GH GambleHub

Audit Trail Activity Tracking

1) What is an audit trail and why it is needed

Audit trail is a provable chain of events about operations with systems and data: who, what, where, when and in what way did it, with what result and on the basis of what request/ticket.

Objectives:
  • Evidence for regulators and auditors.
  • Investigations and response (time line of incidents, root cause).
  • Confirmation of policy execution (SoD, retention, deletion/anonymization).
  • Supervision of third parties and sub-processors.

2) Scope (minimum enrollment)

Identities and access (IAM/IGA): login/login, issue/revocation of roles, escalation of privileges, JIT access.
Data and privacy: reading/changing PI fields, uploads, masking, deletion/TTL, Legal Hold.
Finance/transactions: creation/update/cancellation, limits, reversals, anti-fraud actions.
Infrastructure/cloud: configuration changes, secrets, keys, KMS/HSM operations.
SDLC/DevSecOps: builds, deploy, match gates, library pull-up (SCA), secret scan.
Operations/ITSM: Incidents, Changes, Releases, Escalations, DR/BCP Tests.
Webhooks/3rd-party: incoming/outgoing calls, signature, validation results.

3) Event model (canonical format)

Recommended JSON (structured/OTel compatible): 
json
{
"ts": "2025-11-01T11:23:45.678Z",
"env": "prod",
"tenant": "eu-1",
"system": "iam",
"domain": "access",
"actor": {"type":"user","id":"u_123","source":"sso","ip":"0.0.0.0"},
"subject": {"type":"role","id":"finance_approver"},
"action": "grant",
"reason": "ITSM-12345",
"result": "success",
"severity": "info",
"labels": {"jurisdiction":"EEA","pii":"no","sod_check":"passed"},
"trace": {"request_id":"r_abc","trace_id":"t_456","span_id":"s_789"},
"integrity": {"batch":"b_20251101_11","merkle_leaf":"..."}
}

Required fields are 'ts, actor, action, subject, result'.
Recommended: 'reason (ticket/order), trace_id/request_id, tenant, jurisdiction'.

4) Principles of quality and semantics

Strictly structured: JSON/OTel only; a single dictionary of fields and action codes.
Time synchronization: NTP/PTP, store 'ts' and 'received _ at'.
Correlation is' trace _ id '/' request _ id'for end-to-end tracing.
Idempotency of records: deterministic keys of batches, protection against duplicates.
Actor normalization: person/service/bot/vendor with authentication source.

5) Audit trail architecture

1. Producers: applications, platforms, clouds, host agents.
2. Collectors/bus: reliable delivery (TLS/mTLS, retrai, back-pressure, dedup).
3. Enrichment/normalization: uniform schemes, role/jurisdiction mapping.

4. Storage:
  • Hot (search/analytics) - 30-90 days.
  • Cold (object/archive) - 1-7 years, depending on the norms.
  • WORM/Object Lock - evidential immutability.
  • 5. Integrity: signature of batches, chains of hashes, daily anchoring (merkly roots).
  • 6. Access: RBAC/ABAC, case-based access.
  • 7. Analytics/alerts: SIEM/SOAR, correlations, behavioral rules.
  • 8. Event catalog: schema version, activity reference, schema tests in CI.

6) Immutability and legal significance

WORM/Object Lock: prevent deletion/rewriting for the duration of the claim.
Cryptographic fixation: SHA-256 batches, merkly trees, external anchoring (on schedule).
Chain of Custody: log of access to the log (who and when read/exported), hash receipts in reports.
Regular verification: integrity tasks; alert during desynchronization.

7) Privacy and minimization

Minimize PI: log hashes/tokens, mask fields (email/phone/IP).
Context instead of content: capture "actual operation," not full payload.
Jurisdictions and borders: storage by country (data residency), marks for cross-border transfer.
DSAR and depersonalization: labels for quick search, export with masking.

8) Access control (who sees audit trail)

RBAC/ABAC: Analyst sees minimum; export by application/case only.
Case-based access: investigation/audit → temporary access with logging.
Segregation of Duties: prohibiting system admins from editing their own traces.
Monthly certification: re-certification of read/export rights.

9) Retension, Legal Hold and Removal

Storage schedules: by domains and norms (for example, access - 1 year, financial transactions - 5-7 years).
Legal Hold: immediate freeze of relevant events, priority over TTL.
Deletion confirmation: report with hash summary of deleted batches.
End-to-end retention for 3rd-party: contractual storage/access/deletion SLAs.

