Audit Logging

Every Action Logged. Immutably. Forever.

100% of infrastructure actions logged to append-only S3 with Object Lock. Hash-chained entries prevent tampering. 2-7 year retention. Generates HIPAA §164.312(b), SOC 2 CC6.1, and PCI-DSS Requirement 10 evidence automatically. Export filtered logs in JSON, CSV, or PDF.

Start Free (3 Nodes)See Log Structure →

100%Actions loggedZero exceptions, complete trail

S3 + Object LockStorage methodWrite Once, Read Many (WORM)

Hash-chainedTamper detectionAny modification breaks chain

2-7 yearsRetention periodConfigurable per compliance need

Complete Chain of Custody for Every Action

Every audit log entry captures six dimensions: who performed the action, what was done, when it happened, where it targeted, why it was triggered, and what the outcome was. Log entry size: 2-10 KB typical (5 KB average).

Core Fields (Always Present)

Actor identity, role, IP address

Field: Who

{
  "actor": {
    "type": "autonomous",
    "user_email": "bob.chen@company.com",
    "playbook": "disk_cleanup_prod_db",
    "role": "Remediation Authority",
    "ip_address": "203.0.113.42",
    "user_agent": "Mozilla/5.0..."
  }
}

Example Complete Log Entry

Full Audit Log Entry (All Fields Combined)

{
  "log_id": "log_20260210_143743_a8f3b2c1",
  "incident_id": "inc_2026_02_10_1435",
  "timestamp": {
    "start": "2026-02-10T14:35:43.124Z",
    "end": "2026-02-10T14:37:09.891Z",
    "duration_seconds": 86.767
  },
  "actor": {
    "type": "autonomous",
    "playbook": "disk_cleanup_prod_db",
    "triggered_by_anomaly": true,
    "approval": { "required": false, "confidence": 0.94 }
  },
  "action": {
    "type": "playbook_execution",
    "playbook_name": "disk_cleanup_prod_db",
    "playbook_version": "1.4.2",
    "steps_executed": 3,
    "commands": [
      {
        "step": 1, "name": "clear_temp_files",
        "command": "find /tmp -type f -mtime +7 -delete",
        "exit_code": 0, "duration_seconds": 3.8,
        "timestamp": "2026-02-10T14:35:43.891Z"
      },
      {
        "step": 2, "name": "rotate_logs",
        "command": "logrotate -f /etc/logrotate.conf",
        "exit_code": 0, "duration_seconds": 1.9,
        "timestamp": "2026-02-10T14:35:47.712Z"
      },
      {
        "step": 3, "name": "verify_space_freed",
        "command": "df -h / | awk 'NR==2 {print $5}' | sed 's/%//'",
        "exit_code": 0, "stdout": "72", "duration_seconds": 0.2,
        "timestamp": "2026-02-10T14:35:49.623Z"
      }
    ]
  },
  "target": {
    "host": "prod-db-03.us-east-1.company.internal",
    "ip_address": "10.0.1.42",
    "environment": "production",
    "service": "postgresql",
    "region": "us-east-1",
    "cloud_provider": "aws",
    "tags": { "team": "platform", "compliance": "hipaa" }
  },
  "trigger": {
    "type": "anomaly_detected",
    "metric": "disk_usage",
    "baseline": 68.2,
    "current_value": 91.4,
    "deviation": 11.0,
    "severity": "critical"
  },
  "result": {
    "status": "success",
    "verification": {
      "metric": "disk_usage",
      "pre_execution": 91.4,
      "post_execution": 72.1,
      "threshold": "< 80%",
      "passed": true,
      "attempts": 1
    },
    "changes": {
      "files_deleted": 1247,
      "space_freed_gb": 11.4,
      "disk_usage_before": 91.4,
      "disk_usage_after": 72.1
    }
  },
  "hash": {
    "current": "sha256:d4f6a9b2c8e1f3a5b7c9d0e2...",
    "previous": "sha256:b2c4d6e8f0a2b4c6d8e0f2a4..."
  },
  "storage": {
    "s3_bucket": "sentienguard-audit-logs-prod",
    "s3_key": "2026/02/10/14/log_20260210_143743_a8f3b2c1.json",
    "object_lock": {
      "enabled": true,
      "mode": "COMPLIANCE",
      "retain_until": "2028-02-10T14:37:09Z"
    }
  }
}

S3 Object Lock Prevents Tampering

Immutable = Write Once, Read Many (WORM). Once a log entry is written to S3 with Object Lock, it cannot be modified or deleted until the retention period expires. Even the AWS root account cannot override COMPLIANCE mode.

