TATER Activity Log & Audit Trail
Every create, update, and delete action in TATER is automatically recorded in the Activity Log. This tamper-evident audit trail captures who did what, when, and exactly what changed — providing the evidence auditors need to verify that your compliance program is operating as documented.
Accessing the Activity Log
Navigate to Admin > Activity Log in the sidebar. This page is accessible to users with the Admin (OrgAdmin) role or higher within the current organization. Auditor-level users can view the log but cannot filter by user or export raw records.
The Activity Log shows records for the currently selected organization only. SuperAdmins can switch organizations using the organization selector in the topbar and then view the log for each one. Cross-organization audit queries require direct Cosmos DB access.
What Gets Logged
Every API write operation in TATER is automatically logged. The following entity types generate audit records:
| Entity Type | Actions Logged |
|---|---|
| Scan | Create (upload or trigger), Delete |
| Override | Create, Update (status, expiry, justification), Delete |
| Control (V2) | Create, Update (threshold, mappings, title), Delete |
| Catalog Item | Create, Update, Delete, Bulk import |
| Assignment | Create (single or bulk), Update (status, due date), Delete |
| Comment | Create, Update, Delete |
| Person | Create, Update, Delete |
| Policy | Create, Update (content, variables), Delete |
| Organization | Create, Update (name, settings, MSP toggle), Delete |
| User | Create (first login), Update (role change) |
| API Key | Create (prefix only — secret never logged), Delete |
| Framework | Create, Update, Delete |
| Standard | Create, Update, Delete |
| Compliance Zone (AppDef) | Create, Update, Delete |
| Settings | Update (branding, SIEM config, scan schedule, features) |
| Remediation | Create (trigger), Status update (runbook callback) |
| Risk | Create, Update, Delete |
| Exception | Create, Update (approval, expiry), Delete |
| Audit | Create, Update (findings, evidence), Delete |
| Training Campaign | Create, Update, Delete |
| Control Test | Create, Update (results), Delete |
| BCP/DR Plan | Create, Update, Delete |
| Data Classification | Create, Update, Delete |
| Regulatory Change | Create, Update, Delete |
The Activity Log records only write operations (create, update, delete). Read-only operations such as viewing a scan result, loading the dashboard, or generating a report do not create audit records. Usage analytics (pageviews) are tracked separately in the Usage Analytics dashboard (SuperAdmin only).
Understanding a Log Entry
Each Activity Log entry contains the following fields:
| Field | Description |
|---|---|
| Timestamp | ISO 8601 date and time the operation occurred, in UTC. Displayed in the browser's local timezone in the UI. |
| Actor | The user who performed the action. Shown as display name with email in parentheses. Runbook operations show the API key prefix (e.g., apikey:abc12345). AI Analyst actions show ai-analyst as the source tag. |
| Action | One of: Create, Update, or Delete. |
| Entity Type | The type of record affected (e.g., "Override", "Control", "Scan"). |
| Entity ID | The unique ID of the affected record. Click this to navigate directly to the record if it still exists. |
| Delta | For Update actions, a before/after comparison of every field that changed. Unchanged fields are omitted. See Delta Records below. |
| Organization | The organization ID under which the action was taken. |
| IP Address | The client IP address from the request, extracted from the rightmost non-proxy IP in the X-Forwarded-For header. |
| Source | Optional tag identifying automated or AI-generated records: ai-analyst or evidence-agent. Human-created records have no source tag. |
Delta Records (Before/After Changes)
When a record is updated, the Activity Log computes and stores the exact set of fields that changed, along with the old and new values. This delta is displayed inline in the log entry as a side-by-side comparison.
Example: If an Override's expiry date is extended from 2026-06-01 to 2026-12-31 and its justification is updated, the delta shows:
{
"expiryDate": {
"before": "2026-06-01",
"after": "2026-12-31"
},
"justification": {
"before": "Vendor patch delayed.",
"after": "Vendor patch delayed. Compensating control: additional monitoring enabled."
}
}Sensitive fields such as API key secrets, client secrets, and encrypted credentials are never included in delta records, even partially. Only the field name is recorded for these, noting that a change occurred.
Delta records are particularly useful for demonstrating to auditors that a risk acceptance was not silently modified after approval. The log shows the exact moment the justification was written and whether it was changed afterward, and by whom.
