Data Tracks
Data Tracks is the per-flow evidence view. For every data flow between two entities, it records the data classes touched, the PII patterns that matched, and the rule that produced the detection. It is the evidence layer behind data governance: "did a customer's email leave for OpenAI yesterday?" is a Data Tracks query, not a survey.
Every flow carries its lineage: the agent that initiated it, the destination it reached, the PII classes observed, the rule that fired, and the request and byte counts for the time window.
Data classes AI Hypervisor recognises
- PII classes: email, SSN, payment card, health record, source code, secrets, plus user-defined patterns.
- Data classifications: PII, PCI, MNPI, GLBA, EU AI Act high-risk, public, internal, confidential, regulator-grade.
The classification taxonomy ships with sensible defaults and supports tenant-defined regex tags for custom data classes. Tenant-defined patterns are managed by your Wallarm representative.
How detections are produced
Detections populate as traffic flows. No scheduled run, no batch job. Per flow, the platform records:
- Source and destination entities, both cross-linked to Registry.
- PII classes and data classification observed in the payload.
- Volume: request count and bytes over the time window.
- Rule fired: the exact rule that matched (for example, `\b\d{3}-\d{2}-\d{4}\b` in field `prompt`).
- Time window: first-seen, last-seen, sample count.
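A sketch of how the per-flow record listed above can be built up as requests arrive, added here as an illustration and not the product's own code. The rule table, event shape, byte accounting and the meaning given to sample count are assumptions; the SSN pattern is the one quoted above and the traffic is constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed rule table: (PII class, payload field, regex). SSN pattern is the one quoted above.
RULES = [
    ("SSN", "prompt", r"\b\d{3}-\d{2}-\d{4}\b"),
    ("email", "prompt", r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
]

@dataclass
class FlowRecord:
    source: str
    destination: str
    pii_classes: set = field(default_factory=set)
    rules_fired: set = field(default_factory=set)
    requests: int = 0
    byte_count: int = 0  # assumption: bytes of the scanned field values
    first_seen: str = ""
    last_seen: str = ""
    samples: int = 0  # assumption: requests in which at least one rule matched

def track(events):
    """Fold request events into one record per (source, destination) flow."""
    flows = {}
    for ev in events:
        key = (ev["source"], ev["destination"])
        rec = flows.setdefault(key, FlowRecord(*key))
        rec.requests += 1
        rec.byte_count += sum(len(v.encode()) for v in ev["fields"].values())
        # ISO 8601 UTC timestamps of equal precision sort lexicographically
        rec.first_seen = min(rec.first_seen or ev["ts"], ev["ts"])
        rec.last_seen = max(rec.last_seen, ev["ts"])
        fired = {(cls, f"{rx} in field {fld}") for cls, fld, rx in RULES
                 if re.search(rx, ev["fields"].get(fld, ""))}
        rec.pii_classes |= {cls for cls, _ in fired}
        rec.rules_fired |= {rule for _, rule in fired}
        rec.samples += bool(fired)
    return flows

# Constructed sample traffic: (timestamp, source, destination, prompt)
RAW = [
    ("2024-05-01T10:00:00Z", "support-agent", "api.openai.com", "Summarise ticket from jane@example.com"),
    ("2024-05-01T10:05:00Z", "support-agent", "api.openai.com", "Customer SSN is 123-45-6789, verify identity"),
    ("2024-05-01T10:07:00Z", "support-agent", "api.openai.com", "What is the refund policy?"),
    ("2024-05-01T10:08:00Z", "billing-agent", "internal-llm", "Order 123-456-7890 status"),  # not SSN-shaped
]
EVENTS = [{"ts": t, "source": s, "destination": d, "fields": {"prompt": p}} for t, s, d, p in RAW]

if __name__ == "__main__":
    for rec in track(EVENTS).values():
        print(rec)
```

The last constructed event shows why the recorded rule text matters as evidence: the order number contains digit groups and hyphens but does not satisfy the 3-2-4 grouping, so the flow is counted for volume without any PII class attached.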
Cross-references
| From Data Tracks | You land in |
|---|---|
| Source or destination entity | Registry, entity detail |
| Initiating session | User Tracks, session waterfall |
| Recent alerts on the flow | Notifications, filtered |
| Evidence for compliance | Compliance, entity- or flow-scoped bundle |
| View in Topology | Topology, focused on the flow's two endpoints |
You typically arrive at Data Tracks from the Findings PII column, a Registry entity's PII-flows view, a Topology edge, or a Notifications PII alert.
Settings that affect Data Tracks
- Scan frequency (Settings → Cluster Infrastructure) controls how often scanners poll, and therefore how fresh detections are.
- The applications and namespaces observed are determined by where the scanner is deployed via Helm and which workloads carry the `higgs.scan=enabled` label. See Labels and Annotations.