What “Immutable” Means

Can read the log

Cannot modify the log

Cannot delete the log (until retention expires)

Cannot overwrite the log

Can create new logs (append-only)

Even AWS root account cannot modify/delete locked objects.

S3 Object Lock Configuration

# Create S3 bucket with Object Lock enabled
aws s3api create-bucket \
  --bucket sentienguard-audit-logs-prod \
  --region us-east-1 \
  --object-lock-enabled-for-bucket

# Set default retention policy (2 years)
aws s3api put-object-lock-configuration \
  --bucket sentienguard-audit-logs-prod \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Years": 2
      }
    }
  }'

Recommended

COMPLIANCE Mode

Characteristics:
  - Object CANNOT be deleted until retention expires
  - Object CANNOT be modified
  - Retention period CANNOT be shortened
  - Even root user cannot override

Use case: Regulatory compliance (HIPAA, SOC 2, PCI-DSS)
Trade-off: Strict (no escape hatch), but maximally secure

Alternative

GOVERNANCE Mode

Characteristics:
  - Object protected by default
  - Users with special permission can override
  - Root user can delete if needed

Use case: Internal policies, less strict compliance
Trade-off: Flexible, but auditor may question "can admin delete logs?"

Per-Object Retention (Write Call)

# When writing log to S3
s3.put_object(
    Bucket='sentienguard-audit-logs-prod',
    Key='2026/02/10/14/log_20260210_143743_a8f3b2c1.json',
    Body=json.dumps(log_entry),
    ObjectLockMode='COMPLIANCE',
    ObjectLockRetainUntilDate=datetime.utcnow() + timedelta(days=730)
)

Retention Behavior

Object uploaded: 2026-02-10T14:37:09Z
Retain until:    2028-02-10T14:37:09Z (2 years later)

During retention period (2026-2028):
  - Read: Allowed
  - Modify: Denied (403 Forbidden)
  - Delete: Denied (403 Forbidden)

After retention period (2028+):
  - Read: Allowed
  - Modify: Still denied (immutable by design)
  - Delete: Allowed (if organization chooses)

Configurable Retention by Compliance Framework

Framework	Required Retention	SentienGuard Default	Configurable Range
HIPAA	6 years	6 years	2-7 years
SOC 2	1 year	2 years	2-7 years
PCI-DSS	1 year	2 years	2-7 years
ISO 27001	1 year	2 years	2-7 years
GDPR	Varies	2 years	2-7 years

Per-Host Retention Override

# Organization settings
audit_logs:
  retention:
    default: 2_years
    hipaa_systems: 6_years   # Override for HIPAA-tagged hosts
    financial_systems: 7_years  # Override for financial data

Retention Resolution Example

Host: prod-db-03 (tagged: compliance=hipaa)
Retention: 6 years (HIPAA override)

Host: staging-web-01 (tagged: compliance=none)
Retention: 2 years (default)

After Retention Expires

Recommended

Option 1: Keep Forever

After expiration:
  - Log still exists in S3
  - Object Lock released (no longer protected)
  - Organization policy: Never delete audit logs

Result: Logs retained indefinitely
Storage cost: ~$0.50/month per 100 GB

Cost Optimized

Option 2: Move to Glacier

After expiration:
  - Log transitioned to S3 Glacier Deep Archive
  - Storage cost: $0.99/TB/month (vs $23/TB for S3 Standard)
  - Retrieval: 12-48 hours (infrequent access acceptable)

Result: 95% storage cost reduction, logs still accessible

SentienGuard recommendation: Keep forever, move to Glacier after 2 years.

Cryptographic Tamper Detection

S3 Object Lock prevents deletion and modification. But what if an attacker compromises credentials before Object Lock applies? Hash chaining adds a second layer: each log entry contains the hash of the previous entry, forming a cryptographic chain. Any modification, deletion, or insertion breaks the chain.

