Audit Trail

Immutable record of every agent action, approval decision, and policy change. Cryptographically signed, tamper-evident, and searchable for compliance investigations.

What gets logged?

Arx captures a complete trail of:

  • Agent actions — every connector call with full input/output
  • Approvals — who approved, when, why, what changed
  • Denials — rejected actions and reasons
  • Policy changes — updates to rules and guardrails
  • Access events — who viewed agents, logs, and sensitive data
  • System changes — connector credential rotations, user role updates

Immutability

Every audit entry is:

  • Cryptographically signed — using your organization's private key
  • Timestamped — UTC, traceable to source
  • Append-only — entries can never be deleted or modified
  • Chained — each entry references the previous one, so altering any entry breaks the chain

Audit logs are the source of truth for compliance investigations. Your auditors and regulators can verify that no entry has been changed since it was written.

Sample audit entries

Here's what a typical approval audit log looks like:

  timestamp: 2025-04-19T14:32:10Z
  event_type: agent.action.request_approval
  agent_id: triage_crowdstrike_01
  action_type: servicenow.change_request.create
  risk_score: 78
  policy_decision: REQUIRE_APPROVAL
  approver: priya@fortune100bank.com
  approval_status: approved
  approval_time: 2025-04-19T14:35:22Z
  approval_reason: "Duplicate detection, legitimate close"
  action_executed: true
  execution_time: 2025-04-19T14:35:23Z
  prev_hash: 0x9f42c2a8...
  hash: 0xb1c5e7d9...
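How the prev_hash / hash chaining described under Immutability can be checked on exported entries, as an added example that is not Arx's own code. It assumes SHA-256 over sorted-key JSON, an all-zero genesis value, and hypothetical helper names (entry_hash, append, verify_chain); the page does not state the real hashing or signing scheme, and signature verification is left out.

```python
import hashlib
import json

GENESIS = "0x" + "00" * 32  # assumed prev_hash value for the first entry

def entry_hash(entry):
    # Assumed canonical form: sorted-key JSON of every field except "hash".
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return "0x" + hashlib.sha256(data).hexdigest()

def append(log, fields):
    # Writer side: link to the previous entry, then seal the new one.
    entry = dict(fields, prev_hash=log[-1]["hash"] if log else GENESIS)
    entry["hash"] = entry_hash(entry)
    log.append(entry)

def verify_chain(log, expected_head=None):
    # Returns a list of (index, problem); an empty list means intact.
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev_hash") != prev:
            problems.append((i, "prev_hash does not match previous entry"))
        if entry.get("hash") != entry_hash(entry):
            problems.append((i, "hash does not match entry contents"))
        prev = entry.get("hash")
    # Dropping entries from the tail leaves a valid chain, so also compare
    # the head with a hash recorded elsewhere (e.g. in the SIEM stream).
    if expected_head is not None and prev != expected_head:
        problems.append((len(log), "head hash differs from recorded value"))
    return problems

def sample_log():
    # Constructed entries; field names follow the sample entry on this page.
    log = []
    for status, reason in [("approved", "Duplicate detection, legitimate close"),
                           ("denied", "Outside change window"),
                           ("approved", "Routine rotation")]:
        append(log, {"event_type": "agent.action.request_approval",
                     "agent_id": "triage_crowdstrike_01",
                     "approval_status": status, "approval_reason": reason})
    return log

if __name__ == "__main__":
    log = sample_log()
    print("untouched:", verify_chain(log))
    log[1]["approval_status"] = "approved"      # edit without resealing
    print("edited:   ", verify_chain(log))
    log[1]["hash"] = entry_hash(log[1])         # attacker reseals the entry
    print("resealed: ", verify_chain(log))
```

An edited entry is flagged at its own index, a resealed one at the entry that follows it, and a truncated tail only when the head hash is compared with a copy kept outside the log.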

Searching audit logs

Find events by:

  • Agent — show all actions from triage_crowdstrike_01
  • Time range — last 24h, week, or custom range
  • Approver — who approved this action?
  • Outcome — approved, denied, or error
  • Connector — show all ServiceNow changes
  • Risk score — high-risk actions only

Export & retention

Audit logs can be:

  • Exported — as JSON, CSV, or structured format for analysis
  • Streamed — to SIEM, Splunk, or your data warehouse via webhook
  • Retained — configurable retention (default: 7 years)
  • Archived — to cold storage for long-term compliance holds

Your organization controls retention policy. Export on-demand for audit requests.

Compliance use cases

Audit logs prove:

  • Change control — evidence that high-risk changes were reviewed and approved
  • Least privilege — agents can only call approved connectors
  • Segregation of duties — different people request vs. approve actions
  • Non-repudiation — approver cannot deny they approved the action
  • Incident response — trace root cause of any infrastructure change