Audit Logs
Audit log entries record every significant action in the platform. They are immutable — once created, they cannot be edited or deleted. The audit trail is designed for regulatory compliance with FinCEN, OFAC, FCA, FATF, and EU AMLD5 requirements.
Resource fields
| Field | Type | Description |
|---|---|---|
| id | string | Unique audit log identifier |
| event_type | string | Event type code. See event types |
| severity | string | Severity level: INFO, WARNING, ERROR |
| description | string | Human-readable description of the event |
| old_value | string | Previous value (for status changes, overrides) |
| new_value | string | New value after the change |
| reason | string | Justification or notes for the action |
| case_token | string | Related case token |
| alert_token | string | Related alert token |
| entity_token | string | Related entity token |
| check_token | string | Related check token |
| actor | object | User who performed the action (see Actor object) |
| approved_by | object | Approving user for four-eyes actions (see Actor object) |
| approved_at | string | ISO 8601 timestamp of approval |
| metadata | object | Additional context data (varies by event type) |
| created_at | string | ISO 8601 timestamp of the event |
Actor object
| Field | Type | Description |
|---|---|---|
| id | string | User identifier |
| name | string | Display name (denormalized at write time) |
| email | string | Email address (denormalized at write time) |
Actor names and emails are stored at write time so they survive user deactivation. Historical audit records always show the name as it was when the action occurred.
Event types
Case events (5)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| CASE_CREATED | INFO | New case created | case_token, type, priority |
| CASE_STATUS_CHANGE | INFO | Case status transition | old_value, new_value |
| CASE_ASSIGNMENT | INFO | Case assigned to a user | new_value (assignee) |
| CASE_ESCALATION | WARNING | Case escalated to a manager | reason, new_value (manager) |
| CASE_CLOSURE | INFO | Case closed | reason (resolution notes) |
Alert events (7)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| ALERT_CREATED | INFO | New alert generated | alert_token, category, type |
| ALERT_ACKNOWLEDGED | INFO | Alert claimed by analyst | actor |
| ALERT_RESOLVED | INFO | Alert resolved with action | new_value (action), reason (notes) |
| ALERT_FALSE_POSITIVE | INFO | Alert marked as false positive | reason (justification) |
| ALERT_ESCALATED | WARNING | Alert escalated to manager | reason, new_value (manager) |
| ALERT_ASSIGNMENT | INFO | Alert assigned to a user | new_value (assignee) |
| ALERT_AUTO_DISPOSITION | INFO | Alert auto-disposed by AI pipeline | reason (AI rationale) |
Risk events (4)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| RISK_ASSESSMENT_CREATED | INFO | New risk assessment initiated | case_token, source |
| RISK_SCORE_CALCULATED | INFO | Risk dimensions scored | new_value (tier), metadata (scores) |
| RISK_TIER_OVERRIDE | WARNING | Analyst overrode calculated tier | old_value, new_value, reason |
| RISK_ASSESSMENT_APPROVED | INFO | Assessment approved by reviewer | approved_by, approved_at |
Check events (4)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| CHECK_STATUS_CHANGE | INFO | Check status transition | old_value, new_value |
| CHECK_WAIVED | WARNING | Check waived by analyst | reason, actor |
| CHECK_REJECTED | WARNING | Check result rejected | reason |
| CHECK_COMPLETED | INFO | Check execution completed | new_value (result) |
Document events (2)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| DOCUMENT_UPLOADED | INFO | Document uploaded by client or analyst | metadata (doc type) |
| DOCUMENT_REVIEWED | INFO | Document reviewed (accepted or declined) | new_value (decision) |
Reviewer events (3)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| REVIEWER_ADDED | INFO | Reviewer assigned to alert or case | new_value (reviewer), role |
| REVIEWER_REMOVED | INFO | Reviewer removed from alert or case | old_value (reviewer) |
| REVIEWER_RESPONSE | INFO | Reviewer approved or declined | new_value (decision) |
Entity events (2)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| ENTITY_ADDED | INFO | Entity added to a case | entity_token, role |
| ENTITY_REMOVED | INFO | Entity removed from a case | entity_token |
Other events (5)
| Event Type | Severity | Description | Key fields |
|---|---|---|---|
| COMMENT_ADDED | INFO | Comment added to alert or case | metadata (comment type) |
| AUTO_ESCALATION | WARNING | System auto-escalated due to SLA breach | reason, new_value |
| SLA_BREACH | ERROR | SLA deadline passed without resolution | case_token |
| BULK_OPERATION | INFO | Bulk action performed on multiple records | metadata (count, action) |
| AI_ANALYSIS | INFO | AI research or analysis completed | alert_token, metadata |
Example
```json
{
  "id": "log_001",
  "event_type": "ALERT_RESOLVED",
  "severity": "INFO",
  "description": "Alert resolved: Approve",
  "old_value": "Open",
  "new_value": "Resolved",
  "reason": "False positive confirmed. Matched entity is unrelated to subject.",
  "case_token": "cas_xyz789",
  "alert_token": "alt_001",
  "entity_token": "ent_ubo789",
  "check_token": null,
  "actor": {
    "id": "user_analyst01",
    "name": "Sarah Johnson",
    "email": "sarah@example.com"
  },
  "approved_by": null,
  "approved_at": null,
  "metadata": {
    "resolution_action": "Approve",
    "ai_confidence": 85,
    "false_positive_probability": 82
  },
  "created_at": "2026-02-16T11:30:00Z"
}
```
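Because the event-type tables give each event a severity and a set of key fields, retrieved entries can be checked mechanically. The following is an added example, not part of the platform's documentation or code: it flags entries whose severity differs from the table, whose key fields are empty, or whose approved_by is the same user as actor. It assumes key fields are required and that a four-eyes approver must differ from the actor; the finding codes and sample records are constructed.

```python
# Added example: sample records are constructed, shaped like the entry above.
# Assumptions: "Key fields" are required; approved_by must differ from actor.
# Non-INFO severities from the event-type tables; all other listed types are INFO.
DOCUMENTED_SEVERITY = {
    "CASE_ESCALATION": "WARNING", "ALERT_ESCALATED": "WARNING",
    "RISK_TIER_OVERRIDE": "WARNING", "CHECK_WAIVED": "WARNING",
    "CHECK_REJECTED": "WARNING", "AUTO_ESCALATION": "WARNING",
    "SLA_BREACH": "ERROR",
}
# Key fields of the override, waiver, rejection and approval events.
KEY_FIELDS = {
    "RISK_TIER_OVERRIDE": ("old_value", "new_value", "reason"),
    "CHECK_WAIVED": ("reason", "actor"),
    "CHECK_REJECTED": ("reason",),
    "RISK_ASSESSMENT_APPROVED": ("approved_by", "approved_at"),
}

def review_entry(entry):
    """Return the list of finding codes for one audit log entry."""
    findings = []
    etype = entry.get("event_type")
    if entry.get("severity") != DOCUMENTED_SEVERITY.get(etype, "INFO"):
        findings.append("SEVERITY_MISMATCH")
    for field in KEY_FIELDS.get(etype, ()):
        if not entry.get(field):  # null, empty string or empty object
            findings.append("MISSING_" + field.upper())
    actor_id = (entry.get("actor") or {}).get("id")
    approver_id = (entry.get("approved_by") or {}).get("id")
    if approver_id and approver_id == actor_id:
        findings.append("SELF_APPROVAL")
    return findings

def review_entries(entries):
    """Map entry id to findings, keeping only entries that have any."""
    return {e.get("id"): f for e in entries if (f := review_entry(e))}

SAMPLE = [
    {"id": "log_101", "event_type": "RISK_TIER_OVERRIDE", "severity": "WARNING",
     "old_value": "High", "new_value": "Low", "reason": "",
     "actor": {"id": "user_a"}, "approved_by": None},
    {"id": "log_102", "event_type": "RISK_TIER_OVERRIDE", "severity": "WARNING",
     "old_value": "High", "new_value": "Low", "reason": "Updated ownership data",
     "actor": {"id": "user_b"}, "approved_by": {"id": "user_b"}},
    {"id": "log_103", "event_type": "CHECK_WAIVED", "severity": "INFO",
     "reason": "Document on file", "actor": {"id": "user_c"}, "approved_by": None},
    {"id": "log_104", "event_type": "CASE_CREATED", "severity": "INFO",
     "actor": {"id": "user_a"}, "approved_by": None},
]

if __name__ == "__main__":
    print(review_entries(SAMPLE))
```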
| Endpoint | Method | Description |
|---|---|---|
| GET /v1/audit-logs | GET | List audit logs with filters |
| GET /v1/cases/{token}/audit-logs | GET | List audit logs for a case |
| GET /v1/cases/{token}/audit-logs/export | GET | Export audit logs as CSV |
Filter parameters
| Parameter | Type | Description |
|---|---|---|
| event_type | string | Filter by event type code |
| severity | string | Filter by severity: INFO, WARNING, ERROR |
| from | string | Start date (ISO 8601) |
| to | string | End date (ISO 8601) |
| actor_id | string | Filter by acting user |
| limit | number | Results per page (default 50, max 200) |
| cursor | string | Pagination cursor |