Audit Log

The workspace audit log provides a complete, tamper-evident record of all significant actions taken within a workspace. Every change -- from creating an asset to viewing a credential -- is logged with the user who performed it, the timestamp, and the IP address from which the action originated.

How It Works

Every workspace in Hawkra maintains its own audit log. When a user performs an action that modifies data or accesses sensitive information, Hawkra automatically records an entry containing:

Who -- The user who performed the action (user ID and email).
What -- The action type and the resource affected.
When -- The exact timestamp of the action.
Where -- The IP address from which the request was made.
Details -- Additional context where applicable (e.g., the name of the resource, a description of the change).

Audit log entries are immutable -- they cannot be edited or deleted by any user, including the workspace owner. All workspace members (Owner, Editor, Remediation Analyst, and Viewer) can view the audit log.

What Actions Are Logged

Hawkra logs a comprehensive set of actions across all workspace features:

Workspace Management

Action	Description
`workspace.create`	A new workspace was created.
`workspace.update`	Workspace settings were modified (name, description, status, dates).
`workspace.delete`	The workspace was deleted.
`workspace.rotate_encryption_key`	An encryption key rotation was initiated.
`dashboard_layout.update`	The workspace dashboard layout was saved.

Team and Invitations

Action	Description
`invitation.create`	A team member invitation was sent.
`invitation.accept`	An invitation was accepted.
`invitation.decline`	An invitation was declined.
`invitation.cancel`	A pending invitation was cancelled.
`member.role_change`	A member's role was changed.
`member.remove`	A member was removed from the workspace.

Assets, Networks, and Ports

Action	Description
`asset.create`	A new asset was added.
`asset.update`	An asset was modified.
`asset.delete`	An asset was deleted.
`asset.import_mac_data`	MAC address data was imported for assets.
`network.create`	A new network was created.
`network.update`	A network was modified.
`network.delete`	A network was deleted.
`port.create`	A new port was added to an asset.
`port.update`	A port was modified.
`port.delete`	A port was deleted.

Vulnerabilities

Action	Description
`vulnerability.create`	A new vulnerability was created.
`vulnerability.update`	A vulnerability was modified.
`vulnerability.delete`	A vulnerability was deleted.
`vulnerability.created_from_library`	A vulnerability was created from the shared library.
`vulnerability.saved_to_library`	A vulnerability was saved to the shared library.
`vulnerability_asset.link`	A vulnerability was linked to an asset.
`vulnerability_asset.unlink`	A vulnerability was unlinked from an asset.
`vulnerability_asset.status_change`	The status of a vulnerability-asset link was changed.

Sensitive Data Access

Action	Description
`credential.view_sensitive`	A user viewed the decrypted value of a credential. This is logged as sensitive access.
`credential.create`	A new credential was stored.
`credential.update`	A credential was modified.
`credential.delete`	A credential was deleted.

Scans and Imports

Action	Description
`scan.create`	A new scan was initiated.
`scan.cancel`	A running scan was cancelled.
`scan.delete`	Scan results were deleted.
`import.create`	Scan data was imported (e.g., Nessus, Nmap files).

Compliance

Action	Description
`compliance.select_framework`	A compliance framework was selected for the workspace.
`compliance.deselect_framework`	A compliance framework was deselected.
`compliance.update_response`	A compliance control response was updated.
`compliance.add_evidence`	Evidence was attached to a compliance control.
`compliance.delete_evidence`	Evidence was removed from a compliance control.
`compliance.auto_populate`	Compliance controls were auto-populated from workspace data.

Reports, Exports, and Documents

Action	Description
`report.generate`	A report was generated.
`export.assets`	Asset data was exported.
`export.vulnerabilities`	Vulnerability data was exported.
`export.compliance`	Compliance data was exported.
`document.create`	A document was created.
`document.update`	A document was modified.
`document.delete`	A document was deleted.
`file.upload`	A file was uploaded.
`file.delete`	A file was deleted.

Remediation

Action	Description
`remediation.assign`	A vulnerability was assigned for remediation.
`remediation.unassign`	A remediation assignment was removed.
`remediation.comment`	A comment was added to a remediation task.

Other

Action	Description
`note.create`	A note was created.
`note.update`	A note was modified.
`note.delete`	A note was deleted.
`agent.deploy`	A scan agent was deployed.
`agent.approve`	A scan agent was approved.
`agent.revoke`	A scan agent was revoked.
`agent.delete`	A scan agent was deleted.
`agent_task.create`	A task was assigned to a scan agent.
`agent_task.cancel`	An agent task was cancelled.
`agent_task.delete`	An agent task was deleted.
`ai.message`	An AI assistant message was sent.
`proof.create`	A proof of finding was created.
`proof.update`	A proof of finding was modified.
`proof.delete`	A proof of finding was deleted.

Sensitive Access Logging

Credential views are logged as sensitive access events (credential.view_sensitive). Every time a user decrypts and views a stored credential, it is recorded with their identity and IP address. This provides a clear chain of custody for sensitive data.

Key Actions

Viewing the Audit Log

Navigate to the workspace.
Open the Audit Log section (or view the Audit Log widget on the dashboard).
Browse the paginated list of events, showing the most recent actions first.

Each entry displays the user's email, the action performed, the resource type and ID, any additional details, the originating IP address, and the timestamp.

Pagination

The audit log is paginated with a default of 50 entries per page (up to 100). Use the page controls to navigate through the history.

Tips and Notes

Using the Audit Log for Compliance

The audit log serves as evidence for compliance frameworks that require proof of access controls and change management. You can reference audit log entries to demonstrate who accessed what data and when, which is valuable for SOC 2, ISO 27001, PCI DSS, and similar standards. Export your workspace's compliance data to include audit trail evidence in your compliance reports.

Immutable records -- Audit log entries cannot be modified or deleted by any user. They are a trustworthy record of what happened.
All roles can view -- Every workspace member, regardless of role, can view the audit log. This transparency helps teams maintain accountability.
IP address tracking -- Each action records the IP address it originated from, which helps identify unauthorized access or unusual activity.
Dashboard widget -- You can add the Audit Log widget to your workspace dashboard for quick access to recent activity without leaving the overview page.

How It Works​

What Actions Are Logged​

Workspace Management​

Team and Invitations​

Assets, Networks, and Ports​

Vulnerabilities​

Sensitive Data Access​

Scans and Imports​

Compliance​

Reports, Exports, and Documents​

Remediation​

Other​

Key Actions​

Viewing the Audit Log​

Pagination​

Tips and Notes​