Compliance Reports

Sentinel can generate compliance reports for GDPR, PCI-DSS, and SOC 2 directly from your security data. Each report aggregates threat events, audit logs, user activity, and access control records into a structured document that maps to the requirements of its respective compliance framework. Reports are generated on demand through the API or the dashboard and can be exported as JSON for integration with external compliance tools.

No Extra Configuration

Compliance reports are generated from data that Sentinel already collects. There is no separate configuration to enable them. As long as Sentinel is mounted and processing traffic, the report endpoints are available.

Available Reports

Sentinel supports three compliance report types. Each report queries different subsets of stored data and presents metrics aligned with its compliance framework.

| Report | Framework | Time Window | Description |
| --- | --- | --- | --- |
| GDPR | General Data Protection Regulation | Configurable (default 720h) | User data access, exports, deletions, and unusual access patterns. |
| PCI-DSS | Payment Card Industry Data Security Standard | Fixed 90 days | Authentication events, security incidents, blocked threats, and requirements status. |
| SOC 2 | Service Organization Control 2 | Configurable (default 720h) | Monitoring evidence, incident response, access control, and anomalies. |

GDPR Report

The GDPR report provides visibility into how user data is accessed, exported, and deleted within your application. It also surfaces unusual access patterns detected by the anomaly detection engine. This helps demonstrate compliance with GDPR articles related to data subject rights, lawful processing, and breach notification.

Metrics

| Metric | Description |
| --- | --- |
| total_users | Number of unique users with data access activity in the reporting window. |
| data_access_events | Total number of data access events across all users. |
| data_export_events | Number of data export (READ) audit log entries. |
| data_deletion_events | Number of data deletion (DELETE) audit log entries. |
| unusual_access_patterns | Anomaly-type threat events indicating suspicious data access behavior. |
| user_data_summary | Per-user breakdown with user ID, activity count, routes accessed, and last access time. |

GDPR Response (JSON)

{
  "data": {
    "generated_at": "2025-06-15T10:00:00Z",
    "window_start": "2025-05-16T10:00:00Z",
    "window_end": "2025-06-15T10:00:00Z",
    "total_users": 42,
    "data_access_events": 1580,
    "data_export_events": 12,
    "data_deletion_events": 3,
    "unusual_access_patterns": [
      {
        "id": "te-anom-001",
        "timestamp": "2025-06-10T03:22:00Z",
        "ip": "198.51.100.14",
        "threat_types": ["AnomalyDetected"],
        "severity": "Medium"
      }
    ],
    "user_data_summary": [
      {
        "user_id": "user-abc123",
        "activity_count": 87,
        "routes_accessed": ["/api/users", "/api/profile"],
        "last_seen": "2025-06-15T09:45:00Z"
      }
    ]
  }
}

Query Parameter

The GDPR report accepts a ?window query parameter to control the reporting period. The default is 720h (30 days). Example: GET /sentinel/api/reports/gdpr?window=2160h for 90 days.

PCI-DSS Report

The PCI-DSS report focuses on authentication security, incident tracking, and threat blocking over a fixed 90-day window. It maps to PCI-DSS requirements around access control, monitoring, and incident response. The report includes a requirements status map that indicates whether each relevant PCI-DSS requirement is compliant, partially met, or non-compliant based on your Sentinel configuration and runtime data.

Metrics

| Metric | Description |
| --- | --- |
| auth_events_90d | Total authentication attempts in the last 90 days (success + failure). |
| failed_logins_90d | Number of failed login attempts in the last 90 days. |
| security_incidents | Total security incidents (threat events) detected in the last 90 days. |
| blocked_threats | Number of threats that were actively blocked by the WAF or rate limiter. |
| requirements | Map of PCI-DSS requirement names to their compliance status: compliant, partial, or non-compliant. |

PCI-DSS Response (JSON)

{
  "data": {
    "generated_at": "2025-06-15T10:00:00Z",
    "auth_events_90d": 12450,
    "failed_logins_90d": 342,
    "security_incidents": 87,
    "blocked_threats": 76,
    "requirements": {
      "Req 1 - Firewall Configuration": "compliant",
      "Req 2 - Default Passwords": "compliant",
      "Req 6 - Secure Systems": "partial",
      "Req 7 - Access Control": "compliant",
      "Req 8 - Authentication": "compliant",
      "Req 10 - Logging & Monitoring": "compliant",
      "Req 11 - Security Testing": "partial",
      "Req 12 - Security Policy": "non-compliant"
    }
  }
}

Fixed 90-Day Window

The PCI-DSS report always covers the last 90 days. There is no ?window query parameter for this endpoint. This aligns with PCI-DSS requirements for quarterly review periods.
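
The requirements map and the authentication counters are the parts of this report a pipeline would act on. The Go sketch below is an added example, not Sentinel's own code: it lists every requirement that is not compliant and computes the failed-login ratio. Review and Gap are hypothetical names, and treating an empty map or an unknown status string as a gap is this example's own choice.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// pciReport uses the field names of the PCI-DSS response documented above.
type pciReport struct {
	Data struct {
		AuthEvents   int               `json:"auth_events_90d"`
		FailedLogins int               `json:"failed_logins_90d"`
		Requirements map[string]string `json:"requirements"`
	} `json:"data"`
}

// Gap is one requirement whose status is anything other than "compliant".
type Gap struct{ Requirement, Status string }

// Review (hypothetical helper) returns gaps sorted by name and the failed-login ratio.
func Review(body []byte) ([]Gap, float64, error) {
	var r pciReport
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, 0, err
	}
	if len(r.Data.Requirements) == 0 { // fail closed: no map is not a clean report
		return nil, 0, errors.New("report has no requirements map")
	}
	var gaps []Gap
	for name, status := range r.Data.Requirements {
		if status != "compliant" { // unknown status strings count as gaps too
			gaps = append(gaps, Gap{name, status})
		}
	}
	sort.Slice(gaps, func(i, j int) bool { return gaps[i].Requirement < gaps[j].Requirement })
	rate := 0.0
	if r.Data.AuthEvents > 0 { // avoid dividing by zero on an idle system
		rate = float64(r.Data.FailedLogins) / float64(r.Data.AuthEvents)
	}
	return gaps, rate, nil
}

func main() {
	// Constructed sample, trimmed from the PCI-DSS response shown above.
	body := []byte(`{"data":{"auth_events_90d":12450,"failed_logins_90d":342,"requirements":{"Req 6 - Secure Systems":"partial","Req 8 - Authentication":"compliant","Req 12 - Security Policy":"non-compliant"}}}`)
	fmt.Println(Review(body))
}
```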

SOC 2 Report

The SOC 2 report provides evidence for the Trust Services Criteria: security, availability, and confidentiality. It aggregates monitoring evidence, incident response metrics, access control data, and anomaly events into a format suitable for SOC 2 Type II audits.

Sections

Monitoring Evidence

| Field | Description |
| --- | --- |
| total_events | Total number of security events processed during the reporting window. |
| threats_detected | Number of threats identified by the detection engine. |
| threats_blocked | Number of threats actively blocked before reaching the application. |

Incident Response

| Field | Description |
| --- | --- |
| total_incidents | Total number of security incidents recorded. |
| resolved | Number of incidents that have been resolved. |
| avg_response_time | Average time to resolve an incident (human-readable duration). |

Access Control

| Field | Description |
| --- | --- |
| unique_users | Number of unique users with activity in the reporting window. |
| auth_events | Total authentication events (logins, logouts, token refreshes). |
| ip_blocks_active | Number of currently active IP blocks. |

Anomalies

A list of anomaly-type threat events detected during the reporting window. Each anomaly includes the event ID, timestamp, source IP, severity, and threat type details.

SOC 2 Response (JSON)

{
  "data": {
    "generated_at": "2025-06-15T10:00:00Z",
    "window_start": "2025-05-16T10:00:00Z",
    "window_end": "2025-06-15T10:00:00Z",
    "monitoring_evidence": {
      "total_events": 58420,
      "threats_detected": 134,
      "threats_blocked": 121
    },
    "incident_response": {
      "total_incidents": 134,
      "resolved": 128,
      "avg_response_time": "4m32s"
    },
    "access_control": {
      "unique_users": 67,
      "auth_events": 8930,
      "ip_blocks_active": 14
    },
    "anomalies": [
      {
        "id": "te-anom-042",
        "timestamp": "2025-06-12T18:15:00Z",
        "ip": "203.0.113.88",
        "threat_types": ["AnomalyDetected"],
        "severity": "High"
      }
    ]
  }
}

Query Parameter

The SOC 2 report accepts a ?window query parameter to control the reporting period. The default is 720h (30 days). Example: GET /sentinel/api/reports/soc2?window=2160h for 90 days.

API Endpoints

All report endpoints are authenticated. Include a valid JWT token in the Authorization header. Each endpoint returns the report data in a { "data": ... } envelope.

| Method | Endpoint | Query Params | Description |
| --- | --- | --- | --- |
| GET | /sentinel/api/reports/gdpr | ?window=720h | Generate a GDPR compliance report for the specified time window. |
| GET | /sentinel/api/reports/pci-dss | None (fixed 90 days) | Generate a PCI-DSS compliance report for the last 90 days. |
| GET | /sentinel/api/reports/soc2 | ?window=720h | Generate a SOC 2 compliance report for the specified time window. |

Time Windows

GDPR and SOC 2 reports accept a ?window query parameter that controls how far back the report looks. The value is a Go-style duration string. If omitted, the default is 720h (30 days).

| Value | Duration | Use Case |
| --- | --- | --- |
| 168h | 7 days | Weekly reviews and quick checks on recent activity. |
| 720h | 30 days | Standard monthly compliance reporting. Default. |
| 2160h | 90 days | Quarterly audits, SOC 2 Type II evidence collection. |

Custom Windows

You can pass any valid Go duration, not just the predefined values. For example, ?window=336h produces a 14-day report. If the value cannot be parsed, the endpoint falls back to the default 720h window.
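
Because an unparseable value falls back to 720h instead of returning an error, a typo such as 90d produces a 30-day report that looks valid. The Go sketch below is an added example, not Sentinel's own code: it validates the duration before the request and compares the returned window_start and window_end with what was asked for. ReportURL and CheckWindow are hypothetical helpers; the positive-duration rule and the one-minute tolerance are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// reportWindow picks out the window fields of a GDPR or SOC 2 response.
type reportWindow struct {
	Data struct {
		Start time.Time `json:"window_start"`
		End   time.Time `json:"window_end"`
	} `json:"data"`
}

// ReportURL (hypothetical helper) rejects a window the server would silently
// replace with 720h, then builds the request URL for kind "gdpr" or "soc2".
func ReportURL(base, kind, window string) (string, error) {
	d, err := time.ParseDuration(window)
	if err != nil || d <= 0 { // d <= 0 is this example's own rule
		return "", fmt.Errorf("window %q is not a positive Go duration", window)
	}
	return base + "/sentinel/api/reports/" + kind + "?" + url.Values{"window": {window}}.Encode(), nil
}

// CheckWindow (hypothetical helper) fails when the span the report covers
// differs from the requested one by more than a minute (assumed tolerance).
func CheckWindow(body []byte, requested time.Duration) error {
	var r reportWindow
	if err := json.Unmarshal(body, &r); err != nil {
		return err
	}
	diff := r.Data.End.Sub(r.Data.Start) - requested
	if diff < -time.Minute || diff > time.Minute {
		return fmt.Errorf("report covers %s, requested %s", r.Data.End.Sub(r.Data.Start), requested)
	}
	return nil
}

func main() {
	// Constructed sample: the window fields of the GDPR response shown above.
	body := []byte(`{"data":{"window_start":"2025-05-16T10:00:00Z","window_end":"2025-06-15T10:00:00Z"}}`)
	_, err := ReportURL("http://localhost:8080", "gdpr", "90d") // "d" is not a Go unit
	fmt.Println(err)
	fmt.Println(CheckWindow(body, 2160*time.Hour)) // a fallback to 720h is caught here
	fmt.Println(CheckWindow(body, 720*time.Hour))  // <nil>
}
```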

Dashboard

The Sentinel dashboard includes a dedicated Reports page that provides a graphical interface for generating compliance reports without using the API directly.

  • Report type selector -- choose between GDPR, PCI-DSS, and SOC 2 using toggle buttons at the top of the page.
  • Date range picker -- select the time window from a dropdown. The dropdown is hidden for PCI-DSS since it always covers 90 days.
  • Generate button -- click to generate the report on demand. A loading indicator is shown while the report is being computed.
  • Structured display -- the report is rendered with summary statistics in a grid layout, followed by detailed sections (requirements status, user data summary, anomaly events, etc.) depending on the report type.
  • JSON export -- an Export JSON button appears after a report is generated, allowing you to download the report data as a JSON file.

Access the Reports page at http://localhost:8080/sentinel/ui and navigate to the Reports section.

JSON Export

Both the dashboard and the API return reports as JSON. From the dashboard, clicking the Export JSON button downloads the report as a file named sentinel-<type>-report-<date>.json, where <type> is the report type (gdpr, pci-dss, or soc2) and <date> is the current date in YYYY-MM-DD format.

sentinel-gdpr-report-2025-06-15.json
sentinel-pci-dss-report-2025-06-15.json
sentinel-soc2-report-2025-06-15.json

When consuming reports programmatically via the API, pipe the response through jq to extract the .data field and redirect it to a file:

curl -s -H "Authorization: Bearer <token>" \
"http://localhost:8080/sentinel/api/reports/gdpr?window=720h" \
| jq '.data' > gdpr-report.json

Testing

Use the following curl commands to generate each report type. Replace <token> with a valid JWT token obtained from the dashboard login endpoint.

Generate GDPR Report

# GDPR report for the last 30 days (default)
curl -s -H "Authorization: Bearer <token>" \
"http://localhost:8080/sentinel/api/reports/gdpr?window=720h" | jq .
# GDPR report for the last 7 days
curl -s -H "Authorization: Bearer <token>" \
"http://localhost:8080/sentinel/api/reports/gdpr?window=168h" | jq .
# GDPR report for the last 90 days
curl -s -H "Authorization: Bearer <token>" \
"http://localhost:8080/sentinel/api/reports/gdpr?window=2160h" | jq .

Generate PCI-DSS Report

# PCI-DSS report (always 90 days, no window parameter)
curl -s -H "Authorization: Bearer <token>" \
"http://localhost:8080/sentinel/api/reports/pci-dss" | jq .

Generate SOC 2 Report

# SOC 2 report for the last 30 days (default)
curl -s -H "Authorization: Bearer <token>" \
"http://localhost:8080/sentinel/api/reports/soc2?window=720h" | jq .
# SOC 2 report for the last 90 days
curl -s -H "Authorization: Bearer <token>" \
"http://localhost:8080/sentinel/api/reports/soc2?window=2160h" | jq .

Authentication

All report endpoints require authentication. Obtain a JWT token by logging into the dashboard at POST /sentinel/api/login with your dashboard credentials. Include the token as Authorization: Bearer <token> in every request.

How It Works

Reports are generated on demand by the reports.Generator struct, which queries the storage layer for the relevant data. Each report type has a dedicated generator method that assembles data from multiple storage queries into a single response.

  1. GDPR -- queries user activity, READ/DELETE audit logs, and anomaly-type threat events to build the user data access summary and unusual access patterns list.
  2. PCI-DSS -- queries authentication audit logs, all threat events, and blocked threats over a fixed 90-day window. Computes failure rates and maps results to PCI-DSS requirement categories.
  3. SOC 2 -- queries threat stats, the security score, resolved incidents, audit logs, blocked IPs, and anomaly events to build evidence across monitoring, incident response, and access control sections.

reports/compliance.go

// Generator produces compliance reports from stored Sentinel data.
type Generator struct {
	store storage.Store
}

// NewGenerator creates a new compliance report generator.
func NewGenerator(store storage.Store) *Generator {
	return &Generator{store: store}
}

// GenerateGDPR produces a GDPR compliance report for the given time window.
func (g *Generator) GenerateGDPR(ctx context.Context, window time.Duration) (*GDPRReport, error) {
	// Queries user activity, audit logs (READ/DELETE), and anomaly threats
	// Returns structured report with per-user summaries
}

// GeneratePCIDSS produces a PCI-DSS compliance report for the last 90 days.
func (g *Generator) GeneratePCIDSS(ctx context.Context) (*PCIDSSReport, error) {
	// Fixed 90-day window, no configurable parameter
	// Queries auth audit logs, all threats, and blocked threats
}

// GenerateSOC2 produces a SOC2 compliance report for the given time window.
func (g *Generator) GenerateSOC2(ctx context.Context, window time.Duration) (*SOC2Report, error) {
	// Queries threat stats, security score, resolved incidents,
	// audit logs, blocked IPs, and anomaly events
}

Next Steps

  • Dashboard -- Access the Reports page and generate reports from the UI
  • Anomaly Detection -- Powers the unusual access patterns in GDPR and anomalies in SOC 2 reports
  • WAF -- Threat events from the WAF feed into PCI-DSS and SOC 2 incident data
  • Auth Shield -- Authentication events that populate PCI-DSS auth metrics
  • Security Score -- The security score is included in SOC 2 monitoring evidence
  • Alerting -- Configure real-time alerts alongside periodic compliance reporting
