Manage Mondoo

Continuously Export Audit Logs

Continuously export audit logs from Mondoo to Google Cloud Storage in OCSF format for long-term retention, SIEM ingestion, or compliance evidence.

Mondoo can continuously export your audit logs to Google Cloud Storage (GCS) in OCSF (Open Cybersecurity Schema Framework) v1.5.0 format. Once configured, exports run automatically on a recurring schedule, delivering new audit events as JSONL files to a GCS bucket.

Common reasons to set up a continuous audit log export:

  • SIEM and security analytics. Feed Mondoo audit events into Splunk, Chronicle, Elastic, or another SIEM that ingests OCSF-formatted data from GCS.
  • Compliance evidence. Maintain an immutable record of administrative events in your own storage for audit readiness.
  • Long-term retention. Keep audit history beyond Mondoo's built-in retention window.
  • Correlation. Join Mondoo events with logs from other systems in a central data lake.

How it works

You create an audit log export integration scoped to a platform, organization, or space:

ScopeWhat is exported
PlatformAll audit events across every organization and space
OrganizationAudit events for the organization and all spaces within it
SpaceAudit events for that space only

After creation, Mondoo runs the export on a recurring interval (default: every 60 minutes, minimum: every 5 minutes). Each run picks up only events that are new since the last successful export, using an internal watermark to track progress. Files are written as JSONL (one OCSF event per line) with deterministic, non-overlapping filenames so that retries are safe and idempotent.

On the very first run you can optionally include all historical audit logs. If you don't enable this option, the export starts from the current point in time and only captures new events going forward.

Requirements

  • A Google Cloud project with a GCS bucket. See the Google Cloud Storage documentation for setup.
  • A GCP service account with the Storage Object Creator role (roles/storage.objectCreator) on the target bucket.
  • One of the following authentication methods:
    • Workload Identity Federation (WIF) (recommended because it requires no stored credentials), or
    • A service account key (JSON).
  • Owner access to the Mondoo organization (or platform, depending on the scope you want).

Set up GCP authentication

Mondoo supports two ways to authenticate with GCP. Choose one:

  • Workload Identity Federation (WIF) eliminates the need to store and rotate service account keys. Mondoo authenticates to GCP using short-lived OIDC tokens that GCP validates and exchanges for temporary credentials. This is the recommended approach.

  • Service account key uses a static JSON key file. This is simpler to set up but requires you to securely store and regularly rotate the key.

The GCP-side WIF setup (creating a service account, Workload Identity Pool, and OIDC provider for Mondoo) is the same as for other Mondoo GCS-based integrations. Follow Steps 1 through 4 in the Export Data to Google BigQuery guide, with these differences:

  • In Step 1, grant the service account the Storage Object Creator role (roles/storage.objectCreator) instead of the BigQuery roles.
  • You do not need a BigQuery dataset. Skip any BigQuery-specific instructions.

After completing Steps 1–4 you should have:

  • A GCP service account email (for example, mondoo-audit-export@PROJECT_ID.iam.gserviceaccount.com)
  • A WIF audience URL (for example, https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID)

You'll use both values when creating the integration in Mondoo.

After creating the integration (next section), you must also complete Steps 6 and 7 from the BigQuery guide. Copy the computed WIF subject from the Mondoo response and authorize it to impersonate the GCP service account. The integration will not work until this binding is in place.

Service account key

  1. Create a GCP service account and grant it the Storage Object Creator role (roles/storage.objectCreator) on the target bucket. For instructions, read Creating and managing service accounts in the Google documentation.

  2. Create a JSON key for the service account. For instructions, read Create and manage service account keys in the Google documentation. Save the JSON file. You'll need it when creating the integration.

Create the integration

This integration is not available in the Mondoo App UI. Use the GraphQL API or Terraform provider to create it.

Use the mondoo_integration_audit_log_export resource from the Mondoo Terraform provider.

With WIF:

resource "mondoo_integration_audit_log_export" "example" {
  org_id             = "your-mondoo-org-id"
  name               = "Audit Log Export to GCS"
  bucket             = "my-audit-log-bucket"
  include_historical = false

  wif_audience              = "https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
  wif_service_account_email = "mondoo-audit-export@PROJECT_ID.iam.gserviceaccount.com"
}

With a service account key:

resource "mondoo_integration_audit_log_export" "example" {
  org_id             = "your-mondoo-org-id"
  name               = "Audit Log Export to GCS"
  bucket             = "my-audit-log-bucket"
  include_historical = false

  service_account_json = file("path/to/service-account-key.json")
}

For a complete example that provisions the GCS bucket, service account, WIF binding, and the Mondoo integration together, see the Terraform provider documentation.

Platform-level export: Use scope_mrn instead of org_id:

resource "mondoo_integration_audit_log_export" "platform" {
  scope_mrn = "//platform.api.mondoo.app"
  name      = "Platform Audit Log Export"
  bucket    = "my-audit-log-bucket"
  # ... authentication fields
}

Use the createClientIntegration mutation. You need an API token with Owner access to the target scope.

EU region

Replace https://api.mondoo.com/query with https://eu.api.mondoo.com/query if your organization is in the EU region.

With WIF:

mutation {
  createClientIntegration(
    input: {
      scopeMrn: "//captain.api.mondoo.app/organizations/YOUR_ORG_ID"
      name: "Audit Log Export to GCS"
      type: AUDIT_LOG_EXPORT
      longLivedToken: false
      configurationOptions: {
        auditLogExportConfigurationOptions: {
          bucket: "my-audit-log-bucket"
          includeHistorical: false
          wifAudience: "https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
          wifServiceAccountEmail: "mondoo-audit-export@PROJECT_ID.iam.gserviceaccount.com"
        }
      }
    }
  ) {
    integration {
      mrn
      configurationOptions {
        ... on AuditLogExportConfigurationOptions {
          bucket
          format
          intervalMinutes
          wifSubject
          wifAudience
        }
      }
    }
  }
}

The response includes a computed wifSubject value. Use it to complete the WIF binding in GCP (see the authentication section above).

With a service account key:

mutation {
  createClientIntegration(
    input: {
      scopeMrn: "//captain.api.mondoo.app/organizations/YOUR_ORG_ID"
      name: "Audit Log Export to GCS"
      type: AUDIT_LOG_EXPORT
      longLivedToken: false
      configurationOptions: {
        auditLogExportConfigurationOptions: {
          bucket: "my-audit-log-bucket"
          includeHistorical: false
          serviceAccountJson: "{...your service account JSON...}"
        }
      }
    }
  ) {
    integration {
      mrn
      configurationOptions {
        ... on AuditLogExportConfigurationOptions {
          bucket
          format
          intervalMinutes
        }
      }
    }
  }
}

Platform-level export: Use //platform.api.mondoo.app as the scopeMrn.

After creation, the first export runs immediately. If the integration status becomes active, the setup is working correctly. If it shows error, check the error message and verify your GCP authentication setup.

Manage the integration

You can manage an existing audit log export integration through the GraphQL API or Terraform:

  • Check the status. active means the integration is healthy and exporting on schedule. error means the last export failed. Check the error message for details.
  • Pause and resume. Pause the integration to temporarily stop exports without deleting the configuration. Resume it to pick up where it left off.
  • Remove the integration. Delete the integration to stop all future exports. Mondoo does not delete data already written to your GCS bucket.

Exported data format

Exported files are written as JSONL (JSON Lines), with one OCSF event per line. Filenames follow the pattern:

{scope}-audit-logs-{fromID}-{toID}.jsonl

For example: org-abc123-audit-logs-500-1000.jsonl

Each event conforms to OCSF v1.5.0 and uses one of three event classes depending on the action:

OCSF classClass UIDUsed for
Account Change3001Membership changes (adding/removing users to orgs or spaces)
Entity Management3004CRUD operations on service accounts, agents, spaces, orgs, and integrations
API Activity6003Policy assignments, scan triggers, and all other actions

Example OCSF event

{
  "category_uid": 3,
  "class_uid": 3004,
  "activity_id": 1,
  "type_uid": 300401,
  "severity_id": 1,
  "time": 1719900000,
  "message": "created service account",
  "metadata": {
    "product": {
      "name": "Mondoo Platform",
      "vendor_name": "Mondoo"
    },
    "version": "1.5.0"
  },
  "actor": {
    "user": {
      "email_addr": "jane@example.com",
      "name": "Jane Doe"
    }
  },
  "entity": {
    "name": "my-service-account",
    "type": "Service Account"
  },
  "api": {
    "operation": "CreateServiceAccount",
    "service": {
      "name": "mondoo.agents.AgentManager"
    }
  },
  "unmapped": {
    "mondoo": {
      "identity_mrn": "//captain.api.mondoo.app/users/abc123",
      "resource_mrn": "//agents.api.mondoo.app/organizations/org-1/serviceaccounts/sa-1",
      "scope_mrn": "//captain.api.mondoo.app/organizations/org-1"
    }
  }
}

Mapped audit events

Mondoo actionOCSF classActivity
Add org/space membershipAccount ChangeCreate
Remove org/space membershipAccount ChangeDelete
Create service accountEntity ManagementCreate
Delete service accountEntity ManagementDelete
Register/unregister agentEntity ManagementCreate/Delete
Create/update/delete spaceEntity ManagementCreate/Update/Delete
Create/update/delete orgEntity ManagementCreate/Update/Delete
Create/update/delete integrationEntity ManagementCreate/Update/Delete
Assign/unassign policyAPI ActivityCreate/Delete
Set policy bundleAPI ActivityUpdate
Trigger scanAPI ActivityOther
All other actionsAPI ActivityOther

Limitations

  • Destination: Only Google Cloud Storage (GCS) is supported. Other object stores (S3, Azure Blob) are not currently available.
  • Format: Only OCSF v1.5.0 (JSONL) is supported. CSV and other formats are not available.
  • Export interval: Minimum 5 minutes, default 60 minutes. The interval is set at creation time and cannot be changed after the fact.
  • Authentication: Provide either a service account key or WIF credentials, not both.
  • Scope: Each integration exports from a single scope (platform, organization, or space). To export from multiple organizations independently, create one integration per organization.
  • Include historical: This setting only affects the first export run. Once the export has started, it always exports incrementally from the last watermark.
  • No UI: This integration must be created via the GraphQL API or Terraform provider.

See also

On this page