Audit Trail
ClawNex maintains an immutable, append-only audit log of every significant action on the platform. This log serves as compliance evidence and cannot be modified or deleted through the application.
What Gets Tracked
- Shield blocks and reviews
- Block mode changes (OBSERVE to BLOCK and back)
- Break-glass activations and deactivations
- Whitelist changes
- Retention setting changes
- Configuration changes
- Operator management actions (create, edit, deactivate, password reset)
- API key creation and revocation
- Alert lifecycle changes (acknowledge, resolve, false positive)
Searching and Filtering
The audit trail supports filtering by:
- Action type — e.g., `api_key_created`, `setting_changed`, `break_glass_activated`
- Actor — who performed the action
- Resource type — e.g., `api_key`, `agent`, `operator`
- Time range — ISO 8601 timestamps with `since` and `until` filters
- Free-text search — search across event details
Export
Audit data can be exported for external compliance tools and auditor review from the Audit & Evidence dashboard panel.
Retention
| Default | Range | Compliance Note |
|---|---|---|
| 365 days | 90d - Unlimited | SOC 2 typically requires 1 year minimum |
Configure retention in Configuration > Data Retention.
For SOC 2 or ISO 27001 compliance, set audit trail retention to 365 days or Unlimited.
API Access
The audit trail is available via the Public API:
```
curl "http://127.0.0.1:5001/api/v1/audit?action=break_glass_activated&limit=10" \
  -H "X-ClawNex-Key: cnx_YOUR_API_KEY"
```
Required scope: audit:read. See Public API for full details.
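The request above, narrowed to a time window for periodic review of break-glass activations. This is an added example, not part of the ClawNex documentation. It assumes the `since` and `until` filters are accepted by the API as query parameters of those names, and `CLAWNEX_API_KEY` is a hypothetical environment variable used to keep the key out of scripts and shell history.

```python
import os
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "http://127.0.0.1:5001/api/v1/audit"  # endpoint from the curl example


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    Timestamps without an offset are rejected: a naive value would make the
    review window depend on the time zone of whoever runs the query.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp needs an explicit offset: {ts!r}")
    return dt.astimezone(timezone.utc)


def build_audit_request(action, since, until, limit=10, api_key=None):
    """Build (but do not send) a request for one action type in [since, until]."""
    start, end = parse_utc(since), parse_utc(until)
    if start >= end:
        raise ValueError("since must be earlier than until")
    if int(limit) < 1:
        raise ValueError("limit must be positive")
    # Hypothetical variable name; the key needs the audit:read scope.
    key = api_key or os.environ.get("CLAWNEX_API_KEY")
    if not key:
        raise ValueError("no API key supplied")
    query = urlencode({
        "action": action,                                # on the page
        "since": start.strftime("%Y-%m-%dT%H:%M:%SZ"),   # assumed parameter name
        "until": end.strftime("%Y-%m-%dT%H:%M:%SZ"),     # assumed parameter name
        "limit": int(limit),                             # on the page
    })
    return Request(f"{BASE_URL}?{query}", headers={"X-ClawNex-Key": key})


if __name__ == "__main__":
    # Constructed sample window; pass the result to urllib.request.urlopen to send it.
    req = build_audit_request(
        "break_glass_activated",
        "2024-05-01T00:00:00+02:00",
        "2024-05-02T00:00:00Z",
        api_key="cnx_YOUR_API_KEY",
    )
    print(req.full_url)
```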