Security

Audit Log

Track all user and system activity with Keva's comprehensive audit trail

The audit log provides a complete record of all actions in your Keva workspace. It is essential for security monitoring, compliance, and incident investigation.

Overview

Keva logs:

  • All user actions (CRUD operations)
  • Authentication events
  • API access
  • System events
  • Security incidents

Accessing the Audit Log

Navigate to Settings > Security > Audit Log. Viewing the log requires the audit.view permission.

Event Structure

Each audit event includes:

| Field | Description |
|---|---|
| Timestamp | When the event occurred (UTC) |
| Actor | User or system that performed the action |
| Action | What was done (e.g., ticket.created) |
| Resource | Type and ID of affected resource |
| Severity | Event severity (low, medium, high, critical) |
| IP Address | Source IP of the request |
| User Agent | Browser/client information |
| Metadata | Additional context |

Event Categories

Ticket Events

| Event | Description |
|---|---|
| ticket.created | New ticket created |
| ticket.updated | Ticket properties changed |
| ticket.deleted | Ticket deleted |
| ticket.assigned | Ticket assigned to agent |
| ticket.status_changed | Status updated |

Authentication Events

| Event | Description |
|---|---|
| auth.login_success | Successful login |
| auth.login_failure | Failed login attempt |
| auth.logout | User logged out |
| auth.session_expired | Session timed out |
| auth.mfa_enabled | MFA activated |
| auth.mfa_disabled | MFA deactivated |

Team Events

| Event | Description |
|---|---|
| team.member_invited | Invitation sent |
| team.member_removed | Member removed |
| team.role_changed | Role assignment changed |

Connector Events

| Event | Description |
|---|---|
| connector.created | New connector added |
| connector.credentials_accessed | Credentials retrieved |
| connector.credentials_updated | Credentials changed |
| connector.deleted | Connector removed |

Security Events

| Event | Description |
|---|---|
| security.suspicious_activity | Anomalous behavior detected |
| security.rate_limit_exceeded | Rate limit triggered |
| security.ssrf_blocked | SSRF attempt blocked |
| security.authorization_failed | Permission denied |

API Events

| Event | Description |
|---|---|
| api_key.created | New API key generated |
| api_key.deleted | API key revoked |
| api_key.used | API request (sampled) |

Filtering the Log

By Date Range

Select a date range to view events:

  • Last 24 hours
  • Last 7 days
  • Last 30 days
  • Custom range

By Actor

Filter by user:

  • Specific user email
  • System actions
  • API key identifier

By Event Type

Filter by action prefix:

  • ticket.* - Ticket events
  • auth.* - Authentication
  • security.* - Security events

By Severity

Filter by severity level:

  • Low - Normal operations
  • Medium - Notable actions
  • High - Sensitive operations
  • Critical - Security alerts

Event Severity

Automatic Classification

Events are automatically classified:

| Severity | Examples |
|---|---|
| Low | Ticket viewed, search performed |
| Medium | Ticket created, settings changed |
| High | Credentials accessed, bulk operations |
| Critical | Security events, data exports |

High-Risk Events

These events trigger alerts:

  • connector.credentials_accessed
  • api_key.created
  • api_key.deleted
  • team.member_removed
  • security.*
  • Bulk data exports

Exporting Audit Data

Export for Analysis

  1. Apply filters to narrow results
  2. Click Export
  3. Select format (CSV or JSON)
  4. Download file

Exports are logged as audit_logs.exported.
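
One way to review a JSON export offline, as an added example that is not Keva's own code: it flags the events this page lists as high-risk and any login that follows repeated auth.login_failure events for the same actor. The JSON key names, the sample events and the failure_threshold parameter are assumptions; the page does not document the export schema.

```python
import fnmatch
import json
from collections import Counter

# Patterns from this page's "High-Risk Events" list. "Bulk data exports" is
# omitted because the page gives no event name for it.
HIGH_RISK = ["connector.credentials_accessed", "api_key.created",
             "api_key.deleted", "team.member_removed", "security.*"]

# Constructed sample export. The key names are assumptions modelled on the
# Event Structure fields; rename them to match a real export.
KEYS = ("timestamp", "actor", "action", "ip_address")
ROWS = [
    ("2026-03-24T09:00:00Z", "alice@example.com", "auth.login_failure", "198.51.100.7"),
    ("2026-03-24T09:00:05Z", "alice@example.com", "auth.login_failure", "198.51.100.7"),
    ("2026-03-24T09:00:09Z", "alice@example.com", "auth.login_failure", "198.51.100.7"),
    ("2026-03-24T09:00:15Z", "alice@example.com", "auth.login_success", "198.51.100.7"),
    ("2026-03-24T09:02:00Z", "alice@example.com", "connector.credentials_accessed", "198.51.100.7"),
    ("2026-03-24T09:05:00Z", "bob@example.com", "auth.login_failure", "203.0.113.45"),
    ("2026-03-24T09:05:30Z", "bob@example.com", "auth.login_success", "203.0.113.45"),
    ("2026-03-24T09:10:00Z", "bob@example.com", "ticket.created", "203.0.113.45"),
    ("2026-03-24T09:12:00Z", "system", "security.rate_limit_exceeded", "203.0.113.45"),
]
SAMPLE_EXPORT = json.dumps([dict(zip(KEYS, row)) for row in ROWS])


def is_high_risk(action):
    """True if the action matches one of the page's high-risk patterns."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in HIGH_RISK)


def triage(export_json, failure_threshold=3):
    """Return (high-risk events, logins that follow repeated failures)."""
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    events = sorted(json.loads(export_json), key=lambda e: e["timestamp"])
    high_risk = [e for e in events if is_high_risk(e["action"])]
    failures = Counter()  # consecutive failed logins per actor
    suspect_logins = []
    for e in events:
        if e["action"] == "auth.login_failure":
            failures[e["actor"]] += 1
        elif e["action"] == "auth.login_success":
            if failures[e["actor"]] >= failure_threshold:
                suspect_logins.append(e)
            failures[e["actor"]] = 0
    return high_risk, suspect_logins


if __name__ == "__main__":
    risky, suspect = triage(SAMPLE_EXPORT)
    for e in risky + suspect:
        print(e["timestamp"], e["actor"], e["action"], e["ip_address"])
```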

Export for Compliance

For SOC 2 evidence:

  1. Go to Security > Compliance
  2. Click Generate Evidence Report
  3. Select report type
  4. Download signed report

Retention Policy

Default Retention

  • Standard plans: 90 days
  • Enterprise plans: Customizable

Archival

For SOC 2 compliance, logs are archived:

  • Daily archival to encrypted S3 bucket
  • HMAC-SHA256 signed for integrity
  • 7-year retention for compliance

Real-Time Alerting

Slack Integration

High-risk events trigger Slack notifications:

  1. Configure webhook in Settings > Security
  2. Select alert types
  3. Receive instant notifications

Alert Contents

[SECURITY ALERT] connector.credentials_accessed
Tenant: your-workspace
Actor: user@example.com
Resource: platform_connector/abc123
IP: 203.0.113.45
Time: 2026-03-24T10:15:00Z

Permission Requirements

| Action | Required Permission |
|---|---|
| View audit logs | audit.view |
| Export audit data | audit.export |

Best Practices

Regular Review

  • Check high-severity events daily
  • Review authentication failures weekly
  • Investigate anomalies promptly

Compliance

  • Export monthly for records
  • Archive before retention expires
  • Document review procedures