Incident Transparency and Audit References
Who this is for
Anyone investigating an unexpected change or incident in their organization, or compliance teams that need to demonstrate accountability for infrastructure actions.
What you will complete
Understand how to use the audit trail to investigate an incident, what information is available, and how to document findings.
The audit trail as your primary reference
CloudAIPilot's audit trail (accessible under Settings → Audit Log) is the authoritative source for what happened, when, and who was responsible. It records:
- Every user action (provision, deploy, backup, delete, role change, setting change)
- Every AI Pilot action (proposed, approved, executed, denied)
- Every system event (agent health change, backup completion, alert firing)
The trail is immutable — entries cannot be modified or deleted.
Investigating a specific incident
Step 1: Define the incident window
Determine the approximate time the unexpected change occurred. Use monitoring charts, user reports, or notification history to narrow down the window.
Step 2: Filter the audit log
- Go to Settings → Audit Log.
- Set the date range to cover the incident window with some buffer before and after.
- Filter by the affected resource (server name, site name, or resource type).
- Review all entries in the window.
Step 3: Identify the actor and action
Each log entry shows:
- Actor — who initiated the action (user email or "AI Pilot")
- Approver — who approved the action (for AI actions)
- Action — what was done
- Target — which resource was affected
- Result — Completed or Failed
- Timestamp — exact time in UTC
Step 4: Build the incident timeline
List the relevant entries in chronological order. This gives you a clear picture of what happened and in what sequence.
Step 5: Determine root cause
Common patterns:
- A user manually deleted or modified a resource → the actor's email appears in the log.
- An AI Pilot action went wrong → "AI Pilot" appears as actor, with an approver email.
- A third-party integration changed something → check webhook and API token activity.
- A scheduled operation (backup, SSL renewal) failed → system events in the log show the failure.
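Steps 1 to 5 applied to an exported log, as an added example that is not CloudAIPilot's own code. The CSV layout, the "system" actor label, the 15-minute buffer, and the names `build_timeline` and `classify` are assumptions; only the field names come from Step 3.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample. Columns mirror the Step 3 fields; the CSV layout and the
# "system" actor label are assumptions, not a documented export format.
SAMPLE_EXPORT = """\
Timestamp,Actor,Approver,Action,Target,Result
2024-05-02T10:40:00Z,system,,SSL renewal,web-01,Failed
2024-05-02T09:58:11Z,system,,backup,web-01,Completed
2024-05-02T10:16:02Z,AI Pilot,dana@example.com,executed,web-01,Completed
2024-05-02T10:14:40Z,AI Pilot,,proposed,web-01,Completed
2024-05-02T10:21:30Z,lee@example.com,,setting change,web-01,Completed
2024-05-02T10:22:05Z,lee@example.com,,delete,db-02,Completed
2024-05-02T13:05:00Z,lee@example.com,,deploy,web-01,Completed
"""

def parse_utc(text):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(entry):
    """Step 5: map one entry onto the common root-cause patterns."""
    if entry["Actor"] == "AI Pilot":
        return "AI Pilot action, approver: " + (entry["Approver"] or "none recorded")
    if "@" in entry["Actor"]:
        return "manual user action"
    if entry["Result"] == "Failed":
        return "failed system operation"
    return "system event"

def build_timeline(export_text, target, start, end, buffer=timedelta(minutes=15)):
    """Steps 1-4: keep entries for `target` inside the buffered window, oldest first."""
    lo, hi = parse_utc(start) - buffer, parse_utc(end) + buffer
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = parse_utc(row["Timestamp"])
        if row["Target"] == target and lo <= ts <= hi:
            hits.append((ts, row))
    hits.sort(key=lambda pair: pair[0])
    return [(ts.isoformat(), r["Actor"], r["Action"], r["Result"], classify(r))
            for ts, r in hits]

if __name__ == "__main__":
    for line in build_timeline(SAMPLE_EXPORT, "web-01",
                               "2024-05-02T10:10:00Z", "2024-05-02T10:30:00Z"):
        print(" | ".join(line))
```

An AI Pilot entry reported with "none recorded" as approver (here the constructed "proposed" row) is the kind of entry to read alongside the following "executed" entry, which carries the approver email.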
For compliance documentation
The audit log provides the evidence needed for:
- Internal incident reports (who did what, when, why)
- Change management records
- Access control audits (who has what access, and when it was changed)
- Security incident investigation
To document findings:
- Export or copy the relevant audit log entries.
- Note the actor, action, target, result, and timestamp for each entry.
- Cross-reference with monitoring charts and alert history for the same time window.