Use audit logs effectively
What's logged, how long, and the three queries every admin should know.
Audit logs are boring until you need them, at which point they're the difference between confidently answering “what happened?” and guessing. Spend ten minutes understanding your own audit log now so you're not learning it during an incident.
What's logged
- Authentication events (sign-in, sign-out, MFA challenges).
- Configuration changes (scans, integrations, policies).
- User management (add/remove/role change).
- Exports and sensitive reads (evidence packages, finding details).
- API key creation, rotation, revocation.
Three queries every admin should know
- Who signed in from a new location? Filter auth events where the IP ASN didn't appear in the last 30 days.
- What changed on <date>? Filter configuration events to that day, grouped by user.
- Who exported what? Filter export events by user; especially useful post-offboarding.
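The three queries above, run over a handful of constructed audit-log records as an added example (not the product's own query language or export format; the field names `ts`, `event`, `user`, `ip_asn` and `target`, the dotted event names, and UTC timestamps are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not from any real tenant. Timestamps are assumed UTC.
EVENTS = [
    {"ts": "2024-03-02T09:00:00", "event": "auth.sign_in", "user": "ana", "ip_asn": "AS100"},
    {"ts": "2024-03-20T08:30:00", "event": "auth.sign_in", "user": "ana", "ip_asn": "AS100"},
    {"ts": "2024-04-01T10:15:00", "event": "config.scan.update", "user": "ana", "target": "scan-1"},
    {"ts": "2024-04-01T11:00:00", "event": "config.policy.update", "user": "bob", "target": "policy-a"},
    {"ts": "2024-04-02T23:50:00", "event": "auth.sign_in", "user": "bob", "ip_asn": "AS999"},
    {"ts": "2024-04-03T00:05:00", "event": "export.evidence", "user": "bob", "target": "pkg-7"},
    {"ts": "2024-04-03T00:06:00", "event": "export.findings", "user": "bob", "target": "finding-42"},
]

def parse_ts(rec):
    return datetime.fromisoformat(rec["ts"])

def new_location_sign_ins(events, since, lookback_days=30):
    """Query 1: sign-ins on/after `since` (YYYY-MM-DD) whose ASN no auth event
    used in the preceding `lookback_days`. A tenant's very first sign-in is
    flagged too, since there is no baseline yet."""
    since_dt = datetime.fromisoformat(since)
    auth = sorted((e for e in events if e["event"].startswith("auth.")), key=parse_ts)
    flagged = []
    for i, e in enumerate(auth):
        when = parse_ts(e)
        if e["event"] != "auth.sign_in" or when < since_dt:
            continue
        window_start = when - timedelta(days=lookback_days)
        seen = {p.get("ip_asn") for p in auth[:i] if parse_ts(p) >= window_start}
        if e["ip_asn"] not in seen:
            flagged.append(e)
    return flagged

def changes_on(events, day):
    """Query 2: configuration events on a calendar day (YYYY-MM-DD), grouped by user."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("config.") and e["ts"][:10] == day:
            by_user[e["user"]].append((e["ts"], e["event"], e["target"]))
    return dict(by_user)

def exports_by(events, user):
    """Query 3: everything one account exported; run it for an account after offboarding."""
    return [(e["ts"], e["event"], e["target"])
            for e in events if e["event"].startswith("export.") and e["user"] == user]

if __name__ == "__main__":
    print(new_location_sign_ins(EVENTS, "2024-04-01"))   # bob from AS999
    print(changes_on(EVENTS, "2024-04-01"))               # ana and bob, one change each
    print(exports_by(EVENTS, "bob"))                      # pkg-7 and finding-42
```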
Retention and export
Logs are retained for 12 months on most plans. If you need longer retention (common for SOC 2 Type II), export to your SIEM or cold storage. A monthly export job beats waiting until audit time and realising last April's logs have rolled off.
