Overview#
Picture a financial regulator trying to establish whether a specific analyst accessed a confidential merger dossier at 2 a.m. the night before a market-moving announcement. Without a complete, tamper-evident access log, that investigation stalls immediately. Argus is built to close that gap. Every authentication attempt, authorization decision, and data access operation across your platform is captured with microsecond precision, stored in write-once immutable storage, and made searchable within seconds.
Security teams at government agencies, law enforcement bodies, and critical infrastructure operators use these logs to detect live threats, reconstruct attack timelines, and satisfy auditors from frameworks as varied as SOC 2 and FedRAMP, all from a single interface.
Key Features#
- Comprehensive Event Capture: Every authentication attempt, authorization decision, data access operation, administrative change, and security event is recorded with full context, including actor identity, resource details, and network information.
- Real-Time Suspicious Activity Detection: Automated pattern detection identifies threats such as brute force attacks, credential stuffing, privilege escalation, data exfiltration, and insider threats as they occur, evaluating events against configurable detection rules and behavioural baselines.
- Forensic Search and Analysis: High-performance search across your entire access log history lets security analysts investigate incidents quickly, pivot by entity, reconstruct timelines, and export evidence packages with chain-of-custody tracking.
- Automated Compliance Reporting: Generate audit-ready reports for multiple compliance frameworks in a single action, including executive summaries, access statistics, high-risk activity highlights, and remediation recommendations.
- Immutable Audit Trail: Write-once storage with cryptographic integrity verification ensures that any alteration, deletion, or reordering of access log records is detectable, providing a trustworthy evidence chain for compliance audits and legal proceedings.
- Tiered Storage Management: Automatic lifecycle management moves logs from high-performance storage to cost-optimised archival storage based on age and access patterns, maintaining long-term retention at reduced cost.
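The page does not say which mechanism backs the cryptographic integrity verification of the audit trail. As an added illustration (example code, not Argus's own implementation), the following shows one common approach: a hash chain in which every record commits to the SHA-256 of the record before it, plus a verifier that reports where a chain first breaks. The record layout, the GENESIS sentinel and the sample events are assumptions constructed for the example.

```python
"""Hash-chained audit records with integrity verification.

Added example, not Argus's own implementation: one common way to build the
"cryptographic integrity verification" described above.  Each record stores
the SHA-256 of the record before it, so modifying, deleting or reordering a
record breaks every later link.  Field names and the sample events are
assumptions.
"""
import copy
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first record (sentinel chosen for this example)


def canonical(event: Dict) -> bytes:
    # Sorted keys and fixed separators: the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash: str, event: Dict) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append_record(chain: List[Dict], event: Dict) -> Dict:
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev_hash, "event": event,
              "hash": record_hash(prev_hash, event)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict]) -> int:
    """Return -1 if every link checks out, else the seq of the first bad record."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != expected_prev:
            return i                      # gap, reorder or deletion
        if record_hash(rec["prev_hash"], rec["event"]) != rec["hash"]:
            return i                      # content changed under a stale hash
        expected_prev = rec["hash"]
    return -1


def build_sample_chain() -> List[Dict]:
    # Constructed sample events, not real log data.
    events = [
        {"ts": "2026-04-01T02:03:14.512341Z", "actor": "analyst-17",
         "action": "read", "resource": "dossier/merger-Q2", "decision": "allow"},
        {"ts": "2026-04-01T02:03:15.002218Z", "actor": "analyst-17",
         "action": "export", "resource": "dossier/merger-Q2", "decision": "allow"},
        {"ts": "2026-04-01T02:04:40.771005Z", "actor": "admin-2",
         "action": "grant", "resource": "role/finance-reader", "decision": "allow"},
    ]
    chain: List[Dict] = []
    for ev in events:
        append_record(chain, ev)
    return chain


def tamper_scenarios() -> Dict[str, int]:
    """Run verify_chain against copies of the sample chain after different tampering."""
    base = build_sample_chain()
    results = {"intact": verify_chain(base)}

    c = copy.deepcopy(base)
    c[1]["event"]["decision"] = "deny"             # rewrite a field, leave hash alone
    results["modified"] = verify_chain(c)

    c = copy.deepcopy(base)
    c[1]["event"]["decision"] = "deny"
    c[1]["hash"] = record_hash(c[1]["prev_hash"], c[1]["event"])  # attacker also fixes its hash
    results["modified_rehashed"] = verify_chain(c)  # caught at the next record's prev_hash

    c = copy.deepcopy(base)
    del c[1]                                        # delete a middle record
    results["deleted"] = verify_chain(c)

    c = copy.deepcopy(base)
    del c[-1]                                       # truncate the tail
    results["truncated"] = verify_chain(c)          # passes: the chain alone cannot see this
    return results


if __name__ == "__main__":
    print(tamper_scenarios())
```

The last scenario is the important caveat: silently dropping the newest records passes verification, because nothing after them exists to contradict the chain. A hash chain therefore has to be paired with write-once storage and with an externally anchored chain head (for example a signed or separately published latest hash) before "cannot be tampered with" holds for deletions at the tail.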
How It Works#
When any user, service account, or API key interacts with the Argus platform, the access logging system captures the event with microsecond precision. Each event records the actor's identity and authentication context, the resource being accessed, the action performed, the authorization decision, and relevant security context including risk scoring.
Events flow through the real-time detection engine, which evaluates them against configurable detection rules and behavioural baselines. The system recognises patterns across multiple event types: detecting impossible travel by correlating login locations with time gaps, or identifying data exfiltration by monitoring for unusual download volumes.
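The two patterns named in the paragraph above, implemented as an added illustration (example code, not Argus's detection engine) over constructed sample events. The event field names, the 900 km/h speed threshold, the 5x volume multiplier, the three-day baseline window and the ATT&CK tags attached to each alert are assumptions chosen for the example.

```python
"""Impossible travel and download-volume anomaly detection over sample events.

Added example, not Argus's detection engine: field names, thresholds and the
baseline window are assumptions.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

MAX_PLAUSIBLE_KMH = 900.0   # assumed: faster than an airliner between two logins
VOLUME_MULTIPLIER = 5.0     # assumed: a day above 5x the actor's baseline is anomalous
MIN_BASELINE_DAYS = 3       # assumed: history required before the volume rule fires


def parse_ts(ts: str) -> datetime:
    # Events carry ISO 8601 UTC; fromisoformat wants "+00:00" rather than "Z" before 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a 6371 km sphere."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events: List[Dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Dict]:
    """Flag consecutive successful logins by one actor whose implied speed exceeds max_kmh.

    Only successes count (a failed attempt from afar is a different signal), and events
    are sorted first so out-of-order ingestion cannot yield negative time gaps."""
    logins = sorted((e for e in events if e["type"] == "login" and e["outcome"] == "success"),
                    key=lambda e: parse_ts(e["ts"]))
    last: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for ev in logins:
        prev = last.get(ev["actor"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Same second, different place: treat as infinite speed instead of dividing by zero.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "actor": ev["actor"],
                               "from_ip": prev["src_ip"], "to_ip": ev["src_ip"],
                               "km": round(km), "hours": round(hours, 2),
                               "tactic": "TA0001", "technique": "T1078"})  # Initial Access / Valid Accounts
        last[ev["actor"]] = ev
    return alerts


def detect_volume_anomaly(events: List[Dict], multiplier: float = VOLUME_MULTIPLIER,
                          min_days: int = MIN_BASELINE_DAYS) -> List[Dict]:
    """Flag a day whose downloaded bytes exceed multiplier x the actor's mean over earlier days.

    Actors with fewer than min_days of history are skipped so a new account's first
    busy day does not fire on an empty baseline."""
    per_day: Dict[Tuple[str, object], int] = {}
    for e in events:
        if e["type"] == "download":
            key = (e["actor"], parse_ts(e["ts"]).date())
            per_day[key] = per_day.get(key, 0) + e["bytes"]
    history: Dict[str, List[int]] = {}
    alerts: List[Dict] = []
    for (actor, day), total in sorted(per_day.items()):   # per actor, oldest day first
        hist = history.setdefault(actor, [])
        if len(hist) >= min_days:
            baseline = sum(hist) / len(hist)
            if total > multiplier * baseline:
                alerts.append({"rule": "volume_anomaly", "actor": actor, "day": day.isoformat(),
                               "bytes": total, "baseline_bytes": round(baseline),
                               "tactic": "TA0010"})  # Exfiltration
        hist.append(total)
    return alerts


def sample_events() -> List[Dict]:
    """Constructed sample events, not real log data."""
    ev: List[Dict] = []

    def login(actor, ts, ip, lat, lon, outcome="success"):
        ev.append({"type": "login", "actor": actor, "ts": ts, "src_ip": ip,
                   "lat": lat, "lon": lon, "outcome": outcome})

    def download(actor, ts, nbytes):
        ev.append({"type": "download", "actor": actor, "ts": ts, "bytes": nbytes})

    # analyst-17: London at 08:00 UTC, Sydney 90 minutes later (about 17,000 km)
    login("analyst-17", "2026-04-01T08:00:00Z", "203.0.113.10", 51.5074, -0.1278)
    login("analyst-17", "2026-04-01T09:30:00Z", "198.51.100.7", -33.8688, 151.2093)
    # svc-backup: a failed attempt from New York, then two London successes: no alert
    login("svc-backup", "2026-04-01T03:00:00Z", "192.0.2.44", 40.7128, -74.0060, outcome="failure")
    login("svc-backup", "2026-04-01T03:05:00Z", "203.0.113.20", 51.5074, -0.1278)
    login("svc-backup", "2026-04-01T07:05:00Z", "203.0.113.21", 51.5074, -0.1278)
    # analyst-17: three ordinary days (50/60/40 MB), then 2.4 GB at 02:10
    for day, mb in (("29", 50), ("30", 60), ("31", 40)):
        download("analyst-17", f"2026-03-{day}T10:00:00Z", mb * 1_000_000)
    download("analyst-17", "2026-04-01T02:10:00Z", 2_400_000_000)
    # intern-3: a spike with only one day of history is not flagged
    download("intern-3", "2026-03-31T10:00:00Z", 10_000_000)
    download("intern-3", "2026-04-01T11:00:00Z", 900_000_000)
    return ev


def run_detections() -> List[Dict]:
    events = sample_events()
    return detect_impossible_travel(events) + detect_volume_anomaly(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Two design points carry over to any real rule set: sort by timestamp before computing gaps, because SIEM ingestion is rarely in order, and require a minimum baseline before a ratio rule can fire, or every new account's first real day of work becomes an exfiltration alert.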
Security teams search and analyse logs through the forensic search interface. Investigations can pivot across entities, trace event causation chains, reconstruct attack timelines, and export evidence packages with chain-of-custody tracking. The search interface's own operational logging keeps sensitive material out of INFO-level output: search terms and profile names are written at DEBUG level only, so production log streams stay clean for compliance review.
Suspicious Activity Detection#
The detection engine monitors for the following categories of threats:
- Authentication Abuse: Brute force attacks, credential stuffing, password spraying, impossible travel, session hijacking, and concurrent session anomalies
- Authorization Abuse: Privilege escalation, horizontal privilege violations, permission enumeration, policy violations, after-hours access, and dormant account activity
- Data Exfiltration: Volume anomalies, bulk exports, sequential scanning, off-hours downloads, external transfers, and sensitive data access spikes
- Insider Threats: Pre-resignation activity, policy circumvention, unusual interest patterns, access pattern changes, and concurrent external activity
- System Abuse: Excessive API usage, resource enumeration, unauthorised configuration changes, backdoor creation, audit tampering, and lateral movement
Access Event Types#
The system captures five categories of events:
- Authentication Events: Login attempts, multi-factor challenges, password resets, SSO federation, session lifecycle, and device trust decisions
- Authorization Events: Permission checks, RBAC evaluations, ABAC policy enforcement, privilege escalation attempts, delegation events, and policy violations
- Data Access Events: Read and write operations, bulk operations, search queries, report generation, and API calls
- Administrative Events: Configuration changes, user management, permission modifications, system settings, integration management, and audit configuration changes
- Security Events: Suspicious activity detections, anomaly alerts, security policy violations, compliance violations, failed authorisations, and rate limit violations
Open Standards#
- ArcSight Common Event Format (CEF): Access log events are exported in CEF (version 0), with correctly escaped header fields and extension key-value pairs, enabling direct ingestion into Splunk, Elastic, Microsoft Sentinel, and IBM QRadar.
- IBM Log Event Extended Format (LEEF): LEEF is supported as an alternative export format alongside CEF, providing native compatibility with QRadar deployments that prefer LEEF over CEF for event normalisation.
- Syslog (RFC 5424 / RFC 3164): Syslog transport is a supported delivery mechanism for streaming access log events to external log management and SIEM platforms.
- MITRE ATT&CK: Detected attack patterns are tagged with MITRE ATT&CK tactic and technique identifiers (e.g. lateral movement, credential access, exfiltration), surfaced through the SIEM connector and forensic search interface.
- OAuth 2.0 (RFC 6749): SIEM connector integrations, including Microsoft Sentinel via Azure AD service principals, authenticate using OAuth 2.0 client-credentials flow.
- NIST SP 800-92 (Guide to Computer Security Log Management): Retention tiers, log completeness requirements, and tiered storage lifecycle policies align with NIST SP 800-92 guidance on log collection, protection, and retention periods.
- ISO 8601: All event timestamps are recorded and serialised in ISO 8601 UTC format, ensuring unambiguous chronological ordering for forensic timelines and compliance exports.
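The CEF, syslog and ISO 8601 items above describe an export path; the page does not show the encoding itself. As an added illustration (example code, not Argus's exporter), the following serialises one access event as a CEF version 0 line with the escaping rules the specification requires for header fields (backslash and pipe) and extension values (backslash, equals sign and line breaks), converts the ISO 8601 UTC timestamp to the epoch-millisecond form the `rt` extension expects, carries the ATT&CK technique in a custom string field, and wraps the result in an RFC 5424 syslog header. The event field names, the vendor/product strings and the sample event are assumptions constructed for the example.

```python
"""Export one access event as ArcSight CEF (version 0) inside an RFC 5424 syslog frame.

Added example, not Argus's own exporter: field names, the vendor and product
strings and the sample event are assumptions; the escaping rules follow the
CEF specification.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
VENDOR, PRODUCT, VERSION = "ExampleVendor", "Argus Access Logs", "1.0"  # assumed header values


def parse_iso8601_utc(ts: str) -> datetime:
    # fromisoformat accepts "+00:00" but not "Z" before Python 3.11; reject naive timestamps.
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return dt.astimezone(timezone.utc)


def epoch_ms(ts: str) -> int:
    # CEF's rt field takes milliseconds since the Unix epoch; integer arithmetic
    # avoids float rounding on microsecond-precision timestamps.
    return (parse_iso8601_utc(ts) - EPOCH) // timedelta(milliseconds=1)


def cef_escape_header(value: str) -> str:
    # Header fields are pipe-delimited: escape backslash first, then the pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value: str) -> str:
    # Extension values: escape backslash, '=' and line breaks; a raw '|' is legal here.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: Dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = [VENDOR, PRODUCT, VERSION, event["signature_id"], event["name"], str(event["severity"])]
    ext = {
        "rt": str(epoch_ms(event["ts"])),
        "suser": event["actor"],
        "src": event["src_ip"],
        "act": event["action"],
        "request": event["resource"],
        "outcome": event["decision"],
    }
    if event.get("technique"):
        # ATT&CK technique carried in a labelled custom string, as the SIEM connector item describes.
        ext["cs1Label"] = "attackTechnique"
        ext["cs1"] = event["technique"]
    head = "|".join(cef_escape_header(h) for h in header)
    body = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in ext.items())
    return f"CEF:0|{head}|{body}"


def syslog_frame(event: Dict, msg: str, hostname: str, app: str = "argus") -> str:
    """RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG, '-' for nil."""
    facility = 4                                      # security/authorization messages
    sev = 2 if event["severity"] >= 7 else 4 if event["severity"] >= 4 else 6  # crit / warning / info
    pri = facility * 8 + sev
    ts = parse_iso8601_utc(event["ts"]).isoformat().replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


SAMPLE_EVENT = {  # constructed sample, not real log data
    "ts": "2026-04-01T02:03:14.512341Z",
    "actor": "analyst-17",
    "src_ip": "203.0.113.10",
    "action": "read",
    "resource": "dossier/merger-Q2?rev=final",       # '=' must be escaped in the extension
    "decision": "allow",
    "signature_id": "ACCESS-DATA-READ",
    "name": "Confidential data read | after hours",   # '|' must be escaped in the header
    "severity": 8,
    "technique": "T1078",
}


def export_sample() -> str:
    return syslog_frame(SAMPLE_EVENT, to_cef(SAMPLE_EVENT), "argus-audit-1")


if __name__ == "__main__":
    print(export_sample())
```

Escaping order matters: the backslash must be doubled before the delimiter is escaped, or a literal `\|` in the input would come out as `\\|` and split the header at the wrong place. Pipes are legal inside extension values, which is why the two escape functions differ.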
Compliance#
Access logging supports compliance with the following frameworks:
| Framework | Key Requirements Addressed | Retention Support |
|---|---|---|
| SOX | Financial data access tracking, privileged user monitoring | 7 years |
| HIPAA | PHI access logging, BAA compliance, breach notification | 6 years |
| PCI-DSS | Cardholder data access, administrative activity logging | 1-3 years |
| GDPR | Personal data processing records, right to erasure | Configurable |
| SOC 2 | Security control effectiveness, access log completeness | Per policy |
| FedRAMP | Government system access monitoring | 1-3 years |
Integrations#
Access logs integrate with leading security platforms including SIEM solutions, log management tools, compliance and GRC platforms, and forensic investigation tools. Export options include CSV, JSON, and PDF report formats.
Availability#
- Enterprise Plan: Included
- Professional Plan: Core access logging included; advanced forensic search and compliance reporting available as add-on
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14