10) Dashboards and reports

Coverage: which systems/jurisdictions are covered; spaces.
Integrity/WORM - status of anchoring and integrity checks.
Access to Audit Trail: Who's Watching/What's Exporting; anomalies.
Change & Admin Activity: sensitive actions (privileges, keys, secrets).
Privacy Lens: Events over PI, DSAR/deletions, Legal Hold.
Compliance View: readiness "by button" for audits/requests.

11) Metrics and SLO

Ingestion Lag p95 ≤ 60 sec

Drop Rate = 0 (alert> 0. 001%).
Schema Compliance ≥ 99. 5%.
Integrity Pass = 100% of checks.
Coverage Critical Systems ≥ 98%.
Access Review SLA: 100% monthly entitlement assessments.
PII Leak Rate: 0 critical in audit trail.

12) SOP (standard procedures)

SOP-1: Source Connection

1. Source and criticality registration → 2) selection of the/OTel → 3) TLS/mTLS scheme, keys → 4) dry-run (validation of schemes/masks) → 5) release to production → 6) inclusion in directories and dashboards.

SOP-2: Response to Regulatory Request/Audit

Open the case → filter events by object/period → export with a hash receipt → legal review → send via the official channel → archive to WORM.

SOP-3: Incident (DFIR)

Freeze (Legal Hold) → trace_id timeline → extract artifacts (key actions) → report with evidence → CAPA and update detections.

SOP-4: TTL Deletion

Identify batches ready for deletion → check for missing Legal Hold → delete → generate a deletion report with a hash summary.

13) Rule/Query Examples

Searching for critical escalation of privileges (SQL pseudo)

sql
SELECT ts, actor.id, subject.id
FROM audit_events
WHERE domain='access' AND action='grant'
AND subject.id IN ('admin','db_root','kms_manager')
AND reason NOT LIKE 'ITSM-%'
AND ts BETWEEN @from AND @to;

SoD rule (pseudo-Rego)

rego deny_if_sod_conflict {
input.domain == "access"
input.action == "grant"
input.subject.id == "payment_approver"
has_role(input.actor.id, "payment_creator")
}

Filter on DSAR (JSONPath)


$.events[?(@.domain=='privacy' && @.action in ['dsar_open','dsar_close','delete'])]

14) Mapping to ratios (benchmarks)

GDPR (Art. 5, 30, 32, 33, 34): minimization, action accounts, processing security, incident-notifications; DSAR/deletion/Legal Hold.
ISO/IEC 27001/27701: A.12/A. 18 - journaling, evidence management, privacy.
SOC 2 (CC6/CC7/CC8): access control, monitoring, incident handling, log integrity.
PCI DSS (10. x): traceability of actions on map data and systems, daily review, log integrity.

15) Integration with other functions

Compliance-as-Code/CCM: policy tests are executed and logged; alerts - for deviations.
RBA (risk audit): samples and reperforms according to audit trail data.
Vendor Risk: audit and export rights in contracts; mirror retention with contractors.
Policy Lifecycle - changes to requirements → auto-generation of new rules and schema fields.

16) Antipatterns

"Free text" without schemas and semantics.
Inability to associate an event with a ticket/reason.
Access "for all" without case and read logging.
Lack of WORM/signature - disputed evidence.
Mixing time zones and out of sync 'ts '/' received _ at'.
Logging "full" PI/secrets instead of hashes/masks.

17) Maturity model (M0-M4)

M0 Manual: scattered logs, incomplete coverage, no retention.
M1 Centralized collection: basic search, partially unified format.
M2 Managed: event directory, schemas as code, retention/Legal Hold, RBAC.
M3 Assured: WORM+анкеринг, case-based access, KPI/SLO, auto-evidence.

M4 Continuous Assurance: trace, predictive detection, "audit-ready by button."

18) Related wiki articles

Logging and Logging

Continuous Compliance Monitoring (CCM)

KPIs and compliance metrics

Legal Hold and Data Freeze

Policies and Procedures Lifecycle

Communication of compliance solutions

Compliance Policy Change Management

Due Diligence and Outsourcing Risks

Result

A strong audit trail is structured, unchangeable and contextual events with clear access "by case," end-to-end tracing and controlled retention. Such a system speeds up investigations, makes inspections predictable and turns compliance into a reproducible, measurable process.

Contact

Get in Touch

Reach out with any questions or support needs.We are always ready to help!

Start Integration

Email is required. Telegram or WhatsApp — optional.

Your Name optional
Email optional
Subject optional
Message optional
Telegram optional
@
If you include Telegram — we will reply there as well, in addition to Email.
WhatsApp optional
Format: +country code and number (e.g., +380XXXXXXXXX).

By clicking this button, you agree to data processing.