> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zenoo.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit Logs

> Complete field reference for the Audit Log resource and all 32 event types in the Zenoo CLM API.

# Audit Logs

Audit log entries record every significant action in the platform. They are immutable -- once created, they cannot be edited or deleted. The audit trail is designed for regulatory compliance with FinCEN, OFAC, FCA, FATF, and EU AMLD5 requirements.

## Resource fields

| Field          | Type   | Description                                             |
| -------------- | ------ | ------------------------------------------------------- |
| `id`           | string | Unique audit log identifier                             |
| `event_type`   | string | Event type code. See [event types](#event-types)        |
| `severity`     | string | Severity level: `INFO`, `WARNING`, `ERROR`              |
| `description`  | string | Human-readable description of the event                 |
| `old_value`    | string | Previous value (for status changes, overrides)          |
| `new_value`    | string | New value after the change                              |
| `reason`       | string | Justification or notes for the action                   |
| `case_token`   | string | Related case token                                      |
| `alert_token`  | string | Related alert token                                     |
| `entity_token` | string | Related entity token                                    |
| `check_token`  | string | Related check token                                     |
| `actor`        | object | User who performed the action (see Actor object)        |
| `approved_by`  | object | Approving user for four-eyes actions (see Actor object) |
| `approved_at`  | string | ISO 8601 timestamp of approval                          |
| `metadata`     | object | Additional context data (varies by event type)          |
| `created_at`   | string | ISO 8601 timestamp of the event                         |

## Actor object

| Field   | Type   | Description                                |
| ------- | ------ | ------------------------------------------ |
| `id`    | string | User identifier                            |
| `name`  | string | Display name (denormalized at write time)  |
| `email` | string | Email address (denormalized at write time) |

<Info>
  Actor names and emails are stored at write time so they survive user deactivation. Historical audit records always show the name as it was when the action occurred.
</Info>

## Event types

### Case events (5)

| Event Type           | Severity | Description                 | Key fields                      |
| -------------------- | -------- | --------------------------- | ------------------------------- |
| `CASE_CREATED`       | INFO     | New case created            | `case_token`, type, priority    |
| `CASE_STATUS_CHANGE` | INFO     | Case status transition      | `old_value`, `new_value`        |
| `CASE_ASSIGNMENT`    | INFO     | Case assigned to a user     | `new_value` (assignee)          |
| `CASE_ESCALATION`    | WARNING  | Case escalated to a manager | `reason`, `new_value` (manager) |
| `CASE_CLOSURE`       | INFO     | Case closed                 | `reason` (resolution notes)     |

### Alert events (7)

| Event Type               | Severity | Description                        | Key fields                             |
| ------------------------ | -------- | ---------------------------------- | -------------------------------------- |
| `ALERT_CREATED`          | INFO     | New alert generated                | `alert_token`, category, type          |
| `ALERT_ACKNOWLEDGED`     | INFO     | Alert claimed by analyst           | `actor`                                |
| `ALERT_RESOLVED`         | INFO     | Alert resolved with action         | `new_value` (action), `reason` (notes) |
| `ALERT_FALSE_POSITIVE`   | INFO     | Alert marked as false positive     | `reason` (justification)               |
| `ALERT_ESCALATED`        | WARNING  | Alert escalated to manager         | `reason`, `new_value` (manager)        |
| `ALERT_ASSIGNMENT`       | INFO     | Alert assigned to a user           | `new_value` (assignee)                 |
| `ALERT_AUTO_DISPOSITION` | INFO     | Alert auto-disposed by AI pipeline | `reason` (AI rationale)                |

### Risk events (4)

| Event Type                 | Severity | Description                      | Key fields                            |
| -------------------------- | -------- | -------------------------------- | ------------------------------------- |
| `RISK_ASSESSMENT_CREATED`  | INFO     | New risk assessment initiated    | `case_token`, source                  |
| `RISK_SCORE_CALCULATED`    | INFO     | Risk dimensions scored           | `new_value` (tier), metadata (scores) |
| `RISK_TIER_OVERRIDE`       | WARNING  | Analyst overrode calculated tier | `old_value`, `new_value`, `reason`    |
| `RISK_ASSESSMENT_APPROVED` | INFO     | Assessment approved by reviewer  | `approved_by`, `approved_at`          |

