Skip to main content

Audit Log

Hub maintains a comprehensive audit log of all identity and access events. Every login, permission change, user invitation, and role modification is recorded with timestamps, actor information, and IP addresses.

🔒 audit.view(Owner or Admin)

What's Logged​

Event CategoryEvents
AuthenticationLogin success, login failure, logout, session expiry
UsersUser created, updated, invited, deactivated, removed
RolesRole created, updated, deleted, assigned, unassigned
Product AccessAccess granted, access revoked
PermissionsPermission granted, revoked, bulk update
BillingPlan changed, payment method updated, invoice generated

Each audit entry includes:

  • Timestamp — exact time in ISO 8601 format
  • Actor — who performed the action (email and user ID)
  • Action — what happened (e.g., user.created, product_access.granted)
  • Target — what was affected (user, role, or product)
  • Details — additional context (old value, new value, etc.)
  • IP address — where the action originated

Searching and Filtering​

The audit log page provides several filter options:

  • Date range — filter events between two dates
  • Action type — filter by specific event (e.g., only login failures)
  • Actor — filter by who performed the action
  • Target — filter by what was affected
  • Free text search — search across all fields

Filters can be combined. For example, show all product_access.revoked events by a specific admin in the last 30 days.

Exporting Audit Logs​

You can export filtered results in CSV format for use in spreadsheets or external tools.

  1. Apply your desired filters
  2. Click Export CSV
  3. The download includes: timestamp, actor email, action, target type, target ID, and IP address
💡Export audit logs monthly and store them in your organization's compliance archive. The built-in retention is 90 days — exports ensure you have records beyond that window.

Retention Policy​

Audit log entries are retained for 90 days. After 90 days, entries are automatically purged.

For organizations that require longer retention (compliance, regulatory):

  • Export logs regularly using the CSV export
  • Integrate with an external SIEM for long-term storage (see below)

SIEM Integration​

Hub audit events are published to The One Bus, making them available for integration with external security information and event management (SIEM) systems.

Events published to the bus include:

  • hub.auth.login_success
  • hub.auth.login_failed
  • hub.iam.user_created
  • hub.iam.permission_changed
  • hub.iam.access_granted
  • hub.iam.access_revoked

If you use Defend, Hub audit events are automatically ingested into the Defend security dashboard alongside endpoint telemetry.

ℹī¸SIEM integration requires the bus event subscription to be configured for your organization. Contact support for setup assistance.