
A rep deletes 2,000 leads. A departing employee exports the customer list. A misconfigured Zapier flow scrambles deal stages. The audit log has the answer — if you know how to ask.

What’s Actually Logged

Zoho’s audit log captures:

  • Record creates, updates, deletes (per field).
  • Mass operations (bulk update, bulk delete, mass email).
  • Permission changes (profile, role, sharing rule edits).
  • Login events (success and failure, with IP).
  • API calls (with the OAuth client ID).

What’s not captured by default: report exports, view-only access patterns, file downloads. Plan supplementary monitoring if those matter.

Retention: Pull Before You Lose It

Default audit log retention is 6 months in most editions, longer in Enterprise. Incidents are often discovered only after that window has closed, so set up a weekly export to long-term storage:

Saturday 02:00 UTC -> export last 7 days of audit log
                   -> push to S3 / GCS bucket with retention >= 3 years
                   -> tag bucket with legal-hold capability

The first time you need 18-month-old audit data, you’ll be glad. Overlap each export by a day so a missed run does not leave a hole, and have the job verify the exported file is non-empty before it reports success.

Three Pre-Built Queries to Have Ready

Build saved filters in the audit log UI for:

  1. “Deletes by user in last 24h” — for accidental bulk deletes.
  2. “Permission changes in last 7d” — for privilege escalation review.
  3. “Failed logins by IP, last 24h” — for brute force detection.

Bookmark each. In a real incident you don’t have time to build the filter while the executive is on the phone.

API Activity Has Its Own Lens

Setup -> Channels -> API tracks calls per OAuth client. A spike from a single client at unusual hours is your earliest signal of a compromised integration. Wire this into your monitoring and baseline each client separately, since every integration has its own normal cadence; don’t wait for the audit log to catch up.
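As an added example (not code from the page or from Zoho), here is what the three saved queries above and the per-client API check look like as detection logic over an exported audit log. The record schema (`ts`, `user`, `action`, `module`, `ip`, `client_id`, `outcome`), the action labels and the sample events are all constructed assumptions; map your export’s real field names onto them. It goes slightly beyond the text in one place: an IP is reported only once it crosses a failure threshold, rather than every failed login being listed.

```python
"""Saved-query style detections over exported audit log records.

Added example, not Zoho's code. The record schema, the action labels and
the sample events below are constructed for illustration only.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Reference time for the windows; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 3, 14, 9, 0, tzinfo=timezone.utc)

# Actions treated as permission changes (assumed labels, not Zoho's exact strings).
PERMISSION_ACTIONS = {"profile_edit", "role_edit", "sharing_rule_edit"}


def _ev(ts, action, user="system", **extra):
    """Build one constructed audit record with an ISO-8601 UTC timestamp."""
    return {"ts": ts, "action": action, "user": user, **extra}


SAMPLE_RECORDS = (
    # Three deletes by one rep in the last hour, one by an admin, one two days old.
    [_ev(f"2024-03-14T08:5{i}:00Z", "delete", "rep.a@example.com", module="Leads")
     for i in range(3)]
    + [_ev("2024-03-14T07:00:00Z", "delete", "admin@example.com", module="Deals"),
       _ev("2024-03-12T10:00:00Z", "delete", "rep.b@example.com", module="Contacts")]
    # Permission changes: two inside the 7-day window, one outside it.
    + [_ev("2024-03-13T15:00:00Z", "profile_edit", "admin@example.com", target="Sales profile"),
       _ev("2024-03-10T11:00:00Z", "role_edit", "admin@example.com", target="Manager role"),
       _ev("2024-03-05T09:00:00Z", "sharing_rule_edit", "admin@example.com", target="Deals rule")]
    # Logins: six failures from one IP, one failure and one success from another.
    + [_ev(f"2024-03-14T08:0{i}:00Z", "login", "ceo@example.com",
           ip="198.51.100.7", outcome="failure") for i in range(6)]
    + [_ev("2024-03-14T08:30:00Z", "login", "rep.a@example.com", ip="203.0.113.10", outcome="failure"),
       _ev("2024-03-14T08:31:00Z", "login", "rep.a@example.com", ip="203.0.113.10", outcome="success")]
    # API calls: five from one integration at 03:xx UTC, three from another, mostly in office hours.
    + [_ev(f"2024-03-14T03:1{i}:00Z", "api_call", client_id="zapier-prod") for i in range(5)]
    + [_ev("2024-03-13T14:00:00Z", "api_call", client_id="bi-sync"),
       _ev("2024-03-13T14:05:00Z", "api_call", client_id="bi-sync"),
       _ev("2024-03-13T22:00:00Z", "api_call", client_id="bi-sync")]
)


def parse_ts(value):
    """Parse the Z-suffixed UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within(records, now, window):
    """Yield records whose timestamp falls inside [now - window, now]."""
    start = now - window
    for rec in records:
        if start <= parse_ts(rec["ts"]) <= now:
            yield rec


def deletes_by_user(records, now=NOW, hours=24):
    """Saved query 1: delete counts per user in the trailing window, largest first."""
    counts = Counter(r["user"] for r in within(records, now, timedelta(hours=hours))
                     if r["action"] == "delete")
    return dict(counts.most_common())


def permission_changes(records, now=NOW, days=7):
    """Saved query 2: every profile/role/sharing-rule edit in the trailing window."""
    return [r for r in within(records, now, timedelta(days=days))
            if r["action"] in PERMISSION_ACTIONS]


def failed_logins_by_ip(records, now=NOW, hours=24, threshold=5):
    """Saved query 3: source IPs with at least `threshold` failed logins in the window."""
    counts = Counter(r["ip"] for r in within(records, now, timedelta(hours=hours))
                     if r["action"] == "login" and r["outcome"] == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def off_hours_api_clients(records, now=NOW, hours=24, office=(7, 20), threshold=3):
    """API lens: OAuth clients with more than `threshold` calls outside office hours.

    `office` is the [start, end) UTC hour range treated as normal; anything else is off-hours.
    """
    start_h, end_h = office
    counts = Counter()
    for r in within(records, now, timedelta(hours=hours)):
        if r["action"] != "api_call":
            continue
        if not start_h <= parse_ts(r["ts"]).hour < end_h:
            counts[r["client_id"]] += 1
    return {client: n for client, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("deletes by user (24h):", deletes_by_user(SAMPLE_RECORDS))
    print("permission changes (7d):", [r["target"] for r in permission_changes(SAMPLE_RECORDS)])
    print("brute-force IPs (24h):", failed_logins_by_ip(SAMPLE_RECORDS))
    print("off-hours API clients (24h):", off_hours_api_clients(SAMPLE_RECORDS))
```

Run it against a real export by loading the file into a list of dicts with these keys; the thresholds are starting points, and the office-hours window should match the timezone your reps actually work in, not UTC.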

Mass Operations Need a Cool-Down

Most accidental mass-data incidents come from a rep using the bulk-update UI. Configure mass operation thresholds (Setup -> Users) to require a second-admin approval above 500 records. The friction is the point.

Exporting Without Tipping Off the Bad Actor

When you suspect a compromised user, don’t change their password first: it tells the intruder they’ve been noticed, and a password change alone does not necessarily end existing sessions or revoke OAuth tokens already issued to that user. Pull the audit log and email log, establish the scope (which records, which exports, which API clients), then revoke everything in one step: password, active sessions and OAuth tokens. The one exception is exfiltration still in progress, where cutting access beats a complete picture. Order matters during an active incident.

What to Do This Week

  1. Confirm your edition’s audit log retention. Set up weekly export.
  2. Build the three saved queries.
  3. Add mass-operation thresholds requiring secondary approval.
  4. Document the runbook so the on-call admin can find it without you.