Audit Logs
The Audit Logs view provides a detailed trail of all user actions within your ShadowMap organization. Every significant action is recorded with who performed it, what they did, from which IP address, and when.
Overview
The page displays audit events in a table with four columns. Events are paginated with Prev/Next navigation showing the current page number and total pages. An action type filter in the header lets you narrow the view to specific event categories.
Table Columns
| Column | Description |
|---|---|
| Member | The user who performed the action, shown with their avatar, name, and a note describing what they did |
| Action | The event type badge (e.g., "login", "status_change", "settings_update") |
| IP Address | The IP address from which the action was performed. Useful for identifying unusual access patterns or unauthorized locations. |
| Time | When the action occurred, shown as both a formatted date and a relative time (e.g., "2 hours ago") |
Action Types Logged
ShadowMap logs the following categories of events:
| Category | Example Actions |
|---|---|
| Authentication | User login, logout, failed login attempts, 2FA verification |
| Finding management | Status changes (open, investigating, resolved, false positive), assignment changes |
| Configuration | Settings updates, integration changes, SLA policy modifications |
| Team management | Team creation, member added/removed, team renamed or deleted |
| Member management | User invited, role changed, account deactivated, 2FA reset |
| Reports | Report generation, report downloads |
| Exports | Data exports from any module |
| Takedowns | Takedown requests submitted, status updates |
Filtering
Use the Action dropdown filter in the page header to narrow the log to a specific event type. The dropdown lists all distinct action types that have been recorded, allowing you to focus on:
- Login activity only (security review)
- Configuration changes (change tracking)
- Finding status updates (workflow audit)
- Any other specific event type
Select "Any Action" to reset the filter and show all events.
Use Cases
- Security incident investigation -- Trace which users accessed the system, from which IPs, and what actions they took during a specific time period
- Compliance auditing -- Demonstrate to auditors that all configuration changes and data access are logged and attributable
- Change tracking -- Review who modified settings, policies, or integrations and when
- User activity monitoring -- Verify that deactivated accounts have no post-deactivation activity
- Anomaly detection -- Identify logins from unusual IP addresses or unexpected geographic locations
Retention
Audit logs are retained according to your organization's data retention policy. Contact your ShadowMap administrator if you need logs beyond the displayed retention period.