Mondoo Docs
Manage Mondoo

View Audit Logs

Learn about Mondoo's audit logs

Mondoo tracks administrative events, such as organization and access management tasks, in audit logs. You access the logs in the Mondoo Console. There are two types of logs:

  • For each organization in your account, an organization log tracks member (user) access management.

  • For each space in an organization, a space log tracks management tasks, such as creation and deletion of service accounts and agents.

Access a space audit log

  1. Navigate to the organization that contains the space you want to see the log for.

    Select a Mondoo organization

  2. Select the space you want to see the log for.

    Mondoo space log

  3. In the left navigation, select Settings.

  4. Select Audit Log.

Access an organization audit log

  1. Navigate to the organization you want to see the log for.

    Select a Mondoo organization

  2. In the left navigation, select Settings.

  3. Select Audit Log.

Retrieve audit logs using the API

Organization audit logs are available via Mondoo's GraphQL API. To access an organization's logs using the API, you must have:

  • An API token.

  • The organization's ID. Find it on the Organizations page, under the organization name.

    Mondoo organization ID

Use this GraphQL query to get the audit log for an organization, providing the organization's ID:

{
  "variables": {
    "first": 25,
    "resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>"
  },
  "query": "query AuditLogForwardPagination($first: Int, $after: String, $orderBy: AuditLogOrder = {direction: DESC, field: TIMESTAMP}, $resourceMrn: String!) {
               auditlog(
                  first: $first
                  after: $after
                  orderBy: $orderBy
                  resourceMrn: $resourceMrn
               ) {
                  totalCount
                  edges {
                     cursor
                     node {
                     identity {
                        name
                        mrn
                     }
                     resource
                     action
                     timestamp
                     msg
                     }
                  }
                  pageInfo {
                     startCursor
                     endCursor
                     hasNextPage
                  }
            }
         }"
}

To test this task using cURL, store the query in a file named "query.json" and execute as shown below. Be sure to specify your organization ID in the query.

EU region

If you're operating in the EU region, replace the https://api.mondoo.com/query URL with https://eu.api.mondoo.com/query.

$ cat query.json
{
  "variables": {
    "first": 25,
    "resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>"
  },
  "query": "query AuditLogForwardPagination($first: Int, $after: String, $orderBy: AuditLogOrder = {direction: DESC, field: TIMESTAMP}, $resourceMrn: String!) {
  auditlog(
    first: $first
    after: $after
    orderBy: $orderBy
    resourceMrn: $resourceMrn
  ) {
    totalCount
    edges {
      cursor
      node {
        identity {
          name
          mrn
        }
        resource
        action
        timestamp
        msg
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasNextPage
    }
  }
}"
}

$ curl -g -X POST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d @query.json https://api.mondoo.com/query | jq
{
"data": {
"auditlog": {
"totalCount": 36,
"edges": [
{
"cursor": "172213",
"node": {
"identity": {
"name": "Jane Doe",
"mrn": "//captain.api.mondoo.app/users/26OR1GOGsqmfjXOOO8joxgJDdtM"
},
"resource": "//agents.api.mondoo.app/organizations/mondoo-organization-1/serviceaccounts/2e3NzLkD73yQe7MTJZLw3",
"action": "mondoo.agents.AgentManager.CreateServiceAccount",
"timestamp": "2024-03-22T17:46:03Z",
"msg": "created service account"
}
},
{
"cursor": "143156",
"node": {
"identity": {
"name": "John Smith",
"mrn": "//captain.api.mondoo.app/users/1zYNjiRERS59LsS8iCloxPxbxLo"
},
"resource": "//captain.api.mondoo.app/users/2AdPauBAGEqnOjIFXx6AIyWrhxh",
"action": "mondoo.captain.Captain.SetOrganizationMembership",
"timestamp": "2024-01-30T00:01:04Z",
"msg": "owner added"
}
},
...

Get help

Can't find what you need? Join our community Slack channel to chat with us and other Mondoo users.

Filtering audit logs based on their timestamp

It is possible to filter the audit logs based on their timestamp. To do so, add a timestamp filter to your query:

query AuditLogForwardPagination(
  $first: Int
  $after: String
  $orderBy: AuditLogOrder = { direction: DESC, field: TIMESTAMP }
  $resourceMrn: String!
  $timestampFilter: TimestampFilter
) {
  auditlog(
    first: $first
    after: $after
    orderBy: $orderBy
    resourceMrn: $resourceMrn
    timestampFilter: $timestampFilter
  ) {
    totalCount
    edges {
      cursor
      node {
        identity {
          name
          mrn
        }
        resource
        action
        timestamp
        msg
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasNextPage
    }
  }
}

For example, to retrieve the audit logs for an organization that occurred after a a specific timestamp, add the following variables to your query:

"variables": {
  "first": 25,
  "resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>",
  "timestampFilter": {
    "timestamp": "2024-05-06T13:48:33+03:00",
    "operator": "LT"
  }
}

Vulnerability Export Schema

Vulnerability schema for the Mondoo JSONL export

Releases and Versions

Learn about Mondoo's versioning policy and how to make sure you have the latest release

On this page

Access a space audit logAccess an organization audit logRetrieve audit logs using the APIGet helpFiltering audit logs based on their timestamp