure note for drift investigations.
Alert Routing Guidance
- Material drift should route to security and service owner channels.
- Signal stale should route to platform operations telemetry owners.
- Authorized drift should remain searchable but not page on-call by default.
- Routing should include environment criticality and service tier metadata.