Python SDKSlack

Arize Audit Log

Audit Logs are currently an opt-in feature. If you are interested in enabling this capability for your account, please reach out to support@arize.com.

Logoarize_audit_log_tutorial.ipynbGoogle Docs

Overview

Audit Logs provide a comprehensive record of user activities within your Arize account. They are valuable for:

  • Security monitoring and compliance

  • Tracking login attempts

  • Monitoring data access

  • Ensuring adherence to internal policies

  • Investigating suspicious activities

Types of Audit Logs

Arize provides three types of audit logs, each capturing different aspects of user interaction with the platform:

1. Unauthenticated Audit Logs

These logs capture user login attempts, whether successful or unsuccessful. They include:

  • Email address

  • IP address

  • Success/failure status

  • Timestamp of the login attempt

Example Query

query GetUnauthenticatedAuditLogs(
  $num: Int!,
  $startTime: DateTime,
  $endTime: DateTime,
  $cursor: String
) {
  account {
    unauthenticatedAuditLogs(
      first: $num,
      startTime: $startTime,
      endTime: $endTime,
      after: $cursor
    ) {
      pageInfo {
        hasNextPage
        endCursor
      }
      edges {
        node {
          id
          user {
            email
          }
          ip
          success
          mutationName
          loggedAt
        }
      }
    }
  }
}

2. Authenticated Audit Logs

These logs record mutations (operations) performed by users after they have successfully logged in. They include:

  • Email address of the user

  • Operation name

  • Operation text (the GraphQL query)

  • Variables passed to the operation

  • Timestamp of the operation

Note: The operationName field is client-supplied. When using the Arize UI, these will be consistent, but be aware that this field can be manipulated by clients and should not be solely relied upon for security-critical decisions.

Example Query

query GetAuthenticatedAuditLogs(
  $num: Int!,
  $startTime: DateTime,
  $endTime: DateTime,
  $cursor: String
) {
  account {
    authenticatedAuditLogs(
      first: $num,
      startTime: $startTime,
      endTime: $endTime,
      after: $cursor
    ) {
      pageInfo {
        hasNextPage
        endCursor
      }
      edges {
        node {
          id
          user {
            email
          }
          operationName
          operationText
          variables
          loggedAt
        }
      }
    }
  }
}

3. Exporter Audit Logs

These logs track when data is exported from your Arize account, helping you monitor who is downloading data and from which models. They include:

  • Email address of the user

  • Model name from which data was exported

  • Timestamp of the export

Note: Exporter logs are only created when data is actually returned. Export requests that return zero rows will not be logged. Additionally, export requests for demo models are not logged.

Example Query

query GetExporterAuditLogs(
  $num: Int!,
  $startTime: DateTime,
  $endTime: DateTime,
  $cursor: String
) {
  account {
    exporterAuditLogs(
      first: $num,
      after: $cursor,
      startTime: $startTime,
      endTime: $endTime
    ) {
      pageInfo {
        hasNextPage
        endCursor
      }
      edges {
        node {
          id
          user {
            email
          }
          model {
            name
          }
          loggedAt
        }
      }
    }
  }
}

Query Parameters

All audit log queries accept the following parameters:

  • num (required): Number of records to retrieve per page

  • startTime (optional): Start of the time range to query (ISO format). If not provided, defaults to last 30 days.

  • endTime (optional): End of the time range to query (ISO format). If not provided, defaults to now.

  • cursor (optional): Pagination cursor for retrieving additional pages of results

Pagination

Pagination is encouraged when working with large volumes of audit logs. Each query response includes a pageInfo object with:

  • hasNextPage: Boolean indicating if more records are available

  • endCursor: Cursor to use for fetching the next page of results

Here's an example implementation of pagination for retrieving authenticated audit logs:

# Initialize variables
authenticated_logs = []
params = {
    "num": 100,
    "startTime": "2025-01-01T00:00:00Z"
}

# Loop through all pages
while True:
    paged_response = client.execute(authenticated_audit_logs_query, params)
    # Append the logs to your list
    authenticated_logs.extend(paged_response["account"]["authenticatedAuditLogs"]["edges"])
    # If there is another page of information, point the cursor to the next page and fetch more
    end_cursor = paged_response["account"]["authenticatedAuditLogs"]["pageInfo"]["endCursor"]
    print("pageInfo end_cursor %s" % (end_cursor))
    if end_cursor:
        print("There is another page of logs. Loading more.")
        params["cursor"] = end_cursor
    else:
        # No more logs to pull. The list is complete!
        break

Last updated

Was this helpful?