Filtering and Searching
The Activity Log provides several ways to narrow results:
Filter by Entity Type
Use the Entity Type dropdown to show only records for a specific type of record (e.g., show only Override changes, or only Scan events). The dropdown lists all entity types that have at least one log entry for the current organization.
Filter by Action
Use the Action dropdown to filter to Create, Update, or Delete operations independently. Selecting "Delete" is useful for accountability reviews — you can quickly see what records have been removed and by whom.
Filter by User
Type a partial name, email address, or user OID in the User field to show only activity from a specific actor. This is useful during a security investigation or to review a specific team member's recent activity.
Filter by Date Range
Set a Start Date and/or End Date to limit results to a specific time window. For example, use a date range to show all activity during the period covered by an audit (e.g., January 1 – March 31). Dates are interpreted in your browser's local timezone.
Free Text Search
The search bar performs a full-text match against entity IDs, user names, and action types. Use this to locate a specific record by its ID (e.g., paste an override ID to find when it was created and last modified).
Stacking Filters
All filters stack — you can combine entity type, action, user, and date range simultaneously. For example: Entity Type = Override, Action = Update, Date = last 90 days shows all risk acceptance modifications in the past quarter.
AI-Tagged and Automated Records
TATER distinguishes between actions taken by human users and those performed by automated processes.
AI Analyst Records
When the AI Compliance Analyst creates a risk acceptance, adds an evidence comment, or assigns a control, the resulting Activity Log entry is tagged with source: "ai-analyst". The actor field shows the authenticated user who initiated the AI session, but the source tag makes clear that the specific action was performed by the AI on the user's behalf.
This distinction matters for audits: if an auditor questions whether a risk acceptance was thoroughly reviewed by a human, you can point to the timestamp of the AI action and confirm whether human review followed.
Evidence Agent Records
When the Evidence Agent automatically collects screenshots and posts them as control evidence comments, those records are tagged with source: "evidence-agent". This lets auditors distinguish machine-collected evidence from human-written evidence notes.
Runbook Records
When Azure Automation runbooks upload scan results or update remediation job status via API key authentication, the actor field shows the API key prefix (e.g., apikey:abc12345) rather than a user's name. This confirms that the action was performed by an automated system, not a human user.
To see only human-initiated actions (excluding AI and runbook activity), filter the User field by searching for the specific team members you want to audit. Records from apikey: prefixed actors or ai-analyst source will be excluded from name-filtered results.
SIEM Forwarding
Audit events can be forwarded in real-time to your SIEM or log aggregation platform as they are created. TATER supports two forwarding methods:
Syslog (CEF Format)
TATER sends audit events over syslog using RFC 5424 format with a CEF (Common Event Format) payload. This is compatible with Splunk, Microsoft Sentinel, IBM QRadar, and most other enterprise SIEMs.
Configure syslog forwarding in Settings > SIEM:
| Field | Description |
|---|---|
| Host | Syslog collector hostname or IP address |
| Port | Syslog port (default: 514 for UDP, 6514 for TLS) |
| Protocol | UDP or TCP |
| Facility | Syslog facility code (default: 16, Local0) |
| Severity | Minimum severity to forward (default: Informational) |
Webhook (HMAC-Signed JSON)
TATER can POST audit events as JSON payloads to a webhook URL. Each request is signed with an HMAC-SHA256 signature in the X-TATER-Signature: sha256=... header so your receiver can verify authenticity.
Configure webhook forwarding in Settings > SIEM:
| Field | Description |
|---|---|
| Webhook URL | HTTPS endpoint that will receive POST requests with audit event payloads |
| Secret | Shared secret used to sign the HMAC payload. Store this in your receiver and validate each request. |
| Auth Header | Optional custom Authorization header value (e.g., Bearer token) added to each outbound request. Stored encrypted at rest. |
To verify the HMAC signature in your webhook receiver:
const crypto = require('crypto');
function verifyTaterSignature(payload, secret, signatureHeader) {
const expected = 'sha256=' + crypto
.createHmac('sha256', secret)
.update(payload, 'utf8')
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signatureHeader)
);
}Testing SIEM Configuration
After configuring either syslog or webhook forwarding, click Send Test Event in Settings > SIEM. TATER sends a sample audit event immediately. Check your SIEM or webhook receiver to confirm it arrived and was parsed correctly before relying on production forwarding.
