Admin
Audit log
The audit log is a tamper-evident record of every security-relevant action in your workspace — who did what, when, and to which resource. Use it to investigate a change, satisfy an auditor, or stream activity into your own security tooling.
What it's for
- Investigate — trace exactly what happened around a change or an incident.
- Prove accountability — show an auditor a complete, tamper-evident history.
- Forward and retain — stream events to your SIEM and generate compliance evidence.
The screens in it
There are two views, switched with the tabs under the page title:
- Logs — the searchable event stream everyone with access can read.
- Admin Settings — delivery, integrity, exports, and compliance tooling, shown to administrators who can manage audit configuration.
The Logs view
Header actions
| Control | What it does |
|---|---|
| Refresh | Re-pulls the latest events for your current filters. |
| Live | Toggles a live tail — new events stream in as they happen. It's off by default so the list you're reading doesn't change under you. |
| Export | Opens the export dialog to download the events matching your current filters. |
Finding events
| Control | What it does |
|---|---|
| KPI stats bar | A quick summary of activity for the current view. |
| Search | Free-text search across events. |
| Time range | Limits events to a chosen window. |
| Attribute filters | Narrow by attributes such as category, module, outcome, severity, and who performed the action. Reset clears them all. |
| Timeline | A histogram of event volume over the selected range, so bursts are easy to spot. |
Reading events
The event list shows one row per action. A burst of related actions collapses into a single expandable activity, while standalone actions appear as plain rows. Click an event to open a detail panel on the right with its full information; close it with the ✕. When you're viewing a single activity, a banner offers a Clear button to return to the full list.
The Admin Settings view
Administrators who can manage audit configuration get four tabs:
| Tab | What it does |
|---|---|
| SIEM | Configure forwarding of audit events to your security tooling, send a test delivery, and review a delivery log of what was sent and whether it succeeded. |
| Chain | Verify the cryptographic integrity of the log, confirming it hasn't been tampered with. |
| Exports | Manage export jobs that package events for download. |
| Compliance | Generate evidence reports for audits and reviews. |
Common workflows
Workflow: investigate what happened to a resource
-
Open the Logs view and enter what you're looking for in Search, or set the attribute filters (for example a category or a person).
-
Narrow the time range to the window you care about.
Step 1 — filtering to the relevant activity -
Click an event to open its detail panel and read the full record. If the event is part of a burst, expand the activity to see everything that happened together.
Workflow: forward audit events to your SIEM
-
Open Admin Settings and go to the SIEM tab.
-
Enter your delivery configuration, then use Test Connection to confirm ThreatWeaver can reach your system.
Step 1 — configuring and testing SIEM delivery -
Watch the delivery log to confirm events are being delivered successfully.
Workflow: export events for an auditor
- In the Logs view, set the filters and time range so the list shows exactly the events you need.
- Click Export and complete the dialog to download them.