Audit tools
These tools let an AI agent review what already happened in a workspace: who did what, which commands ran on which servers, which files moved through WebFTP, and what an AI security analysis found in a recorded session. They back requests like “who restarted nginx on web-01 last week” or “did anything suspicious happen in that Websh session.”
Session analyses are the AI-generated security reviews Alpacon runs against Work Session activity—triggered automatically when a session closes, or manually with work_session_analyze. Each analysis carries a risk score and, in the full detail view, a MITRE ATT&CK mapping, an attack-chain narrative, and recommended actions. Use list_session_analyses to sweep the workspace for risky sessions, then get_session_analysis_detail for the full findings on one.
All tools accept workspace (required) and region (optional, defaults to the configured region). These common parameters are omitted from the tables below.
Summary
| Tool | Description | Access |
|---|---|---|
list_activity_logs | List activity logs for auditing user and system actions | Read-only |
get_activity_log | Get full details of a specific activity log entry | Read-only |
list_server_logs | List server command execution history | Read-only |
list_webftp_logs | List WebFTP file transfer history | Read-only |
list_session_analyses | List AI security analysis results across the workspace | Read-only |
get_session_analysis_detail | Get full AI security analysis detail, including MITRE ATT&CK mapping | Read-only |
Activity logs
list_activity_logs
Lists activity logs for auditing user and system actions across the workspace. Use this for a broad “who did what” sweep; for command-specific or file-transfer-specific history, use list_server_logs or list_webftp_logs instead.
Access: Read-only
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
page | integer | No | Page number for pagination |
page_size | integer | No | Number of items per page |
Example
“What’s happened in this workspace today?”
The agent calls list_activity_logs and summarizes the recorded actions.
get_activity_log
Gets full details of a specific activity log entry by ID. Use after list_activity_logs to drill into one entry.
Access: Read-only
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
log_id | string | Yes | Activity log entry ID |
Example
“Show me the full details of that activity log entry”
The agent calls get_activity_log with the log ID from a prior list_activity_logs result.
History logs
list_server_logs
Lists server command execution history. Filter by server_id to scope the history to one server. Use this to review the command execution audit trail on a server—distinct from list_commands, which returns recent commands with their output for operational follow-up.
Access: Read-only
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
server_id | string | No | Filter results to commands run on this server |
page | integer | No | Page number for pagination |
page_size | integer | No | Number of items per page |
Example
“Show me the command history on db-01”
The agent calls list_server_logs with server_id set to db-01’s UUID.
list_webftp_logs
Lists WebFTP file transfer history. Filter by server_id to scope the history to one server.
Access: Read-only
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
server_id | string | No | Filter results to transfers involving this server |
page | integer | No | Page number for pagination |
page_size | integer | No | Number of items per page |
Example
“What files were transferred to web-01 this week?”
The agent calls list_webftp_logs with server_id set to web-01’s UUID and reviews the transfer history.
Session analyses
list_session_analyses
Lists AI security analysis results for Websh sessions across the workspace, with summaries, risk scores, and analysis timestamps. Filter by server_id, status (pending, processing, completed, failed), or risk_score (low, medium, high, critical). Useful for a security sweep across many sessions before drilling into any one of them.
Access: Read-only
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
server_id | string | No | Filter by server ID |
status | string | No | Filter by analysis status |
risk_score | string | No | Filter by risk score |
page | integer | No | Page number for pagination |
page_size | integer | No | Number of items per page |
Example
“Show me any high or critical risk sessions from the last week”
The agent calls list_session_analyses with risk_score="high" and reviews the results, then calls with risk_score="critical" for the rest.
get_session_analysis_detail
Gets the full AI security analysis for one session analysis record: risk factors, MITRE ATT&CK mapping, attack chain analysis, threat indicators, timeline analysis, and recommended actions.
Access: Read-only
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
analysis_id | string | Yes | Session analysis record ID |
Example
“That session came back high risk—what exactly did the analysis find?”
The agent calls get_session_analysis_detail with the analysis ID and walks through the risk factors, MITRE ATT&CK mapping, and recommended actions.
Related
- Work Session tools:
work_session_analyzetriggers the analyses this page reviews, andwork_session_timelineshows the same session’s raw command and file activity - Events & webhooks tools: server-level event logging and search
- Audit overview: the concept guide to sessions, events, and governance records in the Alpacon web interface