Searching the Audit Log

The audit log search interface allows you to find specific events, filter by action type, and narrow results to specific actors, environments, or date ranges.


Navigate to Account > Audit Log. The search and filter controls are at the top of the log view.


Search and Filter Options

Enter any text in the search bar to search across:

  • CVE IDs (e.g., "CVE-2025-32433")
  • Actor email addresses (e.g., "[email protected]")
  • Resource IDs (e.g., ticket ID, asset ID)
  • Notes content (text entered in acknowledgment or ticket notes)

The search is case-insensitive and matches partial strings.

Date Range Picker

Set a "From" and "To" date to limit results to a specific period. Useful for:

  • Compliance reporting periods (e.g., Q2 2026: April 1 - June 30).
  • Incident investigation windows (e.g., the 48 hours around a security event).
  • Weekly review (e.g., last 7 days).

Action Filter

Select one or more action types from the dropdown to show only those events:

  • FINDING_ACKNOWLEDGED
  • TICKET_CREATED
  • TICKET_CLOSED
  • LOGIN
  • ENV_CREATED
  • ASSET_ADDED
  • And all other action types listed in the Audit Log documentation.

Select multiple actions to combine them (e.g., FINDING_ACKNOWLEDGED + TICKET_CREATED to see all triage activity).

Environment Filter

Show only actions related to a specific environment. Useful when preparing site-specific compliance evidence or investigating activity at a particular facility.

Actor Filter

Show actions performed by a specific team member. Useful for:

  • Reviewing a team member's activity during a compliance period.
  • Investigating who performed a specific action.
  • Generating per-person activity summaries for team management.

Common Search Scenarios

"Who acknowledged CVE-2025-32433?"

  • Action filter: FINDING_ACKNOWLEDGED
  • Free text: CVE-2025-32433
  • Result: Shows the acknowledgment entry with the actor, reason, notes, and timestamp.

"What did [email protected] do last week?"

  • Actor filter: [email protected]
  • Date range: Last 7 days
  • Result: All actions performed by Sarah in the past week.

"Show all tickets created in Water Plant Alpha this month."

  • Action filter: TICKET_CREATED
  • Environment filter: Water Plant Alpha
  • Date range: This month
  • Result: Every ticket created for the water plant environment in the current month.

"Show all logins this week."

  • Action filter: LOGIN
  • Date range: Last 7 days
  • Result: Every authentication event in the past week, with IP addresses and user agents.

"Show all findings acknowledged as compensating_control."

  • Action filter: FINDING_ACKNOWLEDGED
  • Free text: compensating_control
  • Result: Every finding that was acknowledged with a compensating control reason. Use this to compile your compensating controls register for an audit.

"What happened to asset PLC-A-Line3?"

  • Free text: PLC-A-Line3
  • Result: All log entries referencing this asset -- additions, updates, findings, tickets, acknowledgments.
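
The filter behaviour described above can be modelled locally to see how the options combine. This is an added example, not the product's code: the field names, the sample entries, the AND-combination of different filters and the inclusive date bounds are all assumptions.

```python
from datetime import date, datetime, timezone

# Constructed sample entries. Field names are assumptions for this sketch,
# not the product's schema; timestamps are UTC, as in the log view.
ENTRIES = [
    {"ts": "2026-04-02T09:15:00Z", "actor": "analyst@example.com",
     "action": "FINDING_ACKNOWLEDGED", "env": "Water Plant Alpha",
     "resource": "CVE-2025-32433", "notes": "compensating_control: segmented VLAN"},
    {"ts": "2026-04-02T09:20:00Z", "actor": "analyst@example.com",
     "action": "TICKET_CREATED", "env": "Water Plant Alpha",
     "resource": "PLC-A-Line3", "notes": "Patch at next outage"},
    {"ts": "2026-04-03T23:30:00Z", "actor": "lead@example.com",
     "action": "ASSET_ADDED", "env": "Water Plant Alpha",
     "resource": "PLC-A-Line30", "notes": ""},
    {"ts": "2026-07-01T00:05:00Z", "actor": "lead@example.com",
     "action": "LOGIN", "env": "", "resource": "", "notes": ""},
]

def search(entries, text=None, actions=None, env=None, actor=None,
           date_from=None, date_to=None):
    """Return entries matching every filter that is set (assumed to be ANDed)."""
    hits = []
    for e in entries:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        day = ts.astimezone(timezone.utc).date()
        haystack = " ".join((e["resource"], e["actor"], e["notes"])).lower()
        if text and text.lower() not in haystack:    # case-insensitive, partial
            continue
        if actions and e["action"] not in actions:   # several actions are ORed
            continue
        if env and e["env"] != env:
            continue
        if actor and e["actor"] != actor:
            continue
        if date_from and day < date_from:            # bounds assumed inclusive
            continue
        if date_to and day > date_to:
            continue
        hits.append(e)
    return hits

def resources(hits):
    """Resource column of each hit, in log order."""
    return [e["resource"] for e in hits]

# Triage activity in Q2 2026: two action types combined with a date range.
triage = search(ENTRIES, actions={"FINDING_ACKNOWLEDGED", "TICKET_CREATED"},
                date_from=date(2026, 4, 1), date_to=date(2026, 6, 30))
# Partial matching also returns PLC-A-Line30 for the text "plc-a-line3".
asset = search(ENTRIES, text="plc-a-line3")
```

Because free text matches partial strings, a search for one asset or CVE can also return entries for a longer identifier that contains it, so check the Resource column of each hit before using the results as evidence.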

Reading a Log Entry

Each entry in the search results shows:

  • Timestamp: When it happened (UTC). Hover for your local timezone.
  • Actor: Who did it (name and email).
  • Action: What they did (action code in a colored badge).
  • Resource: What it affected (CVE ID, asset name, ticket ID, environment name).
  • Detail: Expandable section with the full context (reason, notes, destination, IP address).

Click any entry to expand the detail section and see the full JSON context.


Audit Log Immutability

The audit log is read-only. No user, including administrators, can edit or delete log entries. This ensures the log is a reliable evidence record for auditors.

If you believe a log entry contains an error (e.g., a misspelled note in an acknowledgment), the correct approach is to restore the finding and re-acknowledge it with corrected notes. The original entry remains in the log, and the new entry shows the correction. Both entries are visible to auditors, demonstrating a transparent correction process.