In addition to deep insight into when events occurred, a good audit log should record, to the extent possible, the geographic source of a request. The Replicated Audit Log has first-class support for request origin via the source_ip event field.
If configured, the Audit Log can use recorded IPs to determine the geographic location from which an audit event originated. This is especially useful for detecting activity anomalies and identifying potential bad actors or compromised user accounts.
Defense in depth
Because the Audit Log optimizes for exportability in end-customer environments, IP and geographic information can be fed into other systems like Splunk or an enterprise SIEM to power flexible monitoring and alerting across the security stack.
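As an added example (not Replicated's own code), the sketch below runs one such anomaly check over exported events: it flags "impossible travel", where consecutive events from one actor imply a speed no traveller could reach. Only source_ip is a field named on this page; the JSON-lines layout, the actor, time, lat and lon field names, the thresholds and the sample events are assumptions constructed for illustration.

```python
import json
import math
from datetime import datetime

# Constructed sample export (JSON lines). Only `source_ip` is a field named on
# the page; `actor`, `time`, `lat` and `lon` are assumed names for this example.
SAMPLE_EVENTS = """\
{"actor": "alice", "time": "2024-05-01T09:00:00+00:00", "source_ip": "192.0.2.10", "lat": 40.71, "lon": -74.01}
{"actor": "bob", "time": "2024-05-01T09:05:00+00:00", "source_ip": "198.51.100.7", "lat": 51.51, "lon": -0.13}
{"actor": "alice", "time": "2024-05-01T09:40:00+00:00", "source_ip": "203.0.113.25", "lat": 35.68, "lon": 139.69}
{"actor": "bob", "time": "2024-05-01T13:00:00+00:00", "source_ip": "198.51.100.9", "lat": 48.86, "lon": 2.35}
"""
MAX_KMH = 1000.0  # assumed threshold, roughly faster than a commercial flight
MIN_KM = 100.0    # assumed floor: ignore moves within GeoIP's margin of error


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(lines, max_kmh=MAX_KMH):
    """Flag consecutive events by one actor that imply travel faster than
    max_kmh. Events without geo data are skipped rather than guessed."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    events = [e for e in events if e.get("lat") is not None and e.get("lon") is not None]
    events.sort(key=lambda e: datetime.fromisoformat(e["time"]))
    last, alerts = {}, []
    for ev in events:
        prev = last.get(ev["actor"])
        last[ev["actor"]] = ev
        if prev is None or prev["source_ip"] == ev["source_ip"]:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
        hours = max(gap.total_seconds() / 3600, 1 / 60)  # floor at one minute
        if km > MIN_KM and km / hours > max_kmh:
            alerts.append((ev["actor"], prev["source_ip"], ev["source_ip"], round(km)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

IP geolocation is approximate, and VPN or proxy egress points will trigger this check, so treat an alert as a prompt for review rather than proof of compromise.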