
# Analysis logs

> Query, filter, and export every analyzer decision Agnes has made for your tenant.

Every call to `POST /api/v1/analyze/` produces a structured **analysis
log** record: the policy that ran, every analyzer's output, the
decision, the request ID, and the wall-clock metrics. The log is the
ground truth for observability, post-incident review, threat-intel
ingestion, and policy tuning.

## Where to read the log

* **In the dashboard** at
  [`agnes.lasscyber.com/threat-intelligence/analysis-log`](https://agnes.lasscyber.com/threat-intelligence/analysis-log)
  — paginated table, filters, drill-downs into individual events.
* **Via the API** under `GET/POST /api/v1/analyzer-logs/…`. See the
  auto-generated [API reference](/api-reference/overview) for the
  shape and parameters.
* **Via the Workbench** at
  [`agnes.lasscyber.com/workbench`](https://agnes.lasscyber.com/workbench)
  — turns flagged events into reusable threat-intel embeddings (see
  the [Semantic Threat Intelligence analyzer](/analyzers/semantic-threat-intelligence)).

## What gets logged

Every record contains:

| Field                       | Description                                                           |
| --------------------------- | --------------------------------------------------------------------- |
| `request_id`                | Quote this when filing a support ticket.                              |
| `tenant_id`                 | Always your tenant.                                                   |
| `policy_id` / `policy_slug` | Which combined policy ran.                                            |
| `overall_status`            | `OK`, `TERMINATED_EARLY`, or `ERROR`.                                 |
| `analyzer_results`          | Per-analyzer output, metrics, and status.                             |
| `aggregated_metrics`        | Summed wall-clock and (when telemetry is on) cost.                    |
| `created_at`                | Timestamp of the request.                                             |
| `is_test_mode`              | `true` for sandbox keys; excludes the record from billing dashboards. |

We **do not** persist the raw prompt by default. The log captures
*what fired*, not *what you sent*. Customers who need raw payload
retention should ingest specific events into the Workbench, which
stores the prompt under the tenant's `prompt_injections` table for
threat-intel use.

## Searching and filtering

The dashboard search supports the most common filters out of the box:

* **Time range** — last 1h / 24h / 7d / 30d, or custom.
* **Decision** — `terminated_early` (blocked) vs `OK` (passed).
* **Analyzer** — events where a given analyzer fired or terminated.
* **Severity** — high / medium / low (driven by the threat-intel
  analyzer).
* **Free-text** — searches the analyzer outputs.

Behind the scenes, the dashboard talks to
`POST /api/v1/analyzer-logs/search` (Elasticsearch-backed when
configured) and `GET /api/v1/analyzer-logs/events_summary` for
aggregate counts.

## Programmatic access

Both SDKs expose the log API. Example (Python, paginated iteration
over flagged events in the last 24 hours):

```python
from agnes import Agnes

agnes = Agnes()

flagged = agnes.raw.get(
    "/api/v1/analyzer-logs/events_summary",
    params={"time_gte": "now-24h", "size": 100, "terminated_only": True},
)

for event in flagged["events"]:
    print(event["request_id"], event["overall_status"], event["policy_slug"])
```

The `agnes.raw` escape hatch gives you the auto-generated low-level
client for any endpoint not yet wrapped by the ergonomic surface. The
TypeScript SDK has `agnes.raw.request(...)` for the same purpose.

## Threat summaries and dashboard charts

`GET /api/v1/analyzer-logs/threat_summary` returns rollups suitable
for charting:

* Per-analyzer block / flag counts over time.
* Top-N rules / categories / threat types fired.
* Severity distribution.

The dashboard's threat-intelligence page renders these directly. If
you want to ship the same view in your own ops dashboard, hit this
endpoint and chart whatever subset is relevant.

## Retention

* **Hot retention** (queryable from the dashboard / API):
  **30 days** by default for paid tiers, **7 days** for sandbox.
* **Cold retention** is plan-dependent; ask
  [`sales@lasscyber.com`](mailto:sales@lasscyber.com) if your
  compliance requirement exceeds the hot window.

## Exporting

The dashboard has a **Download CSV** action on the analysis log table
that exports the current filter view. For larger exports use the
API and stream pages with `skip` / `limit`.

## Privacy reminders

* Sandbox traffic carries `X-Agnes-Test-Mode: true` and is flagged in
  the log. Exclude sandbox events from billing or threat-trend
  dashboards.
* Logs are tenant-scoped end to end; an admin in tenant A cannot read
  tenant B's logs even with elevated platform access.
* The dashboard never displays your API key value; quoting a
  `request_id` to support staff is safe.
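
Added example (not Agnes SDK code): a paged export that follows the `skip` / `limit` advice under Exporting and drops sandbox records as the first reminder above asks. `fetch_page`, `sample_fetch`, and the sample records are hypothetical; it assumes each page comes back as a list of records carrying the fields from the "What gets logged" table.

```python
import csv
import io
from collections import Counter

# Columns from the "What gets logged" table; nested fields are left out.
EXPORT_FIELDS = ["request_id", "created_at", "policy_slug", "overall_status"]

def iter_records(fetch_page, limit=100, max_pages=10_000):
    """Walk skip/limit pages until a short page signals the end."""
    for page_no in range(max_pages):
        page = fetch_page(page_no * limit, limit)
        yield from page
        if len(page) < limit:
            return
    raise RuntimeError("max_pages reached; narrow the filter")

def export_production(fetch_page, out, limit=100):
    """Write non-sandbox records to `out` as CSV; return overall_status counts."""
    writer = csv.DictWriter(out, fieldnames=EXPORT_FIELDS, extrasaction="ignore")
    writer.writeheader()
    seen, counts = set(), Counter()
    for rec in iter_records(fetch_page, limit):
        if rec["request_id"] in seen:
            continue  # offset paging over a growing log can repeat a record
        seen.add(rec["request_id"])
        if rec.get("is_test_mode"):
            continue  # sandbox traffic stays out of exports and trend counts
        writer.writerow(rec)
        counts[rec["overall_status"]] += 1
    return counts

def _rec(rid, status, test=False):  # constructed sample record, not real log data
    return {"request_id": rid, "created_at": "2024-01-01T00:00:00Z",
            "policy_slug": "default", "overall_status": status, "is_test_mode": test}

# Constructed pages: req-002 repeats to mimic a page-boundary shift.
SAMPLE = [_rec("req-001", "TERMINATED_EARLY"), _rec("req-002", "OK"),
          _rec("req-002", "OK"), _rec("req-003", "TERMINATED_EARLY", test=True),
          _rec("req-004", "TERMINATED_EARLY")]

def sample_fetch(skip, limit):
    """Hypothetical stand-in for the API call; replace with your client."""
    return SAMPLE[skip:skip + limit]

if __name__ == "__main__":
    buf = io.StringIO()
    print(export_production(sample_fetch, buf, limit=2))
    print(buf.getvalue())
```

Deduplicating on `request_id` matters because new records can arrive between page fetches and shift the offsets, so the same event may appear on two consecutive pages.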

## Next

* [Interpreting results](/threat-analysis/interpreting-results) —
  field-by-field walkthrough of the decision body returned by
  `analyze`.
* [Combined analyzer](/concepts/combined-analyzer) — execution plan
  and termination rules.
* [API reference](/api-reference/overview) — auto-rendered analyzer
  log endpoints with an interactive playground.
