Activity across your corp and sites over the last 30 days is tracked and available to review in the audit logs. There are two different audit logs available: the Corp Audit Log for corp-level activity and the Site Audit Log for site-level activity. These logs can also be filtered by type of activity to more easily identify specific events.
Email notifications and integrations with third-party applications can be set up to automatically notify you of activity within your corp and sites. For additional information, see Integrations.
Corp Audit Log
The Corp Audit Log tracks activity related to your corp itself, such as the creation of new users and sites.
You can view the Corp Audit Log by going to the Corp Manage menu and selecting Corp Audit Log.
Activity types
The corp activity types that are logged include:
| Activity type | Description |
|---|---|
| User invited | A new user was invited to the corp |
| User re-invited | The invitation email was re-sent to an invited user |
| User updated | A user was edited, including changes to user role |
| User password updated | A user updated their password |
| User added to site | A user was added to one or more sites |
| User removed from site | A user was removed from one or more sites |
| User email marked undeliverable | A user’s email address bounced |
| User removed from corp | A user was deleted |
| User SSO exemption changed | A user’s ability to bypass Single Sign-On (SSO) was changed |
| Corp integration created | A new corp-level integration was created |
| Corp integration updated | A corp-level integration was updated |
| Corp integration removed | A corp-level integration was removed |
| Corp integration tested | A corp-level integration was tested |
| Two-factor authentication enabled | A user enabled two-factor authentication (2FA) |
| Two-factor authentication updated | A user updated their two-factor authentication (2FA) secret |
| Two-factor authentication disabled | A user disabled two-factor authentication (2FA) |
| SSO enabled | Single Sign-On (SSO) was enabled for the corp |
| SSO disabled | Single Sign-On (SSO) was disabled for the corp |
| Site created | A new site was created |
| Site deleted | A site was deleted |
| User authentication setting updated | A user authentication setting was changed, including the account timeout setting, API access token creation permission and expiration settings, and restrictions of which IP addresses can access the console |
| API access token created | An API Access Token was created |
| API access token deleted | An API Access Token was deleted |
| SAML request certificate created | A new SAML request certificate was created |
| CloudWAF corp SSL certificate uploaded | An SSL certificate for CloudWAF was uploaded to the corp |
| CloudWAF corp SSL certificate deleted | An SSL certificate for CloudWAF was deleted from the corp |
| CloudWAF instance created | A new CloudWAF instance was created |
| CloudWAF instance updated | A CloudWAF instance was updated |
| CloudWAF instance deleted | A CloudWAF instance was deleted |
| CloudWAF certificate about to expire | A CloudWAF certificate is about to expire. Includes certificate ID and expiration date |
Site Audit Log
The Site Audit Log tracks activity related to your individual sites. This includes activity such as flagged IPs, the creation of new rules, and site configuration changes.
You can view the Site Audit Log by going to the Manage menu and selecting Site Audit Log.
Activity types
The site activity types that are logged include:
| Activity type | Description |
|---|---|
| Site display name changed | The display name of a site was changed |
| Site short name changed | The short name of a site was changed |
| Agent mode changed | The agent mode (“Blocking”, “Not Blocking”, “Off”) was changed |
| Agent IP anonymization mode changed | The agent IP anonymization mode was changed |
| Client IP Header changed | A header used to determine the client IP address was changed |
| IP flagged | An IP address was flagged |
| IP flag expired | An IP address flag was manually expired |
| New agent online | A new agent was detected |
| Site integration created | A new site-level integration was created |
| Site integration updated | A site-level integration was updated |
| Site integration removed | A site-level integration was removed |
| Site integration tested | A site-level integration was tested |
| Agent key created | A new agent key was created |
| Agent key deleted | An agent key was deleted |
| Primary agent key changed | The primary agent key was changed |
| Custom redaction created | A custom redaction was created |
| Custom redaction updated | A custom redaction was updated |
| Custom redaction removed | A custom redaction was removed |
| Header link created | A header link was created |
| Header link updated | A header link was updated |
| Header link removed | A header link was removed |
| Rule created | A rule was created |
| Rule updated | A rule was updated |
| Rule deleted | A rule was deleted |
| Templated rule created | A templated rule was created |
| Templated rule updated | A templated rule was updated |
| Templated rule removed | A templated rule was removed |
| List created | A list was created |
| List updated | A list was updated |
| List deleted | A list was removed |
| Custom signal created | A custom signal was created |
| Custom signal updated | A custom signal was updated |
| Custom signal removed | A custom signal was removed |
| Custom alert created | A custom alert was created |
| Custom alert updated | A custom alert was updated |
| Custom alert removed | A custom alert was removed |
| Rate limited IP expired | A rate limited IP was manually expired |
| Rate limited IPs bulk expired | All rate limited IPs were manually expired |
| Custom dashboard created | A custom dashboard was created |
| Custom dashboard updated | A custom dashboard was updated |
| Custom dashboard reset | A custom dashboard was reset |
| Custom dashboard deleted | A custom dashboard was removed |
| Custom dashboard card created | A custom dashboard card was created |
| Custom dashboard card updated | A custom dashboard card was updated |
| Custom dashboard card deleted | A custom dashboard card was removed |
| Default dashboard updated | The default dashboard was changed |
| Agent alert | An agent alert was triggered |
| Weekly digest sent | The weekly digest was sent |
| Monitor URL enabled | The monitor view URL for a dashboard was enabled |
| Monitor URL disabled | The monitor view URL for a dashboard was disabled |
| Monitor URL created | The monitor view URL for a dashboard was updated |
| Monitor URL invalidated | The previous monitor view URL for a dashboard was disabled |
| CloudWAF SSL certificate uploaded | An SSL certificate for CloudWAF was uploaded to the site |
| CloudWAF SSL certificate deleted | An SSL certificate for CloudWAF was deleted from the site |
| CloudWAF config updated | The CloudWAF configuration was updated |