System Audit
The System Audit page records all significant actions performed in the platform. Use audit logs to track who did what and when, for both security review and compliance requirements.
Audit logs are immutable. They cannot be edited or deleted by any user, including administrators.
What Gets Logged
The audit system captures three categories of events:
User Actions
Actions performed by authenticated users through the UI or API:
- Login and logout events
- Policy creation, modification, and deletion
- Tag creation, assignment, and removal
- Settings modifications (timezone, client configuration, health scoring weights)
- Report creation and export
- Manual task execution (update installs, log collection, scans)
System Events
Automated actions performed by the platform:
- Agent enrollment and de-enrollment
- Automated rule execution (e.g., auto-tagging rules, scheduled policies)
- Scheduled task results (update installations, telemetry collection)
- Agent health score changes
- Vulnerability scan completions
Administrative Changes
High-privilege actions that affect platform access and configuration:
- User invitations and role assignments
- Role creation and permission modifications
- User deactivation and reactivation
- API key generation and revocation
- Authentication provider configuration changes
Viewing Audit Logs
Navigate to System Audit from the sidebar. The audit log displays entries in reverse chronological order. Each entry includes:
| Field | Description |
|---|---|
| Timestamp | When the action occurred, displayed in your configured timezone |
| User | The user who performed the action, or "System" for automated actions |
| Action Type | The category of action (create, update, delete, login, system) |
| Resource | The type and identifier of the affected resource |
| Details | A summary of what changed, including before and after values where applicable |
Click any entry to expand it and view the full details of the action, including the complete set of changed fields and their previous values.
Searching and Filtering
Use the search bar and filter controls to find specific events:
| Filter | Options |
|---|---|
| Date range | Select a start and end date to narrow results to a specific time window |
| User | Filter by the user who performed the action, or select "System" for automated events |
| Action type | Create, Update, Delete, Login, System |
| Resource type | Policy, Agent, Tag, User, Setting, API Key, Role |
Combine multiple filters to narrow results precisely. For example, filter by "Delete" action type and "Policy" resource type to see all policy deletions within a date range.
Audit Log Retention
Audit logs are retained according to your platform's data retention settings. The default retention period covers the full duration of your subscription.
Review audit logs after making bulk changes to verify that all actions completed as expected.
For compliance purposes, export logs regularly if your retention policy is shorter than your audit requirements. Exported logs include all fields and can serve as an offline compliance record.
Export
Export audit log data for use in external security tools or compliance documentation:
- Apply the desired filters to narrow the result set.
- Click Export.
- Select CSV or JSON format.

The export includes all matching entries, not just the currently visible page.
Exported audit logs are suitable for ingestion into SIEM platforms, compliance reporting tools, or long-term archival storage.
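As an added example (not part of the platform or its documentation), the following script reviews a CSV export offline: it records a SHA-256 digest of the file for the archival record and groups high-privilege entries by user. The column names are taken from the field table above; the exact CSV header, the `Type:identifier` layout of the Resource column, and the sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. Column names follow the field table on this page;
# the exact CSV header and the "Type:identifier" Resource layout are assumptions.
SAMPLE_EXPORT = """\
Timestamp,User,Action Type,Resource,Details
2024-05-01T09:12:00Z,alice@example.com,login,User:alice,Successful login
2024-05-01T09:15:00Z,alice@example.com,create,API Key:key-01,Generated API key
2024-05-01T09:20:00Z,System,system,Agent:agent-17,Health score changed
2024-05-01T10:02:00Z,bob@example.com,delete,Policy:pol-04,Policy deleted
2024-05-01T10:05:00Z,bob@example.com,update,Role:auditor,Permissions modified
2024-05-01T10:30:00Z,carol@example.com,update,Tag:prod,Tag renamed
"""

# Resource types from the filter list that cover user, role and API key administration.
ADMIN_RESOURCES = {"user", "role", "api key"}


def is_high_privilege(row):
    """True for changes to users, roles or API keys, and for policy deletions."""
    action = row["Action Type"].strip().lower()
    rtype = row["Resource"].split(":", 1)[0].strip().lower()
    if action == "login":
        return False  # login entries reference a user but change nothing
    if rtype in ADMIN_RESOURCES:
        return True
    return action == "delete" and rtype == "policy"


def review_export(text):
    """Return (sha256 hex digest of the export, {user: [flagged rows]})."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    flagged = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if is_high_privilege(row):
            flagged[row["User"]].append(row)
    return digest, dict(flagged)


if __name__ == "__main__":
    digest, flagged = review_export(SAMPLE_EXPORT)
    print("export sha256:", digest)
    for user, rows in flagged.items():
        for r in rows:
            print(user, r["Timestamp"], r["Action Type"], r["Resource"])
```

Storing the digest alongside the archived file lets a later reviewer confirm the offline copy has not changed since export.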