Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.ultra.security/llms.txt

Use this file to discover all available pages before exploring further.

The Admin Log captures security-relevant events across your organization. It provides an audit trail for compliance and incident investigation.
The Admin Log is restricted to users with Admin or Owner roles. See Roles & Permissions for details.

Events Tracked

The Admin Log captures the following categories of events:

Member Management

  • Member invited to organization
  • Member accepted invitation
  • Member invitation revoked
  • Member removed from organization
  • Member role changed

Authentication

  • Successful login attempts
  • Failed login attempts
  • Account lockout events

Organization & Structure

  • Organization settings changed
  • Team created, updated, or deleted
  • Workspace created, updated, or deleted

Gateway Lifecycle

  • Gateway registered
  • Gateway linked to workspace
  • Gateway unlinked from workspace
  • Gateway archived
  • Diagnostics report uploaded (manual ultra doctor --report only)

Guardrail Configuration

  • Guardrail created (custom guardrails)
  • Guardrail updated (enforcement mode or configuration changed)
  • Guardrail deleted (custom guardrails)
  • Guardrail enabled
  • Guardrail disabled
Creating, deleting, or disabling a security control is logged at warning severity to ensure visibility when protection is removed. Enabling or updating a guardrail is logged at info severity. Each guardrail event includes metadata describing what changed:
FieldDescription
Guardrail slugHuman-readable identifier (e.g., credential-protection)
Categorybuiltin or custom
Enforcement modeThe post-change mode (block, alert, monitor, or redact)
Previous enforcement modeThe pre-change mode, included only when the mode changed
ScopeThe level at which the guardrail is configured (org, workspace, or gateway)

Event Details

Each event in the Admin Log records:
FieldDescription
ActorThe user who performed the action (name and email)
TargetThe entity affected by the action (user, team, workspace, or gateway)
ActionWhat was done (e.g., “member.invited”, “role.changed”)
TimestampWhen the event occurred (UTC)
IP AddressThe IP address of the actor

Viewing the Admin Log

The Admin Log is accessible from the Hub web interface:
  1. Navigate to your organization in Hub
  2. Select Admin Log from the sidebar
  3. Browse events chronologically (newest first)
Events can be filtered by action type, actor, target, and time range.