
Tamper-evident audit

Every action is written to an activity log. With an audit key configured, Subnomic cryptographically chains those rows so any edit, deletion or reordering is detectable — and can stream each sealed event to a webhook, Slack or your SIEM.

How the chain works

A background sealer links each activity row into a per-tenant HMAC hash-chain: every row carries a sequence number, the previous row's hash, and its own hash over its immutable fields. Because each hash depends on the one before it, tampering with — or removing — any row breaks the chain from that point on, which verification detects.

Tamper-evident sealing is switched on by your operator. Until it's enabled the chain is inert and Verify reports "disabled".

Verify integrity

On the Activity page, Verify re-walks the whole chain and reports how many rows are sealed and intact — or, if a row was altered or deleted, the first broken sequence and why. Newly written rows show as "pending" until the sealer links them (a few seconds).
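The following is an added illustration of the sealing and verification steps described above, not Subnomic's own code. It assumes a specific sealed-field set, a per-tenant key derived as HMAC(audit key, tenant id), and a hash input of "seq|prev_hash|canonical JSON of the immutable fields"; none of these details are stated on this page. The verifier walks the chain in stored order and stops at the first row whose sequence number, previous-hash link or recomputed hash does not line up, reporting why, and counts unsealed rows as pending.

```python
import copy
import hashlib
import hmac
import json

# Fields covered by a row's hash. Assumption for this example: the product's
# real sealed-field set is not documented on this page.
SEALED_FIELDS = ("tenant", "actor", "action", "target", "ts")
GENESIS = "0" * 64  # prev_hash of the first row in a tenant's chain

# Constructed demo key; in the product the audit key is configured by the operator.
DEMO_AUDIT_KEY = b"demo-audit-key-not-for-production"


def tenant_key(audit_key: bytes, tenant: str) -> bytes:
    """Derive one chain key per tenant (assumed derivation: HMAC(audit_key, tenant))."""
    return hmac.new(audit_key, tenant.encode(), hashlib.sha256).digest()


def row_hash(key: bytes, seq: int, prev_hash: str, row: dict) -> str:
    """HMAC-SHA256 over the sequence number, the previous hash and the immutable fields."""
    body = json.dumps({k: row[k] for k in SEALED_FIELDS}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{seq}|{prev_hash}|{body}".encode(), hashlib.sha256).hexdigest()


def seal(rows: list, key: bytes) -> list:
    """What the background sealer does: link each unsealed row to its predecessor, in order."""
    prev = GENESIS
    for seq, row in enumerate(rows, start=1):
        if row.get("hash") is None:
            row["seq"], row["prev_hash"] = seq, prev
            row["hash"] = row_hash(key, seq, prev, row)
        prev = row["hash"]
    return rows


def verify(rows: list, key: bytes) -> dict:
    """Re-walk the chain; report counts and, if broken, the first bad sequence and why."""
    prev, sealed, pending = GENESIS, 0, 0
    for position, row in enumerate(rows, start=1):
        if row.get("hash") is None:
            pending += 1  # written but not yet linked by the sealer
            continue
        seq = row["seq"]
        if seq != position:
            reason = f"expected seq {position}, found {seq} (row deleted or reordered)"
        elif row["prev_hash"] != prev:
            reason = "prev_hash does not match the previous row (link broken)"
        elif not hmac.compare_digest(row_hash(key, seq, prev, row), row["hash"]):
            reason = "hash mismatch (row altered, or seq/prev_hash forged without the key)"
        else:
            sealed, prev = sealed + 1, row["hash"]
            continue
        return {"status": "broken", "sealed": sealed, "pending": pending,
                "first_broken_seq": seq, "reason": reason}
    return {"status": "intact", "sealed": sealed, "pending": pending,
            "first_broken_seq": None, "reason": None}


def sample_rows() -> list:
    """Constructed activity rows for a tenant 'acme' (not real data)."""
    base = {"tenant": "acme", "ts": "2024-01-01T00:00:00Z"}
    events = [("alice", "login", "session"), ("alice", "create", "project/1"),
              ("bob", "update", "project/1"), ("bob", "delete", "project/1")]
    return [dict(base, actor=a, action=ac, target=t) for a, ac, t in events]


if __name__ == "__main__":
    key = tenant_key(DEMO_AUDIT_KEY, "acme")
    chain = seal(sample_rows(), key)
    print(verify(chain, key))  # intact, 4 sealed
    forged = copy.deepcopy(chain)
    del forged[2]  # remove row 3 ...
    forged[2]["seq"], forged[2]["prev_hash"] = 3, forged[1]["hash"]  # ... and renumber to hide it
    print(verify(forged, key))  # broken at seq 3: hash mismatch, because seq and prev_hash are inside the MAC
```

The last case in the demo is the one that matters for tamper evidence: deleting a row and renumbering its successor keeps the sequence contiguous and the links consistent, but the stored hash was computed over the old sequence number and predecessor, and it cannot be recomputed without the key.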

Stream to a sink

Under Audit sinks, add destinations that receive each sealed event as it's written:

  • Webhook — an HTTPS endpoint (your SIEM, a log pipeline). Each delivery is HMAC-signed with the sink's secret and a timestamp, so you can verify it's genuine and not replayed.
  • Slack — a channel webhook for human-visible alerting.
Outbound delivery is SSRF-protected (the resolved IP is checked, defeating DNS rebinding) and retried with backoff. Use Test when adding a sink to confirm it receives a sample event. Streaming, like sealing, is inert without the audit key.
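The receiver-side check a webhook sink should perform, as an added example rather than Subnomic's own code or documented wire format: the header names, the signed string ("<timestamp>.<raw body>") and the 300-second tolerance are assumptions made for this example. The verifier checks freshness first, then the HMAC in constant time over the raw request body, and finally rejects a second copy of an already accepted delivery inside the window, since a timestamp alone does not stop a replay that arrives quickly.

```python
import hashlib
import hmac
import time

# Assumed header names and signing format for this example; the page only says
# each delivery is HMAC-signed with the sink's secret and a timestamp.
TS_HEADER = "X-Subnomic-Timestamp"
SIG_HEADER = "X-Subnomic-Signature"


def sign_delivery(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>'.
    Binding the timestamp into the MAC means an old delivery cannot simply be re-stamped."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def make_headers(secret: bytes, timestamp: int, body: bytes) -> dict:
    """Headers the sender attaches to one delivery."""
    return {TS_HEADER: str(timestamp), SIG_HEADER: sign_delivery(secret, timestamp, body)}


class DeliveryVerifier:
    """Receiver side: freshness, then authenticity, then uniqueness within the window."""

    def __init__(self, secret: bytes, tolerance: int = 300):
        self.secret = secret
        self.tolerance = tolerance
        self._seen = {}  # accepted signature -> its timestamp; pruned once outside the window

    def verify(self, headers: dict, body: bytes, now: float = None) -> tuple:
        now = time.time() if now is None else now
        try:
            ts = int(headers[TS_HEADER])
            sig = str(headers[SIG_HEADER])
        except (KeyError, ValueError, TypeError):
            return False, "missing or malformed signature headers"
        # 1. Freshness: anything outside the tolerance window is rejected before any crypto.
        if abs(now - ts) > self.tolerance:
            return False, "timestamp outside tolerance window"
        # 2. Authenticity: recompute over the raw bytes we received and compare in constant time.
        expected = sign_delivery(self.secret, ts, body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "signature mismatch"
        # 3. Uniqueness: a valid delivery seen twice inside the window is a replay.
        self._seen = {s: t for s, t in self._seen.items() if now - t <= self.tolerance}
        if sig in self._seen:
            return False, "replayed delivery"
        self._seen[sig] = ts
        return True, "ok"


# Constructed sample: a sink secret and one sealed event body (not real data).
DEMO_SINK_SECRET = b"sink-secret-demo-not-for-production"
DEMO_BODY = b'{"seq": 7, "tenant": "acme", "actor": "bob", "action": "delete", "target": "project/1"}'

if __name__ == "__main__":
    ts = 1_700_000_000
    headers = make_headers(DEMO_SINK_SECRET, ts, DEMO_BODY)
    receiver = DeliveryVerifier(DEMO_SINK_SECRET)
    print(receiver.verify(headers, DEMO_BODY, now=ts + 5))   # (True, 'ok')
    print(receiver.verify(headers, DEMO_BODY, now=ts + 6))   # (False, 'replayed delivery')
    print(receiver.verify(headers, DEMO_BODY + b" ", now=ts + 7))  # (False, 'signature mismatch')
```

Compute the MAC over the raw request body as received, before any JSON parsing or re-serialisation; re-encoding the parsed object changes whitespace and key order and will not reproduce the sender's bytes.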

Permissions

  • audit.read
  • audit.manage

audit.read verifies the chain and views sinks; audit.manage creates, edits, tests and deletes streaming sinks.