# Integrity and event reference

Audit logs are tamper-evident. Each entry includes a content hash and the previous entry hash.

<figure><img src="https://3820804400-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfW6XSzJSKsNyZnOkSJPt%2Fuploads%2FKq0xInt4zly0EgUIev4Y%2FCleanShot%202026-02-09%20at%2013.06.32%402x.png?alt=media&#x26;token=ce63a00d-bea1-4877-8052-d5eceb06a394" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Any change to history breaks the chain.
{% endhint %}

### What we log

Events are grouped into these categories:

* **Authentication**: logins, logouts, password changes, 2FA, session actions
* **Authorization**: access denied attempts
* **Data access**: recording views, downloads, exports
* **Data changes**: create, edit, delete recordings, captures, folders, labels
* **Admin actions**: SSO/SCIM changes, integrations, automation and triage rules
* **Security**: suspicious activity, rate limiting, invalid tokens

### Event reference (examples)

<details>

<summary>Authentication</summary>

* `user.login` (Low)
* `user.login_failed` (Medium)
* `user.password_changed` (Medium)
* `user.two_factor_enabled` (Medium)
* `user.two_factor_disabled` (High)
* `user.saml_login` (Low)
* `user.api_token_created` (Medium)
* `user.api_token_deleted` (Medium)
* `user.mcp_token_created` (Medium)
* `user.mcp_token_deleted` (Medium)

</details>

<details>

<summary>Data</summary>

* `recording.created` (Low)
* `recording.updated` (Low)
* `recording.deleted` (Medium)
* `recording.bulk_deleted` (High)
* `capture.created` (Low)
* `capture.updated` (Low)
* `capture.deleted` (Medium)
* `capture.bulk_deleted` (High)
* `folder.created` (Low)
* `folder.updated` (Low)
* `folder.deleted` (Medium)
* `label.created` (Low)
* `label.updated` (Low)
* `label.deleted` (Low)

</details>

<details>

<summary>Authorization</summary>

* `access.denied` (Medium)

</details>