Activity Feed & Audit Log

Complete audit trail of all domain changes, user actions, and system events. Essential for compliance, security audits, and change tracking.

Overview
Event Types
How to Use
Filtering & Search
Compliance & Auditing
Best Practices

Overview

The Activity Feed provides a timestamped record of every action taken on your domains. This includes automated scans, manual refreshes, configuration changes, alert triggers, and user actions. Essential for:

Compliance: SOC 2, GDPR, HIPAA audit requirements
Security: Detect unauthorized changes or access attempts
Debugging: Understand when and why domain data changed
Accountability: Track which team member made changes
Reporting: Generate activity reports for stakeholders

Event Types

The activity log captures 15+ event types across 4 categories:

1. Domain Data Changes

Event	Description	Example
`whois.changed`	WHOIS data updated	Registrar changed from GoDaddy to Cloudflare
`dns.changed`	DNS records modified	A record changed from 1.2.3.4 to 5.6.7.8
`ssl.renewed`	SSL certificate renewed	New cert issued, expiry now 2027-03-15
`ssl.expired`	SSL certificate expired	Certificate expired on 2026-02-10
`uptime.down`	Domain went offline	HTTP 503 error detected
`uptime.restored`	Domain back online	HTTP 200 OK after 15 minutes downtime

2. User Actions

Event	Description
`domain.added`	User added a new domain to tracking
`domain.deleted`	User removed domain from tracking
`domain.refreshed`	User manually triggered refresh
`domain.updated`	User changed notes, tags, or folder

3. Alert & Monitoring

alert.triggered — Alert rule condition met
alert.resolved — Alert condition no longer true
report.generated — Scheduled report sent
scan.completed — Full domain scan finished

4. Security Events

security.blacklisted — Domain found on blocklist
security.malware — Malware detected on domain
security.phishing — Phishing warning from Google Safe Browsing

How to Use the Activity Feed

Step 1: Access the Activity Feed

Go to Domain Tracker → Activity
Or click the 🕒 Activity tab in the top navigation

Step 2: View Recent Events

The default view shows the last 100 events across all your domains, sorted newest-first. Each entry displays:

Timestamp: Exact date/time (with timezone)
Event Type: Color-coded badge (blue=info, yellow=warning, red=error)
Domain: Which domain the event relates to
Actor: User who triggered the action (or "System" for automated)
Description: Human-readable summary
Details: Click to expand full JSON data

Step 3: Filter Events

Use the filter bar to narrow down results:

Date Range: Last 24 hours | Last 7 days | Last 30 days | Custom
Event Type: Select from dropdown (e.g., show only SSL events)
Domain: Filter to specific domain
Actor: Show events by specific user
Severity: Info | Warning | Error

Step 4: Export for Audits

Click "Export CSV" to download filtered activities. Useful for:

Compliance audits (provide to auditors)
Creating monthly reports for management
Analyzing patterns (e.g., how often DNS changes)

Advanced Filtering & Search

Text Search

Use the search box to find events containing specific keywords. Searches across:

Domain names
Event descriptions
Actor usernames
JSON details (if "Search deep" is enabled)

Example: Search "Cloudflare" to find all events mentioning Cloudflare.

Combining Filters

Stack multiple filters for precise queries:

Query: Show all SSL events for example.com in January 2026 that resulted in errors

Date Range: 2026-01-01 to 2026-01-31
Event Type: ssl.*
Domain: example.com
Severity: Error

Saved Filters

Click "Save Filter" to bookmark common queries. Examples:

"All Security Events" (event_type IN [security.*])
"Production Domain Changes" (domain IN [...] AND actor != "System")
"Failed Scans" (event_type = "scan.failed")

Compliance & Auditing Use Cases

📋 SOC 2 Type II Compliance

Requirement: Demonstrate that changes to production systems are tracked and auditable.

Solution: Export activity log for production domains. Show auditors:

Who made changes (actor = user email)
When changes occurred (timestamp)
What changed (before/after values in JSON details)
Retention: We retain logs for 2 years (configurable)

🔒 Security Incident Response

Scenario: You suspect unauthorized DNS changes to your domain.

Investigation: Filter activity log:

Event Type: dns.changed
Date Range: Last 30 days
Review each change: Was the actor authorized? Does the timestamp match expected maintenance windows?

If you find unauthorized changes, escalate to security team and check for compromised credentials.

📊 Executive Reporting

Goal: Monthly report to CTO showing domain health and changes.

Process:

Filter to last month
Group by event type (use CSV export + pivot table)
Highlight: SSL renewals, DNS changes, security events, downtime incidents
Attach CSV to report

Best Practices

✅ DO:

Review activity log weekly for unexpected changes
Set up alerts for critical events (use Alert Rules to notify on security.* events)
Export logs monthly for compliance archives
Include activity log screenshots in post-mortem reports
Train team members to check activity before making changes (avoid conflicts)

❌ DON'T:

Ignore security events in the log (always investigate)
Delete domains without exporting their activity history first
Share raw activity exports externally (may contain sensitive data)
Assume "System" actor means it's safe (automated changes can still be errors)

⚠️ Log Retention Policy

Activity logs are retained for 2 years by default (365 days on Free plan, 2 years on Pro+). After this period, old logs are automatically archived. For compliance needs requiring longer retention, export logs monthly and store in your own secure backup system.

Integrations

Send activity log events to external systems:

Webhook: POST events to your SIEM (Splunk, Datadog, Sumo Logic)
Email Digest: Daily summary of critical events
Slack: Real-time notifications for security events

Configure integrations in Alert Rules settings.

View Your Activity Feed Now

Track every change and action across your domain portfolio.

Open Activity Feed →