Filtering, Export & Retention
Filtering the Audit Log
The toolbar provides three filter mechanisms:
Action filter (dropdown): Filter to a specific action type. Options include all 18+ defined event types plus “All Actions”. Selecting an action type reloads the log from the server with that filter applied.
Entity type filter (dropdown): Filter by entity category:
- All Types
- Finding
- Case (matches case-entity)
- Exception
- Exposure
- Scan
- System
- Config
Search bar (free text): Client-side filter applied to the currently loaded events. Searches the Action label, Entity type, Actor name, and detail text simultaneously. Results update as you type.
Filter interaction: Action and Entity Type filters trigger a server-side reload. The search bar is applied client-side on top of the loaded results. Combining all three filters is supported.
Pagination and Load More
The Audit Log shows 15 events per page (client-side pagination from the currently loaded set). Use Previous / Next buttons to navigate pages.
The initial server fetch loads up to 50 events. A “Load More from Server” button appears at the bottom when more events are available (indicated by a nextCursor value in the API response). Click it to append the next 50 events to the loaded set.
Note: The Load More button only appears when the server has more records than the current loaded set. If no button appears, all available events for the current filter are loaded.
Summary Line
Above the audit log rows, a one-line summary shows:
- Total event count (with “filtered from N” if filters are active)
- Unique actor count
- Date range covered by the loaded events (e.g., “Jan 15, 2026 – Feb 28, 2026”)
This summary is useful for quickly sizing an audit window before exporting.
Export Considerations
Copy to Clipboard: The Copy button in the toolbar copies all currently visible (filtered) events to the system clipboard in a plain-text format:
[Feb 28, 2026, 14:23] Finding Created | finding | AWS key detected | by Alice Smith
[Feb 28, 2026, 14:25] Case Created | case-entity | Critical Exposure in ENG | by Bob Jones
This format is suitable for pasting into incident reports, emails, or ticketing system descriptions.
Full evidence export: For a complete, structured export of audit data suitable for auditor submission:
- Export individual cases as JSON/HTML from the Case Detail modal (includes all evidence events for that case)
Note: There is no “export entire audit log to CSV” function in the current version. The Copy button is the intended export path.
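Because the Copy button is the only bulk export path, the copied text often has to be turned back into structured records. The following Python parser for the clipboard format above is an added example, not part of the product or its documentation; the line shape and timestamp format are inferred from the two sample lines and are assumptions, and all function names are illustrative.

```python
import csv
import io
import re
from datetime import datetime

# Shape inferred from this page's two sample lines (an assumption, not a spec):
# [timestamp] action | entity | detail | by actor
LINE_RE = re.compile(r"^\[([^\]]+)\]\s+(.+)$")
TS_FORMAT = "%b %d, %Y, %H:%M"  # "Feb 28, 2026, 14:23"; no timezone in the text
FIELDS = ["timestamp", "action", "entity_type", "detail", "actor"]

# Constructed sample: the first two lines are the page's, the rest are made up.
SAMPLE = """\
[Feb 28, 2026, 14:23] Finding Created | finding | AWS key detected | by Alice Smith
[Feb 28, 2026, 14:25] Case Created | case-entity | Critical Exposure in ENG | by Bob Jones
[Mar 01, 2026, 09:02] Finding Created | finding | Token in repo | branch main | by Alice Smith
pasted note that is not an event
"""


def parse_line(line):
    """Return one event dict, or None if the line does not match the shape."""
    m = LINE_RE.match(line.strip())
    # Detail may contain " | ": take action/entity from the left, actor from the right.
    head = m.group(2).split(" | ", 2) if m else []
    if len(head) != 3 or " | by " not in head[2]:
        return None
    detail, actor = head[2].rsplit(" | by ", 1)
    try:
        ts = datetime.strptime(m.group(1), TS_FORMAT).isoformat(timespec="minutes")
    except ValueError:
        return None
    return dict(zip(FIELDS, [ts, head[0], head[1], detail, actor.strip()]))


def parse_clipboard(text):
    """Return (events, rejected_lines) so unparsed lines are never dropped silently."""
    parsed = [(parse_line(ln), ln) for ln in text.splitlines() if ln.strip()]
    return [e for e, _ in parsed if e], [ln for e, ln in parsed if not e]


def to_csv(events):
    """Write events as CSV; values starting with = + - @ get a leading quote."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for ev in events:
        writer.writerow({k: "'" + v if v[:1] in set("=+-@") else v for k, v in ev.items()})
    return buf.getvalue()
```

Check the rejected list before submitting the CSV as evidence: a non-empty list means some pasted lines did not parse and are missing from the output.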
Retention Policy
Audit Log (evidence event) records are retained according to the configured retention period:
| Entity | Default Retention |
|---|---|
| evidence-event (Audit Log entries) | 365 days |
| exposure-snapshot | 180 days |
| delivery-attempt | 90 days |
| alert-record | 180 days |
| job-run | 90 days |
Admins can adjust these values in Admin > Retention. The minimum allowed period is 7 days per entity type.
The daily retention purge job automatically deletes records older than the configured period. There is no “recycle bin”; deletion is permanent.
Note: Ensure the retention period for evidence-event is set according to your organization’s requirements before the daily purge removes older records. The default is 365 days.
Audit Log Use Cases
Audit trail: When preparing for an external audit, the Audit Log provides evidence of:
- Finding triage and remediation activity
- Case management and SLA adherence
- Exception approvals and reviews
- Configuration changes (settings were not altered during the audit window)
- Access control reviews (exposure snapshots, access analyses)
Incident investigation: When investigating a security incident, filter the Audit Log by entity type “Case” or “Finding” and date range to reconstruct the timeline of how the incident was detected, triaged, and remediated. The Actor column shows who took each action, supporting accountability analysis.
End of Part B. Continue to Part C for Administration, Configuration, and Integration reference.