Skip to main content
Team & Access

Audit log

The who-did-what trail of every action taken inside your organization, for owners and admins.

The Audit Log is a full trail of every action taken in your organization by a human — who did what, to which thing, and when. It’s separate from the Activity Log (which shows system events like scans and alert deliveries).

Who can see it

Only owners and admins can access the audit log. Members don’t see it in their navigation; if they navigate directly to the URL they get an access-denied page. This is intentional — the audit log can reveal who removed whom from the team and who changed what, and isn’t meant to be visible to everyone.

What’s recorded

Anything a human does that changes organization state. That includes:

  • Domains — added, updated, deleted, manually scanned, ended discovery window.
  • Endpoints — updated, monitoring toggled, archived, unarchived.
  • Alert rules — enabled, disabled, updated, deleted.
  • Authorized certificate authorities — added, removed.
  • Slack integrations — created, updated, deleted.
  • Settings — updated, with a list of which settings were changed.
  • Team — invitations sent, members joined, roles changed, members removed, members self-removed (account deletion), ownership transferred.
  • Billing — checkout sessions started, customer portal opened.

What’s not recorded

  • Automated system events (scans, CT discoveries, alert deliveries). Those are on the Activity Log page.
  • Reads. Viewing a page, filtering a list, or exporting a CSV doesn’t generate an audit entry.

Filtering

Three filters are available:

  • Resource type — narrow to one category (domains, team, settings, etc.).
  • Action — exact-match on an action name like team.member_invited or domain.deleted.
  • Pagination — page through older entries.

What each row shows

  • Timestamp — when it happened, in your timezone.
  • Actor — the email of the person who did it.
  • Action — a short code like domain.created or team.role_changed.
  • Resource — the type and ID of the thing that was affected.
  • Metadata — human-readable details. For a role change, this includes the previous and new role. For a settings update, it lists which keys changed. For a domain delete, the hostname.

A few things to know

  • The audit log is append-only. Once an entry is written, it can’t be edited or deleted from within CertShield.
  • A member removing their own account shows up as team.member_self_removed with the email of the person who left, so owners can trace a departed teammate’s trail after the fact.
  • Billing actions are logged even though only the owner can take them.

What’s next

← Back to Help Center Contact support