Log Entry Hash Structure

{
  "log_id": "log_20260210_143743_a8f3b2c1",
  "data": { ... },
  "hash": {
    "algorithm": "sha256",
    "current": "sha256:d4f6a9b2c8e1f3a5...",
    "previous": "sha256:b2c4d6e8f0a2b4c6..."
  }
}

Hash Calculation

# Hash of current entry
current_hash = sha256(
    log_entry['log_id'] +
    json.dumps(log_entry['data']) +
    log_entry['timestamp'] +
    log_entry['hash']['previous']
)

Chain Structure

Log 1:
  previous_hash: "genesis" (first entry, no previous)
  current_hash:  sha256("log_1_data" + "genesis")
                = "a1b2c3d4..."

Log 2:
  previous_hash: "a1b2c3d4..." (hash of Log 1)
  current_hash:  sha256("log_2_data" + "a1b2c3d4...")
                = "e5f6a7b8..."

Log 3:
  previous_hash: "e5f6a7b8..." (hash of Log 2)
  current_hash:  sha256("log_3_data" + "e5f6a7b8...")
                = "c9d0e1f2..."

Chain: genesis → a1b2c3d4 → e5f6a7b8 → c9d0e1f2 → ...

Tamper Detection Scenarios

Scenario 1: Modify Log

Original chain:
  Log 1: prev=genesis,   curr=a1b2c3d4
  Log 2: prev=a1b2c3d4,  curr=e5f6a7b8  ← Attacker modifies
  Log 3: prev=e5f6a7b8,  curr=c9d0e1f2

Attacker changes Log 2 data:
  Log 2: prev=a1b2c3d4,  curr=MODIFIED_HASH

Verification:
  - Recalculate Log 2 hash
  - Expected: e5f6a7b8
  - Actual: MODIFIED_HASH
  - Result: HASH MISMATCH → Tampering detected!

  - Check Log 3's previous_hash
  - Expected: e5f6a7b8
  - Log 3 points to: MODIFIED_HASH
  - Result: CHAIN BROKEN → Tampering detected!

Scenario 2: Delete Log

Original chain:
  Log 1: prev=genesis,   curr=a1b2c3d4
  Log 2: prev=a1b2c3d4,  curr=e5f6a7b8  ← Attacker deletes
  Log 3: prev=e5f6a7b8,  curr=c9d0e1f2

After deletion:
  Log 1: prev=genesis,   curr=a1b2c3d4
  Log 3: prev=e5f6a7b8,  curr=c9d0e1f2

Verification:
  - Log 3 references prev=e5f6a7b8
  - Search for log with curr=e5f6a7b8
  - Result: NOT FOUND (Log 2 deleted)
  - Result: MISSING LINK → Tampering detected!

Scenario 3: Insert Fake Log

Original chain:
  Log 1: prev=genesis,   curr=a1b2c3d4
  Log 2: prev=a1b2c3d4,  curr=e5f6a7b8

Attacker inserts fake Log 1.5:
  Log 1:   prev=genesis,   curr=a1b2c3d4
  Log 1.5: prev=a1b2c3d4,  curr=FAKE_HASH
  Log 2:   prev=a1b2c3d4,  curr=e5f6a7b8

Verification:
  - Two logs reference same previous_hash (a1b2c3d4)
  - Log 1.5: prev=a1b2c3d4
  - Log 2:   prev=a1b2c3d4
  - Result: CHAIN FORK → Tampering detected!

Hash Verification

Automated Daily Verification

Background Verification Job

def verify_audit_log_chain():
    logs = fetch_all_logs(order='timestamp_asc')

    previous_hash = "genesis"

    for log in logs:
        # Verify previous hash matches
        if log['hash']['previous'] != previous_hash:
            raise IntegrityError(f"Chain broken at {log['log_id']}")

        # Recalculate current hash
        expected_hash = calculate_hash(log)
        if log['hash']['current'] != expected_hash:
            raise IntegrityError(f"Hash mismatch at {log['log_id']}")

        # Update for next iteration
        previous_hash = log['hash']['current']

    return "Chain integrity verified"

# Run daily as background job

Verification Result

Daily verification at 2:00 AM:
  - Scanned 147,234 log entries
  - Verified hash chain from genesis to latest
  - Result: Chain integrity verified
  - Duration: 3.2 minutes

Independent Auditor Verification Script

Auditor Runs Independently

#!/usr/bin/env python3
import json
import hashlib

def verify_logs(log_file):
    with open(log_file) as f:
        logs = json.load(f)

    prev_hash = "genesis"

    for log in logs:
        # Check previous hash
        if log['hash']['previous'] != prev_hash:
            print(f"Chain broken at {log['log_id']}")
            return False

