Output Schema
The Data Collector produces a single structured JSON file, which it writes atomically to the Ephemeral Data Store at the end of collection. This file is the binding interface contract between Component 1 (the Data Collector) and Component 3 (the Assessment Engine).
Interface contract
The Assessment Engine treats this schema as stable. Any change to field names, to the nesting structure, or to the set of item_status values in graph_results must be versioned via collection_version, and the Assessment Engine must handle that change in a backward-compatible way.
Top-Level Schema
{
"job_id": "uuid",
"tenant_id": "uuid",
"collected_at": "ISO8601 timestamp",
"collection_version": "1.0",
"modules": ["ALZ", "AKS"],
"retention_opted_in": false,
"tenant_structure": {
"management_groups": [...],
"subscriptions": [...],
"resource_groups": { "subscription_id": [...] },
"tag_names": { "subscription_id": [...] },
"locations": { "subscription_id": [...] }
},
"graph_results": {
"checklist_item_guid": {
"query": "string — excluded from logs",
"results": [{ "id": "resource_id", "compliant": true }],
"item_status": "compliant | non_compliant | not_applicable | error"
}
},
"rest_results": {
"policy_assignments": {...},
"policy_definitions": {...},
"role_assignments": {...},
"role_definitions": {...},
"defender_secure_scores": {...},
"defender_assessments": {...},
"defender_pricings": {...},
"defender_auto_provisioning": {...},
"diagnostic_settings": {...},
"activity_log_alerts": {...},
"scheduled_query_rules": {...},
"log_analytics_workspaces": {...},
"cost_query": {...},
"budgets": {...},
"reservation_recommendations": {...}
},
"sentinel_results": {
"deployed": true,
"alert_rules": {...},
"data_connectors": {...},
"automation_rules": {...},
"open_incidents": { "total": 12, "high": 3, "medium": 7, "low": 2 }
},
"entra_results": {
"conditional_access_policies": [...],
"directory_roles": [...],
"authorization_policy": {...},
"subscribed_skus": [...]
},
"collection_quality": { "...see quality-scoring..." },
"collection_errors": [ "...see error-handling..." ]
}