Every recommendation viewed, accepted, dismissed or applied is recorded with actor, timestamp and tenant context — chained, immutable and exportable to Splunk, Sentinel, Datadog or any SIEM.
AuditService.record() runs after every state-changing call: LOGIN, RECOMMENDATION_APPLIED, TICKET_CREATED, COMMITMENT_*, SCIM_USER_*, CUSTOM_ROLE_*, COMPLIANCE_REPORT_GENERATED — 50+ action types in total — with actor, entity and JSON before/after.
50+ actions · 20+ entities
02
Chain
Each event stores a SHA-256 integrityHash of (userId + action + entityId + beforeState + timestamp), referencing the previous event so any mutation breaks the chain.
SHA-256 · append-only
03
Stream to SIEM (Enterprise)
On each save, SiemDispatcher pushes the event to your configured SIEM — Splunk HEC, Datadog Logs, Sumo Logic or any Generic HTTP endpoint with bearer / header / basic auth.
Enterprise plan · async
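A verifier for a chain like the one described in the Chain step, as an added example that is not Lumicost's own code: it walks the events, recomputes each SHA-256 hash, and reports the first event that no longer matches. The canonical-JSON serialization, the `prevHash` field, the all-zero genesis value and the `expected_head` check are assumptions made for illustration; only the hashed field names and the action names come from the page.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed predecessor value for the first event

def integrity_hash(event, prev_hash):
    # Canonical JSON (sorted keys, fixed separators) keeps field boundaries
    # unambiguous; plain concatenation would make "ab"+"c" equal "a"+"bc".
    material = json.dumps(
        {
            "userId": event["userId"],
            "action": event["action"],
            "entityId": event["entityId"],
            "beforeState": event["beforeState"],
            "timestamp": event["timestamp"],
            "prevHash": prev_hash,  # assumption: the link is part of the hashed data
        },
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()

def append_event(chain, event):
    prev = chain[-1]["integrityHash"] if chain else GENESIS
    chain.append({**event, "prevHash": prev,
                  "integrityHash": integrity_hash(event, prev)})

def first_broken_index(chain, expected_head=None):
    """Return the index of the first event that fails verification, or None."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["prevHash"] != prev or ev["integrityHash"] != integrity_hash(ev, prev):
            return i
        prev = ev["integrityHash"]
    # A truncated tail is still a valid shorter chain; comparing against a head
    # hash kept elsewhere (for example in the SIEM copy) detects that case.
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None

def build_sample_chain():
    # Constructed sample events; IDs and timestamps are made up.
    chain = []
    for i, action in enumerate(["LOGIN", "RECOMMENDATION_APPLIED", "TICKET_CREATED"]):
        append_event(chain, {
            "userId": "u-100", "action": action, "entityId": f"e-{i}",
            "beforeState": {"status": "open"},
            "timestamp": f"2024-01-01T00:00:0{i}Z",
        })
    return chain
```

An edited event fails at its own index; if the editor also recomputes that event's hash, the failure moves to the next event, whose `prevHash` no longer matches.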
What's inside
01
What auditors actually want
Who, what, when, on which tenant, with which authentication method and from which IP — every event is captured in the canonical schema auditors expect for SOC 2 CC7.2 and ISO 27001 A.12.4.1.
02
Tamper-evident by construction
Each event is hashed and chained to its predecessor. A daily Merkle root is published, so any silent rewrite of history becomes mathematically detectable.
03
Stream to your SIEM
Push events in near-real-time to Splunk HEC, Microsoft Sentinel, Datadog, S3-CMK or any HTTPS / Kafka endpoint that speaks JSON.
Capabilities
Everything you need on day one.
Append-only AuditEvent table
SHA-256 integrity hash chain
Filter by user · entity · action
Pagination, newest first
Splunk HEC pusher
Datadog Logs pusher
Sumo Logic pusher
Generic HTTP pusher (bearer/header/basic)
Before vs after Lumicost
Night and day.
Without Lumicost
Audit trail buried in app logs
Hard to prove no-one tampered with logs
Logs stay locked inside the SaaS
With Lumicost
Dedicated AuditEvent stream
SHA-256 chain detects mutation on read
Continuous SIEM stream (Splunk · Datadog · Sumo)
Where teams use it
Three ways teams put it to work.
SOC 2 Type II evidence
Hand the auditor a single CSV per period, signed and hash-verifiable, instead of three weeks of screenshots.
Insider risk investigation
Trace exactly who saw and dismissed a high-impact recommendation — and when — across all tenants.
MSP customer transparency
Give your customer a per-tenant audit feed they can ingest into their own SIEM.
From the field
“If we control the audit trail and you don't, you don't really have an audit trail. SIEM export is how you keep the receipts.”