Audit Logging
Guardian Pro maintains a comprehensive audit trail of every action taken within your organization. Every scan, remediation, configuration change, and user action is recorded with full context, providing the accountability and traceability required for security governance and compliance reporting.
What Gets Logged
Guardian Pro captures audit events across all operations in the platform:
User Actions
| Action | Details Logged |
|---|---|
| Sign in / Sign out | User identity, timestamp, IP address, success/failure status |
| Account switch | User, source account, target account, timestamp |
| Remediation initiated | User, finding ID, resource, action taken, approval status |
| Remediation completed | Outcome (success/failure), changes applied, duration |
| Rollback initiated | User, remediation ID, reason, resource affected |
| Settings changed | User, setting name, previous value, new value |
| User invited | Inviting user, invited email, assigned permissions |
| User removed | Removing user, removed user identity |
| Framework subscribed | User, framework name, timestamp |
System Actions
| Action | Details Logged |
|---|---|
| Scan started | Trigger (scheduled/manual), account, timestamp |
| Scan completed | Duration, resources discovered, findings generated, health score |
| Cost analysis run | Account, time period, anomalies detected |
| Compliance assessment | Account, framework, score, controls passed/failed |
| Architecture analysis | Account, risks detected, health score changes |
Data Access
| Action | Details Logged |
|---|---|
| Findings viewed | User, finding IDs accessed |
| Cost data accessed | User, account, time range |
| Export generated | User, export type (PDF/CSV/JSON), data scope |
| AI Assistant queries | User, query topic, tools invoked |
Correlation IDs
Every action in Guardian Pro is tagged with a correlation ID -- a unique identifier that links related events across the system. This is especially valuable for:
- Tracing a remediation end-to-end -- From the user clicking "Fix" through the preview, execution, status checks, and final outcome, every step shares the same correlation ID.
- Debugging issues -- If a scan produces unexpected results, the correlation ID lets support trace the entire scan pipeline.
- Connecting user actions to system events -- When you initiate a remediation, the correlation ID connects your click to the backend execution, status updates, and any subsequent rollbacks.
When contacting support, include the correlation ID from the relevant action. This dramatically speeds up investigation.
Finding Correlation IDs
Correlation IDs appear in several places within the Guardian Pro console:
- Remediation details -- Each remediation record shows its correlation ID.
- Scan results -- Each scan execution includes a correlation ID.
- Error messages -- When an operation fails, the error message includes the correlation ID.
- Browser developer tools -- API responses include the correlation ID in response headers.
Viewing Audit Logs
From the Guardian Pro Console
- Navigate to Settings in the sidebar.
- Select Audit Log (available to users with organization read permissions).
- Browse the chronological list of events.
Filtering
Audit logs can be filtered by:
- Date range -- View events within a specific time period.
- User -- Filter to actions taken by a specific team member.
- Action type -- Show only remediations, only sign-ins, only configuration changes, etc.
- Account -- Scope to events affecting a specific AWS account.
- Correlation ID -- Search for a specific correlation ID to see all related events.
Exporting
Audit logs can be exported for external analysis or compliance evidence:
- CSV -- Tabular format suitable for spreadsheet analysis.
- JSON -- Structured format for integration with log aggregation tools.
Audit log exports include all events matching your current filters. For large date ranges, exports may take a moment to generate.
Remediation Audit Trail
Remediations have the most detailed audit trail in Guardian Pro, since they involve changes to your AWS infrastructure:
Remediation Lifecycle Events
- Preview requested -- User requested a preview of what the remediation will change.
- Preview generated -- System generated the impact assessment, risk level, and reversibility status.
- Execution approved -- User confirmed and initiated the remediation.
- Execution started -- System began applying the change in the target AWS account.
- Execution completed -- System confirmed the change was applied successfully (or failed with details).
- Status verified -- Post-remediation check confirmed the resource is now compliant.
- Finding updated -- The original finding status was updated to reflect the remediation outcome.
If a rollback is initiated, additional events are logged:
- Rollback requested -- User initiated a rollback of the remediation.
- Cascade analysis -- System analysed dependencies to determine if rollback is safe.
- Rollback executed -- System reverted the change.
- Rollback outcome -- Final status of the rollback (completed, failed, blocked).
Every event in the remediation lifecycle includes the same correlation ID, making it easy to trace the full history of any remediation from start to finish.
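One way to use the shared correlation ID on a JSON export, as an added example (not Guardian Pro's own code): group events by correlation ID and flag remediations whose lifecycle is incomplete or out of order, such as an execution with no recorded approval. The field names `correlation_id`, `event`, `timestamp` and `user`, and the sample events, are assumptions; this page does not show the export schema.

```python
import json
from collections import defaultdict

# Remediation lifecycle events, in the order this page lists them.
LIFECYCLE = ["Preview requested", "Preview generated", "Execution approved",
             "Execution started", "Execution completed", "Status verified",
             "Finding updated"]

def _sample(cid, names):
    # Constructed events, one second apart. Field names are assumptions.
    return [{"correlation_id": cid, "user": "alice@example.com", "event": n,
             "timestamp": f"2024-05-01T10:00:{i:02d}Z"}
            for i, n in enumerate(names)]

# Constructed JSON export, deliberately reversed so it is not in time order.
SAMPLE_EXPORT = json.dumps(list(reversed(
    _sample("corr-0001", LIFECYCLE)
    + _sample("corr-0002", ["Preview requested", "Preview generated",
                            "Execution started", "Execution completed"])
    + _sample("corr-0003", LIFECYCLE[:2] + ["Execution started",
                                            "Execution approved"] + LIFECYCLE[4:])
)))

def group_by_correlation(events):
    """Return {correlation_id: events sorted by timestamp}."""
    trails = defaultdict(list)
    for ev in events:
        trails[ev["correlation_id"]].append(ev)
    # Same-format ISO 8601 UTC strings sort correctly as text.
    return {cid: sorted(t, key=lambda e: e["timestamp"])
            for cid, t in trails.items()}

def check_trail(trail):
    """Return problems for one remediation trail (empty list if clean)."""
    # Rollback and other non-lifecycle events on the same ID are ignored here.
    seen = [e["event"] for e in trail if e["event"] in LIFECYCLE]
    problems = [f"missing: {s}" for s in LIFECYCLE if s not in seen]
    if seen != sorted(seen, key=LIFECYCLE.index):
        problems.append("out of order: " + " -> ".join(seen))
    return problems

def review_export(export_json):
    """Map each correlation ID with problems to its list of problems."""
    trails = group_by_correlation(json.loads(export_json))
    report = {cid: check_trail(t) for cid, t in trails.items()}
    return {cid: p for cid, p in report.items() if p}

if __name__ == "__main__":
    for cid, problems in sorted(review_export(SAMPLE_EXPORT).items()):
        print(cid, problems)
```

A remediation still in progress when the export was taken will also show up as missing its later stages, so run this over a closed audit period.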
Audit Logs for Compliance
Audit logs are a critical component of compliance evidence. Guardian Pro's audit trail supports compliance requirements by providing:
- Immutable records -- Audit events cannot be modified or deleted by users.
- Timestamp accuracy -- All events are timestamped in UTC.
- User attribution -- Every action is linked to the user who performed it.
- Change tracking -- Before and after states are recorded for configuration changes.
Using Audit Logs for Compliance Evidence
When preparing for compliance audits (SOC 2, ISO 27001, GDPR, etc.):
- Navigate to the Audit Log and set the date range to your audit period.
- Filter by action type to show relevant events (e.g., all remediations, all access events).
- Export the filtered logs as CSV or JSON.
- Include the export in your compliance evidence package alongside your Compliance Dashboard reports.
Combine audit log exports with compliance framework exports from the Compliance Dashboard to create a comprehensive evidence package for auditors.
Retention
Audit logs are retained for the duration of your Guardian Pro subscription. There is no automatic purge of audit events while your subscription is active.
| Plan | Audit Log Retention |
|---|---|
| Starter | 90 days |
| Business | 1 year |
| Enterprise | Full subscription duration (unlimited) |
If your compliance requirements mandate longer retention than your plan provides, consider upgrading to the Enterprise plan or exporting logs regularly to your own log management system. See Subscription Plans.
Integration with External Systems
Enterprise plan customers can forward audit events to external log management and SIEM systems for centralized monitoring. Contact support for integration options.
Frequently Asked Questions
Can audit logs be modified or deleted? No. Audit logs are immutable. Once an event is recorded, it cannot be altered or removed by any user, including administrators.
Do audit logs include AI Assistant conversations? Audit logs record that an AI Assistant query was made, including the topic category and tools invoked. The full conversation content is stored separately in the conversation history.
Are failed actions logged? Yes. Failed sign-in attempts, failed remediations, and other unsuccessful actions are all recorded in the audit log with their failure reasons.
Can I set up alerts based on audit events? Guardian Pro's notification system can alert you on key events such as remediation actions. For custom alerting based on audit events, use the Enterprise log forwarding integration.
Next Steps
- IAM Permissions -- Understand what permissions Guardian Pro uses.
- Data Privacy -- Learn how your data is protected.
- Compliance Overview -- Assess your infrastructure against compliance frameworks.
- Contact Support -- Get help with audit log questions.