Audit Logs
Flowstate logs security-relevant events for compliance reporting, incident investigation, and operational visibility. Every authentication attempt, configuration change, API call, and data modification generates a structured audit event that is retained and queryable from the Flowstate UI.
Overview
The audit log captures a comprehensive record of activity across your Flowstate tenant. Each event includes the actor who performed the action, the resource that was affected, a timestamp, and contextual details. Events are categorized and assigned a severity level so you can filter, search, and alert on the activity that matters most.
Event Categories
Audit events are organized into five categories:
| Category | Description | Example Events |
|---|---|---|
| authentication | Sign-in, sign-out, and session activity | Login success, login failure, magic link sent, SSO redirect, session expiry |
| audit | Configuration and settings changes | Auth provider created, role mapping updated, user role changed, user deactivated |
| api_activity | REST API usage and key lifecycle | API key created, API key revoked, API request, rate limit exceeded |
| data_access | Reads and writes to workforce planning data | Employee created, contractor updated, plan published, report exported |
| infrastructure | System-level integration events | SCIM sync completed, SIEM delivery failed, webhook delivery |
Severity Levels
Each event is assigned a severity level indicating its security significance:
| Severity | Description | Examples |
|---|---|---|
| critical | Immediate attention required | Multiple failed login attempts, API key compromised |
| high | Significant security event | Auth provider deleted, admin role granted, rate limit exceeded |
| medium | Notable activity worth tracking | New API key created, user deactivated, employee deleted |
| low | Routine operational events | Successful login, API request, employee updated, data export |
| info | Informational, low-priority events | Magic link sent, session refreshed, SCIM sync completed |
Event Payload Structure
Every audit event follows a consistent JSON structure:
```json
{
  "id": "evt_x7k9m2p4q1w3e5r8",
  "timestamp": "2026-03-11T14:32:07.123Z",
  "category": "authentication",
  "type": "login.success",
  "severity": "low",
  "actor": {
    "userId": "clx1a2b3c4d5e6f7g8h9",
    "email": "jane.chen@acme.com",
    "ipAddress": "203.0.113.42",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
  },
  "resource": {
    "type": "session",
    "id": "ses_r8t3l1m1t9a2b3c4"
  },
  "details": {
    "method": "saml",
    "provider": "Okta SSO",
    "domain": "acme.com"
  },
  "organization": {
    "id": "clx9o8r7g6i5d4",
    "name": "Acme Corp"
  },
  "tenant": "acme"
}
```
Payload Fields
| Field | Type | Description |
|---|---|---|
| id | string | Unique event identifier |
| timestamp | string | ISO 8601 timestamp with millisecond precision |
| category | string | Event category (see table above) |
| type | string | Specific event type (e.g., login.success) |
| severity | string | Event severity level |
| actor.userId | string | ID of the user who triggered the event |
| actor.email | string | Email of the actor |
| actor.ipAddress | string | Source IP address |
| actor.userAgent | string | Browser or client user agent string |
| resource.type | string | Type of resource affected |
| resource.id | string | ID of the affected resource |
| details | object | Event-specific metadata |
| organization.id | string | Organization ID |
| organization.name | string | Organization display name |
| tenant | string | Tenant subdomain |
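The field table above is enough to write a strict consumer for the payload. The following is an added example (not Flowstate's own code) that validates an event against that table before it is stored or forwarded: every documented field must be present with the documented type, category and severity must be one of the listed values, and the timestamp must be ISO 8601 UTC with millisecond precision. The sample event is the one shown above; the function names and the error-message wording are this example's own.

```python
import json
import re
from datetime import datetime

# Constructed sample event, copied from the payload structure documented above.
SAMPLE_EVENT = {
    "id": "evt_x7k9m2p4q1w3e5r8",
    "timestamp": "2026-03-11T14:32:07.123Z",
    "category": "authentication",
    "type": "login.success",
    "severity": "low",
    "actor": {
        "userId": "clx1a2b3c4d5e6f7g8h9",
        "email": "jane.chen@acme.com",
        "ipAddress": "203.0.113.42",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
    },
    "resource": {"type": "session", "id": "ses_r8t3l1m1t9a2b3c4"},
    "details": {"method": "saml", "provider": "Okta SSO", "domain": "acme.com"},
    "organization": {"id": "clx9o8r7g6i5d4", "name": "Acme Corp"},
    "tenant": "acme",
}

CATEGORIES = {"authentication", "audit", "api_activity", "data_access", "infrastructure"}
SEVERITIES = {"critical", "high", "medium", "low", "info"}

# Dotted field path -> expected JSON type, taken from the Payload Fields table.
FIELD_TYPES = {
    "id": str, "timestamp": str, "category": str, "type": str, "severity": str,
    "actor.userId": str, "actor.email": str, "actor.ipAddress": str,
    "actor.userAgent": str, "resource.type": str, "resource.id": str,
    "details": dict, "organization.id": str, "organization.name": str,
    "tenant": str,
}

# ISO 8601 UTC with exactly millisecond precision, as the table specifies.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")


def _lookup(event, path):
    """Walk a dotted path through nested dicts; return (value, present)."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None, False
        node = node[part]
    return node, True


def validate_event(event):
    """Return a list of schema violations; an empty list means the event conforms."""
    errors = []
    for path, expected in FIELD_TYPES.items():
        value, present = _lookup(event, path)
        if not present:
            errors.append(f"missing field: {path}")
        elif not isinstance(value, expected):
            errors.append(f"wrong type for {path}: expected {expected.__name__}")

    def ok(path):  # value checks run only on fields that exist and are strings
        value, present = _lookup(event, path)
        return present and isinstance(value, str)

    if ok("category") and event["category"] not in CATEGORIES:
        errors.append(f"unknown category: {event['category']}")
    if ok("severity") and event["severity"] not in SEVERITIES:
        errors.append(f"unknown severity: {event['severity']}")
    if ok("type") and "." not in event["type"]:
        errors.append("type should be dotted, e.g. login.success")
    if ok("timestamp"):
        if not TIMESTAMP_RE.match(event["timestamp"]):
            errors.append("timestamp is not ISO 8601 UTC with millisecond precision")
        else:
            try:  # the regex guarantees the shape; strptime rejects impossible dates
                datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
            except ValueError:
                errors.append("timestamp is not a real calendar date/time")
    return errors


def load_event(text):
    """Parse one JSON audit event and reject it if it does not match the schema."""
    event = json.loads(text)
    errors = validate_event(event)
    if errors:
        raise ValueError("invalid audit event: " + "; ".join(errors))
    return event


if __name__ == "__main__":
    print(validate_event(SAMPLE_EVENT))  # [] for the documented sample
```

Rejecting malformed events at ingestion, rather than tolerating them, is what keeps downstream filters on category and severity trustworthy: an event with an unexpected severity string would otherwise silently drop out of a "critical and high" search.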
Common Event Types
The following tables list the most common event types in each category:
Authentication Events
| Type | Severity | Description |
|---|---|---|
| login.success | low | User signed in successfully |
| login.failure | medium | Failed sign-in attempt |
| login.failure.repeated | critical | Multiple failed attempts for one account |
| magic_link.sent | info | Magic link email dispatched |
| sso.redirect | info | User redirected to SSO provider |
| session.expired | info | User session expired |
Audit Events
| Type | Severity | Description |
|---|---|---|
| auth_provider.created | high | New auth provider configured |
| auth_provider.updated | high | Auth provider settings changed |
| auth_provider.deleted | high | Auth provider removed |
| role_mapping.updated | high | Group-to-role mapping changed |
| user.role_changed | high | User's role was changed |
| user.deactivated | medium | User account deactivated |
API Activity Events
| Type | Severity | Description |
|---|---|---|
| api_key.created | medium | New API key generated |
| api_key.revoked | medium | API key revoked |
| api_key.expired | medium | API key reached expiration |
| api.request | low | API endpoint called |
| api.rate_limited | high | Rate limit exceeded |
Data Access Events
| Type | Severity | Description |
|---|---|---|
| employee.created | low | Employee record created |
| employee.updated | low | Employee record modified |
| employee.deleted | medium | Employee record deleted |
| contractor.created | low | Contractor record created |
| contractor.updated | low | Contractor record modified |
| contractor.deleted | medium | Contractor record deleted |
| team.created | low | Team created |
| team.updated | low | Team structure modified |
| team.deleted | medium | Team deleted |
| project.created | low | Project created |
| project.updated | low | Project modified |
| project.deleted | medium | Project deleted |
| plan.published | medium | Scenario plan published |
| report.exported | low | Report or data export generated |
Infrastructure Events
| Type | Severity | Description |
|---|---|---|
| scim.sync_completed | info | SCIM provisioning sync completed |
| siem.delivery_failed | high | Failed to deliver events to SIEM endpoint |
| webhook.delivery_failed | high | Failed to deliver webhook payload |
Viewing Audit Logs
Navigate to Settings > Security > Audit Logs to view the audit log for your organization.
Filtering
Use the filter controls to narrow down the log:
| Filter | Description |
|---|---|
| Category | Filter by event category (authentication, audit, api_activity, data_access, infrastructure) |
| Severity | Filter by minimum severity level (critical, high, medium, low, info) |
| Date Range | Restrict to a specific time window |
| Actor | Search by user email or user ID |
TIP
Start with the critical and high severity filters when investigating a security incident. Expand to medium and low once you have identified the relevant time window and actors.
Event Detail View
Click on any event in the log to view its full payload, including the details object with event-specific metadata. This is useful for understanding exactly what changed -- for example, which fields were modified on an employee record or which permission scopes were granted to a new API key.
Retention
Audit logs are retained for compliance purposes and are available for the lifetime of your Flowstate tenant. Events cannot be modified or deleted by any user, including tenant administrators.
TIP
For organizations with regulatory requirements (SOC 2, ISO 27001, GDPR), the immutable audit log provides an authoritative record of all security-relevant activity. Export audit data periodically for long-term archival if your compliance framework requires it.
SIEM Integration
For real-time streaming of audit events to an external security platform, configure a SIEM integration. SIEM integration delivers the same event payloads described on this page to your Splunk, Microsoft Sentinel, Datadog, or custom HTTPS endpoint as they occur.
This is complementary to the in-app audit log:
| Capability | Audit Logs (In-App) | SIEM Integration |
|---|---|---|
| Viewing events | Flowstate UI | Your SIEM platform |
| Filtering | Category, severity, date, actor | Full SIEM query language |
| Alerting | Not available | Configure in your SIEM |
| Correlation | Flowstate events only | Correlate with other systems |
| Retention | Managed by Flowstate | Managed by your SIEM |
TIP
Use the in-app audit log for quick investigations and ad-hoc queries. Use SIEM integration for automated alerting, cross-system correlation, and long-term analytics.
Required Permissions
| Action | Permission |
|---|---|
| View audit logs | AUDIT_VIEW |
| Configure audit settings | AUDIT_CONFIGURE |
| Confirm audit findings | AUDIT_CONFIRM |
| Export audit data | AUDIT_EXPORT |
Best Practices
- Review audit logs regularly -- Schedule periodic reviews of high-severity events, especially login.failure.repeated, auth_provider.*, and user.role_changed events. These may indicate unauthorized access attempts or unintended configuration changes.
- Set up SIEM alerts for critical events -- Configure alerts in your SIEM platform for critical-severity events such as repeated login failures, auth provider changes, and API rate limiting. Automated alerts catch incidents faster than manual review.
- Investigate anomalies promptly -- If you see unusual patterns (logins from unexpected IP addresses, API keys used outside business hours, bulk data exports), investigate immediately. The audit log provides the actor, timestamp, and resource details you need to assess the situation.
- Use audit logs for compliance reporting -- Export audit data on a regular cadence to satisfy compliance requirements. The structured event format integrates well with GRC (governance, risk, and compliance) tools.
- Correlate with SIEM data -- If you use SIEM integration, correlate Flowstate audit events with events from other systems (VPN logs, IdP logs, endpoint detection) to build a complete picture of security incidents.
- Restrict audit access -- The AUDIT_VIEW and AUDIT_EXPORT permissions should be limited to security, compliance, and IT administration roles. Not every user needs access to the full audit trail.
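The review and alerting practices above translate directly into rules that can run over exported or SIEM-streamed events. The following is an added example (not Flowstate's own code, and not a feature of the product) that implements four of them over constructed sample events carrying only the payload fields the rules read: repeated login failures from one actor inside a short window, any auth_provider.* or user.role_changed change, a successful login from outside an expected network range, and a burst of report.exported events by one actor. It also includes the minimum-severity filter described under Filtering, so the same event set can be triaged the way the TIP recommends. The thresholds, the 203.0.113.0/24 "expected" range, the rule names, and the sample actors are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Severity ordering from the Severity Levels table (higher rank = more severe).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumption for the example: the organisation's expected egress range.
EXPECTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Assumed thresholds; tune to your own environment.
FAILURE_THRESHOLD, FAILURE_WINDOW = 5, timedelta(minutes=10)
EXPORT_THRESHOLD, EXPORT_WINDOW = 3, timedelta(hours=1)


def parse_ts(ts):
    """Audit timestamps are ISO 8601 UTC with millisecond precision."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def at_least(events, min_severity):
    """Mirror the UI's minimum-severity filter: keep events at or above the threshold."""
    floor = SEVERITY_RANK[min_severity]
    return [e for e in events if SEVERITY_RANK[e["severity"]] >= floor]


def _burst(events, threshold, window):
    """Yield (actor email, count) for actors with >= threshold events inside one window."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]["email"]].append(parse_ts(e["timestamp"]))
    for actor, times in by_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            yield actor, best


def run_rules(events):
    """Apply the detection rules and return a list of alert dicts."""
    alerts = []
    failures = [e for e in events if e["type"] == "login.failure"]
    for actor, n in _burst(failures, FAILURE_THRESHOLD, FAILURE_WINDOW):
        alerts.append({"rule": "repeated_login_failures", "actor": actor, "count": n})
    for e in events:
        if e["type"].startswith("auth_provider.") or e["type"] == "user.role_changed":
            alerts.append({"rule": "sensitive_config_change",
                           "actor": e["actor"]["email"], "type": e["type"]})
        if e["type"] == "login.success":
            ip = ip_address(e["actor"]["ipAddress"])
            if not any(ip in net for net in EXPECTED_NETWORKS):
                alerts.append({"rule": "login_from_unexpected_ip",
                               "actor": e["actor"]["email"], "ip": str(ip)})
    exports = [e for e in events if e["type"] == "report.exported"]
    for actor, n in _burst(exports, EXPORT_THRESHOLD, EXPORT_WINDOW):
        alerts.append({"rule": "bulk_export", "actor": actor, "count": n})
    return alerts


def ev(ts, category, type_, severity, email, ip):
    # Constructed, abbreviated payload: only the documented fields the rules read.
    return {"timestamp": ts, "category": category, "type": type_,
            "severity": severity, "actor": {"email": email, "ipAddress": ip}}


# Constructed sample: five failures then a success from an unexpected address,
# a role change, three exports within an hour, and some routine API noise.
SAMPLE_EVENTS = [
    ev(f"2026-03-11T14:0{i}:00.000Z", "authentication", "login.failure", "medium",
       "jane.chen@acme.com", "198.51.100.7") for i in range(5)
] + [
    ev("2026-03-11T14:06:00.000Z", "authentication", "login.success", "low", "jane.chen@acme.com", "198.51.100.7"),
    ev("2026-03-11T14:10:00.000Z", "authentication", "login.success", "low", "bob.lee@acme.com", "203.0.113.42"),
    ev("2026-03-11T14:15:00.000Z", "audit", "user.role_changed", "high", "bob.lee@acme.com", "203.0.113.42"),
    ev("2026-03-11T14:20:00.000Z", "data_access", "report.exported", "low", "bob.lee@acme.com", "203.0.113.42"),
    ev("2026-03-11T14:25:00.000Z", "data_access", "report.exported", "low", "bob.lee@acme.com", "203.0.113.42"),
    ev("2026-03-11T14:30:00.000Z", "data_access", "report.exported", "low", "bob.lee@acme.com", "203.0.113.42"),
    ev("2026-03-11T14:31:00.000Z", "api_activity", "api.request", "low", "bob.lee@acme.com", "203.0.113.42"),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
    print(len(at_least(SAMPLE_EVENTS, "high")), "event(s) at high or above")
```

Note that the unexpected-IP rule only fires on login.success: the five failures from 198.51.100.7 are already covered by the repeated-failure rule, and the success that follows them is the event that warrants the immediate look. A severity-only triage would miss that login entirely, since login.success is rated low; this is why the best practice of correlating on actor and IP matters alongside the severity filter.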
Related Pages
- SIEM Integration -- Stream audit events to your SIEM platform in real time
- API Keys -- API key lifecycle events tracked in the audit log
- Roles & Permissions -- Permission model and role change tracking
- SAML 2.0 Setup -- Authentication provider events in the audit trail
- OAuth 2.0 Setup -- OAuth authentication events
- SCIM 2.0 Provisioning -- User provisioning sync events