Walk your auditor through the logs in 30 minutes
Run a structured **live walkthrough** of **Audit Logs** ([View your audit logs](/tutorials/view-your-audit-logs)) for an auditor or enterprise security reviewer: three tabs (Jobs, Threads, Events), a rehearsed filter sequence per tab, a talk-track that fits inside 30 minutes, and Admin-Agent help mid-meeting when the reviewer asks for something you didn't pre-stage.
Plus: three Admin-Agent passes: rehearse a 30-minute filter sequence with talk-track per tab, surface specific Jobs or Events on demand mid-meeting when the reviewer pivots, and draft the post-meeting follow-up doc that converts the reviewer's questions into action items.
| Audience | Admins · Executives |
|---|---|
| Time | ~12 min |
| Prerequisites | Comfortable with the **Audit Logs** surface ([View your audit logs](/tutorials/view-your-audit-logs)): knowing the three tabs (Jobs, Threads, Events) and the filter options on each. Helpful: a prepared **trust packet** ([Bundle a customer trust packet from your audit evidence](/tutorials/bundle-a-customer-trust-packet-from-your-audit-evidence)) the reviewer has already read, the **audit narrative** ([Build an audit narrative from your logs](/tutorials/build-an-audit-narrative-from-your-logs)) as the prose layer behind the logs, and the **quarterly frequency table** ([Track which audit fields each questionnaire asks about](/tutorials/track-which-audit-fields-each-questionnaire-asks-about)) so you know which filters this reviewer's industry typically focuses on. |
| You'll end up with | A **dated walkthrough plan** (meeting agenda with filter sequence per tab, talk-track per filter (90 seconds each), and a rehearsal note covering the three reviewer pivots you're most likely to hit) plus a post-meeting follow-up template you populate during the call and send within 24 hours. |
When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.
Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.
Why this matters
An auditor or enterprise security reviewer asks for “a walkthrough of your audit logs.” The next hour decides whether the relationship gets harder or easier.
Most teams improvise. Someone shares their screen, opens Audit Logs, scrolls through whatever’s on the default view, and answers questions reactively. The reviewer leaves with a vague sense that the company has logs but doesn’t know which questions got answered and which got hand-waved.
A 30-minute walkthrough that lands cleanly looks different. The owner has rehearsed a filter sequence per tab (Jobs, Threads, Events). Each filter on the sequence has a one-line talk-track: what this filter shows, why a reviewer would care, what to highlight in the rows that appear. The owner moves through the sequence at ~90 seconds per filter, leaves a 4-minute buffer for the reviewer to pivot, and walks out with a populated follow-up template.
The walkthrough is also a place where the Admin Agent earns its keep mid-meeting: when the reviewer says “show me the Jobs that touched the customer-data tool last week”, you don’t fumble through filter dropdowns; you ask the Admin Agent in a separate chat tab and paste the filter combination it returns.
The walkthrough is a performance, not a discovery: you rehearse the filter sequence, you decide what each filter shows the reviewer, you populate the follow-up template while the meeting is still live.
Quick start
- Block the agenda. 5 min orient + 8 min Jobs + 8 min Events + 5 min Threads + 4 min reviewer-driven Q&A buffer. Total 30 minutes. Adjust ratios for your industry: fintech reviewers spend more time on Events (configuration changes); healthcare reviewers spend more time on Jobs (data-touch evidence).
- Pick the filter sequence per tab. Admin Agent power move 1: paste your tab plan; get a filter sequence with talk-track per filter. The Jobs tab usually needs 4–5 filter steps (status: Failed → status: Complete → text-search a specific model → filter by date range). Same shape for Events and Threads.
- Rehearse the sequence. Open Audit Logs, work through the filter sequence in order, time yourself. Anything that takes longer than 90 seconds per filter step gets cut or split. Anything that requires explaining what a row means gets a pre-written one-sentence talk-track.
- Mid-meeting helper ready. Open a second tab with Chat → Admin Agent before the meeting starts. When the reviewer pivots (“can you show me X?”), ask the Admin Agent for the filter combination, then apply it in the live view. Power move 2 is the prompt template for this.
- Populate follow-up live. During the call, type the reviewer’s questions into a follow-up doc as they come up. Admin Agent power move 3 turns the raw question list into action items with owner + due date within 30 minutes of the call ending.
Done? One rehearsed walkthrough delivered cleanly, follow-up doc sent within 24 hours, all reviewer questions either answered live or assigned to a named owner with a date.
The agent can do that?
1. Rehearse the filter sequence
Chat → Admin Agent:
I'm walking an auditor through Audit Logs in 30 minutes. Agenda: 5 min orient, 8 min Jobs, 8 min Events, 5 min Threads, 4 min Q&A. Reviewer focus: [SOC 2 Type II / healthcare data flow / fintech configuration change controls]. Produce a filter sequence per tab (4-6 filter steps per tab) with a one-sentence talk-track per step (≤25 words each) covering: what the filter shows, why the reviewer cares, what to highlight in the rows. Output as a markdown table per tab.
