Audit logs
Audit logs serve as an effective tool to understand changes made within your workspace. This feature documents a detailed record of actions taken by users, allowing you to track who made specific changes, when they were implemented, and what entity was altered.
Audit logs are a great way to track changes, identify discrepancies, and gain a holistic view of changes that have been made in your workspace. You can access the audit log through the Cortex UI or the public API endpoint.
Managing audit logs
Managing audit logs via the API
Audit logs can also be accessed through the public API endpoint. Please refer to our Audit Logs API documentation to learn how to retrieve audit logs.
View audit logs in the Cortex UI
You must have the View audit logs permission.
You can access audit logs under Settings > Audit logs.

From the audit log page, you will see a list of user activities. Each log includes information categorized in the following columns:
Actor: The user or API key who performed the action.
N/A indicates that the change is attributed to GitOps or the auto-import of entities.
Action type: The action that was performed - "created", "deleted", or "updated".
Object type: The object that changed.
See the full list of possible object types below.
Object identifier: The unique identifier of the object.
Date: When the action occurred.
You can click into any row to open a side panel with more details about the change.
Filtering audit logs
Click Filter in the upper right corner to select and apply filters to narrow the scope of your list. You can apply filters for:
API key identifier
Action type
Actor IP address
Actor email
Actor type
Anonymous request type
Date range
Entity
Object type

How the filters work
When filtering by email address or
You can select one or more items from the dropdowns for each field. When multiple items are selected for a given field, Cortex queries with an OR operator. When multiple field filters are applied, Cortex separates the queries with an AND operator.
For example:
If CREATE is selected for Action type and SCORECARD is selected for Object type, the backend query is create AND scorecard.
If both CREATE and DELETE are selected for Actions and SCORECARD is selected for Types, the query would be (create OR delete) AND scorecard. This would show all Scorecards that have been created or deleted within the selected timeframe.
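The same semantics applied to exported records, as an added example that is not Cortex code: values selected for one field are ORed, and separate fields are ANDed. The field names (action, object_type, actor_email), the sample records, and the treatment of an empty selection as "unfiltered" are assumptions made for illustration, not the Cortex API schema.

```python
# Added example: field names and records are constructed for illustration
# and do not reflect the Cortex API response schema.

# Constructed sample rows, loosely following the columns shown in the UI.
SAMPLE_LOGS = [
    {"id": 1, "action": "CREATE", "object_type": "SCORECARD", "actor_email": "ana@example.com"},
    # Actor shown as N/A (GitOps or auto-import), modelled here as None.
    {"id": 2, "action": "DELETE", "object_type": "SCORECARD", "actor_email": None},
    {"id": 3, "action": "CREATE", "object_type": "API_KEY", "actor_email": "bo@example.com"},
    {"id": 4, "action": "DELETE", "object_type": "SECRET", "actor_email": "ana@example.com"},
]


def matches(record, filters):
    """Return True when the record satisfies every field filter.

    filters maps a field name to the values selected for that field.
    Within a field the selected values are ORed; fields are ANDed.
    """
    for field, selected in filters.items():
        selected = set(selected)
        if not selected:
            # Assumption: nothing selected means the field is not filtered.
            continue
        # Exact comparison: a partial email such as "ana" never matches.
        if record.get(field) not in selected:
            return False
    return True


def apply_filters(logs, filters):
    """Return the ids of the records that pass all filters, in order."""
    return [r["id"] for r in logs if matches(r, filters)]


if __name__ == "__main__":
    # create AND scorecard
    print(apply_filters(SAMPLE_LOGS, {"action": ["CREATE"], "object_type": ["SCORECARD"]}))
    # (create OR delete) AND scorecard
    print(apply_filters(SAMPLE_LOGS, {"action": ["CREATE", "DELETE"], "object_type": ["SCORECARD"]}))
    # delete AND (api_key OR secret): removals of credential-type objects
    print(apply_filters(SAMPLE_LOGS, {"action": ["DELETE"], "object_type": ["API_KEY", "SECRET"]}))
```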
Audit log reference
Object types
The following object types are included in audit logs:
ACCOUNT_FLAG
ALLOW_LIST_ENTRY
API_KEY
CATALOG
CATALOG_FILTER
CORTEX_USER
CUSTOM_ROLE
DOMAIN
ENTITY_TYPE_DEFINITION
INITIATIVE
OAUTH_CONFIGURATION
OPENAPI_DEFINITION
PERSONAL_API_KEY
RESOURCE
SCORECARD
SECRET
SECRET_GROUP
SERVICE
TEAM
WORKFLOW
Integrations:
Configuration (e.g. OKTA_CONFIGURATION)
OAuth configuration (e.g. BITBUCKET_OAUTH_CONFIGURATION)
OAuth registration (e.g. JIRA_OAUTH_REGISTRATION)
On-prem configuration (e.g. JIRA_ONPREM_CONFIGURATION)
On-prem webhook secret (e.g. BITBUCKET_ONPREM_WEBHOOK_SECRET)
Personal configuration (e.g. BITBUCKET_PERSONAL_CONFIGURATION)
SAST configuration (e.g. MEND_SAST_CONFIGURATION)
GitHub also has some unique types associated with it: GITHUB_APP_CONFIGURATION, GITHUB_APP_INSTALLATION, GITHUB_PERSONAL_TOKEN, and GITHUB_WEBHOOK_SECRET.
Actors
Actors include the following information:
Actor Types: ANONYMOUS, API_KEY, BACKSTAGE, OAUTH2, or PERSONAL_API_KEY
API Key Identifiers: When filtering by this field, enter API key names or the last 4 characters of an API key.
Emails: When filtering by this field, the email address must be an exact match to the user's email.
IP Addresses
Anonymous Request Types:
API_KEY_ENTITY
BRAIN_AI
CUSTOM_INTEGRATION
SCORECARD_BADGES
SLACK_COMMAND
Integration webhooks (e.g. ATLASSION_WEBHOOK)