> For the complete documentation index, see [llms.txt](https://docs.cortex.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cortex.io/configure/settings/audit-logs.md).

# Audit logs

Audit logs document a detailed record of actions taken in your workspace, letting you track who made a change, when it happened, and what was altered. This includes entity edits, integration configuration changes, API key activity, and updates to custom roles and their assigned permissions.

Use audit logs to investigate changes, identify discrepancies, and get a holistic view of activity across your workspace. You can access them through the Cortex UI or the [public API](/api/readme/audit-logs.md).

## Viewing audit logs in the Cortex UI

Users with the `View Audit Logs` permission can view audit logs via the Cortex UI.

1. From the main sidebar, click your avatar in the bottom-left corner.
2. Click **Settings**.
3. From the **Settings** menu, locate the **Logging** section, then click **Audit logs**.<br>

   <div align="left" data-with-frame="true"><figure><img src="/files/FpNxldStuXyakeYbjpRz" alt="The audit logs page in the Cortex UI." width="563"><figcaption></figcaption></figure></div>

The audit logs page displays a list of user activities. Each log entry includes the following columns:

* **Actor** - The user or API key that performed the action. *N/A* indicates the change is attributed to GitOps or the auto-import of entities.
* **Action type** - The action performed (created, deleted, or updated).
* **Object type** - The type of object that changed. See the full list of object types below.
* **Object identifier** - The unique identifier of the object.
* **Date** - When the action occurred.

To view more information about a particular action, click its row:

<div align="left" data-with-frame="true"><figure><img src="/files/kJr9wD6Q32SpXLJDJfSF" alt="A highlighted action on the audit logs page." width="563"><figcaption></figcaption></figure></div>

A side panel opens with details about the action, including diff changes and the date and time of the action:

<div align="left" data-with-frame="true"><figure><img src="/files/QacmPoeXUD3pAAkxSGmm" alt="The side panel provides further information about the action." width="188"><figcaption></figcaption></figure></div>

### Filtering audit logs

On the audit logs page, you can narrow your search by using the filter and date range options.

<div align="left" data-with-frame="true"><figure><img src="/files/qxDokuOnzZm5jYf4yNRk" alt="The filter icons on the audit logs page." width="563"><figcaption></figcaption></figure></div>

To narrow the scope of your search, click **Filter**. You can filter by:

* API key identifier
* Action type
* Actor IP address
* Actor email
* Actor type
* Anonymous request type
* Entity
* Object type

To change the date range, click **Last 7 days**. You can filter by:

* Last 7 days
* Last 14 days
* Last 30 days
* Custom date range

#### How filters work

You can apply multiple filters at once, and select one or more criteria within each filter.

Within a single filter, multiple selections are combined with `OR`. Across different filters, selections are combined with `AND`.

**Example**

* Selecting `CREATE` for 'action type' and `SCORECARD` for 'object type' produces the query `create AND scorecard`.
* Selecting both `CREATE` and `DELETE` for 'action type' and `SCORECARD` for 'object type' produces `(create OR delete) AND scorecard`, which returns all Scorecards created or deleted within the selected timeframe.

## **Audit log reference**

### **Object types**

The following object types are included in audit logs:

<table><thead><tr><th width="226.67578125">Object type</th><th>Notes</th></tr></thead><tbody><tr><td><code>ACCOUNT_FLAG</code></td><td></td></tr><tr><td><code>ALLOW_LIST_ENTRY</code></td><td></td></tr><tr><td><code>API_KEY</code></td><td></td></tr><tr><td><code>CATALOG</code></td><td></td></tr><tr><td><code>CATALOG_FILTER</code></td><td></td></tr><tr><td><code>CORTEX_USER</code></td><td></td></tr><tr><td><code>CUSTOM_ROLE</code></td><td>Covers changes to the role itself (name, description)</td></tr><tr><td><code>CUSTOM_ROLE_PERMISSIONS</code></td><td><ul><li>Covers changes to the permissions granted by that role</li><li>Re-saving a custom role with no effective permission change does not produce a <code>CUSTOM_ROLE_PERMISSIONS</code> entry</li></ul></td></tr><tr><td><code>DOMAIN</code></td><td></td></tr><tr><td><code>ENTITY_TYPE_DEFINITION</code></td><td></td></tr><tr><td><code>INITIATIVE</code></td><td></td></tr><tr><td><code>OAUTH_CONFIGURATION</code></td><td></td></tr><tr><td><code>OPENAPI_DEFINITION</code></td><td></td></tr><tr><td><code>PERSONAL_API_KEY</code></td><td></td></tr><tr><td><code>RESOURCE</code></td><td></td></tr><tr><td><code>SCORECARD</code></td><td></td></tr><tr><td><code>SECRET</code></td><td></td></tr><tr><td><code>SECRET_GROUP</code></td><td></td></tr><tr><td><code>SERVICE</code></td><td></td></tr><tr><td><code>TEAM</code></td><td></td></tr><tr><td><code>WORKFLOW</code></td><td></td></tr><tr><td>Integrations</td><td><ul><li>Configuration, e.g. <code>OKTA_CONFIGURATION</code></li><li>OAuth configuration, e.g. <code>BITBUCKET_OAUTH_CONFIGURATION</code></li><li>OAuth registration, e.g. <code>JIRA_OAUTH_REGISTRATION</code></li><li>On-prem configuration, e.g. <code>JIRA_ONPREM_CONFIGURATION</code></li><li>On-prem webhook secret, e.g. <code>BITBUCKET_ONPREM_WEBHOOK_SECRET</code></li><li>Personal configuration, e.g. <code>BITBUCKET_PERSONAL_CONFIGURATION</code></li><li>SAST configuration, e.g. <code>MEND_SAST_CONFIGURATION</code></li></ul><p>Unique GitHub types:</p><ul><li><code>GITHUB_APP_CONFIGURATION</code></li><li><code>GITHUB_APP_INSTALLATION</code></li><li><code>GITHUB_PERSONAL_TOKEN</code></li><li><code>GITHUB_WEBHOOK_SECRET</code></li></ul></td></tr></tbody></table>

### **Actors**

The following actor identifiers are included in audit logs:

<table><thead><tr><th width="247.23046875">Identifier</th><th>Notes</th></tr></thead><tbody><tr><td><strong>Actor Types</strong></td><td><ul><li><code>ANONYMOUS</code></li><li><code>API_KEY</code></li><li><code>BACKSTAGE</code></li><li><code>OAUTH2</code></li><li><code>PERSONAL_API_KEY</code></li></ul></td></tr><tr><td><strong>API Key Identifiers</strong></td><td>When filtering by this field, enter API key names or the last 4 characters of an API key.</td></tr><tr><td><strong>Emails</strong></td><td>When filtering by this field, the email address must be an exact match to the user's email.</td></tr><tr><td><strong>IP Addresses</strong></td><td></td></tr><tr><td><strong>Anonymous Request Types</strong></td><td><ul><li><code>API_KEY_ENTITY</code></li><li><code>BRAIN_AI</code></li><li><code>CUSTOM_INTEGRATION</code></li><li><code>SCORECARD_BADGES</code></li><li><code>SLACK_COMMAND</code></li><li>Integration webhooks, e.g. <code>ATLASSION_WEBHOOK</code></li></ul></td></tr></tbody></table>
