Audit Log
The Audit Log provides a complete history of all Safety Gateway decisions. Every outbound communication that passes through the gateway is logged, whether it was allowed, held, or denied.
Accessing the Audit Log
- Navigate to Build > Governance > Safety Gateway
- Click on the Audit Log tab
Overview Dashboard
The top of the page displays summary statistics for the selected date range:
Key Metrics
| Metric | Description |
|---|---|
| Total Scanned | Number of messages processed |
| Allowed | Messages sent without review |
| Held for Review | Messages queued for human review |
| Denied | Messages blocked |
| Dry Run | Would have been held/denied (observation mode) |
Analytics Dashboard
Click Show Analytics to reveal interactive charts that help you understand gateway activity patterns. The dashboard includes four visualizations:
Decisions Over Time
A line chart showing the distribution of decisions (Allow, Hold, Deny) over the selected time period. Use this to:
- Identify trends in gateway activity
- Spot spikes in held or denied messages
- Compare decision patterns across different periods
Each decision type is color-coded:
- Green: Allow
- Blue: Allow (Dry Run)
- Purple: Allow (Override)
- Yellow: Hold
- Red: Deny
- Teal: Executed After Approval
Top Flags
A horizontal bar chart displaying the most frequently triggered risk flags. Common flags include:
- pii_detected - PII found in message
- external_recipient - Message to external party
- sensitive_content - LLM detected sensitive content
- unusual_request - Atypical message pattern
Use this chart to identify which risk categories are most common in your organization.
Decisions by Classification
A pie chart showing the breakdown of decisions by recipient classification:
- Internal - Recipients within your organization
- External - Recipients outside your organization
- Mixed - Both internal and external recipients
This helps you understand if most flagged items involve external communications.
Decision Distribution
A bar chart showing the total count of each decision type. Provides a quick overview of your gateway's overall behavior:
- High "Allow" counts indicate smooth operations
- High "Hold" counts may indicate overly conservative thresholds
- High "Deny" counts warrant investigation of agent behavior
Collapsing Analytics
Click Hide Analytics to collapse the dashboard and focus on the log entries. Your preference is remembered during the session.
Log Entries
Entry Information
Each log entry displays:
| Field | Description |
|---|---|
| Timestamp | When the scan occurred |
| Decision | Allow, Hold, Deny, or Dry Run |
| Danger Score | 0.0 - 1.0 risk score |
| Classification | Internal, External, or Mixed |
| Channel | Email, SMS, Meeting, etc. |
| Tool | Which tool was intercepted |
| Agent | Agent that generated the message |
| Recipient Count | Number of recipients |
| Flags | Risk indicators detected |
| Processing Time | How long analysis took (ms) |
Decision Colors
- Green (Allow) - Message was sent
- Blue (Allow - Dry Run) - Would have been allowed (observation mode)
- Yellow (Hold) - Queued for review
- Orange (Hold - Dry Run) - Would have been held (observation mode)
- Red (Deny) - Message was blocked
- Purple (Deny - Dry Run) - Would have been denied (observation mode)
Filtering
Date Range
Select the time period to view:
- Last 24 hours
- Last 7 days
- Last 30 days
- Last 90 days
- Custom range
The statistics and analytics dashboard automatically adjust to the selected date range (configurable from 1-90 days).
Filters
| Filter | Options |
|---|---|
| Decision | Allow, Hold, Deny, All |
| Channel | Email, SMS, Meeting, Notification |
| Classification | Internal, External, Mixed |
| Min Danger Score | Show only items above threshold |
| Agent | Filter by specific agent |
| Mailbox | Filter by source mailbox |
| Has PII | Show only items with PII detected |
Search
Free-text search across:
- Recipient addresses
- Agent names
- Flags
- Review notes
Entry Details
Click any entry to view full details:
Analysis Tab
- Danger Score - Final risk score with breakdown
- Classification - How recipients were classified
- LLM Analysis - Full reasoning from AI analysis
- Flags - All risk indicators with explanations
Content Tab
- Tool Name - Which tool was intercepted
- Recipient List - All recipients with domains
- PII Detected - Types of PII found (values masked)
- Message Preview - Sanitized preview (if enabled)
Note: Original message content is not stored in the audit log by default for privacy. Only analysis metadata is retained.
Processing Tab
- Gateway Mode - Mode at time of scan
- Thresholds Applied - Internal/external thresholds used
- LLM Provider - Which LLM performed analysis
- LLM Model - Specific model used
- Processing Time - Total analysis duration
- LLM Latency - Time spent on LLM call
Review Tab (for held items)
- Review Status - Approved, Denied, or Pending
- Reviewed By - Who made the decision
- Reviewed At - When decision was made
- Reviewer Notes - Comments from reviewer
- Final Decision - How item was resolved
Export
Export Formats
The audit log supports two export formats:
CSV Export
Export filtered results to CSV for:
- Compliance reporting
- Spreadsheet analysis
- External auditing tools
JSON Export
Export filtered results to JSON for:
- Programmatic processing
- Integration with other systems
- API-style data consumption
Select the format using the dropdown next to the Export button.
Exported Fields
Both formats include:
- Timestamp
- Decision
- Danger Score
- Classification
- Channel
- Tool Name
- Agent ID
- Mailbox
- Recipient Count
- Flags
- Processing Time (ms)
- LLM Latency (ms)
- LLM Skipped (boolean)
- Simulated Decision (for dry-run entries)
- Reviewer (if applicable)
Date Range
Export is limited to the currently selected date range. For large exports, consider narrowing the range or using filters.
Use Cases
Compliance Auditing
Generate reports showing:
- All external communications
- Communications flagged for PII
- Denied messages with reasons
- Review queue response times
Threshold Tuning
Analyze patterns to optimize settings:
- Filter to "Dry Run" decisions
- Review what would have been held/denied
- Check for false positives
- Adjust thresholds accordingly
Agent Improvement
Identify problematic agents:
- Sort by danger score (high to low)
- Group by agent
- Review common issues per agent
- Update agent instructions
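The Threshold Tuning and Agent Improvement steps above can also be run offline against a JSON export. The Python script below is an added example, not Outermind code: the JSON key names (`decision`, `simulatedDecision`, `dangerScore`, `agentId`, `flags`), the "Dry Run" value spelling, and the sample entries are assumptions to adjust to the file your export actually produces.

```python
import json
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample export. Key names and value spellings are assumptions,
# not taken from the product; change them to match your real export file.
SAMPLE_EXPORT = """[
 {"decision":"Dry Run","simulatedDecision":"Hold","dangerScore":0.62,"agentId":"agent-billing","flags":["pii_detected","external_recipient"]},
 {"decision":"Dry Run","simulatedDecision":"Allow","dangerScore":0.10,"agentId":"agent-billing","flags":[]},
 {"decision":"Dry Run","simulatedDecision":"Deny","dangerScore":0.91,"agentId":"agent-outreach","flags":["sensitive_content","external_recipient"]},
 {"decision":"Allow","simulatedDecision":null,"dangerScore":0.05,"agentId":"agent-outreach","flags":[]},
 {"decision":"Hold","simulatedDecision":null,"dangerScore":0.70,"agentId":"agent-support","flags":["pii_detected"]}
]"""

def load_entries(text):
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of log entries")
    return entries

def dry_run_summary(entries):
    """Threshold tuning: what dry-run entries would have done, and which flags drove holds/denies."""
    simulated, flags = Counter(), Counter()
    for e in entries:
        if e.get("decision") != "Dry Run":
            continue
        sim = e.get("simulatedDecision") or "Unknown"
        simulated[sim] += 1
        if sim in ("Hold", "Deny"):
            flags.update(e.get("flags") or [])
    return simulated, flags

def agents_by_risk(entries):
    """Agent improvement: (agent, entries, max score, mean score), highest max score first."""
    scores = defaultdict(list)
    for e in entries:
        score = e.get("dangerScore")
        if isinstance(score, (int, float)) and 0.0 <= score <= 1.0:  # skip malformed scores
            scores[e.get("agentId", "unknown")].append(score)
    rows = [(a, len(s), max(s), round(mean(s), 2)) for a, s in scores.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    simulated, flags = dry_run_summary(entries)
    print("dry-run simulated decisions:", dict(simulated))
    print("flags behind would-be holds/denies:", flags.most_common())
    for row in agents_by_risk(entries):
        print("agent=%s entries=%d max=%.2f mean=%.2f" % row)
```

A flag that dominates the would-be holds on entries a reviewer judges harmless is a candidate false positive to weigh before switching from dry run to enforcement.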
Incident Investigation
When investigating a specific issue:
- Filter by date/time of incident
- Search for relevant recipients or content
- Review full analysis details
- Export for documentation
Retention
Tier-Based Retention
Audit log retention varies by subscription tier:
| Tier | Retention Period |
|---|---|
| Basic | 30 days |
| Professional | 90 days |
| Pro Plus | 365 days |
| Enterprise | Unlimited |
Logs are automatically removed after the retention period expires. Export important data before expiration if you need to keep it longer.
Bring Your Own Storage (BYOS)
If your subscription tier's retention period does not meet your compliance or business requirements, you can redirect all audit logs to your own Azure Storage account using the Bring Your Own Storage feature. When BYOS is enabled:
- All audit logs are written to your storage account instead of Outermind's
- You control the retention policy for your storage account
- Outermind does not set expiration dates or delete logs in customer-owned storage
- You can configure Azure Blob Lifecycle Management policies, immutability policies, or any other retention strategy that fits your needs
To set up BYOS, navigate to Manage > Storage Settings.
Note: BYOS is available on Pro Plus and Enterprise tiers.
Best Practices
Regular Review
- Check audit log weekly for patterns
- Review denied messages for false positives
- Monitor dry run decisions before enforcement
- Track average danger scores over time
Compliance
- Export monthly reports for compliance records
- Document any emergency overrides
- Retain export files per your retention policy
- Include audit data in security reviews
Troubleshooting
- Use audit log to understand gateway behavior
- Compare dry run vs enforced decisions
- Check processing times for performance issues
- Review LLM analysis for scoring insights
Troubleshooting
Missing Entries
- Verify gateway mode isn't "Disabled"
- Check date range filter
- Confirm the tool is in the intercepted list
- Verify agent is using monitored mailbox
Slow Loading
- Narrow date range
- Add filters to reduce result set
- Export large datasets instead of viewing
- Check Azure Table Storage status
Inconsistent Scores
- Review threshold changes in settings
- Check if LLM model was changed
- Verify LLM provider availability
- Look for patterns in inconsistency
Related Topics
- Safety Gateway Overview - Understand how the gateway works
- Safety Settings - Configure thresholds
- Review Queue - Handle held messages