Audit Trail
  • 30 Nov 2020

Early Access feature
If you would like to learn more about this feature or want to request early-access, please get in touch with your Mambu Customer Success Manager to discuss your requirements.
  • In order to make use of this feature you must have enabled and set up API consumers.
  • You must provide a User-Agent header with every API request to better identify applications being used to access the system.

Audit trail—Standalone Capability

The purpose of the Audit Trail project is to get a 360-degree view of all user activities that have been performed in the Mambu system. These activities are of two types, User Interface actions and API calls, and together they show what users are doing and how they are using the Mambu application.

Collecting data from the standpoint of a user identity or login is a great way to correlate all kinds of information so that auditors will be able to retrieve the necessary information in a timely and efficient manner to investigate a potential fraud or other specific action (for example, who initiated a certain transaction or journal entry).

Audit records are grouped per tenant and provide information about the action that has been performed, the actual user performing the operation, the resources modified by the operation and the date and time of the operation. These records are also captured as soon as they are generated by the user’s journey or API calls and sent to another system that allows investigators to easily access and interact with the critical data involved via a secured endpoint.

Current features

The current implementation allows an auditor to perform the following:

  • Track what has been done in the Mambu application, by whom and when.
  • Choose who to audit and what type of information to audit.
  • View in real-time what Mambu application users are doing.
  • Prevent users (or others, such as intruders) from inappropriate actions based on the events generated by their journey.
  • Investigate suspicious activity. For example, if a user is generating a big transaction, then an administrator might decide to audit that user's latest actions in a given interval.
  • Detect actions performed by an unauthorized user. For example, an unauthorized user could change or delete data, or a user could have more privileges than expected, which can lead to reassessing user permissions.
  • Monitor and gather data about specific activities. For example, the auditor can gather information about which deposits have been created by a specific user.
  • Address auditing requirements for compliance.

Events interceptor

There are currently two types of intercepted audit events:

  • UI Events:

    • the events generated by users' actions. A handler interceptor is used to capture all GWT actions.
    • authentication events. An HTTP filter is used to intercept events of this kind.
  • API Events:

    • covers all API calls regardless of the API version. An HTTP filter is used to intercept events of this kind.

      New Required Header Parameter for API requests: User-Agent
      To identify the applications calling the API, the User-Agent header parameter becomes a required field for all requests when the Audit Trail feature is enabled.
      Most API clients supply this header automatically with every request, for example PostmanRuntime/7.26.5 or curl/7.54, but make sure that it is also sent by any integrations you have built, otherwise requests may be rejected.

All in all, records of this kind let the auditor build a nuanced view of individual user behavior and activity.


The audit events can be accessed via a secure public API, which offers fine-grained search criteria so that an auditor can search at a granular level and narrow the results.

The API endpoint is secured with an API key. The key is generated through the Mambu UI and stored in another system.

The filters are provided via query parameters using LHS brackets with an operator. The general format is:

    FIELD_NAME[OPERATOR]=FIELD_VALUE

  • FIELD_NAME: e.g. event_source, request_uri, user_agent, etc.
  • OPERATOR: e.g. eq, contains, ne (see full list below)
  • FIELD_VALUE: e.g. API, /api/cards/, Postman

More than one filter can be applied to a request, as seen in the request below, where the results are filtered to return only events where the source was API and the request payload contained the word amount anywhere.

You can sort your results with the sort_by query parameter (the field to sort on) and the sort_order query parameter (the direction: asc for ascending or desc for descending).

Request example:


Response example:

    {
        "events": [
            {
                "response_code": 401,
                "occurred_at": "2018-08-30T13:35:05.023Z",
                "resource": "cards",
                "event_source": "API",
                "client_ip": "",
                "request_method": "POST",
                "request_payload": "{\"externalReferenceId\":\"1234\",\"amount\":10,\"currencyCode\":\"EUR\"}",
                "resource_fragment": "/api/cards/rtyrtyrtyrty/authorizationholds/yrtyrtyrty:decrease",
                "request_uri": "/api/cards/rtyrtyrtyrty/authorizationholds/yrtyrtyrty:decrease",
                "user_agent": "userAgentInfo",
                "username": "demo"
            }
        ],
        "from": 0,
        "size": 10,
        "totalItemsCount": 1
    }

Parameter description

| Operator | Description | Example |
|---|---|---|
| eq | Equals - exact match, applies to any type of fields | username[eq] |
| ne | Not equals, applies to any type of fields | username[ne] |
| gt | Greater than, applies to numeric or date fields | occurred_at[gt]=2018-05-01 |
| gte | Greater than or equal, applies to numeric or date fields | occurred_at[gte]=2018-05-01 |
| lt | Less than, applies to numeric or date fields | occurred_at[lt]=2018-05-01 |
| lte | Less than or equal, applies to numeric or date fields | occurred_at[lte]=2018-05-01 |
| startsWith | Starts with, applies to string fields | username[startsWith]=demo |
| in | Element in list (exact match), applies to any type of fields | username[in], |
| contains | Will search for all the provided elements in the specified field. Each element (delimited by ‘,’) can consist of multiple terms, but in order for the event document to be matched, the terms must appear in the same order (and not be separated by any additional words) in the event field value. The order of the elements is not relevant. Applies to string fields. | request_payload[contains]="provisionedThroughFederation":true, "detailsLevel":"BASIC" |

| Event field | Description | Supported operators |
|---|---|---|
| event_source | The events that are supposed to be audited fall within the following categories: API, UI | eq, ne, in |
| request_uri | Part of the request's URL from the protocol name up to the query string in the first line of the HTTP request | eq, ne, startsWith, in, contains |
| request_method | HTTP request method (GET, POST, PUT, etc.) | eq, ne, in |
| request_payload | The raw request data with sensitive information removed (see details in note below). Parameter may be empty. | eq, ne, startsWith, in, contains |
| user_agent | The value of the HTTP User-Agent header | eq, ne, startsWith, in, contains |
| resource | For API this is obtained from parsing the URL, e.g. for "/api/clients" the resulting value is "clients". For UI this is obtained from parsing the URL hash, e.g. for "" the resulting value is "admin_reports". | eq, ne, startsWith, in, contains |
| resource_fragment | For API this holds the request URI. For UI this holds the raw URL hash. | eq, ne, startsWith, in, contains |
| username | The currently logged in user (might be empty) | eq, ne, startsWith, in, contains |
| client_ip | IP address from the HTTP request or the X_FORWARDED_FOR header if present | eq, ne, startsWith, in |
| response_code | HTTP response code | eq, ne, in, gt, gte, lt, lte |
| occurred_at | The date the event has been generated (when creating queries on this field the provided values must be in ISO8601 standard) | eq, ne, in, gt, gte, lt, lte |
| response_payload | The raw response payload with sensitive information removed (see details in note below). Field may be empty. | eq, ne, startsWith, in, contains |

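
The filter format and the per-field operator lists above can be checked on the client before an audit search is sent, so a mistyped operator or a non-ISO8601 date fails locally instead of producing a search that does not mean what the auditor intended. This is an added example, not Mambu code: the name build_query is hypothetical, and it only builds the query string because the endpoint path and API key header are not given on this page. Restricting sort_by to the listed event fields and joining list values with commas for the in operator are assumptions.

```python
from datetime import datetime
from urllib.parse import urlencode

# Supported operators per event field, transcribed from the tables on this page.
_TEXT = {"eq", "ne", "startsWith", "in", "contains"}
_RANGE = {"eq", "ne", "in", "gt", "gte", "lt", "lte"}
SUPPORTED = {
    "event_source": {"eq", "ne", "in"},
    "request_method": {"eq", "ne", "in"},
    "client_ip": {"eq", "ne", "startsWith", "in"},
    "response_code": _RANGE,
    "occurred_at": _RANGE,
    **{f: _TEXT for f in ("request_uri", "request_payload", "response_payload",
                          "user_agent", "resource", "resource_fragment", "username")},
}


def build_query(filters, sort_by=None, sort_order=None):
    """Return a URL-encoded query string from (field, operator, value) triples."""
    params = []
    for field, op, value in filters:
        if field not in SUPPORTED:
            raise ValueError(f"unknown event field: {field}")
        if op not in SUPPORTED[field]:
            raise ValueError(f"operator {op!r} is not supported on {field}")
        values = value if isinstance(value, (list, tuple)) else [value]
        if field == "occurred_at":
            for v in values:
                # Raises ValueError when the value is not an ISO8601 date/time.
                datetime.fromisoformat(str(v).replace("Z", "+00:00"))
        # Assumption: list values are sent comma-delimited.
        params.append((f"{field}[{op}]", ",".join(str(v) for v in values)))
    if sort_by is not None:
        # Assumption: sort_by accepts the event fields listed in the table.
        if sort_by not in SUPPORTED or sort_order not in ("asc", "desc"):
            raise ValueError("sort_by must be an event field, sort_order asc or desc")
        params += [("sort_by", sort_by), ("sort_order", sort_order)]
    # safe="[]" keeps the LHS brackets literal; everything else is percent-encoded.
    return urlencode(params, safe="[]")
```

Calling build_query([("event_source", "eq", "API"), ("request_payload", "contains", "amount")], sort_by="occurred_at", sort_order="desc") produces the two-filter search described earlier on this page, sorted newest first.
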
Please Note

The following information is removed from request payloads when using Audit Trail:

