AttackLens Docs

Appearance

View Audit Logs

The Audit Logs page provides a comprehensive record of every significant action performed in AttackLens. Every user action that creates, modifies, or deletes data is logged with a timestamp, the acting user, and the affected resource. This audit trail supports compliance requirements, security investigations, and operational accountability.

INFO

Requires Admin role or higher.

Accessing Audit Logs

Navigate to Settings > Audit Logs in the left sidebar.

What Gets Logged

AttackLens records audit events for every significant operation across the platform. Each log entry captures:

FieldDescription
TimestampThe exact date and time the action occurred (UTC).
UserThe name and email of the user who performed the action.
ActionThe type of action performed (Created, Updated, Deleted, etc.).
Entity TypeThe type of resource affected (Asset, Policy, User, Sensor, etc.).
Entity IDThe unique identifier of the affected resource.
DetailsAdditional context about the action (e.g., which fields changed, old and new values).

Action Categories

CategoryLogged Actions
AuthenticationUser login (success), user login (failed attempt), user logout, password changed, password reset.
User ManagementUser created, user updated (name, role), user disabled, user enabled, user deleted.
Asset ManagementAsset created, asset updated, asset deleted, asset merged, asset group created/updated/deleted, asset conflict resolved.
Policy OperationsPolicy created, policy updated, policy deleted, posture evaluation triggered.
Ruleset OperationsRuleset created, ruleset updated, ruleset deleted.
DiscoveryAdapter connection created/updated/deleted, discovery sync triggered, discovery sync completed.
Sensor OperationsSensor enrolled, sensor linked to asset, sensor unlinked from asset, sensor deleted, enrollment token created/revoked/deleted.
Integration OperationsIntegration created/updated/deleted, issue created via integration.
Settings ChangesAttack graph settings updated, feed settings updated, SSO configuration updated, MCP server enabled/disabled.
Feed and UpdatesFeed sync completed, component update detected.

Browsing the Log

The audit log is displayed as a chronological list, with the most recent events at the top.

Each row shows:

  • The timestamp.
  • The user's avatar and name.
  • A human-readable description of the action (e.g., "John Doe created asset server-prod-01").
  • The action type badge (Created, Updated, Deleted).

Click on any log entry to expand it and see the full details, including the specific fields that changed and their before/after values.

Filtering Logs

Use the filter panel to narrow down the audit log to specific events.

Filter by User

Select a specific user to see only their actions. This is useful for:

  • Investigating what a specific user changed.
  • Reviewing a new team member's activity.
  • Auditing administrative actions by Super Admins.

Filter by Action

Filter by action type:

  • Created: Show only creation events.
  • Updated: Show only modification events.
  • Deleted: Show only deletion events.
  • Login: Show only authentication events.
  • Login Failed: Show only failed login attempts.

Filter by Entity Type

Filter by the type of resource affected:

  • Asset
  • Policy
  • Ruleset
  • Sensor
  • User
  • Integration
  • Adapter Connection
  • Settings

Filter by Date Range

Set a start and end date to view logs within a specific time window. This is essential for:

  • Compliance audits covering a specific reporting period.
  • Investigating an incident that occurred at a known time.
  • Reviewing changes made during a maintenance window.

Combining Filters

All filters can be combined. For example:

  • "Show all Deleted actions on Assets by john@company.com in the last 30 days" -- helps investigate unexpected asset deletions.
  • "Show all Login Failed events in the last 7 days" -- helps detect brute-force attempts or locked-out users.
  • "Show all Updated actions on Settings in the last 24 hours" -- helps review recent configuration changes.

Log Entry Details

Expanding a log entry reveals the full context of the action:

For Update Actions

The detail view shows a diff of what changed:

  • Field name: Which property was modified.
  • Previous value: The value before the change.
  • New value: The value after the change.

Example:

Field: role
Previous: Viewer
New: Admin

For Creation Actions

The detail view shows the key properties of the created resource.

For Deletion Actions

The detail view shows the key properties of the deleted resource for reference.

Exporting Audit Logs

To export audit logs for compliance reporting or external analysis:

  1. Apply any desired filters.
  2. Click the Export button.
  3. Select the export format:
    • CSV: Comma-separated values for spreadsheet analysis.
    • JSON: Structured data for programmatic processing.
  4. The export includes all log entries matching the current filters.

TIP

For compliance audits (SOC 2, ISO 27001, GDPR), export the relevant time period and entity types. The audit log provides the evidence trail auditors need to verify access controls and change management processes.

Retention

Audit logs are retained indefinitely by default. AttackLens does not automatically delete audit log entries. This ensures a complete history is always available for compliance and investigation purposes.

INFO

If storage is a concern in very large deployments, contact your system administrator about configuring log rotation at the database level. Audit logs are stored in the attacklens_audit MongoDB database.

Security

  • Audit logs are immutable: log entries cannot be edited or deleted through the AttackLens UI.
  • All users' actions are logged, including Super Admin actions.
  • Failed login attempts are logged to support intrusion detection.
  • The audit log itself is read-only for Admin and Super Admin roles. No role can modify or delete log entries through the application.

AttackLens - Continuous Exposure Management

Copyright 2026 AttackLens. All rights reserved.