Audit logs give you visibility over the changes made within your incident.io account. They cover configuration changes and permission updates (e.g. a user being given a new role, or granted access to a private incident). Audit logs are available on the Enterprise plan and powered by WorkOS. Each entry conforms to a versioned schema, so you can parse older events even as the schema evolves. Entries are retained for one year (starting from 18 April, 2023).

Viewing your audit log

You can view your audit log from Settings > Security. From there you can:
  • Browse entries with filters for target, event type, actor, and date
  • Export entries for a given time period to CSV
  • Set up a log stream to a provider of your choice (e.g. Splunk or Amazon S3)

Understanding entries

Each audit log entry includes:
  • Actor — who or what made the change (user, API key, system, workflow, external resource, or alert)
  • Action — the event type (e.g. api_key.created)
  • Targets — what was modified
  • Context — location and user agent, where applicable
  • Version — schema version for backwards compatibility

Actor types

Users

Changes triggered by a user in your account.
{
  "type": "user",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Kelsey Mills",
  "metadata": {
    "user_base_role_slug": "admin",
    "user_custom_role_slugs": "engineering,security"
  }
}

API keys

Changes triggered by an API key.
{
  "type": "api_key",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Lisa's development key",
  "metadata": {
    "api_key_roles": "incident_creator,global_access"
  }
}

Systems

Changes triggered by a system — either a third-party integration (e.g. a user created via Slack) or an internal process (e.g. a severity created during setup).
{
  "type": "system",
  "id": "incident_setup",
  "name": "incident.io (setup)",
  "metadata": {}
}

Workflows

Changes triggered by a workflow, such as auto-inviting users to a private incident.
{
  "type": "workflow",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Auto-invite security team to private incidents",
  "metadata": {}
}

External resources

Changes triggered by an external resource (also known as an attachment).
{
  "type": "external_resource",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "#1234 Increased API latency",
  "metadata": {
    "external_resource_type": "pager_duty_incident",
    "external_resource_external_id": "q1234"
  }
}

Alerts

Changes triggered by an alert (e.g. from Datadog or Grafana).
{
  "type": "alert",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Staging: pod CPU high",
  "metadata": {
    "alert_source_id": "01HB0ZG3B0HM04RCXNSPV1EDYG"
  }
}
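
When these entries are streamed to a SIEM, the role slugs in actor metadata arrive as comma-separated strings and differ by actor type. The following is an added example, not incident.io's own code: it flattens an actor object into a uniform principal record, using only the fields shown in the samples above. The function names, the `human` and `known` output fields, and the `WATCHED_ROLES` set are assumptions made for illustration.

```python
import json

# Actor types documented above; anything else is kept but marked unknown.
KNOWN_TYPES = {"user", "api_key", "system", "workflow", "external_resource", "alert"}
# Metadata keys that hold comma-separated role slugs, per actor type.
ROLE_KEYS = {
    "user": ("user_base_role_slug", "user_custom_role_slugs"),
    "api_key": ("api_key_roles",),
}
# Assumption: slugs this example treats as high-privilege; adjust to your own roles.
WATCHED_ROLES = {"admin", "global_access"}


def normalize_actor(actor):
    """Flatten one actor object into a principal record with roles as a list."""
    a_type = actor.get("type")
    meta = actor.get("metadata") or {}
    roles = []
    for key in ROLE_KEYS.get(a_type, ()):
        # Role slugs arrive as one comma-separated string, not a JSON array.
        roles += [r.strip() for r in (meta.get(key) or "").split(",") if r.strip()]
    return {
        "type": a_type,
        "id": actor.get("id"),
        "name": actor.get("name"),
        "roles": roles,
        "human": a_type == "user",
        # Unknown types are surfaced for review instead of being dropped.
        "known": a_type in KNOWN_TYPES,
    }


def has_watched_role(principal):
    """True when the principal carries any role in WATCHED_ROLES."""
    return bool(WATCHED_ROLES.intersection(principal["roles"]))


# Constructed input: the user, API key and system samples from this page.
SAMPLES = json.loads("""[
  {"type": "user", "id": "01G0J1EXE7AXZ2C93K61WBPYEH", "name": "Kelsey Mills",
   "metadata": {"user_base_role_slug": "admin",
                "user_custom_role_slugs": "engineering,security"}},
  {"type": "api_key", "id": "01G0J1EXE7AXZ2C93K61WBPYEH", "name": "Lisa's development key",
   "metadata": {"api_key_roles": "incident_creator,global_access"}},
  {"type": "system", "id": "incident_setup", "name": "incident.io (setup)", "metadata": {}}
]""")

if __name__ == "__main__":
    for sample in SAMPLES:
        p = normalize_actor(sample)
        print(p["type"], p["name"], p["roles"], "watched" if has_watched_role(p) else "-")
```

Because the schema is versioned and may gain actor types, records with `known` set to false are worth routing to review rather than discarding.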