Audit Trail
An audit trail is a chronological, tamper-evident record of who did what, when and to which resource across a system. In identity and access management it captures logins, permission changes, approvals and administrative actions, providing the evidence needed for incident investigation, access certification and compliance with frameworks like SOX, ISO 27001 and GDPR. Effective audit trails are complete, time-stamped, immutable and retained for a defined period.
Definition
Chronological record of identity events — authentication, authorization decisions, provisioning actions, configuration changes, certification responses. Tamper-evident storage (append-only logs, cryptographic chaining). Required by PCI DSS Req 10, HIPAA Audit Controls, SOX, ISO 27001 A.12.4.
Application
- MidPoint: Audit trail is a record of essential information, meant to be used as evidence in audit reviews.
Standards & regulations
- ISO/TS 27789:2013 «audit trail: chronological record of system activities that permits reconstruction and examination of the sequence of events and/or changes in an event»
- NIST SP 800-53 Rev. 5 «Audit records contain sufficient information to establish what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the ide»
- NIST SP 800-205 «An audit trail providing approval of changes to attributes and values for later reviews and rollback [...] ensures that changes to attributes are authorized and traceable.»
Sources
- NIST SP 800-92, Guide to Computer Security Log Management (primary source)
Related terms
- Audit: Independent examination of identity controls, processes, and records to verify compliance with policy and regulatory req …
- Privileged Session Management (PSM): PAM capability that records, monitors, and analyzes sessions involving privileged credentials — SSH sessions to servers, …
- Remediation (Rem): Action taken to correct an identified identity risk or policy violation — disable orphan account, revoke excessive entit …
- Risk Assessment (RA): Systematic process to identify, analyze, and evaluate identity-related risks. Outputs: risk register with likelihood × i …
- Compliance: Adherence to applicable laws, regulations, standards, and internal policies governing identity and access management. Co …
- Access Control (AC): Mechanism that determines whether a principal is permitted to perform a specific action on a specific resource. Includes …
Frequently asked questions
Why are audit trails important in IAM?
They answer the auditor's and investigator's core question — who had access and what did they do. Without a reliable trail you cannot prove least privilege, detect misuse, or reconstruct an incident.
What makes an audit trail trustworthy?
Completeness with no silent gaps, accurate timestamps, integrity protection so entries cannot be altered or deleted, and clear retention. Forwarding logs to a separate write-once store (SIEM) helps ensure they survive an attacker.
How long should audit logs be kept?
Retention is driven by regulation and risk — often one year minimum, longer for financial or regulated data. Define it in policy and enforce it consistently.