View Audit Logs
Mondoo tracks administrative events, such as organization and access management tasks, in audit logs. You access the logs in the Mondoo Console. There are two types of logs:
- For each organization in your account, an organization log tracks member (user) access management.
- For each space in an organization, a space log tracks management tasks, such as creation and deletion of service accounts and agents.
Access a space audit log
- Navigate to the organization that contains the space you want to see the log for.
- Select the space you want to see the log for.
- In the left navigation bar, select Settings.
- Select Audit Log.
Access an organization audit log
- Navigate to the organization you want to see the log for.
- In the left navigation bar, select Settings.
- Select Audit Log.
Retrieve audit logs using the API
Organization audit logs are available via Mondoo's GraphQL API. To access an organization's logs using the API, you must have:
- An API token.
- The organization's ID. Find it on the organization page, under the organization name.
Use this GraphQL query to get the audit log for an organization, providing the organization's ID as part of the resourceMrn variable:
{
"variables": {
"first": 25,
"resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>"
},
"query": "query AuditLogForwardPagination($first: Int, $after: String, $orderBy: AuditLogOrder = {direction: DESC, field: TIMESTAMP}, $resourceMrn: String!) {
auditlog(
first: $first
after: $after
orderBy: $orderBy
resourceMrn: $resourceMrn
) {
totalCount
edges {
cursor
node {
identity {
name
mrn
}
resource
action
timestamp
msg
}
}
pageInfo {
startCursor
endCursor
hasNextPage
}
}
}"
}
To test this task using cURL, store the query in a file named query.json and run the command shown below. Be sure to specify your organization ID in the query. Note that the query string as shown spans several lines; strict JSON parsers reject unescaped line breaks inside a string, so if the request is rejected, put the query on a single line or escape the line breaks as \n.
If you're operating in the EU region, replace the https://api.mondoo.com/query URL with https://eu.api.mondoo.com/query.
$ cat query.json
{
"variables": {
"first": 25,
"resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>"
},
"query": "query AuditLogForwardPagination($first: Int, $after: String, $orderBy: AuditLogOrder = {direction: DESC, field: TIMESTAMP}, $resourceMrn: String!) {
auditlog(
first: $first
after: $after
orderBy: $orderBy
resourceMrn: $resourceMrn
) {
totalCount
edges {
cursor
node {
identity {
name
mrn
}
resource
action
timestamp
msg
}
}
pageInfo {
startCursor
endCursor
hasNextPage
}
}
}"
}
$ curl -g -X POST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d @query.json https://api.mondoo.com/query | jq
{
"data": {
"auditlog": {
"totalCount": 36,
"edges": [
{
"cursor": "172213",
"node": {
"identity": {
"name": "Jane Doe",
"mrn": "//captain.api.mondoo.app/users/26OR1GOGsqmfjXOOO8joxgJDdtM"
},
"resource": "//agents.api.mondoo.app/organizations/mondoo-organization-1/serviceaccounts/2e3NzLkD73yQe7MTJZLw3",
"action": "mondoo.agents.AgentManager.CreateServiceAccount",
"timestamp": "2024-03-22T17:46:03Z",
"msg": "created service account"
}
},
{
"cursor": "143156",
"node": {
"identity": {
"name": "John Smith",
"mrn": "//captain.api.mondoo.app/users/1zYNjiRERS59LsS8iCloxPxbxLo"
},
"resource": "//captain.api.mondoo.app/users/2AdPauBAGEqnOjIFXx6AIyWrhxh",
"action": "mondoo.captain.Captain.SetOrganizationMembership",
"timestamp": "2024-01-30T00:01:04Z",
"msg": "owner added"
}
},
...
Filtering audit logs by timestamp
You can filter the audit log by timestamp. To do so, add a timestampFilter variable and argument to the query:
query AuditLogForwardPagination(
$first: Int
$after: String
$orderBy: AuditLogOrder = { direction: DESC, field: TIMESTAMP }
$resourceMrn: String!
$timestampFilter: TimestampFilter
) {
auditlog(
first: $first
after: $after
orderBy: $orderBy
resourceMrn: $resourceMrn
timestampFilter: $timestampFilter
) {
totalCount
edges {
cursor
node {
identity {
name
mrn
}
resource
action
timestamp
msg
}
}
pageInfo {
startCursor
endCursor
hasNextPage
}
}
}
For example, to retrieve the audit log entries for an organization that occurred before a specific timestamp, add the following variables to your query. The LT (less than) operator selects entries whose timestamp is earlier than the given value; the timestamp is given in RFC 3339 format, including its UTC offset:
"variables": {
"first": 25,
"resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>",
"timestampFilter": {
"timestamp": "2024-05-06T13:48:33+03:00",
"operator": "LT"
}
}
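The cURL call above fetches one page of at most 25 entries; a real export has to follow pageInfo.endCursor into the after variable until hasNextPage is false, and a review of recent changes usually wants only the privileged actions. The following Python script is an added example, not code from the page or from Mondoo: it walks an organization's audit log with the query shown above, optionally restricted with the LT timestampFilter from the previous section, and picks out the two credential-affecting actions that appear in the page's sample output (SetOrganizationMembership and CreateServiceAccount). The transport is pluggable so the script runs offline against constructed sample data; the fake_transport helper, its cursor and filter semantics, the SAMPLE_EDGES entries beyond the two copied from the page, and the placeholder action name example.Placeholder.ViewSettings are all assumptions made for this example. Replace fake_transport with http_transport and a real API token to run it against the API.

```python
"""Walk a Mondoo organization audit log page by page, optionally only the
entries before a cutoff time, and pick out the privileged actions."""
import json
from datetime import datetime
from typing import Callable, Iterator, Optional
from urllib import request

ENDPOINTS = {  # the two endpoints named on the page
    "us": "https://api.mondoo.com/query",
    "eu": "https://eu.api.mondoo.com/query",
}

# The page's query, with the optional timestampFilter argument included.
AUDIT_LOG_QUERY = """
query AuditLogForwardPagination($first: Int, $after: String,
    $orderBy: AuditLogOrder = {direction: DESC, field: TIMESTAMP},
    $resourceMrn: String!, $timestampFilter: TimestampFilter) {
  auditlog(first: $first, after: $after, orderBy: $orderBy,
           resourceMrn: $resourceMrn, timestampFilter: $timestampFilter) {
    totalCount
    edges { cursor node { identity { name mrn } resource action timestamp msg } }
    pageInfo { startCursor endCursor hasNextPage }
  }
}"""

# Actions seen in the page's sample output; both change who can authenticate.
WATCH_ACTIONS = {
    "mondoo.captain.Captain.SetOrganizationMembership",
    "mondoo.agents.AgentManager.CreateServiceAccount",
}

Transport = Callable[[dict], dict]  # takes the JSON body, returns the JSON reply


def parse_ts(value: str) -> datetime:
    """RFC 3339 as returned by the API ("...Z") to a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def http_transport(token: str, region: str = "us") -> Transport:
    """POST the body with a bearer token, as the page's cURL command does."""
    def send(body: dict) -> dict:
        req = request.Request(ENDPOINTS[region], data=json.dumps(body).encode(),
                              headers={"Authorization": f"Bearer {token}",
                                       "Content-Type": "application/json"})
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def iter_audit_log(send: Transport, org_id: str, page_size: int = 25,
                   before: Optional[str] = None) -> Iterator[dict]:
    """Yield every node newest first, feeding endCursor back as `after`
    until hasNextPage is false. `before` is an RFC 3339 timestamp used with LT."""
    variables = {"first": page_size,
                 "resourceMrn": f"//captain.api.mondoo.app/organizations/{org_id}"}
    if before is not None:  # LT keeps entries strictly earlier than the cutoff
        variables["timestampFilter"] = {"timestamp": before, "operator": "LT"}
    while True:
        reply = send({"query": AUDIT_LOG_QUERY, "variables": variables})
        if reply.get("errors"):  # GraphQL reports failures in-band, often with HTTP 200
            raise RuntimeError(reply["errors"])
        page = reply["data"]["auditlog"]
        for edge in page["edges"]:
            yield edge["node"]
        if not page["pageInfo"]["hasNextPage"]:
            return
        variables["after"] = page["pageInfo"]["endCursor"]


def privileged_events(nodes) -> list:
    """Entries whose action grants membership or creates a service account."""
    return [n for n in nodes if n["action"] in WATCH_ACTIONS]


# Constructed sample data: the two entries from the page's output plus one older,
# unprivileged entry whose action name is a placeholder, not a real Mondoo action.
SAMPLE_EDGES = [
    {"cursor": "172213", "node": {
        "identity": {"name": "Jane Doe", "mrn": "//captain.api.mondoo.app/users/26OR1GOGsqmfjXOOO8joxgJDdtM"},
        "resource": "//agents.api.mondoo.app/organizations/mondoo-organization-1/serviceaccounts/2e3NzLkD73yQe7MTJZLw3",
        "action": "mondoo.agents.AgentManager.CreateServiceAccount",
        "timestamp": "2024-03-22T17:46:03Z", "msg": "created service account"}},
    {"cursor": "143156", "node": {
        "identity": {"name": "John Smith", "mrn": "//captain.api.mondoo.app/users/1zYNjiRERS59LsS8iCloxPxbxLo"},
        "resource": "//captain.api.mondoo.app/users/2AdPauBAGEqnOjIFXx6AIyWrhxh",
        "action": "mondoo.captain.Captain.SetOrganizationMembership",
        "timestamp": "2024-01-30T00:01:04Z", "msg": "owner added"}},
    {"cursor": "120001", "node": {
        "identity": {"name": "John Smith", "mrn": "//captain.api.mondoo.app/users/1zYNjiRERS59LsS8iCloxPxbxLo"},
        "resource": "//captain.api.mondoo.app/organizations/mondoo-organization-1",
        "action": "example.Placeholder.ViewSettings",
        "timestamp": "2023-12-15T09:00:00Z", "msg": "constructed placeholder entry"}},
]


def fake_transport(edges: list) -> Transport:
    """Offline stand-in for the endpoint (assumed semantics): serves edges newest
    first and honors first, after and an LT timestampFilter."""
    ordered = sorted(edges, key=lambda e: parse_ts(e["node"]["timestamp"]), reverse=True)

    def send(body: dict) -> dict:
        v = body["variables"]
        rows = ordered
        if "timestampFilter" in v:
            cutoff = parse_ts(v["timestampFilter"]["timestamp"])
            rows = [e for e in rows if parse_ts(e["node"]["timestamp"]) < cutoff]
        start = 0
        if v.get("after"):  # resume just past the cursor the client last saw
            start = [e["cursor"] for e in rows].index(v["after"]) + 1
        page = rows[start:start + v["first"]]
        return {"data": {"auditlog": {
            "totalCount": len(rows), "edges": page,
            "pageInfo": {"startCursor": page[0]["cursor"] if page else None,
                         "endCursor": page[-1]["cursor"] if page else None,
                         "hasNextPage": start + v["first"] < len(rows)}}}}
    return send


if __name__ == "__main__":
    # Swap fake_transport(...) for http_transport(os.environ["API_TOKEN"], "us") to go live.
    events = list(iter_audit_log(fake_transport(SAMPLE_EDGES), "mondoo-organization-1", page_size=2))
    for e in privileged_events(events):
        print(e["timestamp"], e["identity"]["name"], e["action"], e["msg"])
```

The page size of 2 in the demo forces a second request, which is what exercises the endCursor handoff; with the default of 25 a small log fits on one page and a pagination bug would go unnoticed. Errors are checked on the errors key of the reply rather than on the HTTP status, because GraphQL servers commonly return 200 with an errors array for a bad resourceMrn or an expired token.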