Policy Configuration Activity
The Configuration Activity tab shows changes made to your policy configuration.
Each logged event contains:
- Time - Date and time of the event
- Actor - User who performed the action
- Action - Description of the action performed
- Target - ID of the affected policy
- Message - Short summary of the event
- Old - Previous value of the resource
- New - Updated value of the resource
The changed values in the Old and New fields are highlighted in yellow.
You can filter activity logs by date range and attributes. The search bar helps you refine results with:
- Completion suggestions for available attributes and their values
- Filter dialog (funnel icon)
- Date range control
Click the gear icon in the top right to choose which columns are visible in the log table.
You can sort the table by clicking column headers.
{
  "source": "ppi_f7lrnyvjyy67qwhfaedt6e75c34bdctm",
  "target": "aidr_app_protected_input_policy",
  "action": "update",
  "user": "konstantin.lapine@crowdstrike.com",
  "message": "AIDR policy \"App/Agent Protected Input\" updated by konstantin.lapine@crowdstrike.com",
  "old": {
    "access_rules": [
      ...
    ],
    "description": "Enforces guardrails on raw user input at the app/agent boundary. Blocks prompt injection, PII, and secrets.",
    "detectors": [
      {
        "detector_name": "prompt_injection",
        "settings": {
          "action": "block"
        },
        "state": "disabled"
      },
      {
        "detector_name": "pii_entity",
        "settings": {
          "rules": [
            ...
          ]
        },
        "state": "disabled"
      }
    ],
    "name": "App/Agent Protected Input",
    "version": "v1.1"
  },
  "new": {
    "access_rules": [
      ...
    ],
    "description": "Enforces guardrails on raw user input at the app/agent boundary. Blocks prompt injection, PII, and secrets.",
    "detectors": [
      {
        "detector_name": "prompt_injection",
        "settings": {
          "action": "block"
        },
        "state": "enabled"
      },
      {
        "detector_name": "pii_entity",
        "settings": {
          "rules": [
            ...
          ]
        },
        "state": "enabled"
      }
    ],
    "name": "App/Agent Protected Input",
    "version": "v1.1"
  }
}
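An added example, not part of the original page or the product's own tooling: given an event shaped like the one above, this Python function compares the Old and New values and reports detectors that were disabled, removed, or moved off the `block` action, which is the direction of change a reviewer usually wants flagged. The sample event, the address in it and the `report` action value are constructed for illustration; only the field names come from the page.

```python
import json

# Constructed event using only field names from the page's example.
# The address and the "report" action value are made up for illustration.
SAMPLE_EVENT = json.loads("""
{"target": "aidr_app_protected_input_policy", "action": "update",
 "user": "admin@example.com",
 "old": {"detectors": [
   {"detector_name": "prompt_injection", "settings": {"action": "block"}, "state": "enabled"},
   {"detector_name": "pii_entity", "settings": {"rules": []}, "state": "enabled"}]},
 "new": {"detectors": [
   {"detector_name": "prompt_injection", "settings": {"action": "report"}, "state": "enabled"},
   {"detector_name": "pii_entity", "settings": {"rules": []}, "state": "disabled"}]}}
""")


def _by_name(policy):
    """Index detectors by detector_name; tolerate a missing or null policy."""
    detectors = (policy or {}).get("detectors") or []
    return {d["detector_name"]: d for d in detectors}


def weakened_detectors(event):
    """Return (detector_name, reason) for each detector that Old -> New weakens."""
    old, new = _by_name(event.get("old")), _by_name(event.get("new"))
    findings = []
    for name, before in old.items():
        after = new.get(name)
        if after is None:
            # Detector dropped from the policy (or the policy itself is gone).
            if before.get("state") == "enabled":
                findings.append((name, "removed"))
            continue
        if before.get("state") == "enabled" and after.get("state") != "enabled":
            findings.append((name, f"state enabled -> {after.get('state')}"))
        old_action = (before.get("settings") or {}).get("action")
        new_action = (after.get("settings") or {}).get("action")
        if old_action == "block" and new_action != "block":
            findings.append((name, f"action block -> {new_action}"))
    return findings


if __name__ == "__main__":
    for name, reason in weakened_detectors(SAMPLE_EVENT):
        print(f"{SAMPLE_EVENT['user']} weakened {SAMPLE_EVENT['target']}: {name} ({reason})")
```

An event that only turns detectors on, like the one shown on this page, produces no findings.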
Search bar
By default, the log viewer displays events from the past two hours.
To customize your search:
- Click the funnel icon to open the filter dialog, enter your criteria, and click Search. The search syntax appears in the search bar, and matching results display in the table.
- Place your cursor in the search bar to view a dropdown of available search parameters. Start typing to filter the list and use autocompletion to build your query.
- Enter your query manually. Learn more about the search syntax in the Secure Audit Log documentation.
Date range
All searches must include a time range, with the default set to the most recent two hours.
The date range selector next to the search button provides several options:
- Quick selections - Choose a relative range of 1, 7, or 30 days.
- Relative - Define a custom relative date range.
- Between - Search for log events between two specific dates.
- Before - Search for events that occurred before a specific date.
- After - Search for events that occurred after a specific date.
You can apply a time range filter directly from the log table. Hover over a timestamp in a result row or in the expanded details view, then click the ⨁ icon next to it to filter by that exact date or set it as the upper or lower limit of your range.
Event details
To view all fields for an event, click its row in the search results. The row expands to show every event field, including those not currently visible in the table.
If a field (such as Old or New) contains JSON data, it displays as an interactive JSON tree.
Tamperproof information
Icons in the log viewer indicate tamperproof status for each record. Learn more about Tamperproofing in the Secure Audit Log documentation.
- Lock icon
  The lock icon shows that the membership proof for the log event is verified. Click the icon to open a pop-up with details for independently verifying the event:
  - Status - Possible statuses are Verified, Unverified, or Failed.
    - Unverified - Indicates cached records that are not yet committed.
    - Failed - Shows with a red lock icon.
  - Verification artifacts - Includes the message hash, membership proof, consistency proof, root hash, and a link to the published root hash.
  - Verification command - Provides a command you can run with the Python SDK to verify the record's tamperproof status.
- Green line
  A vertical green line between lock icons indicates that the consistency proof for the two adjacent log events is verified.
Tamperproof icons appear asynchronously after search results return, as verification is performed.