Audit Query
audit_query
Read tenant-scoped audit records filtered by action, resource, or time range. Returns paginated results with chain position to verify control-plane changes.
Instructions
Read tenant-scoped control-plane audit records with filters and paging.
Returns the immutable, hash-chained audit log of control-plane actions
(identity, shield, firewall, and policy changes) for one tenant, with
optional filtering by action, resource, and start time. Read-only: it
never mutates enforcement state.
Args:
tenant_id: Tenant scope to read (default control-plane tenant).
action: Optional audit action filter (exact match).
resource: Optional audit resource filter (exact match).
since: Optional ISO-8601 timestamp lower bound.
limit: Maximum audit records to return (1-1000).
offset: Pagination offset.
Returns:
JSON with the matched audit records (actor, action, resource,
timestamp, chain position) and pagination metadata.
Call this to review who changed what in the control plane; pair with
``audit_integrity`` to verify the chain has not been tampered with.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| limit | No | Maximum audit records to return. | |
| since | No | Optional ISO timestamp lower bound. | |
| action | No | Optional audit action filter. | |
| offset | No | Pagination offset. | |
| resource | No | Optional audit resource filter. | |
| tenant_id | No | Tenant scope to read. Defaults to the control-plane default tenant. | default |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | | |
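
A client-side paging loop for this tool, as an added example that is not the project's own code: it walks `limit`/`offset` pages, rechecks each record against the requested filters, and flags chain positions that repeat across pages. It assumes a callable `audit_query` that accepts the documented arguments as keywords and returns a dict with a `records` list; the key names `records` and `chain_position`, the sample log, and its action and resource names are all constructed for illustration.

```python
from datetime import datetime

def _ts(value):
    # Parse ISO-8601; map a trailing "Z" to an offset for Python < 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def read_audit(audit_query, *, tenant_id="default", action=None,
               resource=None, since=None, page_size=200):
    """Page through audit_query and return (records, problems)."""
    if not 1 <= page_size <= 1000:            # documented range for limit
        raise ValueError("limit must be between 1 and 1000")
    lower = _ts(since) if since else None     # ValueError on a malformed bound
    records, problems, seen, offset = [], [], set(), 0
    while True:
        reply = audit_query(tenant_id=tenant_id, action=action, resource=resource,
                            since=since, limit=page_size, offset=offset)
        page, before = reply["records"], len(seen)   # "records" is an assumed key
        for rec in page:
            pos = rec["chain_position"]       # assumed key name
            if pos in seen:                   # log shifted between pages
                problems.append(f"duplicate chain position {pos}")
                continue
            seen.add(pos)
            if action is not None and rec["action"] != action:
                problems.append(f"position {pos}: action filter not applied")
            if resource is not None and rec["resource"] != resource:
                problems.append(f"position {pos}: resource filter not applied")
            if lower is not None and _ts(rec["timestamp"]) < lower:
                problems.append(f"position {pos}: older than since bound")
            records.append(rec)
        if len(page) < page_size or len(seen) == before:  # short or stale page
            return records, problems
        offset += page_size

# Constructed sample log and a stand-in for the real tool call.
SAMPLE = [
    {"actor": "alice", "action": "policy.update", "resource": "policy/1",
     "timestamp": "2024-05-01T10:00:00Z", "chain_position": 1},
    {"actor": "bob", "action": "firewall.update", "resource": "fw/7",
     "timestamp": "2024-05-02T09:30:00Z", "chain_position": 2},
    {"actor": "alice", "action": "policy.update", "resource": "policy/1",
     "timestamp": "2024-05-03T14:15:00Z", "chain_position": 3},
]

def fake_audit_query(tenant_id, action, resource, since, limit, offset):
    rows = [r for r in SAMPLE
            if action in (None, r["action"]) and resource in (None, r["resource"])
            and (since is None or _ts(r["timestamp"]) >= _ts(since))]
    return {"records": rows[offset:offset + limit]}
```

A non-empty `problems` list means the page set should not be trusted as a complete, filtered view; re-read it and run `audit_integrity` before relying on the result.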