Reading the audit log

How to read, filter, export, and use the audit log for forensic scenarios.

The /audit-log page shows an append-only record of every significant action taken against your account's resources.

What is logged

The audit log captures all write and publish actions:

  • Rules — create, edit (draft), publish, archive, unarchive.
  • Profiles — create, draft, publish, archive, unarchive.
  • Spec jobs — enqueue (with the engine version used) and cancel.
  • API keys — create, revoke. Renaming a key is not audited.
  • Engine versions — registration, deprecation, and retirement of engine versions on the platform.

Logins and bundle downloads are not recorded in the audit log.

Each entry contains the following columns:

  • Occurred at — UTC timestamp (minute precision); hover to see a second-precise timestamp with timezone offset.
  • Actor — User ID, or API key: <name> when an API key authenticated the request.
  • Action — Technical action name (e.g. RuleCreated, ProfilePublished).
  • Entity — Affected resource with a link to its detail page where applicable.
  • Engine version — Engine used, when relevant (spec jobs).
  • Details — Full payload as JSON; click "Show" to expand.

Filtering and date range

Use the filter bar at the top to narrow down the stream:

  • From / To — UTC date range. Default: last 30 days.
  • Entity type — restrict to Rule, Profile, API key, Spec job, or Engine version.
  • Action — filter to a specific action type.
  • Slug — exact match on the entity slug.

After changing any filter, click Apply to reload the table. The table shows 100 entries per page; use the Prev / Next controls below the table to page through.

CSV export for external tools

Click Export CSV (top right) to download all matching entries as a CSV file. The export uses the same filters as the currently displayed view and is capped at 100 000 rows.

Columns in the CSV: occurredAt, actor, entityType, entitySlug, entityVersion, action, engineVersion, clientIp, payload.

Typical downstream use:

  • Excel / Google Sheets — open the file and format the occurredAt column as a date.
  • SIEM / Splunk — ingest the CSV as a data source and alert on action or actor.

Note that the audit log and its CSV export are only available from a logged-in browser session. API keys cannot read the audit log, so the export cannot be automated with an API key.

Retention

Audit entries are kept for 24 months. After that they are purged automatically. Export entries you need to keep longer before they are removed.

Common forensic scenarios

Why is my build stricter since yesterday?

  1. Set the date range to yesterday.
  2. Choose Entity type = Profile and Action = ProfilePublished.
  3. Click the profile slug in the Entity column to open the new profile version and see the changed rules or severity overrides.

Alternatively: Entity type = Rule, Action = RulePublished — shows all rules that received a new version yesterday.

Who published?

  1. Filter on Action = ProfilePublished or RulePublished.
  2. The Actor column shows the user ID or API key name that triggered the publish.

When was an API key created or revoked?

  1. Choose Entity type = API key.
  2. Set the date range to the suspected period.
  3. The actions ApiKeyCreated and ApiKeyRevoked show the exact time and the user who acted.

Which spec jobs ran on engine X?

  1. Choose Entity type = Spec job.
  2. Type the rule's slug into the Slug field.
  3. The Engine version column shows which engine version was used for each run.
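The CSV export described under "CSV export for external tools" and the four forensic scenarios above, worked offline in Python. This is an added example, not the platform's own code or documentation. It assumes the column names listed on this page, that occurredAt is an ISO 8601 UTC timestamp (the page does not state the export's timestamp format), that API-key actors use the "API key: <name>" form shown in the Actor column, and it uses SpecJobEnqueued as a placeholder action name because the page does not list spec-job action names. The sample rows are constructed (TEST-NET addresses, made-up users and slugs).

```python
"""Offline triage of an audit-log CSV export (added example, not the platform's code).

Assumptions: page-listed column names; occurredAt is ISO 8601 UTC (format not
stated on the page); API-key actors look like "API key: <name>";
SpecJobEnqueued is a placeholder action name.
"""
import csv
import io
import json
from collections import Counter
from datetime import datetime

# Constructed sample export: TEST-NET IPs, made-up user IDs, key names and slugs.
SAMPLE_CSV = """occurredAt,actor,entityType,entitySlug,entityVersion,action,engineVersion,clientIp,payload
2024-05-01T09:14:02Z,u_1234,Profile,strict-web,7,ProfilePublished,,203.0.113.10,"{""severityOverrides"":{""sql-injection"":""critical""}}"
2024-05-01T10:02:45Z,API key: ci-runner,Rule,sql-injection,12,RulePublished,,198.51.100.7,"{""changed"":[""pattern""]}"
2024-05-01T11:30:00Z,u_1234,API key,ci-runner,,ApiKeyRevoked,,203.0.113.10,{}
2024-05-02T08:00:00Z,u_5678,API key,deploy-bot,,ApiKeyCreated,,203.0.113.11,{}
2024-05-02T08:05:00Z,API key: deploy-bot,Spec job,sql-injection,12,SpecJobEnqueued,engine-3.4.1,198.51.100.8,{}
2024-05-02T08:06:00Z,API key: deploy-bot,Spec job,xss-reflected,3,SpecJobEnqueued,engine-3.2.0,198.51.100.8,{}
"""


def load_entries(csv_text):
    """Parse the export: occurredAt becomes an aware datetime, payload becomes a dict."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["occurredAt"] = datetime.fromisoformat(row["occurredAt"].replace("Z", "+00:00"))
        row["payload"] = json.loads(row["payload"]) if row["payload"] else {}
        entries.append(row)
    return entries


def publishes_on(entries, day):
    """'Why is my build stricter since yesterday?': profile/rule publishes on one UTC day (YYYY-MM-DD)."""
    return [e for e in entries
            if e["action"] in ("ProfilePublished", "RulePublished")
            and e["occurredAt"].date().isoformat() == day]


def publishers(entries):
    """'Who published?': number of publish actions per actor (user ID or API key name)."""
    return Counter(e["actor"] for e in entries if e["action"].endswith("Published"))


def api_key_events(entries, start, end):
    """'When was an API key created or revoked?': key lifecycle events within [start, end] (YYYY-MM-DD)."""
    return [(e["occurredAt"].isoformat(), e["action"], e["entitySlug"], e["actor"])
            for e in entries
            if e["entityType"] == "API key"
            and start <= e["occurredAt"].date().isoformat() <= end]


def spec_jobs_on_engine(entries, engine_version):
    """'Which spec jobs ran on engine X?': filtered by engine directly, which the UI filter bar cannot do."""
    return [e["entitySlug"] for e in entries
            if e["entityType"] == "Spec job" and e["engineVersion"] == engine_version]


def alerts(entries):
    """SIEM-style rules on action and actor: publishes by a machine credential, and new API keys."""
    found = []
    for e in entries:
        if e["action"].endswith("Published") and e["actor"].startswith("API key:"):
            found.append(("publish-by-api-key", e["actor"], e["entitySlug"], e["clientIp"]))
        if e["action"] == "ApiKeyCreated":
            found.append(("api-key-created", e["actor"], e["entitySlug"], e["clientIp"]))
    return found


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    for e in publishes_on(entries, "2024-05-01"):
        print(e["occurredAt"], e["action"], e["entitySlug"], "v" + e["entityVersion"], e["payload"])
    print(publishers(entries))
    print(api_key_events(entries, "2024-05-01", "2024-05-02"))
    print(spec_jobs_on_engine(entries, "engine-3.4.1"))
    for a in alerts(entries):
        print("ALERT", *a)
```

Because the export cannot be fetched with an API key, the CSV has to be downloaded from a browser session and then handed to a script like this or to the SIEM; the 24-month retention means exports intended as long-term evidence should be taken (and hashed) well before that window closes.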