What is a proper approach to auditing in a CDX solution?


Multiple Choice

What is a proper approach to auditing in a CDX solution?

Explanation:
Auditing in a CDX solution should give continuous, verifiable visibility into who did what with data and configuration. The correct approach is to record user actions, data access, and changes in immutable logs that are stored securely and protected against tampering. Each record should answer who, what, when, where, and with what result, using fields such as identity, operation, resource, timestamp, success/failure, and source. Store logs in append-only or tamper-evident storage, apply integrity checks (for example, a hash chain or signature over each record) so that alteration or deletion is detectable, and enforce retention and access controls so that log data cannot be removed or edited by the users whose actions it records. Pair storage with regular review and anomaly detection: automated analysis and dashboards, real-time or near-real-time alerts for unusual activity (mass data exports, unexpected privilege changes, access from unfamiliar locations), and periodic audits that verify compliance and the operation of security controls. This supports accountability, incident response, forensic investigation, and regulatory requirements. Limiting logging to password changes, treating logs as optional, or auditing only at an annual review would leave gaps that attackers can exploit and would not provide timely visibility into security and compliance posture.
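The explanation above names three mechanisms: complete audit records, tamper-evident storage with integrity checks, and anomaly detection over the log. The following is an added example that is not code from the exam page or from any CDX product. It assumes events arrive as dicts with the fields the explanation lists, that the HMAC key is held outside the application writing the log, and that the export threshold, time window and sample events are illustrative choices.

```python
"""Tamper-evident audit log with integrity verification and anomaly alerts.

Added illustration, not code from the exam page or any CDX product.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta
from typing import Optional

# Assumption: the key lives outside the application (e.g. a KMS), so a user who
# can edit log storage cannot recompute valid hashes for altered records.
KEY = b"example-log-integrity-key"
GENESIS = "0" * 64
REQUIRED = ("identity", "operation", "resource", "timestamp", "outcome", "source")


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append(chain: list, event: dict) -> dict:
    """Append-only write: each entry commits to the hash of the entry before it."""
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError(f"audit event missing fields: {missing}")
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": dict(event), "prev": prev, "hash": _digest(prev, event)}
    chain.append(entry)
    return entry


def verify(chain: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Index of the first entry whose link is broken, or None if the chain is intact.

    Editing or deleting an entry breaks the link at that position. Truncating the
    tail is only caught when the last hash was anchored elsewhere (expected_head).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def detect_anomalies(chain: list, known_sources: frozenset,
                     export_threshold: int = 50,
                     window: timedelta = timedelta(minutes=10)) -> list:
    """Alerts for mass exports, privilege changes and access from unfamiliar sources."""
    alerts = []
    exports = {}  # identity -> timestamps of successful exports
    for entry in chain:
        ev = entry["event"]
        if ev["operation"].startswith("grant_"):
            alerts.append(("privilege_change", ev["identity"], ev["resource"]))
        if ev["source"] not in known_sources:
            alerts.append(("unfamiliar_source", ev["identity"], ev["source"]))
        if ev["operation"] == "export" and ev["outcome"] == "success":
            exports.setdefault(ev["identity"], []).append(
                datetime.fromisoformat(ev["timestamp"]))
    for who, times in exports.items():  # sliding-window count per identity
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= export_threshold:
                alerts.append(("mass_export", who, end - start + 1))
                break
    return alerts


def build_sample_chain() -> list:
    """Constructed sample events (not real data): a bulk export, a role grant,
    and a login from an address outside the known set."""
    chain = []
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for i in range(60):  # 60 exports in five minutes
        append(chain, {"identity": "alice", "operation": "export",
                       "resource": f"dataset/customers/{i}", "outcome": "success",
                       "timestamp": (t0 + timedelta(seconds=5 * i)).isoformat(),
                       "source": "10.0.0.5"})
    append(chain, {"identity": "bob", "operation": "grant_role",
                   "resource": "role/admin:carol", "outcome": "success",
                   "timestamp": (t0 + timedelta(minutes=6)).isoformat(),
                   "source": "10.0.0.6"})
    append(chain, {"identity": "carol", "operation": "login", "resource": "console",
                   "timestamp": (t0 + timedelta(minutes=7)).isoformat(),
                   "outcome": "success", "source": "203.0.113.9"})
    return chain


def tamper_demo() -> tuple:
    """Show that an edited record and a deleted record are each caught by verify()."""
    edited = build_sample_chain()
    edited[3]["event"]["outcome"] = "failure"  # attacker rewrites one record
    deleted = build_sample_chain()
    del deleted[2]                             # attacker removes one record
    return verify(edited), verify(deleted)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain) is None, "tampered at:", tamper_demo())
    for alert in detect_anomalies(chain, frozenset({"10.0.0.5", "10.0.0.6"})):
        print(alert)
```

The hash chain makes edits and deletions inside the log detectable, but not removal of the newest entries; that is why the head hash should be published or forwarded to a separate system (the role `expected_head` plays here), which is also what "protected against tampering" means in practice when the log writer and the log reviewer are the same platform.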
