Audit Logs

Export workspace audit logs for compliance monitoring and SIEM integration.

Pro Plus plan Audit log export is available on Pro Plus plans for compliance and SIEM workflows. Upgrade from Billing & Plans.

Audit log export requires both the audit-logs:read scope and a live workspace role of owner or admin. Member and viewer API keys cannot export audit logs.

Endpoints

Export workspace audit logs for SIEM integration (Pro Plus)

100/min

Scope

audit-logs:read

Parameters

sincenumberrequiredStart of time range (Unix timestamp in ms)
untilnumberEnd of time range (Unix timestamp, defaults to now)
limitnumberNumber of logs (max 1000, default 100)
categoriesstringComma-separated list: authentication, authorization, data_access, data_modification, configuration, security, system
formatstringResponse format: json (default), csv, or cef

Response

{
  "logs": [
    {
      "id": "log_abc123",
      "category": "authentication",
      "action": "user.login",
      "actorId": "usr_def456",
      "actorEmail": "jane@example.com",
      "ipAddress": "192.168.1.1",
      "userAgent": "Mozilla/5.0...",
      "timestamp": "2024-02-01T10:30:00Z",
      "metadata": {}
    }
  ],
  "total": 523,
  "hasMore": true
}

Event Categories

Filter audit logs by category to narrow down to specific event types:

authenticationLogin, logout, MFA, and session events
authorizationPermission changes, role updates, and access grants
data_accessRead operations on sensitive resources
data_modificationCreate, update, and delete operations
configurationSettings changes, integration updates
securityAPI key operations, SSO configuration changes
systemSystem-level events and administrative actions

Export Formats

jsonStandard JSON format (default)
csvCSV format for spreadsheet import
cefCommon Event Format for SIEM systems (Splunk, QRadar, etc.)