--- title: "Audit - Workshop Docs" description: "Audit - Enterprise control plane for Santa. Manage rules, approvals, telemetry, and policies across your macOS fleet." doc_version: "1" last_updated: "2026-05-22" canonical: "https://northpole.security/docs/workshop/audit" --- # Audit Every change made to Workshop, whether by UI or API, is recorded in the audit logging system. This provides a complete record of all actions taken in your Workshop deployment for security, compliance, and debugging purposes. ## Event Types Audit events are categorized by the type of resource or action being performed. Each event includes: - **ID**: A unique identifier for the event - **Transaction ID**: Links related events together (e.g., a vote that triggers rule creation) - **Timestamp**: When the event occurred - **Actor**: Who initiated the action (user, API key, host, or system) - **Event Type**: The specific action performed - **Resource**: The identifier of the affected resource - **Outcome**: Whether the action succeeded, failed, or was rejected - **Details**: Additional context about the event (often includes JSON data) - **Previous Value**: For update operations, the state before the change ### Example Event Types Here are some common audit events tracked by Workshop: **API Keys** - `APIKEY_CREATE`: A new API key was created - `APIKEY_DELETE`: An API key was deleted **Rules** - `RULE_UPSERT`: A rule was created or updated - `RULE_DELETE`: A rule was removed **Hosts** - `HOST_CREATE`: A new host registered with Workshop - `HOST_UPDATE`: Host information was modified - `HOST_SYNC`: Host synchronized with Workshop - `HOST_CLEAN_SYNC`: Host performed a clean sync (full rule refresh) - `HOST_MANUAL_PUSH`: Rules were manually pushed to a host **Tags** - `TAG_CREATE`: A new tag was created - `TAG_DELETE`: A tag was removed - `TAG_SET_ORDER`: Tag resolution order was changed **Settings** - `SETTINGS_UPDATE_SYNC_SETTINGS`: Santa sync settings were updated - `SETTINGS_TELEMETRY_CLOUD_BUCKET_UPDATE`: Telemetry export bucket configured - `APPROVAL_WORKFLOW_SETTINGS_UPDATE`: Approval workflow settings changed **Approval Workflows** - `SELF_SERVICE_RULE_CREATION`: User created a rule via self-service - `DESIGNATED_APPROVER_REQUEST`: Approval request was submitted - `DESIGNATED_APPROVER_REQUEST_APPROVE`: Request was approved - `DESIGNATED_APPROVER_REQUEST_REJECT`: Request was rejected - `VOTE_CAST`: A vote was cast on a blockable **Risk Engine** - `RISK_ENGINE_EXCEPTION_CREATE`: A risk engine exception was created - `BLOCKABLE_FLAG_MALICIOUS`: A blockable was flagged as malicious ## Viewing Audit Events ### Accessing the Audit Log Navigate to the Audit page in the Workshop UI to view all audit events. The audit table provides: - **Filtering**: Search and filter by event type, actor, resource, outcome, and date range - **Sorting**: Sort by timestamp, event type, or outcome - **Expandable Rows**: Click any row to see full event details including JSON diffs for updates - **Transaction Linking**: Click a transaction ID to view all related events ### Querying Examples **Filter by event type:** Use the event type filter to show only specific types of events, such as all rule changes or host syncs. **Filter by actor:** Find all actions performed by a specific user, API key, or host by filtering on the actor field. **Filter by date range:** Select a date range to view events within a specific time period. **View related events:** Click on a transaction ID to see all events that are part of the same transaction. This is useful for tracking complex operations like approval workflows that generate multiple audit events. ### Event Details When you expand an audit event row, you’ll see: - Complete event metadata (ID, transaction ID, timestamp, actor) - The full resource identifier - Detailed information about what changed - For update operations, a side-by-side diff showing before and after values ## Audit Log Export Workshop can automatically export audit logs to cloud storage for long-term retention, compliance requirements, or integration with external SIEM systems. See the [Event Export documentation](./event-export) for detailed information on configuring audit event export, including cloud storage setup and export behavior. ## Sitemap - [Home](https://northpole.security/index.md) - [Workshop](https://northpole.security/workshop.md) - [Santa](https://northpole.security/santa.md) - [Features](https://northpole.security/features.md) - [Cookbook](https://northpole.security/cookbook.md) - [Docs](https://northpole.security/docs.md) - [Blog](https://northpole.security/blog.md) - [Glossary](https://northpole.security/glossary.md) - [About](https://northpole.security/about.md) - [Contact](https://northpole.security/contact.md)