WORM Audit Logging

Enterprise

Write Once, Read Many (WORM) audit logging provides an immutable, tamper-proof record of every action in EntraGuard.

What is WORM?

WORM (Write Once, Read Many) storage ensures that once a log entry is written, it cannot be modified or deleted — not even by administrators. This guarantees the integrity of audit records for forensic investigations, compliance audits and legal proceedings.

What gets logged

Audit operations

  • Scan starts, completions and failures
  • Collection progress per collector
  • Analysis results and score calculations
  • Report generation events

User actions

  • Logins and logouts
  • Configuration changes (tenant settings, LDAP config, notification channels)
  • API key creation and revocation
  • Report downloads and exports

Risk acceptance

Finding acknowledgments and risk acceptances are logged with justification, approver and expiration date. These entries cannot be silently removed from the log.

System events

License validation, webhook subscription changes, Celery task failures, database migrations, realtime monitoring events.

Implementation

  • Append-only table — Audit records are stored in a PostgreSQL table with no UPDATE or DELETE permissions granted to the application user
  • Hash chain — Each entry includes a SHA-256 hash of the previous entry, forming a verifiable chain. Tampering with any entry breaks the chain
  • Timestamp — Entries are timestamped with the database server time (not client time) and include a monotonic sequence number
  • Retention — Configurable retention period (default: 2 years). Expired entries are archived, not deleted, unless explicitly purged by a database administrator
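
A minimal verifier for the hash chain described above, as an added example that is not EntraGuard's own code. The field names (`seq`, `ts`, `actor`, `action`, `prev_hash`), the canonical JSON serialization and the all-zero genesis value are assumptions, since the page does not specify the record format. It also shows what the chain alone cannot reveal: an edit to the final entry or truncation of the tail, unless the head hash is stored elsewhere.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry


def entry_hash(entry):
    """SHA-256 over a canonical JSON encoding of the whole entry (assumed format)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(log, ts, actor, action):
    """Add an entry whose prev_hash commits to the entry before it."""
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append({"seq": len(log) + 1, "ts": ts, "actor": actor,
                "action": action, "prev_hash": prev})


def verify(log, expected_head=None):
    """Return (seq, problem) findings; an empty list means the chain is intact."""
    findings = []
    prev, prev_seq = GENESIS, 0
    for e in log:
        if e["seq"] != prev_seq + 1:
            findings.append((e["seq"], "sequence gap"))
        if e["prev_hash"] != prev:
            findings.append((e["seq"], "prev_hash mismatch"))
        prev, prev_seq = entry_hash(e), e["seq"]
    # No later entry commits to the last one, so tail edits and truncation
    # are only visible against a head hash recorded outside the log.
    if expected_head is not None and prev != expected_head:
        findings.append((prev_seq, "head hash mismatch"))
    return findings


def build_sample():
    """Constructed sample entries, not real EntraGuard output."""
    log = []
    append(log, "2024-05-01T10:00:00Z", "alice", "login")
    append(log, "2024-05-01T10:02:11Z", "alice", "api_key.create")
    append(log, "2024-05-01T10:05:40Z", "bob", "risk.accept")
    append(log, "2024-05-01T10:09:03Z", "bob", "report.download")
    return log

if __name__ == "__main__":
    tampered = build_sample()
    tampered[1]["action"] = "api_key.revoke"  # simulated in-place edit
    print(verify(tampered))
```

Recording the latest entry hash outside the database at regular intervals gives `expected_head` a trustworthy value to compare against.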

Configuration

WORM audit logging is enabled by default on Enterprise plans. Navigate to Settings → Audit Log to:

  • View and search the audit log
  • Export entries as JSON or CSV
  • Configure SIEM forwarding (Splunk, Sentinel, Elastic, QRadar)
  • Set retention period
  • Verify chain integrity

Compliance

WORM audit logging helps satisfy requirements in:

  • SOC 2 Type II
  • ISO 27001:2022
  • NIS2
  • NIST 800-53
  • HIPAA
  • PCI DSS 4.0
