Audit And Device Logs
Audit Logs and Device Logs answer different operational questions. Audit Logs explain which portal or API activity occurred for a tenant. Device Logs explain which security events protected apps have reported from deployed devices.
Use them during release reviews, control tuning, incident response, and compliance evidence collection.
Audit Logs (Enterprise)
Audit Logs record tenant activity in the AppTego Portal and Management API. They are useful when you need to confirm which user or integration changed configuration, promoted an environment, created or deleted a token, updated SAML settings, managed certificates, or worked with builds.
View Audit Logs
- Open Audit Logs in the sidebar.
- Set a date and time range.
- Enter a structured query if you need to narrow the result set.
- Select Search.
- Scroll to load more matching entries.
The Audit Logs table shows these fields:
| Field | Description |
|---|---|
| User ID | The user or integration recorded for the action. |
| API Call | The portal/API operation, such as config_update, promote_config, create_api_token, or saml_settings. |
| Creation Time | When the event was recorded. |
| Success | Whether the operation succeeded. |
| Raw Logs | Full JSON details for the event. |
Audit Query Syntax
Use the search query field for SQL-like filtering. Date and time are normally set with the From and To controls, so most queries should filter on the event fields rather than embedding a time condition.
Valid audit query columns are:
| Column | Type | Notes |
|---|---|---|
| event | integer | Internal event ID. Results are ordered newest first. |
| user_id | string | User email, username, or integration identity. |
| api_call | string | Operation name recorded by the portal/API. |
| creation_time | integer | Epoch timestamp. Prefer the date/time controls for normal searches. |
| successful | boolean | true or false. |
| raw_data | string | Raw event payload. |
Examples:
user_id = 'admin@example.com'
api_call = 'config_update'
successful = false AND api_call LIKE '%config%'
api_call IN ('push_live_config', 'promote_config', 'config_update')
(user_id CONTAINS 'admin' OR api_call = 'delete_tenant') AND successful = false
Supported operators are =, !=, >, <, >=, <=, LIKE, NOT LIKE, CONTAINS, IN, IS NULL, IS NOT NULL, AND, OR, NOT, and parentheses.
Device Logs (Enterprise)
Device Logs show security events reported by protected apps. They are most useful after enabling a detection in Log mode, because they provide the detail needed to decide whether stricter enforcement is appropriate.
View Device Logs
- Open Device Logs in the sidebar.
- Set a date and time range.
- Optionally filter by event type or device ID.
- Enter a structured query or plain keyword if needed.
- Select Search.
- Scroll to load more matching entries.
The Device Logs table shows these fields:
| Field | Description |
|---|---|
| Device ID | Unique device identifier reported by the protected app. |
| Event Type | Security event value, such as root_detection. |
| Country | ISO country code when location storage is enabled; otherwise NA. |
| Timestamp | When the event was recorded. |
| Raw Data | Full JSON event data, including event_id, event_data, and any stored IP address. |
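The page's advice is to run a detection in Log mode first and use Device Logs to decide whether stricter enforcement is appropriate. The following is an added example of that triage step, not code from AppTego or from this page. It assumes an export of Device Log rows shaped like the fields above, with the Raw Data fields (event_id, event_data, ip_address) flattened into each record; the sample events are constructed, and the function names, the `indicator` key inside event_data, and the thresholds (`min_devices`, `max_ratio`) are this example's own assumptions.

```python
"""Turn Log-mode device telemetry into an enforcement decision: an added example, not AppTego's own
code. Records are shaped like the Device Logs fields above with the Raw Data fields flattened in;
the events are constructed and the thresholds are assumptions to tune per app and fleet."""
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_EVENTS = [  # constructed; country "NA" and ip_address None reflect disabled location/IP storage
    {"event_id": "a1f0-1", "device_id": "dev-a1", "event_type": "root_detection", "country": "US",
     "ip_address": "203.0.113.7", "created_at": "2024-05-01T10:00:00Z",
     "event_data": {"indicator": "su_binary"}},
    {"event_id": "a1f0-2", "device_id": "dev-a1", "event_type": "root_detection", "country": "US",
     "ip_address": "203.0.113.7", "created_at": "2024-05-01T11:30:00Z",
     "event_data": {"indicator": "magisk"}},
    {"event_id": "a1f0-3", "device_id": "dev-b2", "event_type": "vpn_detection", "country": "NA",
     "ip_address": None, "created_at": "2024-05-01T12:00:00Z", "event_data": {}},
    {"event_id": "a1f0-4", "device_id": "dev-c3", "event_type": "vpn_detection", "country": "NA",
     "ip_address": None, "created_at": "2024-05-02T09:15:00Z", "event_data": {}},
    {"event_id": "a1f0-5", "device_id": "dev-d4", "event_type": "vpn_detection", "country": "GB",
     "ip_address": "198.51.100.9", "created_at": "2024-05-02T09:20:00Z", "event_data": {}},
    {"event_id": "a1f0-6", "device_id": "dev-e5", "event_type": "emulator_detection", "country": "DE",
     "ip_address": "192.0.2.44", "created_at": "2024-05-03T08:00:00Z",
     "event_data": {"indicator": "goldfish"}},
]

def parse_ts(iso):
    """ISO-8601 with a trailing Z (the form assumed for exported timestamps) -> aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)

def within_window(events, start_iso, end_iso):
    """Keep events whose created_at lies in [start, end], mirroring the portal's date/time controls."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    return [e for e in events if start <= parse_ts(e["created_at"]) <= end]

def summarize(events):
    """Per event_type: event count, distinct devices, indicators seen in event_data, and how many
    events were recorded without location context (country "NA")."""
    stats = defaultdict(lambda: {"events": 0, "devices": set(), "indicators": defaultdict(int), "no_location": 0})
    for e in events:
        s = stats[e["event_type"]]
        s["events"] += 1
        s["devices"].add(e["device_id"])
        if e.get("country", "NA") == "NA":
            s["no_location"] += 1
        indicator = (e.get("event_data") or {}).get("indicator")  # assumed key; adapt to the real payload
        if indicator:
            s["indicators"][indicator] += 1
    return {et: {"events": s["events"], "devices": len(s["devices"]),
                 "indicators": dict(s["indicators"]), "no_location": s["no_location"]}
            for et, s in stats.items()}

def enforcement_readiness(summary, active_devices, min_devices=2, max_ratio=0.01):
    """Classify each detection by blast radius: the share of the active fleet that would be affected
    if it moved from Log mode to enforcement. min_devices and max_ratio are assumed thresholds."""
    verdicts = {}
    for et, s in summary.items():
        ratio = s["devices"] / active_devices
        if s["devices"] < min_devices:
            verdicts[et] = ("insufficient_data", ratio)        # too little evidence to change anything
        elif ratio > max_ratio:
            verdicts[et] = ("review_before_enforcing", ratio)  # wide impact: noisy detector or expected use
        else:
            verdicts[et] = ("candidate_for_enforcement", ratio)
    return verdicts

if __name__ == "__main__":
    window = within_window(SAMPLE_EVENTS, "2024-05-01T00:00:00Z", "2024-05-03T23:59:59Z")
    for et, (verdict, ratio) in enforcement_readiness(summarize(window), active_devices=100).items():
        print(f"{et:<22} {verdict:<26} {ratio:.1%} of active devices")
```

The distinct-device count, not the raw event count, is the number that matters before enforcing: one rooted device reporting twice is not the same risk picture as three devices on a VPN, and a detection that fires across a large share of the fleet (VPN or developer-options detections often do) is more likely a policy question than a block candidate. The `no_location` counter shows how much of the sample was written with location storage disabled, which matters when a country filter is part of the decision.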
Event Types
Known device log event type values include:
| Event Type | Typical Meaning |
|---|---|
| root_detection | Rooted Android device detected. |
| jailbreak_detection | Jailbroken iOS device detected. |
| emulator_detection | Emulator or simulator-like environment detected. |
| debuggable_detection | App debuggable posture detected. |
| debugger_detection | Debugger attachment detected. |
| hook_detection | Android runtime hook or instrumentation detected. |
| hooking_detection | iOS runtime hook or instrumentation detected. |
| overlay | Android overlay/tapjacking risk detected. |
| screen_capture_detection | Screen capture event detected. |
| screen_recording_detection | Screen recording detected. |
| screen_mirroring_detection | Screen mirroring or casting detected. |
| developer_options_detection | Developer options detected. |
| vpn_detection | VPN use detected. |
| proxy_usage_detection | Proxy use detected. |
| device_lock_detection | Device lock posture detected. |
| time_tampering_detection | Device time tampering detected. |
| location_spoofing_detection | Mock or spoofed location detected. |
| virtual_app_detection | Virtual app/container environment detected. |
| app_cloning_detection | Cloned app instance detected. |
| memory_tamper_detection | Runtime memory tampering detected. |
| unknown_sources_detection | Unknown-source install posture detected. |
| accessibility_service_detection | Accessibility service posture detected. |
| third_party_keyboard_detection | Third-party keyboard posture detected. |
| integrity_failed | App integrity verification failed. |
| attestation_failed | Device attestation failed. |
Device Query Syntax
Device Logs support both structured queries and plain keyword search. Plain keywords search across common text fields. Structured queries use these columns:
| Column | Type | Notes |
|---|---|---|
| event_id | string | Unique event UUID. |
| device_id | string | Device identifier. |
| event_type | string | Snake_case event type value. |
| event_data | JSON/text | Searchable with CONTAINS. |
| ip_address | string | Source IP when IP storage is enabled. |
| country | string | ISO country code or NA. |
| created_at | timestamp | Prefer the date/time controls for normal searches. |
Examples:
event_type = 'root_detection'
device_id CONTAINS 'pixel'
country = 'US' AND event_type = 'emulator_detection'
event_type IN ('root_detection', 'emulator_detection', 'hook_detection')
(country = 'US' OR country = 'GB') AND event_type CONTAINS 'detection'
Supported operators are =, !=, >, <, >=, <=, LIKE, NOT LIKE, CONTAINS, IN, IS NULL, IS NOT NULL, AND, OR, NOT, and parentheses.
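The Audit Query Syntax and Device Query Syntax sections document the same operator set. The following is an added example, not the portal's own query engine, of a small evaluator for that grammar; it is useful for replaying a portal query over exported rows, for instance a local evidence copy kept past the retention window. The page does not state these details, so they are assumptions of this example: LIKE is case-sensitive with SQL `%` and `_` wildcards, CONTAINS is a plain substring test (applied to the JSON text of non-string columns such as event_data), a NULL column fails every comparison, LIKE and CONTAINS as SQL three-valued logic would, and comparing a string column with an integer literal raises TypeError rather than coercing. The sample rows are constructed.

```python
"""Evaluator for the portal's audit/device query grammar (an added example, not AppTego's own code). It
applies the documented operator set to exported rows so a portal query can be replayed over a local copy."""
import json
import re

AUDIT_ROWS = [  # constructed rows shaped like the Audit Logs columns
    {"event": 3, "user_id": "admin@example.com", "api_call": "config_update",
     "creation_time": 1714557600, "successful": False, "raw_data": '{"field": "timeout"}'},
    {"event": 1, "user_id": "alice@example.com", "api_call": "create_api_token",
     "creation_time": 1714550400, "successful": True, "raw_data": None},
]
DEVICE_ROWS = [  # constructed rows shaped like the Device Logs columns
    {"device_id": "pixel-7-a1", "event_type": "root_detection", "country": "US",
     "ip_address": "203.0.113.7", "event_data": {"indicator": "magisk"}},
    {"device_id": "sim-x", "event_type": "emulator_detection", "country": "NA",
     "ip_address": None, "event_data": {}},
]
TOKEN_RE = re.compile(  # keywords and true/false are case-insensitive; '' escapes a quote inside a string
    r"\s+|(?P<str>'(?:[^']|'')*')|(?P<num>-?\d+)|(?P<cmp>>=|<=|!=|[=<>])|(?P<op>[(),])|(?P<bool>TRUE|FALSE)\b"
    r"|(?P<kw>AND|OR|NOT|LIKE|CONTAINS|IN|IS|NULL)\b|(?P<ident>[A-Za-z_]\w*)|(?P<bad>.)", re.I | re.S)
CONVERT = {"str": lambda v: ("lit", v[1:-1].replace("''", "'")), "num": lambda v: ("lit", int(v)),
           "bool": lambda v: ("lit", v.upper() == "TRUE"), "kw": lambda v: ("kw", v.upper()),
           "cmp": lambda v: ("cmp", v), "op": lambda v: ("op", v), "ident": lambda v: ("ident", v)}
COMPARE = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
           "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def tokenize(text):  # -> list of (kind, value); literals of every type share the kind 'lit'
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m.lastgroup == "bad":
            raise ValueError(f"unexpected {m.group()!r} at offset {m.start()}")
        if m.lastgroup:  # None is whitespace
            tokens.append(CONVERT[m.lastgroup](m.group()))
    return tokens
def _text(v):  # non-string values (event_data JSON, booleans) are matched on their JSON text
    return v if isinstance(v, str) else json.dumps(v)
def _like(pattern):  # SQL LIKE, assumed case-sensitive: % matches any run, _ one character, rest literal
    return re.compile("".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern), re.S)

class Parser:  # recursive descent; precedence from lowest: OR, AND, NOT, then parentheses or a predicate
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def accept(self, kind, val=None):  # consume the next token if it matches, else return None
        if self.i < len(self.toks) and self.toks[self.i][0] == kind and val in (None, self.toks[self.i][1]):
            self.i += 1
            return self.toks[self.i - 1][1]
    def expect(self, kind, val=None):
        tok = self.accept(kind, val)
        if tok is None:
            raise ValueError(f"expected {val or kind} at token {self.i}")
        return tok
    def chain(self, kw, operand, combine):  # left-associative: operand (kw operand)*
        left = operand()
        while self.accept("kw", kw):
            left = combine(left, operand())
        return left
    def disjunction(self):
        return self.chain("OR", self.conjunction, lambda l, r: lambda row: l(row) or r(row))
    def conjunction(self):
        return self.chain("AND", self.unary, lambda l, r: lambda row: l(row) and r(row))
    def unary(self):
        if self.accept("kw", "NOT"):
            inner = self.unary()
            return lambda row: not inner(row)
        if not self.accept("op", "("):
            return self.predicate()
        inner = self.disjunction()
        self.expect("op", ")")
        return inner
    def predicate(self):  # a NULL column never satisfies a comparison, LIKE or CONTAINS (SQL semantics, assumed)
        col = self.expect("ident")
        if self.accept("kw", "IS"):
            neg = self.accept("kw", "NOT") is not None
            self.expect("kw", "NULL")
            return lambda row: (row.get(col) is None) != neg
        if self.accept("kw", "IN"):
            self.expect("op", "(")
            vals = [self.expect("lit")]
            while self.accept("op", ","):
                vals.append(self.expect("lit"))
            self.expect("op", ")")
            return lambda row: row.get(col) in vals
        if self.accept("kw", "CONTAINS"):  # substring test, assumed
            needle = _text(self.expect("lit"))
            return lambda row: row.get(col) is not None and needle in _text(row[col])
        neg = self.accept("kw", "NOT") is not None
        if self.accept("kw", "LIKE"):
            pat = _like(_text(self.expect("lit")))
            return lambda row: row.get(col) is not None and bool(pat.fullmatch(_text(row[col]))) != neg
        if neg:
            raise ValueError("NOT is only valid before LIKE inside a predicate")
        op, val = self.expect("cmp"), self.expect("lit")
        return lambda row: row.get(col) is not None and COMPARE[op](row[col], val)

def search(rows, query):  # apply a portal-style query string to exported rows; returns the matching rows
    parser = Parser(query)
    pred = parser.disjunction()
    if parser.i != len(parser.toks):
        raise ValueError(f"unparsed input starting at token {parser.i}")
    return [row for row in rows if pred(row)]
```

Run the documented examples through `search(AUDIT_ROWS, ...)` and `search(DEVICE_ROWS, ...)` to see how they select rows; malformed input such as a missing literal or an unbalanced parenthesis raises ValueError at parse time rather than silently matching nothing, which is the behaviour you want when a saved query is reused for compliance evidence.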
Loading More Results
Audit Logs and Device Logs load up to 50 entries at a time. The portal uses cursor-based loading as you scroll, so there are no page numbers. Narrow large searches with date ranges, event type filters, device ID filters, or structured query syntax.
AI Search (Beta)
Audit Logs and Device Logs include AI Search. Enter a plain-English description, review the generated structured query and time range, then apply it to the search form.
AI Search is a helper, not an enforcement decision. Review the generated query before running it, especially for compliance reporting or incident investigations.
Privacy Controls
Tenant configuration controls what device telemetry is stored. These settings apply to new device log and device information writes only; records already stored are not rewritten when a setting changes.
| Setting | When Enabled | When Disabled |
|---|---|---|
| Store IP Addresses | Stores the source IP address seen by AppTego. | Stores NULL for the IP address. |
| Store Approximate Location | Stores approximate location context derived from the IP address, such as country. | Stores NA for country/location context. |
| Store Device Information | Stores basic OS/app environment details where reported. | Stores unknown for OS/version fields in device information records. |
Store Approximate Location depends on Store IP Addresses. If IP address storage is turned off, location storage is also removed because location is derived from the IP address.
Data Retention
Device telemetry is retained for approximately 60 days. Retrieve data before it ages out if your organization needs longer-term evidence for compliance, release review, or incident response.
Tenant audit logs are retained for approximately 12 months. Audit log expiry is partition-based, so an entry stays available until the monthly partition that holds it ages out, which can be slightly longer than 12 months.
Programmatic Access
Use the portal for interactive investigation and the Management API for programmatic log retrieval where your plan and permissions allow. See Monitoring And Logs API for API access.