Audit logging
Jutsu records security-relevant actions in audit trails so that you can reconstruct what happened, who did it, and when — both during an investigation and for compliance reporting.
What is audited
Jutsu keeps three complementary audit trails, each tuned to a different kind of activity.
| Trail | Captures | Example entries |
|---|---|---|
| User audit logs | Account-level actions by a user | Sign-in, permission and role changes |
| Audit events | Actions taken on resources | An action performed against a named resource, with metadata |
| Alert audit logs | Lifecycle changes on an alert | An alert marked seen, escalated, or otherwise updated |
Each entry is timestamped and attributed. User and alert audit entries record the who, what, and when of an action (with optional where/why/how and structured metadata), and resource audit events record the acting user, the action, the affected resource, and when it occurred. Together they answer "who changed this, and when" for accounts, resources, and individual alerts.
How analysts use audit trails
Audit trails turn a current state into a history you can reason about.
- Investigations. When you work a case or incident, the audit trail shows the sequence of actions on an alert — when it was first seen, who triaged it, and when it was escalated — so you can rebuild a timeline rather than infer one.
- Accountability. Permission and role changes are recorded, so a change in who can do what is itself reviewable.
- Compliance. Because entries are attributed and timestamped, the audit trail supports evidence requirements: you can show that an action occurred, who performed it, and when.
Case activity and status changes also feed the audit record, so the narrative of an analyst-driven investigation stays consistent with the underlying alert history. See Cases.
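The following is an added example, not Jutsu's own code or API: it shows how the "who, what, when" entries described under What is audited can be turned into the kind of alert timeline an investigation needs. The field names (ts, actor, action, alert_id, metadata) are assumptions modelled on that attribution, and the JSON-lines log below is constructed sample data, deliberately out of order and with one entry missing its actor so the attribution check has something to flag.

```python
"""Rebuild an alert timeline from audit entries (added example, not Jutsu code).

Field names are assumed for illustration; the sample log is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
import json

# Constructed sample: alert audit entries as JSON lines. They are out of
# chronological order, and the "closed" entry for A-2 carries no actor.
SAMPLE_AUDIT_LOG = """
{"ts": "2024-05-01T10:03:00Z", "actor": "bob@example.com", "action": "escalated", "alert_id": "A-1", "metadata": {"to": "tier2"}}
{"ts": "2024-05-01T09:58:00Z", "actor": "alice@example.com", "action": "seen", "alert_id": "A-1", "metadata": {}}
{"ts": "2024-05-01T10:00:30Z", "actor": "alice@example.com", "action": "triaged", "alert_id": "A-1", "metadata": {"verdict": "suspicious"}}
{"ts": "2024-05-01T11:00:00Z", "actor": "", "action": "closed", "alert_id": "A-2", "metadata": {}}
{"ts": "2024-05-01T10:45:00Z", "actor": "carol@example.com", "action": "seen", "alert_id": "A-2", "metadata": {}}
"""


@dataclass
class AuditEntry:
    ts: datetime        # when
    actor: str          # who
    action: str         # what
    alert_id: str       # the alert the action was taken on
    metadata: dict      # optional structured context (where/why/how)


def parse_audit_log(text: str) -> list[AuditEntry]:
    """Parse JSON-lines audit entries; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        # Accept a trailing "Z" as UTC for older Python versions.
        ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
        entries.append(AuditEntry(
            ts=ts,
            actor=raw.get("actor", ""),
            action=raw["action"],
            alert_id=raw["alert_id"],
            metadata=raw.get("metadata", {}),
        ))
    return entries


def timeline(entries: list[AuditEntry], alert_id: str) -> list[AuditEntry]:
    """Chronologically ordered history of one alert, regardless of log order."""
    return sorted((e for e in entries if e.alert_id == alert_id), key=lambda e: e.ts)


def unattributed(entries: list[AuditEntry]) -> list[AuditEntry]:
    """Entries with no actor: an attribution gap that should be flagged in review."""
    return [e for e in entries if not e.actor]


def first_action(entries: list[AuditEntry], alert_id: str, action: str):
    """Earliest entry of a given action on an alert, or None if it never happened."""
    for e in timeline(entries, alert_id):
        if e.action == action:
            return e
    return None


def summarize(entries: list[AuditEntry], alert_id: str) -> dict:
    """Answer the investigation questions: first seen, who escalated, how long it took."""
    seen = first_action(entries, alert_id, "seen")
    esc = first_action(entries, alert_id, "escalated")
    return {
        "first_seen": seen.ts.isoformat() if seen else None,
        "escalated_by": esc.actor if esc else None,
        "time_to_escalate_s": (esc.ts - seen.ts).total_seconds() if seen and esc else None,
        "actions": [e.action for e in timeline(entries, alert_id)],
    }


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(summarize(log, "A-1"))
    for gap in unattributed(log):
        print("unattributed:", gap.alert_id, gap.action, gap.ts.isoformat())
```

Sorting by timestamp rather than trusting log order is the point of `timeline`: an audit trail is only a usable history once it is ordered, and `unattributed` shows the kind of integrity check a reviewer would run before relying on an entry as evidence.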
Auditing automated response
Automated response is held to the same standard as human action. AgentSOAR executions are themselves recorded: each run is captured as an auditable event, and supported actions are revertible, so you can see exactly what an automated response did and undo it if needed. This keeps automation accountable — an action taken by the system is as traceable as one taken by a person. See Executions & revert.
Retention
Audit data is retained and, for high-volume trails such as alert audit history, tiered to longer-term storage over time rather than discarded. See Data retention & regions for the data lifecycle and how retention is configured.