Summand’s audit trail covers two surfaces:
| Surface | Where it lives | What it covers |
| --- | --- | --- |
| Identity events | WorkOS Admin Portal + Log Streams | Sign-ins, MFA challenges, SSO connection changes, SCIM provisioning, role changes, session events |
| Application events | Summand AWS CloudWatch | Dataset creation, sharing changes, view and experiment edits, analysis runs, PDF exports |

Both are retained for 6+ years to meet HIPAA requirements, and both are queryable.

Viewing identity audit logs

In Summand, go to Settings → Organization → Audit Logs → Configure. The link opens a one-time WorkOS Admin Portal session pointed at the audit log viewer. Every event has:
  • Timestamp (UTC)
  • Actor (user ID, email, IP address, user agent)
  • Event type (user.signed_in, connection.activated, sso.session_created, etc.)
  • Result (success / failure)
  • Context (which org, which connection, which target)
You can filter by date range, event type, actor, and result.

Streaming to your SIEM

For real-time monitoring and longer retention, forward events to your SIEM via Log Streams:
1. Open Log Streams: Settings → Organization → Log Streams → Configure.
2. Pick a destination: Datadog, Splunk, AWS S3, or generic HTTPS webhook are supported.
3. Configure the destination: Provide the API key / endpoint URL the destination requires. The portal validates the connection before saving.
4. Verify events arrive: Sign in or trigger a test event; you should see it in your SIEM within 30 seconds.

A common pattern: route events to S3 for long-term archive and to Datadog for real-time alerting. Multiple log streams can run in parallel.

What to alert on

Suggested alerting rules:
  • Spike in failed logins (user.signed_in_failed) from a single IP
  • Multiple SSO connection changes (connection.activated, connection.deactivated) outside change windows
  • Unexpected role escalations (organization_membership.role_changed to admin or owner)
  • MFA factor deletions (authentication_factor.deleted)
  • SCIM provisioning failures (directory.sync_failed)
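
An added example (not Summand or WorkOS code) that applies the suggested rules to parsed log-stream events, such as those received by an HTTPS webhook. The JSON field names, the threshold, the window and the sample events are assumptions constructed for illustration; only the event type names come from this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed field names (occurred_at, action, actor, context): map them to
# whatever your log stream actually delivers.
ALWAYS_ALERT = {"authentication_factor.deleted", "directory.sync_failed"}
SSO_CHANGES = {"connection.activated", "connection.deactivated"}
PRIVILEGED = {"admin", "owner"}

def evaluate(events, change_windows=(), threshold=5, window=timedelta(minutes=5)):
    """Return (rule, subject, timestamp) alerts for time-ordered events."""
    alerts, failures, spiking = [], defaultdict(deque), set()
    for ev in events:
        ts = datetime.fromisoformat(ev["occurred_at"])
        action, actor = ev["action"], ev["actor"]
        if action == "user.signed_in_failed":
            q = failures[actor["ip"]]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and actor["ip"] not in spiking:
                spiking.add(actor["ip"])   # one alert per burst, not per event
                alerts.append(("failed_login_spike", actor["ip"], ts))
            elif len(q) < threshold:
                spiking.discard(actor["ip"])
        elif action in SSO_CHANGES:
            # Simplification: flags every change outside an approved window.
            if not any(start <= ts < end for start, end in change_windows):
                alerts.append(("sso_change_outside_window", actor["email"], ts))
        elif action == "organization_membership.role_changed":
            if ev["context"].get("new_role") in PRIVILEGED:
                alerts.append(("role_escalation", ev["context"]["target"], ts))
        elif action in ALWAYS_ALERT:
            alerts.append((action, actor["email"], ts))
    return alerts

def _ev(ts, action, ip="203.0.113.7", email="a@example.com", **context):
    return {"occurred_at": f"2024-05-01T{ts}+00:00", "action": action,
            "actor": {"ip": ip, "email": email}, "context": context}

# Constructed sample events, not real log output.
SAMPLE = [_ev(f"10:00:{s:02d}", "user.signed_in_failed") for s in range(0, 50, 10)] + [
    _ev("10:02:00", "organization_membership.role_changed",
        target="b@example.com", new_role="admin"),
    _ev("10:03:00", "authentication_factor.deleted"),
    _ev("10:04:00", "connection.deactivated"),
]
```

Pass approved change windows as timezone-aware `(start, end)` datetime pairs so they compare correctly with the UTC event timestamps.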

Application-level audit (Summand-side)

In addition to identity events, Summand logs application events to CloudWatch:
| Event | What's logged |
| --- | --- |
| Connector created / updated / deleted | Actor, kind, connector ID |
| Dataset created / updated / deleted | Actor, dataset ID, source connector |
| View created / updated / deleted | Actor, view ID, name |
| Experiment created / updated / deleted | Actor, experiment ID, components, schedule |
| Experiment run started / completed / failed | Actor, experiment ID, run ID, status |
| Share grant added / changed / revoked | Actor, target user, role |
| Visibility change | Actor, dataset ID, before / after |
| Analysis run started / completed / failed | Actor, dataset ID, version |
| PDF export | Actor, dataset ID, version |

Enterprise customers can request that these events be forwarded to their SIEM via the same Log Streams plumbing; contact support to enable.

Retention

| Surface | Retention |
| --- | --- |
| Identity audit logs (WorkOS) | 6 years |
| Application audit logs (CloudWatch) | 6 years (Enterprise), 1 year (other tiers) |
| User sign-in sessions | Managed by WorkOS; configurable per-org for Enterprise |

Six-year retention satisfies HIPAA’s audit requirement. ISO 27001 and SOC 2 audits accept the same retention period. For litigation hold or regulatory retrieval requests:
  • The WorkOS audit log can be exported via the portal in CSV or JSON.
  • CloudWatch logs can be exported via your AWS account if Enterprise log forwarding is set up; otherwise, contact Summand support and we’ll export for you within 5 business days.