Audit tools

These tools let an AI agent review what already happened in a workspace: who did what, which commands ran on which servers, which files moved through WebFTP, and what an AI security analysis found in a recorded session. They back requests like “who restarted nginx on web-01 last week” or “did anything suspicious happen in that Websh session.”

Session analyses are the AI-generated security reviews Alpacon runs against Work Session activity—triggered automatically when a session closes, or manually with work_session_analyze. Each analysis carries a risk score and, in the full detail view, a MITRE ATT&CK mapping, an attack-chain narrative, and recommended actions. Use list_session_analyses to sweep the workspace for risky sessions, then get_session_analysis_detail for the full findings on one.

All tools accept workspace (required) and region (optional, defaults to the configured region). These common parameters are omitted from the tables below.

Summary

ToolDescriptionAccess
list_activity_logsList activity logs for auditing user and system actionsRead-only
get_activity_logGet full details of a specific activity log entryRead-only
list_server_logsList server command execution historyRead-only
list_webftp_logsList WebFTP file transfer historyRead-only
list_session_analysesList AI security analysis results across the workspaceRead-only
get_session_analysis_detailGet full AI security analysis detail, including MITRE ATT&CK mappingRead-only

Activity logs

list_activity_logs

Lists activity logs for auditing user and system actions across the workspace. Use this for a broad “who did what” sweep; for command-specific or file-transfer-specific history, use list_server_logs or list_webftp_logs instead.

Access: Read-only

Parameters

ParameterTypeRequiredDescription
pageintegerNoPage number for pagination
page_sizeintegerNoNumber of items per page

Example

“What’s happened in this workspace today?”

The agent calls list_activity_logs and summarizes the recorded actions.

get_activity_log

Gets full details of a specific activity log entry by ID. Use after list_activity_logs to drill into one entry.

Access: Read-only

Parameters

ParameterTypeRequiredDescription
log_idstringYesActivity log entry ID

Example

“Show me the full details of that activity log entry”

The agent calls get_activity_log with the log ID from a prior list_activity_logs result.

History logs

list_server_logs

Lists server command execution history. Filter by server_id to scope the history to one server. Use this to review the command execution audit trail on a server—distinct from list_commands, which returns recent commands with their output for operational follow-up.

Access: Read-only

Parameters

ParameterTypeRequiredDescription
server_idstringNoFilter results to commands run on this server
pageintegerNoPage number for pagination
page_sizeintegerNoNumber of items per page

Example

“Show me the command history on db-01”

The agent calls list_server_logs with server_id set to db-01’s UUID.

list_webftp_logs

Lists WebFTP file transfer history. Filter by server_id to scope the history to one server.

Access: Read-only

Parameters

ParameterTypeRequiredDescription
server_idstringNoFilter results to transfers involving this server
pageintegerNoPage number for pagination
page_sizeintegerNoNumber of items per page

Example

“What files were transferred to web-01 this week?”

The agent calls list_webftp_logs with server_id set to web-01’s UUID and reviews the transfer history.

Session analyses

list_session_analyses

Lists AI security analysis results for Websh sessions across the workspace, with summaries, risk scores, and analysis timestamps. Filter by server_id, status (pending, processing, completed, failed), or risk_score (low, medium, high, critical). Useful for a security sweep across many sessions before drilling into any one of them.

Access: Read-only

Parameters

ParameterTypeRequiredDescription
server_idstringNoFilter by server ID
statusstringNoFilter by analysis status
risk_scorestringNoFilter by risk score
pageintegerNoPage number for pagination
page_sizeintegerNoNumber of items per page

Example

“Show me any high or critical risk sessions from the last week”

The agent calls list_session_analyses with risk_score="high" and reviews the results, then calls with risk_score="critical" for the rest.

get_session_analysis_detail

Gets the full AI security analysis for one session analysis record: risk factors, MITRE ATT&CK mapping, attack chain analysis, threat indicators, timeline analysis, and recommended actions.

Access: Read-only

Parameters

ParameterTypeRequiredDescription
analysis_idstringYesSession analysis record ID

Example

“That session came back high risk—what exactly did the analysis find?”

The agent calls get_session_analysis_detail with the analysis ID and walks through the risk factors, MITRE ATT&CK mapping, and recommended actions.

  • Work Session tools: work_session_analyze triggers the analyses this page reviews, and work_session_timeline shows the same session’s raw command and file activity
  • Events & webhooks tools: server-level event logging and search
  • Audit overview: the concept guide to sessions, events, and governance records in the Alpacon web interface
Last updated: