
Audit Logs

Audit Logs in DeepIntShield provide complete visibility into security-critical events, user activities, configuration changes, and data access patterns. Enterprise audit logging supports compliance with regulatory requirements including SOC 2, GDPR, HIPAA, and ISO 27001 by providing comprehensive, immutable audit trails.

| Feature | Description |
| --- | --- |
| Immutable Logs | Tamper-proof audit trails with cryptographic verification |
| Real-Time Capture | Instant logging of all security-relevant events |
| Granular Filtering | Query by user, action, resource, or time range |
| Long-Term Retention | Configurable retention policies for compliance |
| SIEM Integration | Export to Splunk, Datadog, Elastic, and more |
| Alert Triggers | Automated alerts on suspicious activities |

  • User login (successful/failed)
  • User logout
  • Session creation/expiration
  • MFA verification
  • Password changes
  • Failed authentication attempts
  • Account lockouts
  • SSO redirects
  • Model access attempts
  • Provider access checks
  • Virtual key usage
  • Budget limit checks
  • Rate limit violations
  • Permission denials
  • Virtual key creation/modification/deletion
  • Team/customer creation/updates
  • User provisioning/deprovisioning
  • Budget adjustments
  • Rate limit changes
  • Provider key updates
  • Guardrail configuration changes
  • SAML/OIDC settings updates
  • PII detection and handling
  • Data export operations
  • Log access and queries
  • Sensitive configuration access
  • API key exposure attempts
  • Prompt injection attempts
  • Jailbreak attempts
  • Unusual access patterns
  • Multiple failed authentication attempts
  • API key abuse
  • Rate limit violations
  • Suspicious IP addresses
  • Guardrail violations

{
"enterprise": {
"audit_logs": {
"enabled": true,
"retention": {
"duration": "365d",
"archive_after": "90d"
},
"capture": {
"authentication": true,
"authorization": true,
"configuration_changes": true,
"data_access": true,
"security_events": true
},
"immutability": {
"enabled": true,
"verification_method": "cryptographic_hash"
}
}
}
}
{
"audit_logs": {
"enabled": true,
"backup": {
"type": "s3",
"bucket": "deepintshield-audit-logs",
"region": "us-west-2",
"encryption": "AES256"
},
"retention": {
"duration": "365d",
"archive_after": "90d",
"delete_after": "2555d",
"hot_storage_days": 30
},
"capture": {
"authentication": {
"enabled": true,
"include_failed_attempts": true,
"track_session_duration": true
},
"authorization": {
"enabled": true,
"log_allowed_access": false,
"log_denied_access": true
},
"configuration_changes": {
"enabled": true,
"track_before_after": true,
"exclude_fields": ["password", "api_key"]
},
"data_access": {
"enabled": true,
"log_pii_detection": true,
"log_sensitive_operations": true
},
"security_events": {
"enabled": true,
"severity_threshold": "medium"
}
},
"enrichment": {
"geo_location": true,
"user_agent_parsing": true,
"ip_reputation": true
},
"immutability": {
"enabled": true,
"verification_method": "cryptographic_hash",
"signing_key": "${AUDIT_LOG_SIGNING_KEY}"
}
}
}

Query Authentication Events:

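# Lists authentication events for January 2024.
# The bearer token travels in cleartext over http; keep this form for loopback only.
# "-X GET" is omitted on purpose: curl already sends GET when no body is given,
# and forcing the method interferes with redirect handling.
curl "http://localhost:8080/api/audit-logs?event_type=authentication&start_date=2024-01-01&end_date=2024-01-31" \
-H "Authorization: Bearer admin-token"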

Query by User:

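# Lists the most recent 100 events recorded for a single user.
# The bearer token travels in cleartext over http; keep this form for loopback only.
# "-X GET" is omitted on purpose: curl already sends GET when no body is given,
# and forcing the method interferes with redirect handling.
curl "http://localhost:8080/api/audit-logs?user_id=user-alice-001&limit=100" \
-H "Authorization: Bearer admin-token"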

Query Failed Access Attempts:

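# Lists high-severity access denials.
# The bearer token travels in cleartext over http; keep this form for loopback only.
# "-X GET" is omitted on purpose: curl already sends GET when no body is given,
# and forcing the method interferes with redirect handling.
curl "http://localhost:8080/api/audit-logs?action=access_denied&severity=high" \
-H "Authorization: Bearer admin-token"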

Query Configuration Changes:

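# Lists configuration changes made to virtual keys.
# The bearer token travels in cleartext over http; keep this form for loopback only.
# "-X GET" is omitted on purpose: curl already sends GET when no body is given,
# and forcing the method interferes with redirect handling.
curl "http://localhost:8080/api/audit-logs?event_type=configuration_change&resource_type=virtual_key" \
-H "Authorization: Bearer admin-token"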
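# Structured query: failed/blocked authentication and authorization events
# from two users and one CIDR range in January 2024, newest first.
# "-X POST" is omitted on purpose: "-d" already makes curl send POST.
# The bearer token travels in cleartext over http; keep this form for loopback only.
# Comments cannot go between the "\"-continued lines below: a "#" line would end the command.
curl http://localhost:8080/api/audit-logs/query \
-H "Content-Type: application/json" \
-H "Authorization: Bearer admin-token" \
-d '{
"filters": {
"event_types": ["authentication", "authorization"],
"date_range": {
"start": "2024-01-01T00:00:00Z",
"end": "2024-01-31T23:59:59Z"
},
"actors": {
"user_ids": ["user-alice-001", "user-bob-002"],
"ip_addresses": ["203.0.113.0/24"]
},
"status": ["failed", "blocked"],
"severity": ["medium", "high", "critical"]
},
"sort": {
"field": "timestamp",
"order": "desc"
},
"limit": 1000,
"include_details": true
}'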
{
"total_count": 347,
"returned_count": 100,
"page": 1,
"audit_logs": [
{
"event_id": "evt_001",
"timestamp": "2024-01-15T10:30:00.123Z",
"event_type": "authentication",
"action": "user_login",
"status": "failed",
"severity": "medium",
"actor": {
"user_id": "user-alice-001",
"email": "alice@company.com",
"ip_address": "203.0.113.42"
},
"details": {
"auth_method": "password",
"failure_reason": "invalid_password",
"attempts_count": 3
},
"verification": {
"hash": "sha256:abc123...",
"verified": true
}
}
],
"next_page": "/api/enterprise/audit-logs?page=2"
}

{
"audit_logs": {
"siem_integration": {
"splunk": {
"enabled": true,
"hec_endpoint": "https://splunk.company.com:8088/services/collector",
"hec_token": "${SPLUNK_HEC_TOKEN}",
"source_type": "deepintshield:audit",
"index": "security",
"batch_size": 100,
"flush_interval": "10s"
}
}
}
}
{
"audit_logs": {
"siem_integration": {
"datadog": {
"enabled": true,
"api_key": "${DATADOG_API_KEY}",
"site": "datadoghq.com",
"service": "deepintshield",
"tags": ["env:production", "team:security"]
}
}
}
}
{
"audit_logs": {
"siem_integration": {
"elastic": {
"enabled": true,
"endpoint": "https://elastic.company.com:9200",
"api_key": "${ELASTIC_API_KEY}",
"index": "deepintshield-audit-logs",
"pipeline": "security-enrichment"
}
}
}
}
{
"audit_logs": {
"webhooks": {
"enabled": true,
"endpoints": [
{
"name": "security_incidents",
"url": "https://security.company.com/webhooks/audit",
"auth": {
"type": "bearer",
"token": "${WEBHOOK_AUTH_TOKEN}"
},
"filters": {
"event_types": ["security_incident"],
"severity": ["high", "critical"]
},
"retry": {
"max_attempts": 3,
"backoff": "exponential"
}
}
]
}
}
}

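# Requests a SOC 2 Type 2 compliance report (PDF, with evidence) for Q1 2024.
# "-X POST" is omitted on purpose: "-d" already makes curl send POST.
# The bearer token travels in cleartext over http; keep this form for loopback only.
# Comments cannot go between the "\"-continued lines below: a "#" line would end the command.
curl http://localhost:8080/api/enterprise/audit-logs/reports \
-H "Content-Type: application/json" \
-H "Authorization: Bearer admin-token" \
-d '{
"report_type": "compliance_audit",
"compliance_framework": "soc2_type2",
"date_range": {
"start_date": "2024-01-01T00:00:00Z",
"end_date": "2024-03-31T23:59:59Z"
},
"include_sections": [
"authentication_events",
"authorization_events",
"configuration_changes",
"security_incidents"
],
"format": "pdf",
"include_evidence": true
}'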
| Report Type | Description | Use Case |
| --- | --- | --- |
| Access Audit | All user authentication and access events | SOC 2, ISO 27001 |
| Change Audit | Configuration and permission changes | Change management |
| Security Audit | Security incidents and violations | Security reviews |
| Compliance Report | Framework-specific compliance evidence | Regulatory audits |
| User Activity | Individual user activity summary | HR investigations |