Organization Audit Log Query Interface

Master guide to querying, filtering, and exporting audit logs for compliance, security investigations, and regulator requests

🎯 Quick Navigation

→ What Are Audit Logs?→ Accessing the Query Interface → Basic Search & Filters → Advanced Query Techniques → Understanding Results → Exporting for SOC 2 / Audits → CCO Panic Scenarios → FAQ & Best Practices

What Are Audit Logs?

Audit logs are immutable records of **who did what, when, and from where** in your compliance platform. Every action is logged automatically to provide:

🔒 Security

Detect unauthorized access, suspicious activity, and potential breaches

✅ Compliance

Prove SOC 2, ISO 27001, GDPR, HIPAA compliance to auditors

🔍 Forensics

Investigate data breaches, reconstruct event timelines

📋 Accountability

Track user actions, enforce separation of duties

Regulatory Requirements

Regulation	Requirement	Retention
SOC 2	Log all access to sensitive data	1 year minimum
ISO 27001	Record security events (A.12.4.1)	Defined in policy
GDPR Art. 30	Records of processing activities	Duration of processing
HIPAA § 164.308	Audit controls for ePHI access	6 years
EU AI Act Art. 12	Logging for high-risk AI systems	6 months minimum

What Gets Logged

Every action in the platform generates an audit log entry with:

Timestamp: Exact date/time (UTC) of the action
User: Email address of the person who performed the action
Action: CREATE, READ, UPDATE, DELETE, APPROVE, EXPORT, etc.
Resource: What was acted upon (DPIA, RoPA, Control, DSAR, etc.)
Resource ID: Unique identifier of the specific record
Result: SUCCESS or FAILURE
IP Address: Where the action originated from
Details: Additional context (e.g., "Status changed from DRAFT to APPROVED")

🔐 Immutability & Tamper-Proof

Audit logs **cannot be edited or deleted** by users (including admins). This ensures integrity for forensic investigations and regulatory audits. Logs are stored with cryptographic hashes to detect any tampering attempts.

Accessing the Query Interface

Navigation Paths

Professional Tier:

Dashboard → Audit

URL: /dashboard/professional/audit

Enterprise Tier:

Dashboard → Audit

URL: /dashboard/enterprise/audit

Enterprise Plus Tier:

Dashboard → Audit

URL: /dashboard/enterprise/audit (shares Enterprise audit interface)

Organization-Wide Audit (New!):

Dashboard → Compliance → Audit Logs

URL: /dashboard/compliance/audit-logs

⭐ This is the **recommended** interface for CCOs/CPOs - it includes advanced filtering and organization-wide visibility

Permission Requirements

Who Can Access Audit Logs?

✅ Organization Admins: Full access to all logs
✅ CCO / DPO roles: Full access (compliance oversight)
✅ Security Officers: Full access (incident response)
⚠️ Regular Users: Can only see their own actions (limited view)
❌ External Users: No access

Basic Search & Filters

The audit log interface provides powerful filtering to find exactly what you need:

Filter Types

1. Resource Type

Filter by what was accessed (dropdown menu):

DPIARoPACONTROLCONTROL_TESTDSAR_REQUESTDATA_BREACHUSERORGANIZATIONAI_MODEL

2. Action Type

Filter by what was done (dropdown menu):

CREATEREADUPDATEDELETEAPPROVEREJECTEXPORTLOGINLOGOUT

3. Result Status

Filter by outcome:

SUCCESSFAILURE

💡 Tip: Filter by FAILURE to detect unauthorized access attempts or permission errors

4. Date Range

Specify start and end dates:

📅 Common ranges: Last 7 days, Last 30 days, Last quarter, Custom

5. User Email

Filter by specific user:

🔍 Use this to track a specific employee's actions (e.g., during offboarding or investigation)

6. Full-Text Search

Search across all fields (action, resource, details, IP):

💡 Examples: "192.168.1.100" (IP address), "GDPR-DPIA-2024-001" (resource ID), "approved by"

Combining Filters

Example: Finding All DPIA Approvals by a Specific DPO

1. Resource Type: DPIA
2. Action: APPROVE
3. User Email: dpo@company.com
4. Date Range: 2024-01-01 to 2024-12-31
5. Click "Search"

Result: Audit trail showing all DPIAs approved by that DPO in 2024 (perfect for GDPR Article 35(2) compliance evidence)

Understanding Results

Query results display in a table with the following columns:

Column	What It Shows	Why It Matters
Timestamp	2024-11-28 14:32:15 UTC	Reconstruct event timeline
User	user@company.com	Who performed the action
Action	APPROVE	What they did
Resource	DPIA	What was acted upon
Result	SUCCESS	Whether it worked
IP Address	203.0.113.45	Where they accessed from

Security Event Examples

✅ Normal Activity

→ User accessed a DSAR request from office IP (expected)

🚨 Suspicious Activity

→ Admin exported controls at 2 AM from foreign IP (potential breach!)

⚠️ Failed Access Attempt

→ User tried to delete DPIA but lacked permission (audit trail captured the attempt)

Exporting for SOC 2 / Audits

Export filtered audit logs as CSV for auditors, regulators, or incident reports.

