Audit Log
The audit log is a complete, tamper-evident record of every action taken in your BreachSpider account. It exists for one purpose: to prove to an auditor that your team responded appropriately to every finding.
The audit log is read-only. Entries cannot be edited, modified, or deleted by any user, including administrators. This immutability is by design -- the log is an evidence record, not a management tool.
What is Logged
Authentication Events
| Action | Description |
|---|---|
| LOGIN | User authenticated via magic link |
| LOGOUT | User explicitly logged out |
| SESSION_REVOKED | An active session was invalidated |
| API_KEY_CREATED | A new API key was generated |
| API_KEY_REVOKED | An API key was deactivated |
Environment and Asset Management
| Action | Description |
|---|---|
| ENV_CREATED | A new environment was created |
| ENV_UPDATED | An environment's name, description, type, or criticality was changed |
| ENV_DELETED | An environment was permanently deleted |
| ASSET_ADDED | A new asset was added to an environment |
| ASSET_UPDATED | An asset's fields were modified |
| ASSET_REMOVED | An asset was removed from an environment |
| ASSET_CSV_IMPORTED | A CSV asset import was committed |
Finding Actions
| Action | Description |
|---|---|
| FINDING_ACKNOWLEDGED | A finding was acknowledged with a reason and optional notes |
| FINDING_DISMISSED | A finding was dismissed from the active view |
| FINDING_RESTORED | A dismissed or acknowledged finding was restored to active status |
| FINDING_SHARED | A share link was generated for environment findings |
Tickets
| Action | Description |
|---|---|
| TICKET_CREATED | A new ticket was created (includes CVE, asset, assignee, destination) |
| TICKET_CLOSED | A ticket was closed (includes resolution reason and notes) |
| TICKET_REOPENED | A closed ticket was reopened (includes reason) |
Reports
| Action | Description |
|---|---|
| REPORT_GENERATED | A report was generated (includes type and environment) |
| REPORT_VIEWED | A report was viewed in the browser |
| REPORT_EXPORTED | A report was downloaded (includes format: PDF or CSV) |
| REPORT_SHARED | A report was shared with an external recipient |
Integrations
| Action | Description |
|---|---|
| WEBHOOK_CREATED | A new webhook connection was configured |
| WEBHOOK_FIRED | A webhook notification was sent |
| CONNECTION_TESTED | An integration connection was tested |
| KEY_GENERATED | An integration key was generated |
| KEY_REVOKED | An integration key was revoked |
| ALERT_RULE_CREATED | A new alert rule was created |
| ALERT_RULE_CHANGED | An alert rule was modified or toggled |
Team Management
| Action | Description |
|---|---|
| MEMBER_INVITED | A new team member was invited |
| MEMBER_REMOVED | A team member was removed |
| ROLE_CHANGED | A team member's role was changed (admin/member) |
Billing
| Action | Description |
|---|---|
| TIER_UPGRADED | Subscription was upgraded to a higher tier |
| TIER_DOWNGRADED | Subscription was downgraded to a lower tier |
| SUBSCRIPTION_CANCELLED | Subscription was cancelled |
SAGE
| Action | Description |
|---|---|
| SAGE_QUERIED | A SAGE query was submitted (logs CVE ID and query type -- response content is never logged) |
Log Entry Structure
Each audit log entry contains:
| Field | Description |
|---|---|
| Timestamp | UTC, millisecond precision |
| Actor Email | The email of the user who performed the action |
| Actor Name | The name of the user |
| Action | The action code (e.g., FINDING_ACKNOWLEDGED) |
| Resource Type | What was affected (finding, ticket, environment, etc.) |
| Resource ID | The identifier of the affected resource |
| Environment ID | The environment context, if applicable |
| Detail | A JSON object with action-specific context (reason, notes, destination, etc.) |
| IP Address | The IP address from which the action was performed |
| User Agent | The browser or API client used |
Retention by Tier
| Tier | Retention | Access |
|---|---|---|
| Free | No audit log access | N/A |
| Standard | 30-day rolling log | In-app view only |
| Professional | 90-day log | In-app view + CSV export |
| API | 90-day log | In-app + CSV + API access |
| Enterprise | 1-year log | In-app + CSV + PDF export + API access |
After the retention period, log entries are permanently deleted. Export your audit log regularly if you need long-term retention beyond your tier's limit.
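The following is an added example, not BreachSpider code: a review of an exported CSV that flags reason-bearing actions whose Detail object has no reason and entries that will pass the retention limit soon. The CSV column names, the `reason` key inside Detail, and the sample rows are assumptions constructed for illustration; set `retention_days` from your tier in the table above.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Actions whose Detail object carries a reason, per the action tables above.
REASON_ACTIONS = {"FINDING_ACKNOWLEDGED", "TICKET_CLOSED", "TICKET_REOPENED"}

# Constructed sample export. Column names and Detail keys are assumptions.
SAMPLE_EXPORT = '''timestamp,actor_email,action,resource_type,resource_id,detail
2024-03-01T09:15:02.123Z,a@example.com,FINDING_ACKNOWLEDGED,finding,f-1,"{""reason"": ""compensating control""}"
2024-03-02T10:00:00.000Z,b@example.com,FINDING_ACKNOWLEDGED,finding,f-2,"{""notes"": ""will fix""}"
2024-05-20T11:30:45.500Z,a@example.com,TICKET_CLOSED,ticket,t-9,"{""reason"": """"}"
2024-05-21T08:00:00.000Z,b@example.com,REPORT_EXPORTED,report,r-3,"{""format"": ""CSV""}"
'''

def parse_ts(value):
    """Parse a UTC, millisecond-precision timestamp such as 2024-03-01T09:15:02.123Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def review_export(csv_text, retention_days, now, warn_days=14):
    """Return (resource IDs lacking a reason, resource IDs deleted within warn_days)."""
    missing_reason, expiring = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            detail = json.loads(row["detail"] or "{}")
        except json.JSONDecodeError:
            detail = {}  # unparseable Detail counts as no evidence
        if not isinstance(detail, dict):
            detail = {}
        reason = str(detail.get("reason") or "").strip()
        if row["action"] in REASON_ACTIONS and not reason:
            missing_reason.append(row["resource_id"])
        # Entry is deleted once it is older than the tier's retention period.
        deleted_at = parse_ts(row["timestamp"]) + timedelta(days=retention_days)
        if deleted_at - now <= timedelta(days=warn_days):
            expiring.append(row["resource_id"])
    return missing_reason, expiring
```

Archive the export before the earliest flagged deletion date, and resolve the missing reasons while the people involved can still supply them.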
Accessing the Audit Log
Navigate to Account > Audit Log to view the log in the browser.
The default view shows the most recent entries, sorted by timestamp (newest first).
See Searching the Audit Log for filtering and search instructions. See Exporting for Auditors for export instructions.