title: Audit Logging & Change Tracking
category: Security
tags: audit, logging, change-tracking, compliance, evidence
priority: Normal
Audit Logging & Change Tracking
IdentityCenter maintains a comprehensive audit trail of every action taken in the system. The Audit page at Administration > Audit (/admin/audit) is your central hub for reviewing, searching, and exporting these records. For organizations subject to regulatory compliance, this audit trail serves as critical evidence during audits.
What Gets Audited
IdentityCenter captures a wide range of events across all system modules. Every audited action records who performed it, when, from where, and what changed.
Audit Categories
| Category | Events Captured |
|---|---|
| User Management | Create, update, delete, enable, disable user accounts |
| Group Modifications | Add/remove members, create/delete groups, modify group properties |
| Permission Changes | Role assignments, role revocations, scope changes |
| Policy Operations | Policy creation, modification, deletion, enforcement actions |
| Workflow Decisions | Approval, denial, delegation, escalation of workflow requests |
| Sync Operations | Sync project executions, step completions, object imports, failures |
| Configuration Changes | Settings modifications, connection changes, provider updates |
| Authentication Events | Login success, login failure, logout, MFA verification, SSO events |
| Data Access | Report generation, data export, bulk operations, API queries |
| Object Write-Back | Field updates, enable/disable, manager changes written to Active Directory |
| Access Reviews | Campaign creation, reviewer decisions, certification completions |
| Lifecycle Events | Joiner/mover/leaver workflow triggers, automated actions |
The ChangeAuditLog Model
At the heart of the audit system is the ChangeAuditLog model, which captures granular before-and-after values for every attribute change. When a field is modified, the audit log records:
| Field | Description |
|---|---|
| Timestamp | Exact date and time of the change (UTC) |
| User | Who made the change (username and user ID) |
| Action | The type of operation (Create, Update, Delete, Enable, Disable, etc.) |
| Entity Type | What kind of object was changed (User, Group, Policy, Setting, etc.) |
| Entity ID | The unique identifier of the changed object |
| Property Name | The specific field that changed |
| Old Value | The value before the change |
| New Value | The value after the change |
| Source | Where the change originated (Web UI, API, Sync, Lifecycle, System) |
| IP Address | The IP address of the client that initiated the change |
This level of detail means you can answer questions like "Who changed John Smith's department from Finance to IT, when, and from what workstation?" with a single audit log search.
Searching and Filtering Audit Logs
The Audit page provides powerful search and filtering capabilities:
Filter Options
| Filter | Description | Example |
|---|---|---|
| Date Range | Start and end date for the search window | Last 7 days, Last 30 days, Custom range |
| User | The user who performed the action | "admin@example.com" |
| Action | The type of operation | Create, Update, Delete, Login, etc. |
| Entity Type | The type of object affected | User, Group, Policy, Connection |
| Entity Name | Search by the name of the affected object | "john.smith", "Domain Admins" |
| Source | Where the action originated | Web UI, API, Sync, System |
| Keyword | Free-text search across all audit fields | "password", "admin", "disabled" |
Common Search Scenarios
Who modified a specific user?
- Filter by Entity Type = "User" and Entity Name = the username
- Review all changes with before/after values
What did an administrator do during a specific time window?
- Filter by User = the admin's username and set the Date Range
- Review all actions in chronological order
Were any security settings changed recently?
- Filter by Entity Type = "Setting" and Action = "Update"
- Review changes to security-related configuration
Which accounts were disabled in the last month?
- Filter by Action = "Disable" and Entity Type = "User"
- Set Date Range to last 30 days
Audit Log Services
The audit system is powered by two core services:
| Service | Responsibility |
|---|---|
| IAuditLogService | Records audit events from across the application; provides the write interface |
| IAuditRepository | Reads and queries audit data; handles search, filtering, and pagination |
These services are used internally by all modules. When the IObjectWriteBackService updates a field in Active Directory, the audit log captures the change automatically. When a workflow approval is submitted, the decision and reasoning are logged. No module bypasses the audit system.
Exporting Audit Logs
For compliance evidence and external analysis, export audit logs in multiple formats:
- Navigate to Administration > Audit
- Apply your desired filters (date range, user, action type, etc.)
- Click Export
- Select the output format:
| Format | Best For |
|---|---|
| CSV | Spreadsheet analysis, SIEM import, archival |
| Compliance evidence packages, management reports | |
| JSON | Programmatic processing, API-based SIEM integration |
Tip: For compliance audits, export the specific date range and categories relevant to the audit scope. Include the filter criteria in your evidence package to demonstrate that the export is complete and unaltered.
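One way to bind the filter criteria to an exported file, as the tip above recommends. This is an added example, not IdentityCenter code: the CSV header, the filter key names and the sample rows are constructed assumptions based on the ChangeAuditLog fields listed on this page.

```python
import csv
import hashlib
import io

# Constructed CSV export. Column names follow the ChangeAuditLog fields on
# this page; the real export header is an assumption.
EXPORT = (
    "Timestamp,User,Action,EntityType,EntityId,PropertyName,OldValue,NewValue,Source,IPAddress\n"
    "2024-03-04T09:12:00Z,admin,Disable,User,j.smith,Enabled,True,False,Web UI,10.0.0.5\n"
    "2024-03-18T14:02:11Z,svc-sync,Disable,User,a.jones,Enabled,True,False,Sync,10.0.0.9\n"
).encode("utf-8")

# The filter criteria applied on the Audit page before clicking Export.
FILTERS = {"Action": "Disable", "EntityType": "User",
           "from": "2024-03-01T00:00:00Z", "to": "2024-03-31T23:59:59Z"}

def read_rows(export_bytes):
    return list(csv.DictReader(io.StringIO(export_bytes.decode("utf-8"))))

def build_manifest(export_bytes, filters):
    """Record what was exported: filters, row count, and a SHA-256 digest."""
    return {"filters": dict(filters),
            "record_count": len(read_rows(export_bytes)),
            "sha256": hashlib.sha256(export_bytes).hexdigest()}

def verify(export_bytes, manifest):
    """Return a list of problems; an empty list means the file matches."""
    problems = []
    if hashlib.sha256(export_bytes).hexdigest() != manifest["sha256"]:
        problems.append("sha256 mismatch")
    rows = read_rows(export_bytes)
    if len(rows) != manifest["record_count"]:
        problems.append("record count mismatch")
    f = manifest["filters"]
    for n, row in enumerate(rows, start=1):
        # Same-format UTC ISO 8601 strings sort chronologically as text.
        in_range = f["from"] <= row["Timestamp"] <= f["to"]
        if not (in_range and row["Action"] == f["Action"]
                and row["EntityType"] == f["EntityType"]):
            problems.append(f"row {n} outside stated filters")
    return problems

if __name__ == "__main__":
    manifest = build_manifest(EXPORT, FILTERS)
    print(manifest["sha256"], verify(EXPORT, manifest))
```

Store the manifest separately from the export, or sign it; anyone who can edit both files can recompute the digest.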
Audit Log Retention
Configure how long audit logs are retained through Logging Settings:
- Navigate to Administration > Settings > Logging
- Set the Audit Log Retention Period
Recommended Retention Periods
| Compliance Framework | Minimum Retention | Recommended Retention |
|---|---|---|
| SOX (Sarbanes-Oxley) | 7 years | 7 years |
| HIPAA | 6 years | 7 years |
| PCI-DSS | 1 year | 3 years |
| GDPR | As long as necessary | 2-3 years (balance with data minimization) |
| SOC 2 | 1 year | 3 years |
| No specific requirement | 1 year | 2 years |
Important: Once audit logs are purged after the retention period, they cannot be recovered. If you need longer retention, export logs to an external archive before they expire.
Integration with Compliance Reporting
Audit logs feed directly into IdentityCenter's compliance reporting features:
- Access Review Evidence — Audit logs document every reviewer decision, including approvals, denials, and the reasoning provided
- Policy Violation History — Track when violations were detected, who was notified, and what remediation actions were taken
- Change Management — Demonstrate that all changes to privileged access followed your change management process
- Segregation of Duties — Prove that no single person both requested and approved a change
When generating compliance reports, IdentityCenter pulls relevant audit data automatically. See the Dashboard & Reporting article for details on available reports.
Real-Time Audit Monitoring
For security operations teams, consider these real-time monitoring strategies:
Events to Monitor Daily
- Failed login attempts (especially repeated failures for the same account)
- MFA resets and new MFA enrollments
- Administrator role assignments
- Changes to identity provider configurations
- API key creation and revocation
- Sync failures (could indicate connectivity or credential issues)
Events to Monitor Weekly
- All configuration changes
- Bulk operations (large-scale user modifications)
- Export operations (potential data exfiltration)
- Changes to audit log settings (attempts to cover tracks)
SIEM Integration
Forward audit data to your SIEM platform for centralized monitoring:
- Use IdentityCenter's REST API to periodically pull audit logs
- Or configure webhook notifications for critical events
- Set up correlation rules in your SIEM for identity-related alerts
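A sketch of correlation logic for three of the watch items above (repeated login failures for one account, administrator role assignments, changes to audit log settings), run over records pulled from the audit log. This is an added example, not IdentityCenter code: the record key names, the `LoginFailure` action value, the `Role` and `AuditLogRetentionDays` property names, the threshold and the window are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records. Keys mirror the ChangeAuditLog fields on this
# page; the key spelling and the action/property values are assumptions.
def rec(ts, user, action, etype, entity, prop="", old="", new="", ip="10.0.0.5"):
    return {"timestamp": ts, "user": user, "action": action, "entityType": etype,
            "entityId": entity, "propertyName": prop, "oldValue": old,
            "newValue": new, "source": "Web UI", "ipAddress": ip}

SAMPLE = [
    rec("2024-05-01T08:00:05Z", "j.smith", "LoginFailure", "User", "j.smith", ip="203.0.113.7"),
    rec("2024-05-01T08:00:40Z", "j.smith", "LoginFailure", "User", "j.smith", ip="203.0.113.7"),
    rec("2024-05-01T08:01:10Z", "j.smith", "LoginFailure", "User", "j.smith", ip="203.0.113.7"),
    rec("2024-05-01T09:15:00Z", "a.jones", "LoginFailure", "User", "a.jones"),
    rec("2024-05-01T10:30:00Z", "admin", "Update", "User", "b.lee", "Role", "Helpdesk", "Administrator"),
    rec("2024-05-01T10:31:00Z", "admin", "Update", "Setting", "Logging", "AuditLogRetentionDays", "365", "1"),
    rec("2024-05-01T11:00:00Z", "admin", "Update", "User", "c.wu", "Department", "Finance", "IT"),
]

WINDOW = timedelta(minutes=10)   # assumed correlation window
THRESHOLD = 3                    # assumed failures-per-window threshold

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect(records):
    """Return (rule, actor, detail) alerts for the watch items above."""
    alerts, failures = [], {}
    for r in sorted(records, key=lambda x: parse_ts(x["timestamp"])):
        ts = parse_ts(r["timestamp"])
        if r["action"] == "LoginFailure":
            # Sliding window per account: keep only failures inside WINDOW.
            recent = [t for t in failures.get(r["entityId"], []) if ts - t <= WINDOW]
            recent.append(ts)
            failures[r["entityId"]] = recent
            if len(recent) == THRESHOLD:   # alert once when the threshold is reached
                alerts.append(("repeated-login-failure", r["entityId"], r["ipAddress"]))
        elif r["entityType"] == "Setting" and "audit" in r["propertyName"].lower():
            alerts.append(("audit-setting-changed", r["user"],
                           f'{r["propertyName"]}: {r["oldValue"]} -> {r["newValue"]}'))
        elif r["propertyName"] == "Role" and r["newValue"] == "Administrator":
            alerts.append(("admin-role-assigned", r["user"], r["entityId"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```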
Best Practices
- Set appropriate retention — Match your compliance requirements; when in doubt, retain longer
- Export regularly — Do not rely solely on in-application retention; export monthly to a secure archive
- Review security events daily — Failed logins, MFA resets, and config changes need prompt attention
- Protect audit log integrity — Restrict who can access and export audit logs; access to audit logs is itself audited
- Include audit evidence in compliance packages — Pre-built exports save significant time during audits
- Use filters effectively — Narrow searches to find relevant events quickly rather than scrolling through all records
- Monitor for audit log tampering — Any changes to audit settings should trigger an immediate alert
- Train your team — Ensure all administrators understand what gets audited and how to search the logs
Next Steps
- Identity Providers & SSO — Audit authentication configuration
- Multi-Factor Authentication — Secure access to audit data
- API Key Management — Programmatic access for SIEM integration
- Dashboard & Reporting — Compliance reports powered by audit data
- Using the AI Chat — Query audit data with natural language