Retain user information in logs after they are removed from an organization

Feature name

Retain user information in event log even after a user is removed from organization

Feature function

  • Currently when a user is removed from an organization, all events in the logs that user performed switch to UNKNOWN user. After this you are unable to track what a removed user may have done.
  • This would retain user information in the event log to determine what actions or passwords a user accessed, even after removing that user from the organization.
  • Multiple security guidelines require retention of these records. If an employee accesses multiple accounts, and then the employee is terminated and removed from the organization before running an event log dump, the logs are lost, as the user is not retained in the event log after being removed.

Related topics + references

For our need we need to look for older email address of employees which are not more working for us.

Thanks for the feedback! In the meantime, some users pipe event logs out into external systems to retain historical context: SIEM and external systems integrations