PolicyCortex Audit Logging for Complete Visibility & Compliance
Comprehensive audit logging system that captures all platform activities with immutable storage, real-time monitoring, and compliance-ready reporting. Maintain complete visibility into user actions, system changes, and data access for regulatory requirements and security investigations.
Audit Logging: Quick Start, Installation & System Requirements
Audit System Overview
Complete Activity Tracking
Every user action, system change, and data access is automatically logged with detailed context and metadata.
Immutable Storage
Tamper-evident audit logs: every record carries a SHA-256 checksum and the store is append-only with blockchain-backed immutability, so any modification or deletion after write is detectable on verification.
Real-time Monitoring
Live audit stream with intelligent alerting for suspicious activities and compliance violations.
Compliance Framework Support
Regulatory Compliance
Security Standards
Audit Log Categories
User Activity Logs
Comprehensive tracking of all user interactions with the platform, including authentication events, feature usage, and permission changes.
Authentication Events
Platform Operations
{
"event_id": "evt_1234567890abcdef",
"timestamp": "2024-01-21T14:30:00.123Z",
"event_type": "user_action",
"category": "policy_management",
"action": "policy_deployed",
"severity": "medium",
"user": {
"id": "usr_abc123def456",
"email": "sarah.johnson@company.com",
"name": "Sarah Johnson",
"role": "compliance_manager",
"teams": ["compliance_team"],
"session_id": "sess_xyz789"
},
"resource": {
"type": "policy",
"id": "pol_encryption_s3",
"name": "S3 Encryption Enforcement",
"version": "2.1.0"
},
"details": {
"deployment_strategy": "canary",
"environments": ["staging", "production"],
"canary_percentage": 10,
"auto_promote": false,
"previous_version": "2.0.0"
},
"request_context": {
"ip_address": "192.168.1.100",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"geo_location": {
"country": "US",
"region": "NY",
"city": "New York"
},
"device_fingerprint": "fp_abcd1234"
},
"outcome": {
"status": "success",
"deployment_id": "dep_deploy123",
"estimated_completion": "2024-01-21T15:00:00Z"
},
"compliance_tags": ["sox", "soc2"],
"risk_score": 3.2,
"checksum": "sha256:a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3"
}
System and Configuration Logs
Track all system-level changes, configuration modifications, and administrative actions with complete before/after state comparison.
{
"event_id": "evt_sys_9876543210fedcba",
"timestamp": "2024-01-21T16:45:00.456Z",
"event_type": "system_change",
"category": "configuration",
"action": "integration_modified",
"severity": "high",
"administrator": {
"id": "usr_admin_001",
"email": "admin@company.com",
"name": "System Administrator",
"role": "system_administrator"
},
"resource": {
"type": "integration",
"id": "int_aws_prod",
"name": "AWS Production Integration",
"provider": "aws"
},
"change_details": {
"operation": "credentials_updated",
"fields_changed": ["access_key_id", "regions", "scan_frequency"],
"before_state": {
"access_key_id": "AKIA***OLD",
"regions": ["us-east-1", "us-west-2"],
"scan_frequency": "daily",
"last_scan": "2024-01-20T08:00:00Z"
},
"after_state": {
"access_key_id": "AKIA***NEW",
"regions": ["us-east-1", "us-west-2", "eu-west-1"],
"scan_frequency": "every_6_hours",
"last_scan": "2024-01-20T08:00:00Z"
},
"change_reason": "Security rotation and expanded coverage"
},
"approval_workflow": {
"required": true,
"approved_by": {
"id": "usr_ciso_001",
"email": "ciso@company.com",
"name": "Chief Information Security Officer"
},
"approval_timestamp": "2024-01-21T16:30:00Z",
"ticket_id": "CHG-2024-001234"
},
"impact_assessment": {
"affected_policies": 23,
"affected_resources": 1547,
"estimated_scan_time": "45m",
"compliance_frameworks": ["soc2", "iso27001"]
},
"rollback_info": {
"rollback_available": true,
"rollback_window": "24h",
"rollback_procedure": "automated"
},
"checksum": "sha256:b776877f46f9d7e1b8a2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4"
}
Data Access and Privacy Logs
Detailed logging of data access patterns, privacy controls, and sensitive information handling for GDPR, CCPA, and HIPAA compliance.
{
"event_id": "evt_data_access_456789",
"timestamp": "2024-01-21T18:15:00.789Z",
"event_type": "data_access",
"category": "privacy",
"action": "sensitive_data_accessed",
"severity": "medium",
"user": {
"id": "usr_analyst_003",
"email": "analyst@company.com",
"name": "Security Analyst",
"role": "security_analyst",
"clearance_level": "confidential"
},
"data_classification": {
"level": "confidential",
"categories": ["pii", "financial"],
"retention_period": "7_years",
"geographic_restrictions": ["eu"]
},
"access_details": {
"resource_type": "compliance_report",
"resource_id": "rpt_quarterly_audit_2024_q1",
"data_elements": [
{
"type": "customer_pii",
"fields": ["email", "phone", "address"],
"record_count": 1247
},
{
"type": "financial_data",
"fields": ["account_number", "transaction_amount"],
"record_count": 5632
}
],
"access_method": "report_download",
"purpose": "quarterly_audit_review",
"legal_basis": "legitimate_interest"
},
"privacy_controls": {
"data_minimization": true,
"pseudonymization": true,
"encryption_at_rest": true,
"encryption_in_transit": true,
"access_logging": true,
"retention_enforced": true
},
"compliance_context": {
"frameworks": ["gdpr", "ccpa", "hipaa"],
"data_subject_rights": {
"right_to_access": "enabled",
"right_to_rectification": "enabled",
"right_to_erasure": "enabled",
"right_to_portability": "enabled"
},
"consent_status": "not_required_legitimate_interest",
"data_processing_agreement": "dpa_2024_001"
},
"audit_trail": {
"download_location": "/secure/downloads/rpt_quarterly_audit_2024_q1.pdf",
"watermark_applied": true,
"access_expires": "2024-01-28T18:15:00Z",
"sharing_restrictions": "internal_only"
},
"checksum": "sha256:c887988f57a0e8f2c9b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f5a5"
}
Real-time Monitoring & Alerting
Intelligent Threat Detection
Advanced machine learning algorithms analyze audit logs in real-time to detect suspicious activities, policy violations, and potential security threats.
Anomaly Detection
- Multiple failed login attempts
- Unusual access patterns
- Privilege escalation attempts
- After-hours administrative actions
- Unauthorized data access
- Policy deployment bypasses
- Configuration drift detection
- Segregation of duties violations
- Geographic location anomalies
- Unusual session durations
- Bulk data access operations
- API rate limit violations
Alert Configuration. Two cautions for the rules below: a Slack incoming-webhook URL is a bearer secret and should be referenced from a secret store rather than written into the rule definition; and an automated per-user account lock triggered by failed logins can be turned into a denial of service against any account whose username is known, so keep the lock short and self-expiring and alert on lockout storms rather than treating each lock as routine.
{
"alert_rules": [
{
"id": "rule_failed_logins",
"name": "Multiple Failed Login Attempts",
"description": "Detect brute force attacks",
"condition": {
"event_type": "authentication",
"action": "login_failed",
"threshold": {
"count": 5,
"time_window": "15m",
"per_user": true
}
},
"severity": "high",
"notifications": [
{
"channel": "email",
"recipients": ["security@company.com"],
"template": "security_alert"
},
{
"channel": "slack",
"webhook": "https://hooks.slack.com/...",
"slack_channel": "#security-alerts"
}
],
"automated_response": {
"enabled": true,
"actions": [
"temporary_account_lock",
"require_mfa_reset",
"notify_user_manager"
]
}
},
{
"id": "rule_privilege_escalation",
"name": "Unauthorized Privilege Escalation",
"condition": {
"event_type": "user_management",
"action": "role_change",
"filter": {
"new_role": ["system_administrator", "compliance_manager"],
"approver_required": true,
"approval_missing": true
}
},
"severity": "critical",
"immediate_response": true
}
]
}
Real-time Dashboard
- Live audit event stream
- Security metrics and KPIs
- Threat intelligence feeds
- Compliance status monitoring
- User behavior analytics
- System health indicators
Alert Channels
- Email notifications with PGP encryption
- Slack and Microsoft Teams integration
- SMS alerts for critical events
- SIEM integration (Splunk, QRadar)
- Webhook endpoints for custom systems
- Mobile push notifications
Audit Search and Analysis
Advanced Search Capabilities
Powerful search and filtering capabilities enable security teams and auditors to quickly locate specific events, analyze patterns, and generate compliance reports.
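# Search audit logs via API.
# Read the API key from the environment (populate it from your secret manager);
# a literal sk_live_ token on the command line ends up in shell history and in docs.
# NOTE(review): this sends a JSON body with GET. Proxies and some HTTP clients
# discard GET bodies, so confirm the API honours it before relying on this form.
curl -X GET "https://api.policycortex.com/v1/audit/search" \
  -H "Authorization: Bearer ${POLICYCORTEX_API_KEY:?POLICYCORTEX_API_KEY is not set}" \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "time_range": {
        "start": "2024-01-01T00:00:00Z",
        "end": "2024-01-31T23:59:59Z"
      },
      "filters": {
        "event_type": ["user_action", "system_change"],
        "user_email": "admin@company.com",
        "action": ["policy_deployed", "user_created"],
        "severity": ["high", "critical"],
        "resource_type": "policy"
      },
      "search_text": "encryption policy",
      "sort": {
        "field": "timestamp",
        "order": "desc"
      },
      "limit": 100
    }
  }'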
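# Complex search with aggregations.
# Same rule as above: the bearer token comes from the environment, never from a
# literal in the command, so it is neither committed nor left in shell history.
curl -X POST "https://api.policycortex.com/v1/audit/analytics" \
  -H "Authorization: Bearer ${POLICYCORTEX_API_KEY:?POLICYCORTEX_API_KEY is not set}" \
  -H "Content-Type: application/json" \
  -d '{
    "analysis_type": "user_activity_summary",
    "time_range": {
      "start": "2024-01-01T00:00:00Z",
      "end": "2024-01-31T23:59:59Z"
    },
    "group_by": ["user_id", "action"],
    "metrics": ["count", "unique_resources", "risk_score_avg"],
    "filters": {
      "role": ["system_administrator", "compliance_manager"]
    }
  }'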
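# Export audit logs for external analysis.
# The bearer token comes from the environment, never from a literal in the command.
# NOTE(review): "encryption" enables AES-256-GCM for the delivered archive, but the
# example does not show how the decryption key reaches the requester; it must not
# travel in the same download link or message as the ciphertext — confirm the
# key-delivery path before using this for SOX/SOC 2 evidence exports.
curl -X POST "https://api.policycortex.com/v1/audit/export" \
  -H "Authorization: Bearer ${POLICYCORTEX_API_KEY:?POLICYCORTEX_API_KEY is not set}" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "json",
    "compression": "gzip",
    "filters": {
      "time_range": {
        "start": "2024-01-01T00:00:00Z",
        "end": "2024-01-31T23:59:59Z"
      },
      "compliance_tags": ["sox", "soc2"]
    },
    "delivery": {
      "method": "download_link",
      "encryption": {
        "enabled": true,
        "algorithm": "AES-256-GCM"
      },
      "expires_in": "24h"
    }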
}'
Search Response Example
{
"search_id": "search_abc123def456",
"total_results": 1247,
"execution_time": "245ms",
"events": [
{
"event_id": "evt_1234567890abcdef",
"timestamp": "2024-01-21T14:30:00.123Z",
"event_type": "user_action",
"action": "policy_deployed",
"user": {
"id": "usr_abc123",
"email": "admin@company.com",
"name": "System Administrator"
},
"resource": {
"type": "policy",
"id": "pol_encryption_s3",
"name": "S3 Encryption Policy"
},
"severity": "medium",
"compliance_tags": ["sox", "soc2"],
"risk_score": 3.2,
"highlighted_fields": {
"resource.name": "S3 <em>Encryption</em> Policy",
"details.description": "<em>encryption</em> enforcement policy"
}
}
],
"aggregations": {
"by_user": {
"admin@company.com": 342,
"compliance@company.com": 189,
"security@company.com": 156
},
"by_action": {
"policy_deployed": 89,
"scan_executed": 67,
"report_generated": 45
},
"by_severity": {
"critical": 12,
"high": 45,
"medium": 234,
"low": 956
}
},
"pagination": {
"current_page": 1,
"total_pages": 13,
"has_more": true,
"next_cursor": "cursor_xyz789"
}
}
Search Features
- Full-text search across all log fields
- Advanced filtering and faceted search
- Time-based queries with relative dates
- Regular expression pattern matching
- Geolocation and IP address filtering
- Risk score and severity thresholds
Analytics Capabilities
- User behavior pattern analysis
- Trend analysis and forecasting
- Compliance violation trending
- Security incident correlation
- Resource access heat maps
- Custom dashboard creation
Data Retention and Archival
Compliance-Driven Retention Policies
Configurable retention policies ensure audit logs are maintained according to regulatory requirements while optimizing storage costs through intelligent archival strategies.
{
"retention_policies": [
{
"name": "Financial Data Retention",
"description": "SOX compliance requires 7-year retention",
"applies_to": {
"event_types": ["user_action", "system_change", "data_access"],
"compliance_tags": ["sox", "financial"],
"data_classifications": ["financial", "audit"]
},
"retention_period": "7_years",
"storage_tiers": [
{
"tier": "hot",
"duration": "90_days",
"storage_class": "standard",
"search_enabled": true,
"real_time_alerts": true
},
{
"tier": "warm",
"duration": "1_year",
"storage_class": "infrequent_access",
"search_enabled": true,
"search_latency": "minutes"
},
{
"tier": "cold",
"duration": "6_years",
"storage_class": "glacier",
"search_enabled": false,
"retrieval_time": "hours"
}
]
},
{
"name": "GDPR Personal Data",
"description": "EU personal data processing logs",
"applies_to": {
"data_classifications": ["pii", "personal"],
"geographic_scope": ["eu"],
"compliance_tags": ["gdpr"]
},
"retention_period": "3_years",
"deletion_triggers": [
"data_subject_erasure_request",
"consent_withdrawal",
"processing_purpose_fulfilled"
],
"encryption": {
"at_rest": true,
"in_transit": true,
"key_rotation": "quarterly"
}
},
{
"name": "Security Incident Logs",
"description": "Extended retention for security investigations",
"applies_to": {
"severity": ["high", "critical"],
"categories": ["security", "breach"],
"event_types": ["failed_authentication", "privilege_escalation"]
},
"retention_period": "10_years",
"immutable_storage": true,
"legal_hold_capable": true
}
],
"global_settings": {
"minimum_retention": "1_year",
"deletion_verification": "required",
"backup_frequency": "daily",
"geographic_replication": true,
"disaster_recovery": {
"enabled": true,
"rpo": "1_hour",
"rto": "4_hours"
}
}
}
Storage Optimization
- Intelligent data compression (up to 90% reduction)
- Automated tier migration based on access patterns
- Deduplication for repeated event patterns
- Cost-optimized cloud storage integration
- Cross-region replication for disaster recovery
- Blockchain-verified immutable storage
Legal and Compliance
- Legal hold capabilities for litigation
- Right to erasure (GDPR Article 17) support — note that erasing personal data from an append-only, integrity-verified store is normally achieved by pseudonymising or crypto-shredding the personal-data fields rather than deleting records, so the integrity chain stays intact; confirm which mechanism applies before promising deletion to a data subject
- Chain of custody documentation
- Tamper-evident storage verification
- Regulatory export formats (eIDAS, FedRAMP)
- Court-admissible evidence packaging
Integration and Export
SIEM and Security Tools Integration
Seamlessly integrate audit logs with existing security infrastructure through standard protocols and format compatibility. Note that the syslog export below is configured for plain TCP, which carries audit data unencrypted and unauthenticated in transit; where the receiver supports it, prefer TLS-protected syslog (RFC 5425), or confine the connection to a trusted network segment.
Supported Integrations
Export Formats
{
"export_formats": {
"syslog": {
"protocol": "tcp",
"format": "rfc5424",
"facility": "local0",
"severity_mapping": {
"critical": "alert",
"high": "error",
"medium": "warning",
"low": "info"
}
},
"cef": {
"version": "0.1",
"vendor": "PolicyCortex",
"product": "Audit",
"device_version": "1.0"
},
"leef": {
"version": "2.0",
"delimiter": "|"
},
"json": {
"compression": "gzip",
"batch_size": 1000,
"include_metadata": true
},
"csv": {
"headers": true,
"delimiter": ",",
"quote_char": "\"",
"encoding": "utf-8"
}
}
}