Audit Logs (Beta)¶
Manifest Platform maintains an immutable audit trail of every significant action taken across your organization. Audit logs capture who did what, when, where, and the outcome — providing the foundation for security investigations, compliance reporting, and operational troubleshooting.
How Audit Logging Works¶
Every authenticated action — whether initiated by a user, API key, service account, or the platform itself — generates an audit event. Events are written to an append-only store and cannot be modified or deleted, even by organization admins.
graph LR
A["User / API / System"] -->|"Action"| P["Platform"]
P -->|"Writes"| AL["Audit Log<br/>(append-only)"]
AL -->|"Query"| UI["Dashboard & Search"]
AL -->|"Stream"| EX["Export & SIEM"]
Each audit event includes:
| Field | Description |
|---|---|
event_id |
Unique identifier for the event |
event_type |
Structured event name (e.g., user.login, deployment.promoted) |
timestamp |
ISO 8601 timestamp with millisecond precision |
actor |
The user, service account, or system process that performed the action |
actor_ip |
IP address of the actor (when applicable) |
resource_type |
The type of resource affected (e.g., solution, connector, user) |
resource_id |
The identifier of the affected resource |
action |
The specific action taken (e.g., create, update, delete, promote) |
outcome |
success or failure with an optional error code |
metadata |
Action-specific details (varies by event type) |
workspace_id |
The workspace context, if applicable |
Viewing Audit Logs¶
Platform UI¶
Navigate to Security > Audit Logs to access the audit log viewer. The viewer provides:
- Timeline view -- Chronological list of events with summary cards
- Filters -- Narrow results by event type, actor, resource, date range, and outcome
- Detail panel -- Click any event to see full metadata and related events
- Quick filters -- Pre-built views for common queries (e.g., "All role changes in the last 7 days")
API¶
curl "https://api.flow.marut.cloud/api/v1/audit/events?event_type=auth.login&limit=50" \
-H "Authorization: Bearer $FLOW_TOKEN"
Platform admin access
The audit events API requires a platform administrator token. Organization-level audit log access is available through the Security > Audit Logs UI.
Searching Audit Events¶
The audit log supports structured queries for precise filtering.
Search Operators¶
| Operator | Example | Description |
|---|---|---|
event_type: |
event_type:deployment.promoted |
Exact event type match |
event_type:* |
event_type:deployment.* |
Wildcard event type match |
actor: |
actor:alice@company.com |
Events by a specific actor |
resource: |
resource:solution/sol-abc123 |
Events affecting a specific resource |
outcome: |
outcome:failure |
Filter by success or failure |
from: / to: |
from:2026-03-01 to:2026-03-15 |
Date range |
workspace: |
workspace:engineering |
Events within a workspace |
Example: Find all failed deployment attempts in the last week
Example: Find all role changes made by a specific admin
Event Types and Categories¶
Audit events are organized into categories. Each category covers a functional area of the platform.
Authentication Events¶
| Event Type | Description |
|---|---|
auth.login |
User logged in via SSO or API key |
auth.login.failed |
Failed login attempt |
auth.logout |
User logged out |
auth.token.created |
API key or service token created |
auth.token.revoked |
API key or service token revoked |
auth.sso.configured |
SSO provider configuration changed |
User Management Events¶
| Event Type | Description |
|---|---|
user.invited |
User invitation sent |
user.activated |
User accepted invitation and activated account |
user.deactivated |
User account deactivated |
user.role.assigned |
Role assigned to a user |
user.role.revoked |
Role revoked from a user |
Solution & Component Events¶
| Event Type | Description |
|---|---|
solution.created |
New solution created |
solution.updated |
Solution configuration modified |
solution.deleted |
Solution deleted |
component.created |
Component added to a solution |
component.updated |
Component configuration changed |
component.deleted |
Component removed from a solution |
Deployment Events¶
| Event Type | Description |
|---|---|
deployment.triggered |
Deployment initiated |
deployment.succeeded |
Deployment reached Active state |
deployment.failed |
Deployment failed during build, deploy, or validation |
deployment.promoted |
Deployment promoted to a higher ring |
deployment.rolled_back |
Deployment rolled back to a previous version |
deployment.approval.requested |
Promotion approval requested |
deployment.approval.granted |
Promotion approved |
deployment.approval.rejected |
Promotion rejected |
Data & Connector Events¶
| Event Type | Description |
|---|---|
connector.created |
Connector instance created |
connector.credential.updated |
Connector credential rotated or changed |
dataset.created |
Dataset created |
dataset.queried |
Dataset queried (logged when audit-level is verbose) |
dataset.deleted |
Dataset deleted |
AI & Model Events¶
| Event Type | Description |
|---|---|
model.configured |
AI model configuration changed |
model.invoked |
Model inference request (logged when audit-level is verbose) |
guardrail.triggered |
A guardrail blocked or modified a request/response |
redteam.evaluation.started |
Red team evaluation initiated |
redteam.finding.created |
Red team finding recorded |
Organization & Settings Events¶
| Event Type | Description |
|---|---|
org.settings.updated |
Organization settings changed |
org.billing.updated |
Billing configuration changed |
workspace.created |
Workspace created |
workspace.deleted |
Workspace deleted |
policy.created |
Compliance policy created or updated |
Retention and Export¶
Retention Policies¶
Audit logs are retained based on your organization's plan:
| Plan | Retention Period |
|---|---|
| Starter | 90 days |
| Professional | 1 year |
| Enterprise | 7 years (configurable) |
Compliance retention
Organizations subject to regulatory requirements can configure extended retention periods. Enterprise customers can set retention to match their compliance obligations (e.g., 7 years for SOX, 6 years for HIPAA).
Exporting Audit Logs¶
Export audit data for offline analysis, compliance evidence, or integration with external SIEM systems.
Exports can be configured in the Platform UI under Security > Audit Logs > Export. You can export audit events in CSV or JSON format, filtered by date range and event type.
For continuous delivery of audit events to an external system, configure a streaming destination from the same export page. Supported streaming destinations:
| Destination | Configuration |
|---|---|
| Webhook | HTTPS endpoint with custom headers |
| AWS S3 | Bucket, prefix, and IAM role ARN |
| Google Cloud Storage | Bucket and service account |
| Splunk | HEC endpoint and token |
| Datadog | API key and site |
Compliance evidence
When preparing for an audit, use the export feature to generate a report covering the audit period. Filter by relevant event types (e.g., auth.*, role.*, deployment.*) to create focused evidence packages.