Why it’s non-obvious: Auditor walkthroughs go badly when the host narrates what the screen shows (“you can see we have logs”). The talk-track forces you to lead with why this filter answers the reviewer’s underlying question: the difference between a tour and a defense.
2. Mid-meeting filter helper
Open in a second tab during the meeting:
Auditor just asked: "[paste their exact question]". Which Audit Logs tab, which filter values, which search text would surface that? Bullet response: tab name, filter dropdown values, any text-search input. No commentary, I'm applying live.
Why it’s non-obvious: Fumbling through dropdowns mid-meeting reads as unfamiliarity with your own controls. A 10-second Admin-Agent lookup keeps the pace. You apply the filter in the live view; the agent never touches the production session.
3. Post-meeting follow-up
Auditor questions and my live notes from today's walkthrough pasted below: [paste]. Turn this into a markdown follow-up table with columns: Question, Status (answered live / needs follow-up / out-of-scope), Owner, Due date, Source-of-answer (which Audit Logs filter or which other artifact). Output a table I can drop into our shared doc. Don't invent owners; mark unknown owners as [ASSIGN].
Why it’s non-obvious: Follow-up docs sent within 24 hours land twice as well as ones sent next week. The agent does the structuring; you fill the [ASSIGN] rows and send it.
Go deeper
Industry-specific filter focus
Use your quarterly frequency table (Track which audit fields each questionnaire asks about) to bias the filter sequence toward the reviewer’s industry: healthcare reviewers want retention + customer-data evidence; fintech reviewers want configuration-change evidence + privileged-action separation; sales-org enterprise reviewers want general visibility + agent-action accountability.
The three pivots you’ll hit every time
Almost every reviewer eventually asks one of: (1) “show me a real incident trace end-to-end” (pair with Trace a failing job end to end), (2) “show me what happens when something tries to misuse a tool” (point to your red-team note + Red-team your agents against prompt injection), (3) “who can change this configuration” (Events tab filter on configuration-change types). Rehearse one talk-track for each.
What never to click on
During a live screen-share, do not navigate into Settings → Agents (job-description prose can contain internal opinions you don’t want a reviewer reading), do not open Chat threads that may contain customer identifiers, do not paste your Team API Key anywhere visible. Audit Logs themselves are safe; they show metadata, not message body content beyond what filters expose.
Solo rehearsal is enough
You don’t need a colleague to play auditor in rehearsal. Run the filter sequence yourself, narrate each step out loud, time it. If a step doesn’t fit in 90 seconds, the talk-track is too long or the filter is too broad; fix one and re-run.
Owner change and dry runs
The 30-minute walkthrough sits inside a triad of compliance artifacts: Hand off the audit narrative when your compliance lead changes keeps the filter sequence and per-filter talk-track intact when the walkthrough owner rotates, and Run an internal pre-audit drill against your own narrative is the upstream rehearsal of the audit narrative that this walkthrough demonstrates live. Walk, drill, handoff: same source material, three different framings.
Walkthrough
Step 1: Draft the agenda
5/8/8/5/4 default split. Adjust ratios based on industry; Admin Agent power move 1 generates the filter sequence per your chosen ratios.
Step 2: Build the talk-track table
Markdown table per tab: Filter step | What it shows | Why reviewer cares | What to highlight. Owner reviews; counsel reviews if the walkthrough is for a regulated industry.
Step 3: Rehearse solo
Apply each filter step in Audit Logs, narrate aloud, stopwatch each step. Cut or split anything over 90 seconds.
Step 4: Pre-meeting setup
Two tabs: live Audit Logs + Admin Agent chat. Follow-up doc open in a third tab. Microphone tested.
Step 5: Send follow-up within 24 hours
Power move 3 generates the follow-up table during the call. Populate [ASSIGN] rows, get one teammate to review the wording, send.
What’s next
- → View your audit logs. Foundational tutorial: the three tabs and all filter options the walkthrough uses.
- → Build an audit narrative from your logs. The prose layer the reviewer probably read before the meeting; the walkthrough is the live evidence behind that narrative.
- → Bundle a customer trust packet from your audit evidence. If the walkthrough goes well, the trust packet is what they take back to their team.
- → Track which audit fields each questionnaire asks about. Tells you which filters this reviewer’s industry will focus on, so your sequence matches their priors.
- → Trace a failing job end to end. The “show me a real incident” pivot: pre-stage one example trace before the meeting.
- → Answer vendor security questionnaires from your own evidence. The cell-by-cell sister artifact for reviewers who prefer questionnaires to live walkthroughs.
- → Hand off the audit narrative when your compliance lead changes. When the walkthrough owner rotates, the filter sequence and per-filter talk-track have to survive; the handoff playbook keeps the reasoning intact.
- → Run an internal pre-audit drill against your own narrative. Upstream rehearsal: the drill rehearses the documented narrative; this walkthrough demonstrates it live against the real Audit Logs.
Reference
- Pages in Auxot: Audit Logs (Jobs, Threads, Events), Chat
- See also: Use two-person rules for high-impact actions, Red-team your agents against prompt injection, Plan for retention and deletion requests, Run a quarterly review of your agents