View Audit Logs
Track administrative events and access management changes with organization and space audit logs.
Mondoo records administrative events in audit logs you can view in the Mondoo App or pull through the GraphQL API. There are two scopes:
- An organization log tracks member access changes for the organization.
- A space log tracks space-level management, like creating or deleting service accounts and agents.
View a space audit log
- Navigate to the organization that contains the space.
- Select the space.
- In the left navigation, select Settings.
- Select the Audit Log tab.
View an organization audit log
- Navigate to the organization.
- In the left navigation, select Settings.
- Select the Audit Log tab.
Retrieve audit logs through the API
Organization audit logs are available through Mondoo's GraphQL API. You need:
- An API token with at least read access to the organization.
- The organization ID. Find it on the Organizations page, just below the organization name.

Query
Save this query to query.gql. Replace <ORG_ID> with your organization ID.

query AuditLogForwardPagination(
  $first: Int
  $after: String
  $orderBy: AuditLogOrder = { direction: DESC, field: TIMESTAMP }
  $resourceMrn: String!
) {
  auditlog(first: $first, after: $after, orderBy: $orderBy, resourceMrn: $resourceMrn) {
    totalCount
    edges {
      cursor
      node {
        identity {
          name
          mrn
        }
        resource
        action
        timestamp
        msg
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasNextPage
    }
  }
}

Variables
Save this variables payload to variables.json, again replacing <ORG_ID>:

{
  "first": 25,
  "resourceMrn": "//captain.api.mondoo.app/organizations/<ORG_ID>"
}

Call the API
EU region: Replace https://api.mondoo.com/query with https://eu.api.mondoo.com/query if your organization is in the EU region.

export TOKEN='YOUR_API_TOKEN'
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @<(jq -nc --arg q "$(cat query.gql)" --argjson v "$(cat variables.json)" \
    '{query: $q, variables: $v}') \
  https://api.mondoo.com/query | jq

A successful response looks like:

{
  "data": {
    "auditlog": {
      "totalCount": 36,
      "edges": [
        {
          "cursor": "172213",
          "node": {
            "identity": {
              "name": "Jane Doe",
              "mrn": "//captain.api.mondoo.app/users/26OR1GOGsqmfjXOOO8joxgJDdtM"
            },
            "resource": "//agents.api.mondoo.app/organizations/mondoo-organization-1/serviceaccounts/2e3NzLkD73yQe7MTJZLw3",
            "action": "mondoo.agents.AgentManager.CreateServiceAccount",
            "timestamp": "2024-03-22T17:46:03Z",
            "msg": "created service account"
          }
        }
      ]
    }
  }
}

Filter by timestamp
Add a timestampFilter variable to limit results to events before or after a given time. Update the query to accept the variable:

query AuditLogForwardPagination(
  $first: Int
  $after: String
  $orderBy: AuditLogOrder = { direction: DESC, field: TIMESTAMP }
  $resourceMrn: String!
  $timestampFilter: TimestampFilter
) {
  auditlog(
    first: $first
    after: $after
    orderBy: $orderBy
    resourceMrn: $resourceMrn
    timestampFilter: $timestampFilter
  ) {
    # ...same body as above
  }
}

And include the filter in your variables:

{
  "first": 25,
  "resourceMrn": "//captain.api.mondoo.app/organizations/<ORG_ID>",
  "timestampFilter": {
    "timestamp": "2024-05-06T13:48:33+03:00",
    "operator": "LT"
  }
}

LT returns events before the timestamp; use GT for events after.
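
The following Python code is an added example, not part of Mondoo's documentation. It follows the query's pageInfo cursor to collect every audit event rather than only the first 25, then picks out service account creations for review. It assumes endCursor is passed back as the after variable (the usual cursor-pagination convention); http_send, iter_audit_events and service_account_creations are names chosen here.

```python
import json
import urllib.request

API_URL = "https://api.mondoo.com/query"  # EU region: https://eu.api.mondoo.com/query

# The page's timestampFilter query, trimmed to the fields this example reads.
QUERY = """
query AuditLogForwardPagination($first: Int, $after: String,
  $orderBy: AuditLogOrder = { direction: DESC, field: TIMESTAMP },
  $resourceMrn: String!, $timestampFilter: TimestampFilter) {
  auditlog(first: $first, after: $after, orderBy: $orderBy,
           resourceMrn: $resourceMrn, timestampFilter: $timestampFilter) {
    edges { node { identity { name mrn } resource action timestamp msg } }
    pageInfo { endCursor hasNextPage }
  }
}"""

def http_send(token, url=API_URL):
    """Return a send(variables) callable that POSTs the query with a bearer token."""
    def send(variables):
        body = json.dumps({"query": QUERY, "variables": variables}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def iter_audit_events(org_id, send, page_size=25, timestamp_filter=None):
    """Yield every audit log node, following endCursor until hasNextPage is false."""
    variables = {"first": page_size, "timestampFilter": timestamp_filter,
                 "resourceMrn": f"//captain.api.mondoo.app/organizations/{org_id}"}
    while True:
        reply = send(variables)
        if reply.get("errors"):  # GraphQL reports failures in an "errors" array
            raise RuntimeError(f"GraphQL error: {reply['errors']}")
        log = reply["data"]["auditlog"]
        for edge in log["edges"]:
            yield edge["node"]
        page = log["pageInfo"]
        if not page["hasNextPage"]:
            return
        if page["endCursor"] in (None, variables.get("after")):
            raise RuntimeError("cursor did not advance; stopping to avoid a loop")
        variables = {**variables, "after": page["endCursor"]}

def service_account_creations(events):
    """Keep events whose action is the CreateServiceAccount call from the sample response."""
    return [e for e in events if e["action"].endswith(".CreateServiceAccount")]
```

Call it as `iter_audit_events("<ORG_ID>", http_send(token), timestamp_filter={"timestamp": "...", "operator": "GT"})` to pull only events after the last one you have already collected.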