
Audit Logs

Audit Logs in DeepIntShield provide complete visibility into security-critical events, user activities, configuration changes, and data access patterns. Enterprise audit logging ensures compliance with regulatory requirements including SOC 2, GDPR, HIPAA, and ISO 27001 through comprehensive, immutable audit trails.

| Feature | Description |
|---|---|
| Immutable Logs | Tamper-proof audit trails with cryptographic verification |
| Real-Time Capture | Instant logging of all security-relevant events |
| Granular Filtering | Query by user, action, resource, or time range |
| Long-Term Retention | Configurable retention policies for compliance |
| SIEM Integration | Export to Splunk, Datadog, Elastic, and more |
| Alert Triggers | Automated alerts on suspicious activities |

  • User login (successful/failed)
  • User logout
  • Session creation/expiration
  • MFA verification
  • Password changes
  • Failed authentication attempts
  • Account lockouts
  • SSO redirects
  • Model access attempts
  • Provider access checks
  • Virtual key usage
  • Budget limit checks
  • Rate limit violations
  • Permission denials
  • Virtual key creation/modification/deletion
  • Team/customer creation/updates
  • User provisioning/deprovisioning
  • Budget adjustments
  • Rate limit changes
  • Provider key updates
  • Guardrail configuration changes
  • SAML/OIDC settings updates
  • PII detection and handling
  • Data export operations
  • Log access and queries
  • Sensitive configuration access
  • API key exposure attempts
  • Prompt injection attempts
  • Jailbreak attempts
  • Unusual access patterns
  • Multiple failed authentication attempts
  • API key abuse
  • Rate limit violations
  • Suspicious IP addresses
  • Guardrail violations

Audit logging is enabled by default. Events are recorded in a CADF-compliant format and signed for tamper-evidence. You only need two settings to control it, both managed from the DeepIntShield Web UI under Governance → Audit Logs:

| Setting | Default | Description |
|---|---|---|
| Enabled | On | Toggle audit logging on or off for the workspace. |
| HMAC signing key | - | HMAC secret used to sign audit events (minimum 32 bytes). Set it once to enable tamper-evident chaining. Store it in your secrets manager. |

Browse, search, and filter audit events from Governance → Audit Logs in the DeepIntShield dashboard. The events table updates in real time and supports the filters below.

Use the filter bar above the events table to narrow the view:

| Filter | What it does |
|---|---|
| Event type | Limit to a category - authentication, authorization, configuration_change, data_access, or security. |
| Date range | Restrict to a window (last 24 hours, 7 days, 30 days, or a custom start/end). |
| Actor | Filter by user, email, or source IP / CIDR range. |
| Resource | Filter configuration changes by resource type (e.g. virtual_key, team, provider). |
| Status | Show only failed or blocked events. |
| Severity | Filter by low, medium, high, or critical. |

Common reviews you can run from these filters:

  • Authentication activity - set Event type to authentication and a date range to review logins and MFA events.
  • Failed access attempts - set Status to failed/blocked and Severity to high to surface denials.
  • Configuration changes - set Event type to configuration_change and Resource to virtual_key to audit key changes.
  • Per-user history - filter by Actor to see everything a given user did.

Sort the table by timestamp and click any row to expand its full detail, including the actor, action, status, and verification hash.

Each event captures the actor, action, status, severity, and a verification hash. An expanded event looks like this:

{
  "event_id": "evt_001",
  "timestamp": "2024-01-15T10:30:00.123Z",
  "event_type": "authentication",
  "action": "user_login",
  "status": "failed",
  "severity": "medium",
  "actor": {
    "user_id": "user-alice-001",
    "email": "alice@company.com",
    "ip_address": "203.0.113.42"
  },
  "details": {
    "auth_method": "password",
    "failure_reason": "invalid_password",
    "attempts_count": 3
  },
  "verification": {
    "hash": "sha256:abc123...",
    "verified": true
  }
}

Audit events can be exported to a file and forwarded to your SIEM or long-term storage. From Governance → Audit Logs:

  1. Apply the filters for the events you want to export (event type, date range, actor, severity).
  2. Click Export and choose the format - CSV or JSON.
  3. The export is generated as a job; once it completes, download the artifact from the Exports list on the same page.

When an HMAC signing key is configured, you can confirm the audit chain has not been altered. On Governance → Audit Logs, click Verify chain integrity - DeepIntShield re-computes the signed hash chain and reports whether the trail is intact. The same page shows a summary of audit activity (event counts by type, status, and severity) for the selected period.
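
How a keyed hash chain makes an audit trail tamper-evident, as an added example that is not DeepIntShield's own code. The chaining construction, the genesis value, the key and the sample events are assumptions for illustration; the page does not document the product's actual algorithm.

```python
import hashlib
import hmac
import json

MIN_KEY_BYTES = 32  # minimum signing-key length stated on this page
GENESIS = "sha256:" + "0" * 64  # assumed anchor value for the first event


def _tag(key: bytes, prev_hash: str, event: dict) -> str:
    # Assumed construction: HMAC-SHA256 over the previous link's hash plus
    # the canonical JSON of the event, with the verification block excluded.
    body = {k: v for k, v in event.items() if k != "verification"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    msg = prev_hash.encode() + b"\n" + canonical.encode()
    return "sha256:" + hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_chain(key: bytes, events: list) -> list:
    """Return copies of events, each carrying a hash chained to its predecessor."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("signing key must be at least 32 bytes")
    prev, signed = GENESIS, []
    for event in events:
        prev = _tag(key, prev, event)
        signed.append({**event, "verification": {"hash": prev}})
    return signed


def verify_chain(key: bytes, signed: list):
    """Return the index of the first event that fails verification, or None if intact."""
    prev = GENESIS
    for index, event in enumerate(signed):
        stored = event.get("verification", {}).get("hash", "")
        if not hmac.compare_digest(stored, _tag(key, prev, event)):
            return index
        prev = stored
    return None


# Constructed sample data: field names follow the event shown above; the
# event ids after evt_001, action names and status values are illustrative.
SAMPLE_KEY = bytes(range(32))  # constructed demo key; never hard-code a real one
SAMPLE_EVENTS = [
    {"event_id": "evt_001", "event_type": "authentication",
     "action": "user_login", "status": "failed", "severity": "medium"},
    {"event_id": "evt_002", "event_type": "authentication",
     "action": "user_login", "status": "success", "severity": "low"},
    {"event_id": "evt_003", "event_type": "configuration_change",
     "action": "virtual_key_update", "status": "success", "severity": "high"},
]
```

In this construction an edited, deleted or reordered event breaks verification at the first affected index. Removing events from the end of the trail is only detectable if the latest hash is also recorded somewhere outside the log.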