Audit logs every actions

daniel.castronovo · July 23, 2021, 9:42am

Feature: Audit logs every actions

Description: I would like to list every actions done on web app Auth0 (like modification on setup application, databases, tenant, etc.)

Use-case: Security review, verify if a CRUD (on the web app) on application, databases, tenant, organizations has been created.

dan.woda · July 23, 2021, 9:39pm

Hi @daniel.castronovo,

Welcome to the Auth0 Community!

You should be able to see this type of information in the Monitoring → Logs tab of the dashboard. If you filter by type:"sapi" you should see all the successful management API requests in your tenant (these would be admin-type actions).

Can you tell us more about how your feature would be different? E.G. seperate tabs for authentication events and management events, etc.

Hash562 · July 24, 2021, 8:37am

Audit logs take note of just about every change within a system , providing a complete track record of your system’s operations. Therefore, audit logs are a valuable resource for admins and auditors who want to examine suspicious activity on a network or diagnose and troubleshoot issues.

daniel.castronovo · July 26, 2021, 5:43am

Hello @dan.woda,

Thanks for your reply.

I want to be able to view all actions made by a admin, on web interface.
Possibility to filter by type of actions (like : delete an application, modify the tenant name, etc.)
Because, audit logs is demanded by lot of certifications like pci-dss, iso 27001, etc.

dan.woda · July 26, 2021, 3:08pm

Thanks for providing the extra context.

lee.nave · May 4, 2022, 6:08pm

Our use case: figuring out who edited our application’s list of allowed web origins. As far as I can tell this is not surfaced in the logs, have tried numerous filters including type:"sapi" and I’m just not seeing it.

dan.woda · May 4, 2022, 6:15pm

@lee.nave,

When I update an application’s list of allowed web origins I see the following log:

...
"type": "sapi",
"description": "Update a client",
...
"body": {
        "name": "App Name",
        "web_origins": [
          "https://example.com"
        ],
...
"user_id": "{ADMIN_USER_ID}"

This info should help you determine when this action was taken, what happened, and by whom the action was taken.

lee.nave · May 4, 2022, 6:19pm

Thanks! It was buried in with all the “Update a user” logs. This query is finding them: type:"sapi" AND description:"Update a client"

wim.provoost · May 4, 2022, 8:04pm

I would like to have this also. I need this for auditing purposes ISO 27001. I need to be able to download a (cvv) log of what admins have done (eg resetting a user his passwd or MFA device)