        # Recalculate hash
        data = log['log_id'] + json.dumps(log['data']) + prev_hash
        calc_hash = hashlib.sha256(data.encode()).hexdigest()

        if log['hash']['current'] != calc_hash:
            print(f"Hash mismatch at {log['log_id']}")
            return False

        prev_hash = log['hash']['current']

    print(f"All {len(logs)} logs verified")
    return True

# Usage:
# python verify_logs.py audit_logs_2026_q4.json

Auditor Outcome

$ python verify_logs.py audit_logs_2026_q4.json
Verifying 147,234 log entries...
All 147,234 logs verified
Chain integrity: PASS

How Audit Logs Address Compliance Requirements

SentienGuard’s audit logs provide evidence that helps organizations meet their own compliance requirements. Four framework mappings show exactly what evidence is generated and how to export it for assessors.

Note: SentienGuard is not SOC 2 certified, HIPAA certified, or PCI-DSS certified. Audit logs provide evidence that helps organizations meet their own compliance requirements.

Requirement (Exact Text)

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

§164.312(b)(1) — Audit Controls (Required)

Record: 100% of infrastructure actions logged
Examine: Dashboard shows all access to ePHI systems
Contain/Use: Logs filter by systems tagged "hipaa" or "ephi"

Tag ePHI Hosts

# Tag hosts containing ePHI
hosts:
  - hostname: prod-db-ehr
    tags:
      - compliance: hipaa
      - data_class: ephi

  - hostname: prod-db-billing
    tags:
      - compliance: hipaa
      - data_class: ephi

# Audit logs automatically tagged
{
  "target": {
    "host": "prod-db-ehr",
    "tags": {
      "compliance": "hipaa",
      "data_class": "ephi"
    }
  }
}

HIPAA Evidence Export

Dashboard → Reports → HIPAA Audit Evidence
Filters:
  - Date range: 2025-01-01 to 2025-12-31
  - Tags: compliance=hipaa
  - Include: All infrastructure actions
Format: PDF (for assessor), CSV (for analysis)
Click: Generate Report
Output:
  - hipaa_audit_evidence_2025.pdf (187 pages)
  - hipaa_audit_evidence_2025.csv (23,445 entries)

Auditor review time:
  Traditional manual approach: 80-120 hours
  With SentienGuard: 2 hours (reviewing exported report)

Generate Audit Evidence in Minutes, Not Weeks

Three export formats cover every use case: JSON for programmatic analysis, CSV for spreadsheet review, PDF for auditor-ready reports. Custom filters narrow down to exactly the evidence needed.

JSON

Machine-readable. SIEM integration, custom tooling, programmatic analysis.

CSV

Spreadsheet analysis. Excel filtering, sorting, pivot tables, auditor review.

PDF

Auditor-ready report. Executive summaries, compliance assessments, archival.

Format 1: JSON Export

[
  {
    "log_id": "log_20260210_143743_a8f3b2c1",
    "timestamp": "2026-02-10T14:35:43.124Z",
    "actor": { ... },
    "action": { ... },
    "target": { ... }
  },
  {
    "log_id": "log_20260210_150132_b9c0d1e2",
    "timestamp": "2026-02-10T15:01:32.891Z",
    ...
  }
]

JSON Export Command

# Via CLI
sentienguard logs export \
  --start-date 2025-01-01 \
  --end-date 2025-12-31 \
  --tags compliance=hipaa \
  --format json \
  --output hipaa_audit_2025.json

# Via Dashboard
Dashboard → Audit Logs → Export → JSON

Format 2: CSV Export

timestamp,actor_type,user_email,playbook,target_host,environment,action_type,result,duration_seconds
2026-02-10T14:35:43.124Z,autonomous,,disk_cleanup_prod_db,prod-db-03,production,playbook_execution,success,86.767
2026-02-10T15:01:32.891Z,user,bob.chen@company.com,postgres_restart,prod-db-03,production,manual_trigger,success,23.145

CSV Analysis Examples

Excel Pivot Table:
  Group by: environment, actor_type, result
  Count: action_type
  Result:
    Production:
      - Autonomous: 1,247 (98% success)
      - User: 32 (100% success)
    Staging:
      - Autonomous: 342 (94% success)
      - User: 67 (100% success)

Filter Failed Actions:
  CSV filter: result = "failed"
  Result: 24 failed actions out of 1,712 total (1.4% failure rate)
  Review:
    - 18 failures: Network timeout (transient)
    - 4 failures: Verification failed (escalated to human)
    - 2 failures: Playbook execution error (playbook bug fixed)

Format 3: PDF Executive Summary

HIPAA Audit Evidence Report
Period: January 1, 2025 - December 31, 2025
Generated: February 10, 2026
Organization: Company, Inc.

