> For the complete documentation index, see [llms.txt](https://docs.arnica.io/arnica-documentation/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.arnica.io/arnica-documentation/platform-operations/security/audit-events.md).

# Audit Events

The Audit Events tab gives you a full log of administrative actions taken within your Arnica org. Use it to track who changed what and when — across policies, integrations, user access, and more.

## Reading the Table

Each row represents a single event and shows:

* **Timestamp** — when the event occurred.
* **Event Action** — the type of action taken (see below).
* **Event Domain** — the area of the product the action affected.
* **User** — the display name and email of the person who performed the action, or the API token name if the action was taken via API.
* **Resource Type** — the type of resource that was affected.
* **Description** — a human-readable summary of the event.

<figure><img src="/files/dCeJ3EpaZkEzgobOyp1J" alt="Audit Events table showing timestamp, event action, event domain, user, resource type and description columns"><figcaption><p>The Audit Events table lists all administrative actions taken within your org</p></figcaption></figure>

## Event Actions

Actions are color-coded for quick scanning:

| Action | Color  | Meaning                           |
| ------ | ------ | --------------------------------- |
| CREATE | Green  | A new resource was created        |
| UPDATE | Orange | An existing resource was modified |
| DELETE | Red    | A resource was deleted            |

## Event Domains

Events are grouped into the following domains:

* **Authentication** — sign-in and sign-out activity.
* **Authorization** — permission and access control changes.
* **Policy** — policy creation and updates.
* **Product** — product configuration changes.
* **Integration** — integration setup and changes.
* **API** — API key operations.
* **AI** — AI configuration interactions.

## Known Behaviors

### Deleting a policy rule appears as UPDATE

When you remove a rule from a policy, the event is recorded as **UPDATE** rather than **DELETE**. This is because Arnica stores each policy as a single object — removing a rule modifies that object rather than deleting a standalone resource. To see exactly which rule was removed, expand the event row and check the before/after diff.

## Viewing Changes

Click any row to expand it and see a side-by-side before/after diff of the affected resource. Modified fields are highlighted and unmodified sections are collapsed.

<figure><img src="/files/L9mN7dMLTxnMBZTK5Fpt" alt="Expanded audit event row showing a side-by-side diff of the before and after state of a policy change"><figcaption><p>Expanding a row reveals the exact fields that changed</p></figcaption></figure>

{% hint style="info" %}
Sensitive fields are automatically redacted before events are stored, so credentials and secrets will never appear in the diff view.
{% endhint %}

## Filtering

Use the filter icon on each column header to narrow down results:

* **Timestamp** — filter by date range, with quick presets for the last 7, 30, or 90 days.
* **Event Action** — filter by action type (CREATE, UPDATE, DELETE).
* **Event Domain** — filter by domain.
* **User** — search by email or display name.

## Exporting

Click the export icon in the top right of the table to download the audit log as a CSV. Exports include all event data including the full before/after change values. Up to 50,000 rows can be exported at once.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.arnica.io/arnica-documentation/platform-operations/security/audit-events.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.