### Check events (4)

| Event Type            | Severity | Description               | Key fields               |
| --------------------- | -------- | ------------------------- | ------------------------ |
| `CHECK_STATUS_CHANGE` | INFO     | Check status transition   | `old_value`, `new_value` |
| `CHECK_WAIVED`        | WARNING  | Check waived by analyst   | `reason`, `actor`        |
| `CHECK_REJECTED`      | WARNING  | Check result rejected     | `reason`                 |
| `CHECK_COMPLETED`     | INFO     | Check execution completed | `new_value` (result)     |

### Document events (2)

| Event Type          | Severity | Description                              | Key fields             |
| ------------------- | -------- | ---------------------------------------- | ---------------------- |
| `DOCUMENT_UPLOADED` | INFO     | Document uploaded by client or analyst   | `metadata` (doc type)  |
| `DOCUMENT_REVIEWED` | INFO     | Document reviewed (accepted or declined) | `new_value` (decision) |

### Reviewer events (3)

| Event Type          | Severity | Description                         | Key fields                   |
| ------------------- | -------- | ----------------------------------- | ---------------------------- |
| `REVIEWER_ADDED`    | INFO     | Reviewer assigned to alert or case  | `new_value` (reviewer), role |
| `REVIEWER_REMOVED`  | INFO     | Reviewer removed from alert or case | `old_value` (reviewer)       |
| `REVIEWER_RESPONSE` | INFO     | Reviewer approved or declined       | `new_value` (decision)       |

### Entity events (2)

| Event Type       | Severity | Description                | Key fields           |
| ---------------- | -------- | -------------------------- | -------------------- |
| `ENTITY_ADDED`   | INFO     | Entity added to a case     | `entity_token`, role |
| `ENTITY_REMOVED` | INFO     | Entity removed from a case | `entity_token`       |

### Other events (5)

| Event Type        | Severity | Description                               | Key fields                 |
| ----------------- | -------- | ----------------------------------------- | -------------------------- |
| `COMMENT_ADDED`   | INFO     | Comment added to alert or case            | `metadata` (comment type)  |
| `AUTO_ESCALATION` | WARNING  | System auto-escalated due to SLA breach   | `reason`, `new_value`      |
| `SLA_BREACH`      | ERROR    | SLA deadline passed without resolution    | `case_token`               |
| `BULK_OPERATION`  | INFO     | Bulk action performed on multiple records | `metadata` (count, action) |
| `AI_ANALYSIS`     | INFO     | AI research or analysis completed         | `alert_token`, `metadata`  |

## Example

```json theme={null}
{
  "id": "log_001",
  "event_type": "ALERT_RESOLVED",
  "severity": "INFO",
  "description": "Alert resolved: Approve",
  "old_value": "Open",
  "new_value": "Resolved",
  "reason": "False positive confirmed. Matched entity is unrelated to subject.",
  "case_token": "cas_xyz789",
  "alert_token": "alt_001",
  "entity_token": "ent_ubo789",
  "check_token": null,
  "actor": {
    "id": "user_analyst01",
    "name": "Sarah Johnson",
    "email": "sarah@example.com"
  },
  "approved_by": null,
  "approved_at": null,
  "metadata": {
    "resolution_action": "Approve",
    "ai_confidence": 85,
    "false_positive_probability": 82
  },
  "created_at": "2026-02-16T11:30:00Z"
}
```

## Related endpoints

| Endpoint                                  | Method | Description                  |
| ----------------------------------------- | ------ | ---------------------------- |
| `GET /v1/audit-logs`                      | GET    | List audit logs with filters |
| `GET /v1/cases/{token}/audit-logs`        | GET    | List audit logs for a case   |
| `GET /v1/cases/{token}/audit-logs/export` | GET    | Export audit logs as CSV     |

### Filter parameters

| Parameter    | Type   | Description                                    |
| ------------ | ------ | ---------------------------------------------- |
| `event_type` | string | Filter by event type code                      |
| `severity`   | string | Filter by severity: `INFO`, `WARNING`, `ERROR` |
| `from`       | string | Start date (ISO 8601)                          |
| `to`         | string | End date (ISO 8601)                            |
| `actor_id`   | string | Filter by acting user                          |
| `limit`      | number | Results per page (default 50, max 200)         |
| `cursor`     | string | Pagination cursor                              |

## See also

* [Audit Trail Guide](/guides/audit-trail)
* [Status Enums Reference](/reference/status-enums)
