Audit Log Tab
What the Audit Log Records
The Audit Log is an append-only, immutable evidence trail of every significant action performed in Aegis. It records:
- Every finding creation, status change, severity change, linking to a case, and bulk import
- Every case creation, status change, assignment change, and severity change
- Every exception creation, approval, expiry, and revocation
- Every SLA breach detection
- Every exposure snapshot computation
- Every drift alert firing
- Every evidence export generation
- Every configuration change (score weights, SLA policy, roles, retention, alert rules)
- Every content classification label set or removed
- Every Jira link creation or failure
Additionally, the Audit Log includes scan job run records (from the job-run entity), showing content scan and permission scan start/completion/failure with duration and statistics.
Note: Audit Log entries are never deleted through the application interface. The only removal path is the automated data retention purge job, which respects the configured retention period (default: 365 days for evidence events).
Audit Log Entry Fields
Each row in the Audit Log represents one evidence event:
| Field | Content |
|---|---|
| Time | Timestamp of the event. Shown as “Today, HH:MM”, “Yesterday, HH:MM”, or “Mon DD, HH:MM” for older events |
| Action | Human-readable event name (e.g., “Finding Created”, “Status Changed”, “SLA Breached”) |
| Entity | Entity type (Finding / Case / Exception / Exposure / Scan / Config) with an inline detail showing state changes where available (e.g., “→ in progress”) |
| Actor | Display name of the Confluence user who performed the action; “System” for automated job actions |
Detail inline text examples:
- For status changes: “→ in_progress” (the new status)
- For severity changes: “→ high” (the new severity)
- For assignments: “reassigned”
- For bulk imports: “47 items”
- For scan runs: “Content Scan · 12.4s · 23 spaces · 8,451 pages · 3 findings”

Before State and After State
The underlying evidence event record stores both a beforeState and afterState field as JSON. These are not directly displayed in the table view (to keep the log readable), but are available:
- The inline detail in the Entity column shows the key changed field from afterState
- For JSON exports from the Cases tab, the full before/after state is included in the evidence bundle
What before/after state contains:
- For finding_status_changed: { status: 'triaged' } (after) and { status: 'open' } (before)
- For case_assigned: { assigneeId: 'accountId123' } (after) and { assigneeId: '__unassigned__' } (before)
- For config_changed: the full settings object before and after the change
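Because config_changed stores the full settings object on both sides, a reviewer has to diff the two states to see which setting actually moved. The following is an added example, not Aegis code: it diffs beforeState against afterState for each exported event. Only beforeState and afterState come from this page; the eventType and actor field names, the settings keys, and the sample events are assumptions constructed for illustration.

```javascript
// Constructed sample events. Field names eventType/actor and the settings keys
// (retention, sla, roles) are assumptions; only beforeState/afterState are documented.
const sampleEvents = [
  { eventType: 'finding_status_changed', actor: 'A. Reviewer',
    beforeState: '{"status":"open"}', afterState: '{"status":"triaged"}' },
  { eventType: 'case_assigned', actor: 'A. Reviewer',
    beforeState: { assigneeId: '__unassigned__' }, afterState: { assigneeId: 'accountId123' } },
  { eventType: 'config_changed', actor: 'B. Admin',
    beforeState: { retention: { evidenceDays: 365 }, sla: { high: 7, low: 30 }, roles: ['admin'] },
    afterState: { retention: { evidenceDays: 30 }, sla: { high: 7, low: 30 }, roles: ['admin', 'viewer'] } },
];

// States may arrive as JSON strings or parsed objects; a missing state becomes {}.
function parseState(state) {
  if (state == null) return {};
  return typeof state === 'string' ? JSON.parse(state) : state;
}

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Recursively list every leaf path whose value differs between before and after.
function diffStates(before, after, prefix = '') {
  const changes = [];
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  for (const key of [...keys].sort()) {
    const path = prefix ? `${prefix}.${key}` : key;
    const b = before[key], a = after[key];
    if (isPlainObject(b) && isPlainObject(a)) {
      changes.push(...diffStates(b, a, path));
    } else if (JSON.stringify(b) !== JSON.stringify(a)) {
      changes.push({ path, before: b, after: a });
    }
  }
  return changes;
}

// One row per event: who acted, and exactly which fields changed.
function summarizeEvents(events) {
  return events.map((e) => ({
    eventType: e.eventType,
    actor: e.actor,
    changes: diffStates(parseState(e.beforeState), parseState(e.afterState)),
  }));
}

for (const row of summarizeEvents(sampleEvents))
  for (const c of row.changes)
    console.log(`${row.eventType} by ${row.actor}: ${c.path} ${JSON.stringify(c.before)} -> ${JSON.stringify(c.after)}`);
```

On the constructed config_changed event this reports only the retention and roles paths, leaving the unchanged SLA settings out of the review.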