
Logging System

Three distinct logging systems are provided within the Escape platform, each designed to serve specific monitoring and compliance requirements: Audit Logs for platform-wide user actions, Activity Logs for resource-specific changes, and Scan Logs for detailed execution traces.

Audit Logs

Overview

Audit Logs are provided as an Enterprise feature to maintain comprehensive records of all user actions performed within the Escape platform. These logs are essential for security compliance, accountability, and forensic analysis at the organizational level.

Audit Logs are accessed through the Organization section of the platform.

Tracked Events

The following categories of user actions are logged:

Authentication Events

  • User login and logout activities
  • Session creation and termination
  • Authentication method changes
  • Multi-factor authentication events

Platform Configuration Changes

  • Application Profile modifications
  • Security policy updates
  • Integration configurations
  • Organization settings adjustments
  • User role and permission assignments

Resource Management

  • Project creation and deletion
  • Application Profile management
  • Scan Profile configurations
  • Private Location deployments

Access Control Events

  • Permission grants and revocations
  • Role assignments and modifications
  • API key generation and rotation
  • Team membership changes

Log Structure

Each Audit Log entry contains the following information:

  • Timestamp: The exact date and time when the action was performed
  • User: The authenticated user who performed the action
  • Action Type: The category and specific action executed
  • Resource: The target resource affected by the action
  • Outcome: Success or failure status of the action
  • IP Address: The source IP address of the request
  • User Agent: The client application or browser used

Example entry:

[2024-11-10 14:32:18 UTC] User 'alice@example.com' updated Application Profile 'Production API' (ID: app_abc123). Source IP: 203.0.113.42. Status: SUCCESS

Search and Filtering

Audit Logs can be filtered and searched using multiple criteria:

  • Date Range: Events within a specific time period
  • User: Actions performed by specific users
  • Action Type: Events belonging to specific categories
  • Resource: Changes affecting particular resources
  • Outcome: Success or failure status

Data Export

Audit Log data can be exported in the following formats:

  • CSV: For spreadsheet analysis and reporting
  • JSON: For programmatic processing and integration
  • PDF: For compliance documentation and archival

Retention and Compliance

Audit Log retention periods are configured at the organization level and can be adjusted to meet:

  • Regulatory compliance requirements (GDPR, SOC 2, ISO 27001)
  • Industry-specific standards (PCI-DSS, HIPAA)
  • Internal governance policies
  • Legal hold requirements

Default retention period: 365 days (configurable based on Enterprise plan)


Activity Logs

Overview

Activity Logs are maintained for individual Assets and Issues within the platform. These logs provide a chronological record of all changes and interactions specific to each resource, enabling teams to track progress, understand decision history, and maintain context.

Activity Logs are displayed directly on the Asset detail page and Issue detail page.

Asset Activity Logs

For each Asset discovered during scanning, the following activities are recorded:

Status Changes

  • Asset status transitions (Active, Archived, Ignored)
  • Ownership assignments
  • Risk classification updates
  • Tag additions and removals

Metadata Updates

  • Asset name modifications
  • Description changes
  • Custom field updates
  • Integration mappings

Security Events

  • New vulnerabilities discovered on the Asset
  • Vulnerability status changes
  • Remediation progress tracking
  • Retest results

Example:

[2024-11-10 09:15:22] Asset status changed from "Active" to "Under Review" by john.doe@example.com
[2024-11-10 09:16:45] Tag "critical-infrastructure" added by john.doe@example.com
[2024-11-10 10:32:11] Comment added: "Scheduling maintenance window for remediation"

Issue Activity Logs

For each security Issue identified during scanning, the following activities are tracked:

Status Transitions

  • Issue status changes (Open, In Progress, Resolved, False Positive, Accepted Risk)
  • Priority adjustments (Critical, High, Medium, Low, Info)
  • Assignment to team members
  • Due date modifications

Workflow Actions

  • Comments and discussions
  • File attachments
  • External ticket linking (Jira, ServiceNow, Linear)
  • Remediation evidence uploads

Resolution Tracking

  • Fix verification requests
  • Retest scheduling and results
  • Closure reasons and justifications
  • Reopening events and rationale

Example:

[2024-11-10 11:20:33] Issue status changed from "Open" to "In Progress" by security-team@example.com
[2024-11-10 11:22:15] Comment added: "Patch scheduled for deployment on 2024-11-15"
[2024-11-10 14:45:00] File attached: remediation-plan.pdf
[2024-11-10 16:30:22] Linked to Jira ticket: SEC-1234

Collaboration Features

Activity Logs support team collaboration by:

  • Displaying all user interactions chronologically
  • Preserving comment threads and discussions
  • Tracking ownership and responsibility
  • Maintaining audit trail for compliance

Scan Logs

Overview

Scan Logs provide comprehensive, verbose execution traces for each security scan performed by Escape. These logs capture all technical details of the scanning process, including requests sent, actions taken, penetration testing attempts, and system-level events.

Scan Logs are accessed from the Scan detail page within each Application Profile.

Log Categories

Scan Logs are organized into multiple stages, each representing a distinct phase of the security assessment:

Initialization Stage

  • Scan configuration loading
  • Authentication setup and validation
  • Target endpoint discovery
  • Environment preparation

Discovery Stage

  • Asset enumeration
  • API endpoint detection
  • Schema parsing and analysis
  • Technology fingerprinting

Crawling Stage

  • Page navigation events
  • Form detection and interaction
  • JavaScript execution traces
  • Network traffic interception

Authentication Stage

  • Login flow execution
  • Token extraction and validation
  • Session management
  • Multi-user authentication setup

Fuzzing Stage

  • Payload generation and injection
  • Request mutation attempts
  • Response analysis
  • Vulnerability detection logic

Exploitation Stage

  • Proof-of-concept execution
  • Privilege escalation attempts
  • Business logic testing
  • Chain attack exploration

Agentic Reasoning Stage

  • LLM-driven decision making
  • Automated penetration testing logic
  • Tool call execution and results
  • Adaptive testing strategies

Log Levels

Logs are categorized by severity level for efficient troubleshooting:

  • Debug: Detailed technical information for development and troubleshooting
  • Info: General informational messages about scan progress
  • Warning: Non-critical issues that may require attention
  • Error: Critical failures affecting scan execution
  • Success: Successful completion of significant operations

Log Format

Each Scan Log entry follows a standard format similar to traditional software logging: a millisecond-resolution timestamp, the log level, and the stage that produced the entry, each in square brackets, followed by the message:

[2024-11-10 12:45:32.123] [INFO] [Crawling] Navigating to https://api.example.com/v1/users
[2024-11-10 12:45:32.456] [DEBUG] [Crawling] Request headers: {"Authorization": "[REDACTED]", "Content-Type": "application/json"}
[2024-11-10 12:45:32.789] [INFO] [Crawling] Response received: 200 OK (142ms)
[2024-11-10 12:45:33.012] [DEBUG] [Fuzzing] Generating payloads for parameter "userId"
[2024-11-10 12:45:33.234] [WARNING] [Fuzzing] Rate limit detected, implementing backoff strategy
[2024-11-10 12:45:34.567] [ERROR] [Exploitation] Authentication bypass attempt failed: Invalid token format
[2024-11-10 12:45:35.890] [INFO] [Agentic Reasoning] LLM Decision: Attempting alternative injection vector

Filtering

Scan Logs can be filtered using multiple dimensions:

By Log Level

  • Filter to show only errors and warnings for troubleshooting
  • Enable Debug level for detailed technical analysis
  • View Info level for high-level scan progress

By Stage

  • Focus on specific scanning phases
  • Isolate Authentication issues
  • Review Agentic Reasoning decisions
  • Examine Exploitation attempts

By Keyword

  • Search for specific endpoints or parameters
  • Locate error messages or exceptions
  • Find payload patterns or attack vectors

By Timestamp

  • Navigate to specific time ranges
  • Correlate events across stages
  • Identify performance bottlenecks

Technical Details Captured

The following technical information is logged during scan execution:

HTTP Traffic

  • Request and response headers
  • Request bodies and payloads (with sensitive data redacted)
  • Response status codes and timing
  • TLS/SSL handshake details

Browser Actions (for WebApp DAST)

  • Page navigation events
  • Element interactions (clicks, form submissions)
  • JavaScript console messages
  • Network waterfall timing

Security Testing

  • Vulnerability detection logic and reasoning
  • Payload variations attempted
  • False positive filtering decisions
  • Attack chain construction

Agentic Operations

  • LLM prompts and responses (when enabled)
  • Tool call executions
  • Decision-making rationale
  • Adaptive strategy adjustments

Performance Metrics

Scan Logs include performance data for optimization:

  • Request/response timing
  • Stage duration measurements
  • Rate limiting and backoff events
  • Resource utilization statistics

Troubleshooting

Scan Logs are essential for diagnosing issues:

  • Authentication failures and misconfigurations
  • Network connectivity problems
  • Rate limiting and blocking detection
  • Unexpected application behavior
  • False positive analysis

Log Level Selection

For routine monitoring, Info level provides sufficient visibility. Debug level should be enabled when troubleshooting specific issues or working with Escape support to diagnose problems.

Sensitive Data

Authentication credentials, API keys, and other sensitive values are automatically redacted in Scan Logs. However, response bodies are captured as the application under test returns them and may contain sensitive information (personal data, or tokens and identifiers the application itself issues) depending on the application being tested. Treat exported Scan Logs as sensitive and review them before sharing them outside the organization.
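The parser and checks below are an added example, not Escape's own code: they parse entries in the [timestamp] [level] [stage] message layout shown under Log Format, implement the level, stage, keyword and timestamp filters described under Filtering, and flag response-body values that look like credentials so an export can be scrubbed before it leaves the organization. The entry regex, the secret patterns and every log line are constructed assumptions; the platform's actual redaction rules are not documented on this page beyond the statement above.

```python
"""Added example (not Escape's own code): parse, filter and scrub Scan Log entries."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# ASSUMED entry layout, taken from the sample entries on this page:
# [YYYY-MM-DD HH:MM:SS.mmm] [LEVEL] [Stage] message
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"\[(?P<level>DEBUG|INFO|SUCCESS|WARNING|ERROR)\] \[(?P<stage>[^\]]+)\] (?P<msg>.*)$"
)
# Success is a milestone marker rather than a severity; rank it with Info for "min level" filtering.
LEVEL_RANK = {"DEBUG": 0, "INFO": 1, "SUCCESS": 1, "WARNING": 2, "ERROR": 3}


@dataclass(frozen=True)
class Entry:
    ts: datetime
    level: str
    stage: str
    msg: str


def parse_entry(line: str) -> Optional[Entry]:
    """One line -> Entry, or None when the layout is not recognised (never guess fields)."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["level"], m["stage"], m["msg"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def filter_entries(entries: Iterable[Entry], *, min_level: Optional[str] = None,
                   stage: Optional[str] = None, keyword: Optional[str] = None,
                   start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[Entry]:
    """The By Log Level / By Stage / By Keyword / By Timestamp filters as one predicate."""
    floor = LEVEL_RANK[min_level] if min_level else 0
    return [e for e in entries
            if LEVEL_RANK[e.level] >= floor
            and (stage is None or e.stage == stage)
            and (keyword is None or keyword.lower() in e.msg.lower())
            and (start is None or e.ts >= start) and (end is None or e.ts <= end)]


# ASSUMED secret shapes. The platform redacts Authorization headers; response bodies are not
# guaranteed clean, so look for credential-like JSON fields, bearer tokens and JWT-shaped strings.
# Each tuple: (name, pattern, replacement). Negative lookaheads keep already-redacted values unmatched.
SECRET_PATTERNS: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("bearer token", re.compile(r"(?i)(bearer\s+)(?!\[REDACTED\])[A-Za-z0-9._~+/=-]{16,}"), r"\1[REDACTED]"),
    ("credential field",
     re.compile(r'(?i)("(?:api[_-]?key|access[_-]?token|secret|password|token)"\s*:\s*")'
                r'(?!\[REDACTED\])[^"]{8,}(")'),
     r"\1[REDACTED]\2"),
    ("jwt", re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"), "[REDACTED]"),
]


def find_unredacted_secrets(entries: Iterable[Entry]) -> List[Tuple[int, str]]:
    """(entry index, pattern name) for every entry whose message still carries an apparent secret."""
    return [(i, name) for i, e in enumerate(entries)
            for name, pat, _ in SECRET_PATTERNS if pat.search(e.msg)]


def scrub(text: str) -> str:
    """Replace matched secret values with [REDACTED]; run before handing an export to a third party."""
    for _, pat, repl in SECRET_PATTERNS:
        text = pat.sub(repl, text)
    return text


# Constructed sample extending the page's entries; the two body lines are the hazard the page describes.
SAMPLE_LOG = """\
[2024-11-10 12:45:32.123] [INFO] [Crawling] Navigating to https://api.example.com/v1/users
[2024-11-10 12:45:32.456] [DEBUG] [Crawling] Request headers: {"Authorization": "[REDACTED]", "Content-Type": "application/json"}
[2024-11-10 12:45:32.789] [INFO] [Crawling] Response received: 200 OK (142ms)
[2024-11-10 12:45:32.901] [DEBUG] [Crawling] Response body: {"id": 42, "api_key": "sk_live_9Xb3kQ7ZpL2mN8vT", "email": "alice@example.com"}
[2024-11-10 12:45:33.012] [DEBUG] [Fuzzing] Generating payloads for parameter "userId"
[2024-11-10 12:45:33.234] [WARNING] [Fuzzing] Rate limit detected, implementing backoff strategy
[2024-11-10 12:45:34.567] [ERROR] [Exploitation] Authentication bypass attempt failed: Invalid token format
[2024-11-10 12:45:35.100] [DEBUG] [Authentication] Response body: {"access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy", "token_type": "Bearer"}
[2024-11-10 12:45:35.890] [INFO] [Agentic Reasoning] LLM Decision: Attempting alternative injection vector
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for idx, name in find_unredacted_secrets(entries):
        print(f"entry {idx} ({entries[idx].stage}): possible {name} in response body")
    print(scrub(SAMPLE_LOG))
```

The scrub pass is deliberately applied to the raw text rather than to parsed entries, so lines the parser does not recognise (multi-line bodies, banners) are still cleaned; a pattern list this short will miss application-specific secrets, so the review step the page calls for is still needed.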


Best Practices

Audit Logs

  1. Regular Review: Audit Logs should be reviewed periodically to identify suspicious activities or policy violations
  2. Access Control: Access to Audit Logs should be restricted to authorized security and compliance personnel
  3. Retention Policies: Retention periods should be configured according to regulatory requirements and organizational policies
  4. Alert Configuration: Automated alerts should be established for critical security events, such as repeated failed logins, API key generation or rotation, permission grants and revocations, and role changes
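As an added example (not Escape's own code or export schema), the following Python parses Audit Log lines in the layout of the example entry under Log Structure, applies the criteria from Search and Filtering, and raises the kind of automated alert item 4 describes: repeated failed logins from one source IP, a successful login immediately after them, and sensitive Access Control actions such as API key generation. The line layout, the verb vocabulary, the thresholds and every log line are assumptions constructed for the example; production tooling should consume the JSON export instead.

```python
"""Added example (not Escape's own code): parse Audit Log lines and raise alerts on critical events."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional

# ASSUMED line layout, modelled on the one example entry on this page:
# [YYYY-MM-DD HH:MM:SS UTC] User '<user>' <action> <resource>. Source IP: <ip>. Status: <SUCCESS|FAILURE>
# The verb list is an assumption too; the JSON export is the right input for real tooling.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\] User '(?P<user>[^']+)' "
    r"(?P<action>logged in|logged out|created|updated|deleted|generated|rotated|granted|revoked) "
    r"(?P<resource>.+?)\. Source IP: (?P<ip>[0-9A-Fa-f.:]+)\. Status: (?P<status>SUCCESS|FAILURE)$"
)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    resource: str
    ip: str
    success: bool


def parse_line(line: str) -> Optional[AuditEvent]:
    """One line -> event, or None when the layout is not recognised (never guess fields)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return AuditEvent(ts, m["user"], m["action"], m["resource"], m["ip"], m["status"] == "SUCCESS")


def parse_log(text: str) -> List[AuditEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def filter_events(events: Iterable[AuditEvent], *, user: Optional[str] = None,
                  action: Optional[str] = None, success: Optional[bool] = None,
                  start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[AuditEvent]:
    """The page's search criteria (date range, user, action type, outcome) as one predicate."""
    return [e for e in events
            if (user is None or e.user == user) and (action is None or e.action == action)
            and (success is None or e.success == success)
            and (start is None or e.ts >= start) and (end is None or e.ts <= end)]


# Access Control events from the Tracked Events list that deserve an alert on their own.
SENSITIVE = {("generated", "API key"), ("rotated", "API key"), ("granted", "Permission"),
             ("revoked", "Permission"), ("updated", "Role")}


def resource_kind(resource: str) -> str:
    # "API key 'ci-deploy' (ID: key_9f2c)" -> "API key"
    return resource.split("'", 1)[0].strip()


def alerts_for(events: Iterable[AuditEvent], failure_threshold: int = 3,
               window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Sliding-window failed-login detection per source IP plus one-shot alerts for sensitive actions."""
    out: List[str] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for e in sorted(events, key=lambda ev: ev.ts):
        stamp = e.ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        if e.action == "logged in":
            q = failures[e.ip]
            if not e.success:
                q.append(e.ts)
                while q and e.ts - q[0] > window:      # forget failures outside the window
                    q.popleft()
                if len(q) == failure_threshold:
                    out.append(f"{stamp} {failure_threshold} failed logins from {e.ip} within {window}")
            elif q:                                    # success right after failures: worth a look
                out.append(f"{stamp} {e.user} logged in from {e.ip} after {len(q)} recent failures")
                q.clear()
        if e.success and (e.action, resource_kind(e.resource)) in SENSITIVE:
            out.append(f"{stamp} {e.user} {e.action} {e.resource} from {e.ip}")
    return out


# Constructed sample, not real Escape output.
SAMPLE_LOG = """\
[2024-11-10 14:32:18 UTC] User 'alice@example.com' updated Application Profile 'Production API' (ID: app_abc123). Source IP: 203.0.113.42. Status: SUCCESS
[2024-11-10 14:35:01 UTC] User 'bob@example.com' logged in Organization 'Acme'. Source IP: 198.51.100.7. Status: FAILURE
[2024-11-10 14:35:40 UTC] User 'bob@example.com' logged in Organization 'Acme'. Source IP: 198.51.100.7. Status: FAILURE
[2024-11-10 14:36:12 UTC] User 'bob@example.com' logged in Organization 'Acme'. Source IP: 198.51.100.7. Status: FAILURE
[2024-11-10 14:37:05 UTC] User 'bob@example.com' logged in Organization 'Acme'. Source IP: 198.51.100.7. Status: SUCCESS
[2024-11-10 15:02:44 UTC] User 'bob@example.com' generated API key 'ci-deploy' (ID: key_9f2c). Source IP: 198.51.100.7. Status: SUCCESS
[2024-11-10 15:10:00 UTC] User 'alice@example.com' logged out Organization 'Acme'. Source IP: 203.0.113.42. Status: SUCCESS
"""


def analyze(text: str = SAMPLE_LOG) -> List[str]:
    return alerts_for(parse_log(text))


if __name__ == "__main__":
    print("\n".join(analyze()))
```

Events are sorted by timestamp before the window is evaluated because an export is not guaranteed to be ordered, and unparseable lines are dropped rather than guessed so a layout change in the export shows up as a drop in event count instead of as silently wrong fields.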

Activity Logs

  1. Documentation: Team members should document their actions and decisions in Activity Log comments
  2. Status Updates: Issue and Asset statuses should be kept current to maintain accurate Activity Log records
  3. Context Preservation: Historical context should be preserved through Activity Logs for knowledge transfer and auditing

Scan Logs

  1. Troubleshooting: Debug-level Scan Logs should be enabled when investigating authentication issues or unexpected scan behavior
  2. Performance Analysis: Scan Logs should be reviewed to identify performance bottlenecks and optimization opportunities
  3. False Positive Investigation: Detailed Scan Logs should be examined when validating potential false positives
  4. Support Collaboration: Scan Logs should be exported and provided to Escape support when requesting assistance, after checking that the response bodies in the export do not carry sensitive application data

Enterprise Support

Contact the Escape support team for guidance on log configuration, retention policies, and compliance requirements specific to your organization.