Audit log

OneAnalytics writes an audit event for every security-relevant action — logins, sharing grants, dataset refreshes, permission changes, AI queries, SSO / SCIM events. The log is append-only, cryptographically chained, and queryable for 7 years (configurable).

Event schema

{
  "id":         "evt_01H...",
  "ts":         "2026-04-16T09:42:11.134Z",
  "tenant_id":  "...",
  "actor": {
    "type":  "user",
    "id":    "usr_...",
    "email": "ada@example.com",
    "ip":    "203.0.113.42"
  },
  "action":     "sharing.grant.create",
  "resource": {
    "type": "report",
    "id":   "rpt_..."
  },
  "detail": {
    "grant_id":       "grt_...",
    "principal_type": "link",
    "actions":        ["view", "download"]
  },
  "trace_id":   "4f8a..."
}

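Each event's hash is the SHA-256 of prev_hash || event_json, where prev_hash is the hash of the preceding event. Altering an event invalidates its hash and every hash after it, so hiding a change requires rewriting every event after the tampered one, which is detectable by the daily integrity check.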
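A verifier for the chain described above, as an added example that is not OneAnalytics code. The page does not specify the JSON serialization, the encoding of prev_hash, the first event's prev_hash, or where the head hash is kept, so the raw-byte concatenation, the all-zero GENESIS value, the compact sorted-key serialization and the externally stored anchored_head are all assumptions.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumed prev_hash for the first event (not stated on the page)


def event_hash(prev_hash: bytes, event_json: bytes) -> bytes:
    """SHA-256 of prev_hash || event_json, the construction the page states."""
    return hashlib.sha256(prev_hash + event_json).digest()


def build_chain(events):
    """Serialize constructed events (assumed form) and chain them: [(raw, hash), ...]."""
    chain, prev = [], GENESIS
    for ev in events:
        raw = json.dumps(ev, sort_keys=True, separators=(",", ":")).encode()
        prev = event_hash(prev, raw)
        chain.append((raw, prev))
    return chain


def verify_chain(chain, anchored_head=None):
    """Recompute hashes over the stored bytes (never re-serialized JSON).
    Returns (ok, index of first bad record); len(chain) means head != anchor."""
    prev = GENESIS
    for i, (raw, stored) in enumerate(chain):
        if event_hash(prev, raw) != stored:
            return False, i
        prev = stored
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, None


# Constructed sample events (not real OneAnalytics data).
SAMPLE = [
    {"id": "evt_1", "action": "auth.login.success"},
    {"id": "evt_2", "action": "sharing.grant.create"},
    {"id": "evt_3", "action": "export.download"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    head = chain[-1][1]  # head hash recorded outside the log store (assumption)
    forged = build_chain([SAMPLE[0], {"id": "evt_2", "action": "report.view"}, SAMPLE[2]])
    print(verify_chain(chain, head))   # intact chain
    print(verify_chain(forged))        # fully rehashed chain is self-consistent
    print(verify_chain(forged, head))  # but its head no longer matches the anchor
```

A chain that has been rewritten from the tampered event onward still verifies against itself, so the check only catches it when the head hash is compared with a copy recorded somewhere the log writer cannot modify.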

Action taxonomy

  • auth.login.success, auth.login.failure, auth.logout, auth.mfa.enroll
  • user.create, user.update, user.deactivate, user.role.change
  • workspace.create, workspace.delete, workspace.member.add
  • dataset.create, dataset.refresh.success, dataset.refresh.failure
  • report.create, report.update, report.delete, report.view
  • sharing.grant.create, sharing.grant.revoke
  • export.start, export.succeed, export.download
  • ai.query, ai.tool_call
  • sso.saml.login, scim.user.provision
  • admin.setting.change, admin.token.create, admin.token.revoke

Retention

Default 7 years (Scale plan), 1 year (Growth), 90 days (Starter). Raise the ceiling in Settings → Audit → Retention.

Query & export

  • UI: Settings → Audit → filter by actor, action, date range, resource
  • API: GET /v1/audit/events?actor_id=...&action=...&since=...&until=...
  • Export: daily NDJSON file signed with the workspace's audit key, dropped to your configured S3 bucket (or kept on our side for download)

Compliance integrations

  • SIEM: Splunk HEC, Datadog Logs, Elastic — we push events in near real time via webhook.
  • SOC 2 / ISO 27001: The chain + monthly integrity attestation satisfy "logs protected from modification".

AI-query transparency

Every LLM call generates an ai.query event with the question, the chosen dataset, the tool calls Claude made, and the final answer hash. Regulators can verify the AI never saw row data — the events show only schema + aggregates passed to the tool calls.