
Exporting the Audit Log for Auditors

The audit log can be exported in CSV and PDF formats for submission to auditors, inclusion in compliance packages, or long-term archival.


CSV Export (Professional Tier and Above)

How to Export

  1. Navigate to Account > Audit Log.
  2. Apply your desired filters:
    • Date range (e.g., Q2 2026: 2026-04-01 to 2026-06-30).
    • Environment (e.g., Water Treatment Plant Alpha).
    • Action types (e.g., FINDING_ACKNOWLEDGED, TICKET_CREATED, TICKET_CLOSED).
    • Actor (if reviewing a specific person's activity).
  3. Click Export CSV.
  4. The CSV file downloads immediately.

CSV Columns

Column            Description
timestamp         ISO 8601 UTC timestamp with millisecond precision
actor_email       Email of the user who performed the action
actor_name        Name of the user
action            Action code (e.g., FINDING_ACKNOWLEDGED)
resource_type     Type of resource affected (finding, ticket, environment, etc.)
resource_id       Identifier of the affected resource
environment_name  Environment name, if applicable
detail_json       Full action context as a JSON string (reason, notes, destination, etc.)
ip_address        IP address from which the action was performed

Working with the CSV

The CSV can be opened in any spreadsheet application (Excel, Google Sheets) or imported into a database for analysis.

The detail_json column contains structured data. In Excel, use the JSON parsing functions or a text-to-columns workflow to extract specific fields like acknowledgment reasons or ticket close notes.
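
For analysis outside a spreadsheet, the detail_json column can be expanded with a short script. The following is an added example, not BreachSpider's own code: it assumes detail_json carries the same keys as the API's detail object (cve_id, reason, notes), uses constructed sample rows, and writes nothing back to the original export. It also prefixes cells that a spreadsheet would treat as a formula, since free-text notes end up in the flattened working copy.

```python
import csv
import io
import json

# Constructed sample export using the documented columns (not real data).
SAMPLE_CSV = '''timestamp,actor_email,actor_name,action,resource_type,resource_id,environment_name,detail_json,ip_address
2026-06-07T12:00:00.123Z,analyst@example.com,Sarah Chen,FINDING_ACKNOWLEDGED,finding,42,Water Treatment Plant Alpha,"{""cve_id"": ""CVE-2025-32433"", ""reason"": ""compensating_control"", ""notes"": ""Isolated to VLAN 10.3.x""}",203.0.113.45
2026-06-08T09:15:00.000Z,analyst@example.com,Sarah Chen,TICKET_CLOSED,ticket,77,Water Treatment Plant Alpha,"{""notes"": ""=patched in maintenance window""}",203.0.113.45
2026-06-09T10:00:00.000Z,ops@example.com,Ops User,TICKET_CREATED,ticket,78,Water Treatment Plant Alpha,{not valid json,203.0.113.46
'''

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def neutralize(value):
    """Prefix formula-like cells with a quote so they display as plain text."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text

def flatten_export(csv_text, fields=("cve_id", "reason", "notes")):
    """Expand detail_json into detail_<field> columns.

    Returns (rows, bad_lines); bad_lines lists CSV line numbers whose
    detail_json could not be parsed, so gaps are visible rather than silent.
    """
    rows, bad_lines = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        try:
            detail = json.loads(row["detail_json"] or "{}")
            if not isinstance(detail, dict):
                raise ValueError("detail_json is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError
            bad_lines.append(reader.line_num)
            detail = {}
        for field in fields:
            row["detail_" + field] = detail.get(field, "")
        # The result is a working copy; archive the untouched export as evidence.
        rows.append({key: neutralize(val) for key, val in row.items()})
    return rows, bad_lines
```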


PDF Export (Enterprise Tier)

How to Export

  1. Navigate to Account > Audit Log.
  2. Apply your filters.
  3. Click Export PDF.
  4. The PDF generates and downloads.

PDF Format

The PDF includes:

  • Header: BreachSpider / CITED Relevance LLC letterhead.
  • Metadata: Organization name, date range, filters applied, report generation timestamp.
  • Log entries: All matching entries in a formatted table.
  • Page numbers and total entry count.
  • Footer: "This report was generated by BreachSpider. Entries are immutable and cannot be modified."

The PDF is suitable for direct submission to auditors without additional formatting.


API Access (Enterprise Tier)

For programmatic access to the audit log:

curl -H "Authorization: Bearer bs_live_..." \
  "https://breachspider.com/api/v1/audit-log?from=2026-01-01&to=2026-03-31&action=FINDING_ACKNOWLEDGED"

Query Parameters

Parameter       Description
from            Start date (ISO 8601)
to              End date (ISO 8601)
action          Filter by action type (comma-separated for multiple)
environment_id  Filter by environment
actor_email     Filter by actor
limit           Results per page (default 100, max 1000)
offset          Pagination offset

Response Format

{
  "status": "success",
  "data": {
    "entries": [
      {
        "timestamp": "2026-06-07T12:00:00.123Z",
        "actor_email": "[email protected]",
        "actor_name": "Sarah Chen",
        "action": "FINDING_ACKNOWLEDGED",
        "resource_type": "finding",
        "resource_id": "42",
        "environment_id": 5,
        "environment_name": "Water Treatment Plant Alpha",
        "detail": {
          "cve_id": "CVE-2025-32433",
          "reason": "compensating_control",
          "notes": "Isolated to VLAN 10.3.x"
        },
        "ip_address": "203.0.113.45"
      }
    ],
    "total": 847,
    "limit": 100,
    "offset": 0
  }
}
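
Because a single response holds at most 1000 entries, an export for auditors has to walk every page and confirm that nothing was dropped. The following is an added example, not BreachSpider's own client: fetch_all, http_fetch and fake_fetch are hypothetical names, the treatment of any status other than "success" as an error is an assumption, and fake_fetch is a constructed stand-in so the pagination logic runs offline.

```python
import json
import urllib.parse
import urllib.request

API_URL = "https://breachspider.com/api/v1/audit-log"  # endpoint from the curl example

def http_fetch(params, token):
    """Real transport: one GET with the bearer token, returns the decoded JSON body."""
    req = urllib.request.Request(
        API_URL + "?" + urllib.parse.urlencode(params),
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_all(filters, fetch, limit=1000):
    """Page through the log with limit/offset and refuse to return a partial set."""
    entries, offset = [], 0
    while True:
        body = fetch(dict(filters, limit=limit, offset=offset))
        # Assumption: any status other than "success" signals an error.
        if body.get("status") != "success":
            raise RuntimeError("audit-log request failed at offset %d" % offset)
        data = body["data"]
        entries.extend(data["entries"])
        offset += len(data["entries"])
        if not data["entries"] or offset >= data["total"]:
            break
    # An incomplete export is worse evidence than none: fail loudly.
    if len(entries) != data["total"]:
        raise RuntimeError("expected %d entries, got %d" % (data["total"], len(entries)))
    return entries

def fake_fetch(params):
    """Constructed stand-in for the API so the example runs offline (5 entries)."""
    store = [{"resource_id": str(i), "action": "FINDING_ACKNOWLEDGED"} for i in range(5)]
    lo, n = params["offset"], params["limit"]
    return {"status": "success",
            "data": {"entries": store[lo:lo + n], "total": len(store), "limit": n, "offset": lo}}

if __name__ == "__main__":
    q1 = {"from": "2026-01-01", "to": "2026-03-31", "action": "FINDING_ACKNOWLEDGED"}
    print(len(fetch_all(q1, fake_fetch, limit=2)), "entries")
    # Live use, reading the key from the environment (variable name is hypothetical):
    # fetch_all(q1, lambda p: http_fetch(p, os.environ["BREACHSPIDER_API_KEY"]))
```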

What to Give Your Auditor

For NERC CIP

Export the audit log for the compliance period, filtered to:

  • FINDING_ACKNOWLEDGED
  • TICKET_CREATED
  • TICKET_CLOSED
  • REPORT_GENERATED
  • ASSET_ADDED, ASSET_UPDATED, ASSET_REMOVED

This proves:

  • Your team identified and evaluated security patches (findings).
  • Remediation actions were initiated (tickets created).
  • Remediation was completed or risk was documented (tickets closed, findings acknowledged).
  • Evidence reports were generated (reports).
  • Your asset baseline was maintained (asset changes logged).

For SOC 2

Export filtered to:

  • LOGIN, LOGOUT, SESSION_REVOKED (access control evidence)
  • API_KEY_CREATED, API_KEY_REVOKED (credential management)
  • MEMBER_INVITED, MEMBER_REMOVED, ROLE_CHANGED (user lifecycle)
  • FINDING_ACKNOWLEDGED, REPORT_GENERATED (continuous monitoring)

This demonstrates:

  • Logical access controls (CC6.1).
  • New user provisioning (CC6.2).
  • Access removal (CC6.3).
  • Threat detection and monitoring (CC7.1, CC7.2).

For IEC 62443

Export filtered to:

  • FINDING_ACKNOWLEDGED (vulnerability management documentation)
  • TICKET_CREATED, TICKET_CLOSED (remediation tracking)
  • ASSET_ADDED, ASSET_UPDATED (configuration management)
  • SAGE_QUERIED (vulnerability assessment activity)

This supports IEC 62443-2-1 Section 4.2.3.9 (patch and vulnerability management).


Archival Best Practices

Export and archive the audit log at the end of each compliance period. While BreachSpider retains logs according to your tier's retention policy (30 days for Standard, 90 days for Professional, 1 year for Enterprise), your organization may require longer retention for regulatory purposes.

Store exported logs in a secure, access-controlled location (encrypted file storage, compliance document management system). Include the export date and the person who performed the export in your archival metadata.