Audit Trail Guide

This guide covers the immutable audit trail in the TealTiger Playground — what gets logged, how to filter and search events, how to export audit data for compliance, and practical examples for common audit scenarios.
Audit trail features require authentication and a team workspace. See the Getting Started Guide for setup.

Overview

The audit trail is an append-only, immutable log of every significant action in your workspace. Events cannot be modified or deleted — this guarantees a complete, tamper-evident history for compliance audits and security investigations.

Every audit event includes:

| Field | Description |
| --- | --- |
| id | Unique event identifier (UUID) |
| workspaceId | Workspace where the event occurred |
| actorId | User who performed the action |
| action | Event type (e.g., policy_created, member_added) |
| resourceType | Type of resource affected |
| resourceId | ID of the affected resource |
| metadata | Additional context (policy name, version, reason, etc.) |
| createdAt | Timestamp of the event |

Audit Event Types

The audit trail captures 14 event types across five categories.

Policy Operations

| Action | Description | Metadata |
| --- | --- | --- |
| policy_created | A new policy was created | policyName |
| policy_updated | A policy was updated (new version saved) | policyName, version |
| policy_deleted | A policy was deleted | policyName |
| policy_deployed | A policy was deployed to an environment | policyName, environment |
| policy_evaluated | A policy was evaluated against a scenario | policyName, decision |

Approval Actions

| Action | Description | Metadata |
| --- | --- | --- |
| policy_approved | An approver approved a policy version | policyName |
| policy_rejected | An approver rejected a policy version | policyName, reason |

Membership Changes

| Action | Description | Metadata |
| --- | --- | --- |
| member_added | A user was added to the workspace | username, role |
| member_removed | A user was removed | username |
| member_role_changed | A user’s role was changed | username, oldRole, newRole |

Authentication and Security

| Action | Description |
| --- | --- |
| auth_login | A user signed in |
| auth_logout | A user signed out |
| emergency_bypass | A policy skipped the approval workflow |

The Audit Filter Bar lets you narrow down events using four filter dimensions (combined with AND logic):
  • Date Range — Last 30/90/365 days or custom range
  • Actor — Filter by workspace member
  • Action Type — Select one or more action types
  • Resource Type — Narrow to policy, workspace_member, etc.

Exporting Audit Data

Export in three formats:

| Format | Best For |
| --- | --- |
| CSV | Spreadsheet analysis, GRC platform import |
| JSON | Programmatic analysis, external tool integration |
| PDF | Sharing with auditors and stakeholders |

How to Export

  1. Open the Audit Trail → apply filters
  2. Click “Export” → select format
  3. The file downloads to your browser

Filters carry over to the export — what you see is what you get.

Tamper Detection

Every export includes a SHA-256 digital signature for tamper detection.
```javascript
const exportData = await auditTrailService.exportJSON(workspaceId, filters);
const signature = await auditTrailService.signExport(exportData);

// Later, verify integrity
const isValid = await auditTrailService.verifySignature(exportData, signature);
```
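
The snippet above relies on the service's own signExport and verifySignature; the page does not say whether that SHA-256 signature is keyed. The following added example (not TealTiger code; the function names, key and sample events are constructed, and the export is assumed to be a JSON array of events) shows an independent Node.js check over a canonical serialization, using both an unkeyed SHA-256 digest and an HMAC-SHA-256 tag.

```javascript
// Added example (not TealTiger code). Assumes the export is a JSON array of events.
const { createHash, createHmac, timingSafeEqual } = require("node:crypto");

// Serialize with sorted object keys so the same events always produce the
// same bytes, whatever the property order or whitespace of the stored file.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value && typeof value === "object") {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value);
}

// Unkeyed SHA-256 digest: anyone holding the export can recompute it.
function digestExport(events) {
  return createHash("sha256").update(canonicalize(events)).digest("hex");
}

// HMAC-SHA-256 tag: recomputing it requires the secret key.
function tagExport(events, key) {
  return createHmac("sha256", key).update(canonicalize(events)).digest("hex");
}

// Constant-time comparison of two hex-encoded values.
function matches(expectedHex, actualHex) {
  const a = Buffer.from(expectedHex, "hex");
  const b = Buffer.from(actualHex, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

function verifyDigest(events, recordedDigest) {
  return matches(recordedDigest, digestExport(events));
}

function verifyTag(events, key, recordedTag) {
  return matches(recordedTag, tagExport(events, key));
}

// Constructed sample data: two events using field names from this guide.
const sampleExport = [
  { id: "00000000-0000-4000-8000-000000000001", action: "emergency_bypass",
    actorId: "user-a", metadata: { policyName: "example-policy" } },
  { id: "00000000-0000-4000-8000-000000000002", action: "policy_deployed",
    actorId: "user-b", metadata: { policyName: "example-policy", environment: "production" } },
];
const demoKey = Buffer.from("constructed-demo-key-not-a-real-secret");
console.log(verifyDigest(sampleExport, digestExport(sampleExport)),
  verifyTag(sampleExport, demoKey, tagExport(sampleExport, demoKey)));
```

An unkeyed digest detects edits only when it is recorded somewhere that a person able to change the export cannot also rewrite. The HMAC tag stays valid evidence as long as the key is held outside the place the exports are stored.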

Sensitive Data Redaction

The audit trail automatically redacts sensitive information before storing events:

| Category | Patterns Detected | Replacement |
| --- | --- | --- |
| API keys and tokens | apiKey, token, accessToken | [REDACTED] |
| Passwords and secrets | password, secret, privateKey | [REDACTED] |
| Email addresses | user@domain.tld patterns | [EMAIL_REDACTED] |
| Phone numbers | 555-123-4567 patterns | [PHONE_REDACTED] |

Redaction happens at write time — sensitive data never reaches the database.

Compliance Use Cases

SOC2 Type II — Access Controls

Filter by member_added, member_removed, member_role_changed → Export as PDF for the audit period.

GDPR — Data Processing Accountability

Filter by policy_evaluated → Export as JSON for your data processing register.

OWASP ASI — Security Event Monitoring

Filter by emergency_bypass and policy_deployed to track production changes.

ISO 27001 — Change Management Evidence

Filter by policy_created, policy_updated, policy_deleted → Export as CSV for your ISMS.

Best Practices

  • Export monthly — maintain a regular cadence of signed JSON exports
  • Always sign exports — the SHA-256 signature proves data integrity
  • Apply filters before exporting — export only what’s needed
  • Map audit events to framework controls using the Compliance Mapping guide
  • Keep exports for your retention period — most frameworks require 1–7 years