Summary:
  - Total infrastructure actions: 23,445
  - Systems with ePHI: 12 hosts
  - Autonomous resolutions: 20,398 (87%)
  - Manual interventions: 3,047 (13%)
  - Failed actions: 124 (0.5%)
  - Average MTTR: 92 seconds

Compliance:
  - HIPAA §164.312(b): SATISFIED
  - Retention period: 6 years (exceeds requirement)
  - Log integrity: VERIFIED (hash chain intact)
  - Immutability: VERIFIED (S3 Object Lock enabled)

PDF Verification Statement

Audit Log Integrity Verification

Hash Chain: VERIFIED
  - First entry: log_20250103_081542_genesis
  - Last entry: log_20251231_235945_final
  - Total entries: 23,445
  - Chain breaks: 0
  - Verification date: 2026-02-10

S3 Object Lock: VERIFIED
  - Bucket: sentienguard-audit-logs-prod
  - Mode: COMPLIANCE
  - Retention: 6 years (until 2031)
  - Objects locked: 23,445/23,445 (100%)

Cryptographic Signature:
  SHA256: a8f3b2c1d9e4f5a6b7c8d0e1f2a3b4c5...

Custom Filters

Filter Examples

Filter by Date Range:
  Start: 2025-Q3 (July 1)  |  End: 2025-Q3 (September 30)
  Result: 5,832 log entries

Filter by Environment:
  Environment: production
  Result: 18,234 entries (vs 5,211 staging, 3,047 dev)

Filter by Actor Type:
  Actor: autonomous → 20,398 entries (87%)
  Actor: user → 3,047 entries (13%)

Filter by Result:
  Result: failed → 124 entries (0.5% failure rate)

Filter by Host Pattern:
  Host pattern: *.db.* → 12,445 entries (database servers only)

Filter by Compliance Tag:
  Tag: compliance=hipaa → 8,234 entries (ePHI systems)
  Tag: compliance=pci-dss → 4,123 entries (cardholder data)

Combine Multiple Filters:
  Date: 2025-Q4 + Environment: production + Tag: hipaa + Result: success
  Result: 4,832 successful actions on production ePHI systems in Q4

Predictable, Affordable Long-Term Storage

Audit log storage costs are negligible. 10 years of logs for 1,000 hosts costs approximately $0.07 total. Automatic tiering moves old logs to Glacier for 95% cost reduction.

Assumptions (1,000-Host Deployment)

Hosts: 1,000
Incidents per day: 50 (50 autonomous resolutions/day)
Log entry size: 5 KB average
Daily log volume: 50 x 5 KB = 250 KB/day
Annual log volume: 250 KB x 365 = 91 MB/year

S3 Standard (Hot Storage)

S3 Standard Storage (Hot, 0-2 Years):
  Cost: $0.023 per GB per month
  Annual volume: 91 MB = 0.091 GB
  Annual cost: 0.091 GB x $0.023 x 12 months = $0.025/year
  Negligible cost (<$1/year per 1,000 hosts)

Glacier Deep Archive (Cold)

S3 Glacier Deep Archive (Cold, 2+ Years):
  Cost: $0.00099 per GB per month (23x cheaper)
  Volume after 2 years: 182 MB = 0.182 GB
  Annual cost: 0.182 GB x $0.00099 x 12 months = $0.002/year
  Essentially free (<$1/year for 10 years)

Age	Storage Tier	Monthly Cost (per GB)	Retrieval Time
0-2 years	S3 Standard	$0.023	Immediate
2+ years	Glacier Deep Archive	$0.00099	12-48 hours

Automatic Tiering (Lifecycle Policy)

# S3 lifecycle policy
lifecycle_rules:
  - name: audit_log_tiering
    transitions:
      - days: 730  # 2 years
        storage_class: GLACIER_DEEP_ARCHIVE

    # Never expire (keep forever)
    expiration: null

10-Year Cost Summary

Year 1-2: Logs in S3 Standard (frequent access)
Year 3+:  Logs in Glacier (infrequent access, archival)

Total 10-year storage cost for 1,000 hosts:
  - Years 1-2 (S3): $0.025 x 2 = $0.05
  - Years 3-10 (Glacier): $0.002 x 8 = $0.016
  - Total: $0.066 (~$0.07 for 10 years)

Storage is NOT a cost concern (rounding error in platform cost).