TATER enforces SSRF protection on webhook URLs. Plain HTTP endpoints, private IP ranges, RFC 1918 addresses, and loopback addresses are rejected. The URL must resolve to a publicly routable HTTPS endpoint.
Using the Activity Log During Audits
The Activity Log is most valuable when you need to demonstrate to an auditor that a specific compliance-related action was taken, by an authorized person, at a specific time.
Risk Acceptance Evidence
When a control is marked as an accepted risk (Override), the auditor may want to know:
- Who created the risk acceptance and when?
- Was the justification entered at the time of creation, or added later?
- Has the acceptance been modified since it was first created?
- Who approved the risk acceptance?
Filter the Activity Log by Entity Type = Override, Entity ID = [the override's ID] to see the complete lifecycle of a specific risk acceptance — creation, any updates to the justification or expiry, and the identity of whoever made each change.
Remediation Evidence
When a failing control has been remediated, auditors need to verify that the remediation was performed and by whom. Filter by Entity Type = Remediation to see all triggered remediations, including the actor who triggered them, the timestamp, and the runbook callback status updates.
Assignment Evidence
Control assignments (linking a control to a team member with a due date) appear in the log as Assignment Create and Update events. Use these to demonstrate that accountability was formally assigned for each failing control.
Exporting Records for Auditors
The Activity Log does not currently offer a one-click CSV export from the UI. To provide audit evidence, use one of these approaches:
- SIEM export: If SIEM forwarding was configured, query your SIEM for the relevant date range and entity types and export from there. This is the recommended path for formal audit packages.
- Screenshot the filtered view: For individual records, filter the log and use the browser's print dialog (Ctrl+P) to produce a PDF of the filtered results.
- API access: Authenticated API requests to
GET /api/audit-logreturn JSON records that can be piped into a reporting script. Pass query parameters:entityType,action,actorEmail,startDate,endDate.
Retention and Storage
Activity Log entries are stored in the AuditLog Cosmos DB container. Unlike Usage Telemetry (which auto-expires after 90 days), audit log entries have no automatic expiry (TTL). Records are retained indefinitely unless manually deleted by a SuperAdmin with direct Cosmos DB access.
For long-term retention strategies, consider:
- SIEM forwarding: Forward events in real-time to a SIEM with configurable retention (e.g., Microsoft Sentinel, Splunk). The SIEM becomes the authoritative long-term store for audit records.
- Cosmos DB continuous backup: Azure Cosmos DB supports point-in-time restore for up to 30 days on accounts with continuous backup enabled. For longer retention, configure periodic exports to Azure Storage.
- Cosmos DB analytical store: Enable the Cosmos analytical store and query via Azure Synapse for historical reporting without impacting transactional performance.
High-volume activity (frequent scans, bulk catalog updates, large teams) will generate substantial audit log volume over time. Monitor your Cosmos DB storage in the Azure portal and set up a cost alert if needed. SIEM forwarding with Cosmos-side retention limits can reduce storage costs while preserving the audit record.
Troubleshooting
The audit log is written fire-and-forget — a failure in log writing never blocks the primary operation. Check that the AuditLog Cosmos DB container exists and that the API Function App has write access. Container auto-creation occurs on first write, so if this is a fresh deployment, perform any write operation to trigger container creation, then retry.
Use the Send Test Event button in Settings > SIEM after saving your configuration. For syslog, confirm the port is open and accessible from the API Function App's outbound IP addresses. For webhooks, confirm the endpoint returns HTTP 200 within 5 seconds — TATER does not retry on timeout. Check that the webhook URL is a publicly routable HTTPS address (private IPs are blocked by SSRF protection).
Verify that you are computing the HMAC over the raw request body bytes, not over a parsed/re-serialized JSON object. JSON serialization order can change field ordering, producing a different signature. Use the raw body buffer exactly as received. Also confirm that the shared secret in your receiver matches the secret configured in Settings > SIEM exactly, including case.
This occurs when an API key is used for authentication but the key's record in Cosmos has been deleted. The system still validates the key hash but cannot resolve the display name. To prevent this, do not delete API keys that are still in use by active runbooks or integrations. Rotate keys rather than deleting them.
Was this page helpful?