User Activity Monitoring
Track user actions, audit security events, and maintain compliance with comprehensive activity logs.
Why Monitor User Activity?
User activity monitoring provides visibility into how your team interacts with CastellanAI, helping you maintain security, ensure compliance, and investigate incidents.
| Purpose | Description |
|---|---|
| Security | Detect unauthorized access and suspicious behavior patterns |
| Compliance | Meet audit requirements for SOC 2, HIPAA, and PCI DSS |
| Investigation | Reconstruct incident timelines and perform root cause analysis |
What Gets Logged?
CastellanAI automatically logs all significant user actions and system events:
Authentication Events
- Successful and failed login attempts
- MFA setup, modifications, and authentication events
- Password changes and resets
- Session creation and termination
- Account lockouts and unlocks
User Management
- User account creation and deletion
- Role and permission changes
- Profile updates (email, name, preferences)
- Team invitations sent and accepted
- Access control policy modifications
Security Operations
- Security event investigations and comments
- Response action executions (block IP, isolate host, etc.)
- Detection rule creation and modifications
- Incident workflow status changes
- Threat remediation actions
Configuration Changes
- System settings modifications
- Notification preferences and integrations
- Alert thresholds and correlation rules
- Agent configuration updates
- API key generation and revocation
Data Access & Export
- Security event views and searches
- Report generation and downloads
- Data exports (CSV, JSON, PDF)
- API access and queries
- Dashboard views and filter usage
Viewing Activity Logs
Step 1: Access the Activity Log
Navigate to the Activity Log page to view all user actions and system events.
Navigation Path: Profile → Activity Log
Or: Settings → Security → Audit Log (Administrator only)
Step 2: Filter by Activity Type
Use filters to narrow down to specific activity categories or time ranges.
Activity Types:
- Authentication
- User Management
- Security Operations
- Configuration
- Data Access
Time Ranges:
- Last 24 hours
- Last 7 days
- Last 30 days
- Custom date range
Step 3: Search for Specific Events
Use the search bar to find specific users, actions, or resources.
Example Searches:
- user:john@example.com - All actions by user
- action:login - All login attempts
- resource:detection-rule-123 - Changes to specific rule
- status:failed - Failed actions only
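The search syntax above can be applied outside the UI too, for instance to a JSON export. The following is an added example, not CastellanAI's own code: it parses the documented `user:`, `action:`, `resource:` and `status:` keys, ANDs the terms, treats bare words as free text, and rejects unknown keys so a typo does not silently widen a search. The entry field names and the sample entries are assumptions constructed for the example.

```python
"""Filter activity-log entries with the key:value search syntax.

Added example, not CastellanAI's own code. Models the Activity Log
search keys (user:, action:, resource:, status:): key:value terms are
ANDed, bare words match any field as free text. Entry field names and
the sample entries are assumptions constructed for this example.
"""
from __future__ import annotations

import shlex

# Search keys the Activity Log documents, mapped to entry fields (assumed names).
SEARCH_FIELDS = {"user": "user", "action": "action", "resource": "resource", "status": "status"}

# Constructed sample entries, not real log data.
SAMPLE_ENTRIES = [
    {"timestamp": "2025-01-15T08:01:00Z", "user": "john@example.com", "action": "login",
     "resource": "session", "status": "failed", "ip": "203.0.113.5"},
    {"timestamp": "2025-01-15T08:02:00Z", "user": "john@example.com", "action": "login",
     "resource": "session", "status": "success", "ip": "203.0.113.5"},
    {"timestamp": "2025-01-15T09:30:00Z", "user": "alice@example.com", "action": "rule.update",
     "resource": "detection-rule-123", "status": "success", "ip": "198.51.100.7"},
    {"timestamp": "2025-01-15T22:10:00Z", "user": "alice@example.com", "action": "login",
     "resource": "session", "status": "failed", "ip": "198.51.100.9"},
    {"timestamp": "2025-01-16T10:00:00Z", "user": "bob@example.com", "action": "export",
     "resource": "report-42", "status": "success", "ip": "192.0.2.20"},
]


def parse_query(query: str) -> tuple[dict[str, str], list[str]]:
    """Split 'user:x action:login foo' into ({"user": "x", "action": "login"}, ["foo"]).

    An unknown key raises instead of degrading to free text, so a typo such
    as 'usr:' does not quietly turn an exact filter into a substring search.
    """
    filters: dict[str, str] = {}
    free_text: list[str] = []
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if not sep:
            free_text.append(token.lower())
            continue
        field = SEARCH_FIELDS.get(key.lower())
        if field is None:
            raise ValueError(f"unknown search key {key!r}; expected one of {sorted(SEARCH_FIELDS)}")
        if not value:
            raise ValueError(f"search key {key!r} needs a value")
        filters[field] = value.lower()
    return filters, free_text


def matches(entry: dict, filters: dict[str, str], free_text: list[str]) -> bool:
    """Exact match on each key:value filter, substring match for free text."""
    for field, value in filters.items():
        if str(entry.get(field, "")).lower() != value:
            return False
    haystack = " ".join(str(v) for v in entry.values()).lower()
    return all(word in haystack for word in free_text)


def search(entries: list[dict], query: str) -> list[dict]:
    """Return the entries matching every term of the query."""
    filters, free_text = parse_query(query)
    return [e for e in entries if matches(e, filters, free_text)]


if __name__ == "__main__":
    for q in ("user:john@example.com", "action:login status:failed", "resource:detection-rule-123"):
        print(f"{q!r}: {len(search(SAMPLE_ENTRIES, q))} hit(s)")
```

Key:value terms are exact matches on the field, which is what an auditor usually wants for `user:` and `resource:`; free text is a case-insensitive substring match across all fields, so `203.0.113.5` on its own still finds entries by IP.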
Step 4: View Event Details
Click any log entry to see comprehensive details about the activity.
Each entry includes:
- Timestamp (UTC and local)
- User identity and email
- Action performed
- Resource affected
- IP address and location
- User agent (browser/device)
- Success or failure status
- Before/after values (if applicable)
Exporting Activity Logs
Export activity logs for compliance, reporting, or external analysis.
CSV Export
Export filtered activity logs to CSV format for spreadsheet analysis or import into other systems.
Activity Log → Export → CSV
JSON Export
Export in JSON format for programmatic processing or integration with SIEM systems.
Activity Log → Export → JSON
PDF Report
Generate formatted PDF reports for audit documentation and compliance evidence.
Activity Log → Export → PDF Report
API Access
Query activity logs programmatically using the CastellanAI API.
GET /api/v1/activity-logs?start_date=2025-01-01&end_date=2025-01-31
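Combined with the JSON export, the API is the natural way to automate the archiving that the retention section below asks for. The following is an added example, not CastellanAI's own client: it builds the documented `start_date`/`end_date` request, writes the returned entries as canonical JSON lines and stores a SHA-256 beside the file so a later audit can show the archive was not altered. The bearer-token header, the JSON-array response shape and the absence of paging are assumptions to check against the real API documentation; the entries in `CONSTRUCTED_RESPONSE` are made up for the offline demo.

```python
"""Pull activity logs for a date range over the CastellanAI API and
archive them with an integrity hash for long-term retention.

Added example, not CastellanAI's own client. The endpoint and the
start_date/end_date parameters come from the documentation; the bearer
token header, the JSON-array response shape and the absence of paging
are assumptions to verify against the real API before use.
"""
from __future__ import annotations

import datetime as dt
import hashlib
import json
import tempfile
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Callable

ENDPOINT = "/api/v1/activity-logs"


def build_url(base_url: str, start_date: str, end_date: str) -> str:
    """Validate the ISO dates and build the documented query URL."""
    start = dt.date.fromisoformat(start_date)
    end = dt.date.fromisoformat(end_date)
    if end < start:
        raise ValueError("end_date must not precede start_date")
    query = urllib.parse.urlencode({"start_date": start.isoformat(), "end_date": end.isoformat()})
    return f"{base_url.rstrip('/')}{ENDPOINT}?{query}"


def fetch_logs(url: str, token: str) -> list[dict]:
    """GET the URL with a bearer token (assumed auth scheme) and parse the JSON array."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        entries = json.load(resp)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of activity-log entries")
    return entries


def archive_logs(entries: list[dict], out_path: Path) -> str:
    """Write entries as canonical JSON lines and record the file's SHA-256 beside it."""
    with out_path.open("w", encoding="utf-8") as fh:
        for entry in entries:
            fh.write(json.dumps(entry, sort_keys=True, separators=(",", ":")) + "\n")
    digest = hashlib.sha256(out_path.read_bytes()).hexdigest()
    out_path.with_name(out_path.name + ".sha256").write_text(f"{digest}  {out_path.name}\n")
    return digest


def verify_archive(out_path: Path) -> bool:
    """Recompute the hash and compare with the stored one (tamper/corruption check)."""
    stored = out_path.with_name(out_path.name + ".sha256").read_text().split()[0]
    return hashlib.sha256(out_path.read_bytes()).hexdigest() == stored


def archive_range(base_url: str, token: str, start_date: str, end_date: str,
                  out_dir: str | Path,
                  fetch: Callable[[str, str], list[dict]] = fetch_logs) -> dict:
    """Fetch one date range and archive it; `fetch` is injectable for offline tests."""
    entries = fetch(build_url(base_url, start_date, end_date), token)
    out_path = Path(out_dir) / f"activity-logs_{start_date}_{end_date}.jsonl"
    digest = archive_logs(entries, out_path)
    return {"path": str(out_path), "count": len(entries), "sha256": digest}


# Constructed entries standing in for an API response (not real data).
CONSTRUCTED_RESPONSE = [
    {"timestamp": "2025-01-03T09:00:00Z", "user": "john@example.com", "action": "login",
     "status": "success"},
    {"timestamp": "2025-01-10T14:20:00Z", "user": "alice@example.com", "action": "rule.update",
     "resource": "detection-rule-123", "status": "success"},
    {"timestamp": "2025-01-28T23:05:00Z", "user": "bob@example.com", "action": "export",
     "status": "success"},
]


def demo() -> dict:
    """Run the archive flow offline with the constructed response, then check tamper detection."""
    def fake_fetch(url: str, token: str) -> list[dict]:
        assert url.endswith("start_date=2025-01-01&end_date=2025-01-31")
        return CONSTRUCTED_RESPONSE

    with tempfile.TemporaryDirectory() as tmp:
        result = archive_range("https://castellan.example", "PLACEHOLDER_TOKEN",
                               "2025-01-01", "2025-01-31", tmp, fetch=fake_fetch)
        path = Path(result["path"])
        result["verified"] = verify_archive(path)
        # Simulate post-archive tampering: an appended line must break verification.
        with path.open("a", encoding="utf-8") as fh:
            fh.write('{"action":"login","user":"mallory@example.com"}\n')
        result["tamper_detected"] = not verify_archive(path)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Canonical serialisation (`sort_keys`, fixed separators) means two archives of the same entries hash identically, so the stored digest can be compared across re-exports. For real use, schedule `archive_range` per month before the tier's retention period expires and keep the `.sha256` files with the archive.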
Activity Log Retention
Activity logs are retained based on your subscription tier and compliance requirements:
| Subscription Tier | Retention Period | Export Available |
|---|---|---|
| Small Business | 90 days | Yes |
| Medium Business | 1 year | Yes |
| Enterprise | 7 years (configurable) | Yes + API |
Compliance Tip: Regularly export and archive activity logs to meet long-term compliance requirements (e.g., SOX, GDPR, HIPAA).
Activity-Based Alerts
Configure alerts to notify you of suspicious or important user activities:
Failed Login Attempts
Alert after 5 failed login attempts within 15 minutes from the same user or IP address.
Privilege Escalation
Alert when user roles or permissions are changed, especially to Administrator role.
After-Hours Access
Alert when users access the system outside of defined business hours.
Unusual Data Export
Alert on large data exports or downloads exceeding defined thresholds.
Configuration Changes
Alert when critical system settings or detection rules are modified or deleted.
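To show what these rules amount to when run over the log, here is an added example that is not CastellanAI's alerting engine. It implements three of the alerts above as detection logic over activity-log entries: a sliding 15-minute window that fires on the fifth failed login per user and per IP, a rule that flags role changes whose after-value grants Administrator, and an after-hours check. The entry field names, the 08:00 to 18:00 business-hours window and the sample entries are assumptions constructed for the example.

```python
"""Activity-based alert rules evaluated over activity-log entries.

Added example, not CastellanAI's alerting engine. It implements three of
the rules described on the page: five failed logins within 15 minutes
from the same user or IP, role changes that grant Administrator, and
access outside business hours. The entry field names, the business-hours
window and the sample entries are assumptions constructed here.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, time, timedelta

FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=15)
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed policy, evaluated on the UTC timestamp


def parse_ts(value: str) -> datetime:
    """Parse the UTC ISO-8601 timestamp used in the sample entries."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_login_alerts(entries: list[dict]) -> list[dict]:
    """Sliding window of failed-login times per user and per IP; alert when a window fills."""
    windows: dict[tuple[str, str], deque] = defaultdict(deque)
    alerts = []
    for entry in sorted(entries, key=lambda e: e["timestamp"]):
        if entry["action"] != "login" or entry["status"] != "failed":
            continue
        ts = parse_ts(entry["timestamp"])
        for key in (("user", entry["user"]), ("ip", entry["ip"])):
            window = windows[key]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            # Fire exactly when the threshold is reached, not again on every
            # later attempt while the window stays full.
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "failed_logins", "subject": f"{key[0]}={key[1]}",
                               "at": entry["timestamp"]})
    return alerts


def privilege_escalation_alerts(entries: list[dict]) -> list[dict]:
    """Flag role changes whose after-value grants Administrator (assumed field layout)."""
    alerts = []
    for entry in entries:
        after = entry.get("after") or {}
        if entry["action"] == "role.change" and after.get("role") == "Administrator":
            alerts.append({"rule": "privilege_escalation", "subject": entry["resource"],
                           "by": entry["user"], "at": entry["timestamp"]})
    return alerts


def after_hours_alerts(entries: list[dict]) -> list[dict]:
    """Flag any activity whose time of day falls outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    alerts = []
    for entry in entries:
        t = parse_ts(entry["timestamp"]).time()
        if not (start <= t < end):
            alerts.append({"rule": "after_hours", "subject": f"user={entry['user']}",
                           "at": entry["timestamp"]})
    return alerts


def evaluate(entries: list[dict]) -> list[dict]:
    """Run every rule and return the combined alert list."""
    return (failed_login_alerts(entries) + privilege_escalation_alerts(entries)
            + after_hours_alerts(entries))


def _entry(ts: str, user: str, action: str, status: str, ip: str, **extra) -> dict:
    return {"timestamp": ts, "user": user, "action": action, "status": status, "ip": ip, **extra}


# Constructed sample entries, not real log data: six failed logins by one user
# from one IP two minutes apart, a seventh failure from a second user on that
# IP, a normal login, a 02:00 login, and a role change to Administrator.
SAMPLE_ENTRIES = [
    *[_entry(f"2025-01-15T09:{m:02d}:00Z", "john@example.com", "login", "failed", "203.0.113.5")
      for m in (0, 2, 4, 6, 8, 10)],
    _entry("2025-01-15T09:12:00Z", "alice@example.com", "login", "failed", "203.0.113.5"),
    _entry("2025-01-15T10:00:00Z", "john@example.com", "login", "success", "203.0.113.5"),
    _entry("2025-01-15T02:00:00Z", "bob@example.com", "login", "success", "198.51.100.7"),
    _entry("2025-01-15T14:00:00Z", "alice@example.com", "role.change", "success", "198.51.100.9",
           resource="user:bob@example.com", before={"role": "Analyst"}, after={"role": "Administrator"}),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_ENTRIES):
        print(alert)
```

On the sample data the failed-login rule fires twice at the fifth attempt (once for the user key, once for the IP key) and stays quiet for the sixth and seventh attempts, which is the behaviour you want to avoid alert storms; the role change and the 02:00 login each produce one alert. Keying on both user and IP is what lets the rule catch password spraying (many users, one IP) as well as a brute force against a single account.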
Best Practices
- Regular Review Schedule - Review activity logs weekly (Administrator) or daily (Security Analyst) to identify patterns and anomalies.
- Automate Compliance Reporting - Schedule automatic exports to meet audit requirements and reduce manual reporting burden.
- Configure Activity-Based Alerts - Set up alerts for critical activities to enable rapid response to security incidents.
- Correlate with Security Events - Cross-reference user activity logs with security event data for comprehensive incident investigation.
- Archive for Long-Term Storage - Export and archive logs before they expire to meet regulatory retention requirements.
What's Next?
- Access Control Policies - Configure access control policies and IP restrictions
- Multi-Factor Authentication - Enhance security with MFA setup and management