How to Export

Apply your filters (resource, action, date range, etc.)
Click the "Search" button to see results
Verify the results match what you need
Click "Export CSV" button (top-right)
CSV file downloads automatically: audit-logs-{organization}-{date}.csv

CSV Format

"Timestamp","User","Action","Resource","Resource ID","Result","IP Address"
"2024-11-28T14:32:15Z","user@company.com","APPROVE","DPIA","dpia-123","SUCCESS","10.0.1.5"
"2024-11-28T14:35:22Z","dpo@company.com","REJECT","DPIA","dpia-456","SUCCESS","10.0.1.8"
...

Common Export Scenarios

SOC 2 Audit

Auditor requests: "Show me all data exports in Q3 2024"

• Action: EXPORT

• Date: 2024-07-01 to 2024-09-30

• Export CSV

ISO 27001 Audit

Prove access controls: "Who accessed customer data?"

• Resource: DSAR_REQUEST

• Action: READ

• Last 12 months

Data Breach Investigation

Forensics: "What did this user access before termination?"

• User: terminated@company.com

• Date: Last 30 days before termination

• Export all actions

Regulator Request

DPA asks: "Show me all DPIA approvals"

• Resource: DPIA

• Action: APPROVE

• All time

📦 Included in 24-File Compliance Package

Audit logs are automatically included in the full compliance package export (audit-trail.csv). This provides an audit-ready snapshot of all activities for the past 12 months.

CCO Panic Scenarios

Real-world scenarios where audit logs save your compliance program (and your career):

🚨 Scenario 1: "The Regulator Email"

"Dear [Company], we received a complaint that you processed customer health data without a DPIA. Please provide evidence of DPO consultation under Article 35(2) within 7 days."

Your Response Using Audit Logs:

1. Go to Audit Logs → Filter: Resource = DPIA, Action = APPROVE
2. Search for the processing activity in question
3. Export CSV showing: DPIA created, DPO consulted, approval timestamped
4. Send to regulator with cover letter: "Evidence attached of GDPR Article 35(2) compliance"

Result: Case closed. Audit log proves due diligence. €10M fine avoided.

⚠️ Scenario 2: "The Data Breach"

"We detected unusual database activity at 2 AM. We need to know: Who accessed what, and when?"

Investigation Using Audit Logs:

1. Filter by date/time: 2024-11-28 02:00:00 to 03:00:00
2. Look for unexpected users or IP addresses
3. Check for EXPORT actions (data exfiltration)
4. Correlate with firewall logs (IP addresses)

Result: Identified compromised admin account. Revoked access. Submitted breach notification with forensic timeline.

📋 Scenario 3: "The SOC 2 Audit"

"Auditor requests: Show me evidence that only authorized personnel can approve DPIAs. And prove it's logged."

Evidence Using Audit Logs:

1. Filter: Resource = DPIA, Action = APPROVE
2. Export CSV showing all approvals
3. Cross-reference with employee roster: All approvers have "DPO" role
4. Show audit log entry for failed approval attempt by non-DPO user (proves access control works)

Result: SOC 2 control satisfied. Auditor signs off.

👤 Scenario 4: "The Employee Offboarding"

"Employee was terminated. Did they download any customer data before leaving?"

Investigation Using Audit Logs:

1. Filter: User = terminated-employee@company.com
2. Date range: 30 days before termination
3. Look for EXPORT,READ, or DOWNLOAD actions
4. Check if they accessed resources they shouldn't have

Result: Found suspicious export of RoPA records 2 days before termination. Legal team notified for potential NDA violation.

❓ Frequently Asked Questions

Q: How long are audit logs retained?

A: Minimum 3 years, maximum 7 years (configurable by organization admin). HIPAA customers: automatically set to 6 years. Logs cannot be manually deleted to ensure forensic integrity.

Q: Can audit logs be edited or deleted?

A: No. Logs are immutable and tamper-proof. Even system administrators cannot modify or delete logs. This is required for SOC 2, ISO 27001, and forensic investigations.

Q: What if I need logs older than 7 years?

A: Logs older than the retention period are archived to cold storage (AWS Glacier). Contact support to request archived logs. Standard retrieval: 24-48 hours. Cost: $50 per request.

Q: Does the free tier have audit logs?

A: No. Audit logs are available in Professional tier and above. This is because comprehensive logging requires significant infrastructure (storage, search indexing, retention).

Q: Can I set up alerts for specific events?

A: Yes (Enterprise Plus only). Go to Dashboard → Alerts → Create Alert Rule. Example: "Email me when any user EXPORTS more than 100 records in a day" (data exfiltration detection).

Q: How do I prove logs haven't been tampered with?

A: Each log entry has a cryptographic hash (SHA-256). Export the logs along with hashes. Auditors can verify integrity by comparing hashes. We also provide a "Chain of Custody" certificate for legal proceedings.

📚 Related Resources

DPO Approval Workflows →

How to review and approve DPIAs

Compliance Health Score →

Understanding your compliance posture

Open Audit Log Interface →

Start querying audit logs now

Compliance Certifications →

SOC 2, ISO 27001 documentation