Retrieval from Glacier

Dashboard → Audit Logs → Request Glacier Retrieval
Date range: 2021-01-01 to 2021-12-31
Retrieval tier: Standard (12-48 hours)
Click: Request Retrieval
Status: Retrieval initiated
ETA: 24-36 hours
Cost: $0.03 per GB retrieved

After 24 hours:
  Status: Retrieval complete
  Download: audit_logs_2021.zip (183 MB)

Retrieval cost:
  Volume: 0.183 GB
  Total: $0.0055 (~$0.01)
  Also negligible cost

SentienGuard vs. Manual Archival

Manual Approach

Problems with Manual Archival

Manual Approach:
  Engineer exports logs quarterly
  Stores in company file server
  Retention: Depends on manual process (often incomplete)
  Search: Manual (grep, Excel filtering)
  Integrity: No verification (files can be modified)
  Compliance: Auditor questions reliability
  Problems:
    - Forgotten exports (gaps in evidence)
    - No immutability (files editable)
    - No automation (human toil)
    - Difficult to search/filter

SentienGuard

Automated Immutable Logging

SentienGuard Approach:
  Automatic logging to S3 (no manual export)
  Immutable (Object Lock prevents modification)
  Retention: 2-7 years automatic (configurable)
  Search: Dashboard filters (instant results)
  Integrity: Hash chain + Object Lock verification
  Compliance: Auditor-ready exports (PDF, CSV, JSON)
  Benefits:
    - Zero gaps (100% automated)
    - Provable integrity (cryptographic)
    - Zero toil (automatic archival)
    - Fast search/filter (seconds)

Common Questions

No. Once written to S3 with Object Lock (COMPLIANCE mode), logs cannot be deleted until the retention period expires. This is by design—immutability requires no exceptions. If you need flexibility, use GOVERNANCE mode (allows authorized deletion), but auditors may question integrity.

Attacker cannot modify/delete existing logs (Object Lock prevents this, even with root credentials). Attacker could upload fake logs, but hash chain would detect tampering (new logs wouldn’t chain correctly). Defense: Rotate credentials immediately, run hash verification to confirm integrity.

Three methods: (1) Show S3 Object Lock configuration (screenshot of bucket policy), (2) Demonstrate hash chain verification (run script, show results), (3) Provide S3 access logs showing no delete/modify operations (AWS CloudTrail). Combination of technical controls + audit trail proves immutability.

Yes. Dashboard has full-text search across all log fields. Search "root" returns all logs containing "root" in any field (user, command, host). Export to CSV for advanced Excel filtering. For complex queries, use JSON export + jq/Python analysis.

Logs are stored in YOUR S3 bucket (not SentienGuard’s). You retain full ownership. Even if SentienGuard ceases operations, logs remain in your AWS account indefinitely. You can export at any time, continue using for compliance, switch to different audit solution without data loss.

No. Secrets are automatically redacted. SSH keys, API tokens, database passwords never logged. Commands logged, but secret values masked (e.g., aws secretsmanager get-secret-value --secret-id ***REDACTED***). PII also redacted if configured. Configurable per organization policy.

Start Logging Today

Deploy agents, watch automatic logging begin, trigger test playbook, review audit log, export evidence.

First Log Entry

30 seconds after agent installation:
  - First heartbeat logged
  - Agent registration logged
  - Baseline learning started (logged)

First autonomous resolution (~8 minutes after install):
  - Anomaly detected (logged)
  - Playbook selected (logged)
  - Execution steps (logged)
  - Health verification (logged)
  - Incident closed (logged)

Complete audit trail from Day 1

Start Free (3 Nodes)View Sample Audit Log →

Free tier: 3 nodes, unlimited audit logs, 2-year retention, JSON/CSV/PDF export, no credit card.