Build an audit narrative from your logs

Turn **Audit Logs** (Jobs, Threads, and Events) into a **story auditors and customers can follow**: who acts, what changed, and how failures surface. Built from filters and exports ([Create a shared Team API Key](/tutorials/create-a-team-api-key), [Back up and export your Auxot data](/tutorials/back-up-and-export-your-auxot-data)), not a pile of screenshots and not invented certifications.

Plus: three Admin-Agent passes: outline a one-page narrative from pasted row summaries only, separate **observed** vs **policy** claims, and draft email scaffolding for customer security reviews. Human-owned sign-off.

Audience	Admins · Executives · Developers
Time	~12 min
Prerequisites	Comfortable reading Audit Logs tabs ([View your audit logs](/tutorials/view-your-audit-logs)). Helpful: API pulls for spreadsheets ([Create a shared Team API Key](/tutorials/create-a-team-api-key)), continuity honesty ([Back up and export your Auxot data](/tutorials/back-up-and-export-your-auxot-data)), privacy framing ([Run a data privacy review before you ship](/tutorials/run-a-data-privacy-review-before-you-ship)).
You'll end up with	A dated narrative doc with sections for activity visibility, configuration changes, failure handling, and retention/export stance, each tied to evidence pointers (time ranges, API job names, and manual links) counsel can correct.

When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.

Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.

Why this matters

Compliance conversations want a clear story, not panic: how do we know who did what, how do we spot breakage, how long do records live? Audit Logs already records what happened (View your audit logs): Jobs for execution, Threads for conversations, and Events for system moves.

The failure mode is forwarding raw screenshots nobody can search, or letting chat dress up facts that legal never approved. The middle path is a short narrative: plain-language paragraphs where each claim ends with where we looked: a filter, an export file, a manual section (Security).

This complements leadership storytelling (Brief leadership on your agent program), narrower and evidence-first, and questionnaire cell work (Answer vendor security questionnaires from your own evidence): same facts, essay shape instead of spreadsheet rows.

Audit Logs doesn’t compile a narrative on its own: you assemble sources, you label uncertainty.

Quick start

Name the audience. Internal audit, enterprise buyer, or regulator-style questionnaire: tone and depth shift; pick one.
Freeze scope window. Last 90 days or fiscal quarter; paste date bounds beside every section header.
Gather three strands. Activity (Jobs + Threads: who used agents, volume ballpark), Control changes (Events: credential edits, role moves if visible), Failures (failed Jobs, error Events: how ops notices).
Anchor retention/export. Two honest paragraphs citing View your audit logs (Retention and export) and your backup stance (Back up and export your Auxot data): no invented capabilities.
Attach evidence index. Bullet list: Claim → Source → Owner; screenshots optional appendix only.

Done? First draft narrative ≤ two pages: ready for security or counsel red ink.

The agent can do that?

1. Outline only from summaries

Chat → Admin Agent:

Audience: [customer security reviewer]. I paste anonymized Audit Logs summaries (Jobs/Events counts by week, no PII). Produce outline: H1/H2 headings + bullet claims, each ending with "Evidence needed:" placeholder. No filler certifications.

Why it’s non-obvious: Forces structure before persuasive language sneaks in: you still paste real aggregates because outline depends on them.

2. Observed vs policy separation

Rewrite this paragraph. Split sentences into **Observed in Auxot** vs **Our org policy says**, markdown columns, flag mixed sentences.

Why it’s non-obvious: Auditors punish blended voice: mechanical split saves review cycles after you paste muddy prose.

3. Customer email stub

Draft 120-word email attaching narrative. Tone confident-not-legal, ends with invitation for follow-up questions, no liability guarantees.

Why it’s non-obvious: Sales forwards drafts missing caveats: template reduces mishandling you still personalize.

Go deeper

API-assisted bundles

Repeatable buyer diligence pairs programmatic pulls (Create a shared Team API Key, Back up and export your Auxot data): narrative stays stable when rows refresh monthly.

Quarterly review hooks

Quarterly reviews (Run a quarterly review of your agents) become reference points: “see Q2 roster review appendix.”

Agent behavior evidence

When narrative must cite refusal or tool policy discipline, cross-link the adversarial tests (Stress-test an agent before you widen access, Red-team your agents against prompt injection): frame as process, not proof of perfect safety.

Deletion stance

Retention and deletion asks belong in one tight subsection (Plan for retention and deletion requests): avoids contradicting questionnaire rows elsewhere.

Drafting paths

If you wire an MCP to assemble the narrative, use the offline-file model: an offline-file Word MCP writes the .docx to a folder on your machine, never touching OneDrive. You open the file, read it, decide whether to share. The file itself is the human-review gate.

Skip the Microsoft Graph paths (live Word documents in OneDrive) for audit narratives. The cloud tools write the live document on the first call, with no draft state in between, which collapses the review step you need.

Owner change and dry runs

This narrative is the artifact that gets handed off when leadership rotates: pair with Hand off the audit narrative when your compliance lead changes so the next person inherits both the document and the reasoning behind each claim. Before an external review, Run an internal pre-audit drill against your own narrative is the dress rehearsal that catches the gaps an auditor would otherwise find first.

Walkthrough

Step 1: Export or note filters

Save the exact tab + filters producing each statistic: future-you reproduces the story.

Step 2: Draft Activity section

Jobs → describe volume trend + notable failures: cite token outliers only if finance cleared sharing (Allocate model spend to teams for internal reporting).

Step 3: Draft Change-management section

Events → configuration edits narrative: who can perform (tie to org roles if documented elsewhere).

Step 4: Draft Visibility section

Explain admin vs member scopes (View your audit logs, scoping aside).

Step 5: Legal pass handoff

Deliver labeled DRAFT with question list: counsel fills statutory language.

What’s next

→ View your audit logs. Canonical UI vocabulary this narrative cites.
→ Answer vendor security questionnaires from your own evidence. When buyers want cells, not prose chapters.
→ Hand off the audit narrative when your compliance lead changes. This narrative is the artifact that gets handed off; the handoff playbook keeps the reasoning behind each claim intact across a role change.
→ Run an internal pre-audit drill against your own narrative. Dress rehearsal against this exact document before an auditor or buyer reads it.
→ Brief leadership on your agent program. Exec storyline, less granular than auditor packs.
→ Back up and export your Auxot data. Backup and export honesty repeats in every diligence cycle.
→ Run a quarterly review of your agents. Recurring governance cadence to cite inside the narrative.
→ Use two-person rules for high-impact actions. Maker/checker separation belongs in the same evidence bundle when boards ask who can commit what.

Reference

Manual: Security, API overview
Pages in Auxot: Audit Logs (Jobs, Threads, Events)
See also: Route intent to the right specialist agent, Run a data privacy review before you ship, Create a shared Team API Key, Plan for retention and deletion requests