Audit Trail
The Audit Trail panel records security and compliance events for your organization. Navigate to Insights > Audit Trail.
What Gets Audited
NextEpoch automatically records these events:
| Action | Trigger |
|---|---|
user_login | User authenticates via SSO |
login_failed | Authentication failure |
user_created | New user account created via SSO |
member_invited | Team member invitation sent |
member_role_changed | Member role updated (includes old and new role) |
member_removed | Member removed from organization |
credential_created | API credential created |
credential_revoked | API credential revoked |
Audit Entry Fields
Each audit entry contains:
| Field | Description |
|---|---|
received_at | When the event occurred |
action | The audit action (see table above) |
actor_type | Who performed it (user, system) |
actor_id | The actor's ID |
actor_name | The actor's display name |
actor_ip | IP address of the actor |
resource_type | What was affected (user, member, credential) |
resource_id | The affected resource's ID |
resource_name | The affected resource's name |
outcome | success or failure |
reason | Failure reason (if applicable) |
user_agent | Client user agent string |
request_id | Request identifier for correlation |
context_json | Additional metadata as JSON |
Filters
- Time range — Last hour, 24 hours, 7 days, or 30 days
- Action — Filter by specific audit action
- Outcome — Filter by success or failure
Expanded Details
Click an audit entry row to expand it. The expanded view shows the context_json parsed as key-value pairs, which includes action-specific metadata like old and new roles for member_role_changed events.
Querying Audit Data with SQL
For advanced analysis, query the audit table directly via the Insights API:
sql
-- Failed logins in the last 24 hours
SELECT actor_name, actor_ip, received_at, reason
FROM audit
WHERE action = 'login_failed'
AND received_at > NOW() - INTERVAL '24 hours'
ORDER BY received_at DESC
-- Role changes this week
SELECT actor_name, resource_name, context_json, received_at
FROM audit
WHERE action = 'member_role_changed'
AND received_at > NOW() - INTERVAL '7 days'
ORDER BY received_at DESCNext Steps
- Set up credentials for API access
- Configure webhooks for event notifications
- Query audit data with SQL for custom analysis