WORM Audit Logging

Enterprise

Write Once, Read Many (WORM) audit logging provides an immutable, tamper-proof record of every action in EntraGuard.

What is WORM?

WORM (Write Once, Read Many) storage ensures that once a log entry is written, it cannot be modified or deleted — not even by administrators. This guarantees the integrity of audit records for forensic investigations, compliance audits and legal proceedings.

What gets logged

Audit operations

Scan starts, completions and failures. Collection progress per collector. Analysis results and score calculations. Report generation events.

User actions

Logins and logouts. Configuration changes (tenant settings, LDAP config, notification channels). API key creation and revocation. Report downloads and exports.

Risk acceptance

Finding acknowledgments and risk acceptances, recorded with justification, approver and expiration date. These cannot be silently removed from the log.

System events

License validation, webhook subscription changes, Celery task failures, database migrations, realtime monitoring events.

Implementation

  • Append-only table — PostgreSQL triggers block any UPDATE or DELETE on the audit log table. The application user has no write permission beyond INSERT.
  • Entry hash (SHA-256) — Each entry receives an entry_hash computed as a SHA-256 over the canonical JSON of the entry's business fields (sorted keys). This allows offline integrity verification without database access.
  • Timestamp — Entries are timestamped with the database server time (not client time) and include a monotonic sequence number.
  • Retention — 1-year default. Extended retention is configurable via the audit_extended_retention feature flag (Enterprise). Entries are never deleted by the application.

API

Audit log entries are accessible via the REST API (feature-gated audit_export, Enterprise):

GET /api/audit-logs/list

Query params: since, until, action — returns up to 1 000 entries per call.

Each entry includes user_id, timestamp, action, target, source_ip and entry_hash.
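The entry_hash scheme described under Implementation (SHA-256 over the canonical JSON of the business fields, sorted keys) is what makes an exported list verifiable without database access. The following is an added example, not EntraGuard's own code, of how a consumer of GET /api/audit-logs/list could recompute each hash offline and flag entries that no longer match. It assumes that the business fields are exactly the five listed above (user_id, timestamp, action, target, source_ip) and that canonical JSON means compact separators and UTF-8; the page does not spell out either detail, so a real verifier must match the writer's serialisation. The sample entries are constructed.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

# Business fields named in the API section. Which fields feed the hash, and
# the exact canonicalisation (compact separators, UTF-8), are assumptions here;
# the page only states "canonical JSON ... sorted keys".
BUSINESS_FIELDS = ("user_id", "timestamp", "action", "target", "source_ip")


def canonical_json(entry: Dict[str, Any]) -> bytes:
    """Serialise the business fields with sorted keys and compact separators."""
    business = {k: entry[k] for k in BUSINESS_FIELDS if k in entry}
    return json.dumps(
        business, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def compute_entry_hash(entry: Dict[str, Any]) -> str:
    """SHA-256 over the canonical JSON, hex-encoded (entry_hash is ignored)."""
    return hashlib.sha256(canonical_json(entry)).hexdigest()


def verify_entries(entries: List[Dict[str, Any]]) -> List[Tuple[int, str, str]]:
    """Recompute every entry_hash; return (index, stored, recomputed) per mismatch.

    A mismatch means the exported copy was altered after it was written, or the
    exporter serialised the fields differently from the writer."""
    mismatches: List[Tuple[int, str, str]] = []
    for idx, entry in enumerate(entries):
        stored = str(entry.get("entry_hash", ""))
        recomputed = compute_entry_hash(entry)
        # Constant-time comparison, so a partial match leaks nothing.
        if not hmac.compare_digest(stored, recomputed):
            mismatches.append((idx, stored, recomputed))
    return mismatches


def sample_export() -> List[Dict[str, Any]]:
    """Constructed stand-in for an audit-log export (not real data)."""
    raw: List[Dict[str, Any]] = [
        {"user_id": "u-1001", "timestamp": "2024-05-01T09:14:03Z", "action": "login",
         "target": "tenant/example", "source_ip": "203.0.113.7"},
        {"user_id": "u-1001", "timestamp": "2024-05-01T09:20:41Z", "action": "risk_accept",
         "target": "finding/F-0042", "source_ip": "203.0.113.7"},
        {"user_id": "u-2002", "timestamp": "2024-05-01T10:02:15Z", "action": "report_download",
         "target": "report/R-17", "source_ip": "198.51.100.23"},
    ]
    for entry in raw:
        entry["entry_hash"] = compute_entry_hash(entry)
    return raw


def tampered_export() -> List[Dict[str, Any]]:
    """Same export, but the risk acceptance has been re-pointed at another finding
    while its entry_hash was left as written."""
    entries = sample_export()
    entries[1]["target"] = "finding/F-0099"
    return entries


if __name__ == "__main__":
    print("clean export mismatches:   ", verify_entries(sample_export()))
    print("tampered export mismatches:", verify_entries(tampered_export()))
```

Because the hash covers only the business fields with sorted keys, the check is independent of the key order the exporter happens to emit, which is the property that makes offline verification practical. A non-empty result should be treated as an integrity incident for that export, not silently re-fetched.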

Configuration

WORM audit logging is enabled by default on Enterprise plans. Navigate to Settings → Audit Log to:

  • View and search the audit log
  • Export entries as JSON via the API
  • Configure SIEM forwarding (Splunk, Sentinel, Elastic, QRadar)
  • Set extended retention period

Compliance

WORM audit logging helps satisfy requirements in:

  • SOC 2 Type II
  • ISO 27001:2022
  • NIS2
  • NIST 800-53
  • HIPAA
  • PCI DSS 4.0

Need help with audit logging? Contact [email protected]. For Enterprise licensing, reach out to [email protected].