The Scenario
A suspected security incident. Someone flagged unusual access behavior in Roam on a specific date — logins from an unexpected IP range, possible lateral movement. Your security engineer needs the audit log for that date pulled into an Excel workbook before the incident response call in two hours.
The date is known. The Roam audit log has the events. Nothing is in the workbook yet.
The bad version:
- You locate the Roam audit log API, authenticate, and run a query filtered to the incident date. The response comes back as a paginated JSON array with nested user objects and action metadata.
- You extract the relevant fields — timestamp, user email, event type, IP address — into a CSV manually, open it in Excel, and realize the timestamp column is unsorted and the compliance team needs it in chronological order.
- You sort it, notice that event types are encoded as numeric codes rather than human-readable labels, go back to the docs to find the mapping table, and add a lookup column. The call starts in 20 minutes.
The data should have been in the workbook before you opened the API docs.
The Easy Way: One Prompt in SheetXAI
SheetXAI is an AI agent that lives inside your Excel workbook. It reads the date from a cell, calls Roam's audit log API, and writes the events into the workbook — sorted, labeled, and ready for review.
Pull the Roam audit log for 2025-05-01 into my Excel 'Security Review' sheet — columns for event time, user ID, action type, and resource accessed
What You Get
- One row per audit event for the specified date
- Event time in column A (sorted chronologically), user ID in column B, action type label in column C, resource accessed in column D
- Human-readable action type labels where available, not raw numeric codes
- All pages retrieved automatically if the event count exceeds one page
What If the Data Is Not Quite Ready
You want to filter to a specific user within the date's log
Pull the Roam audit log for the date in cell A1 of the Excel 'Security Review' worksheet. Only write rows where the user email matches the value in cell A2. Columns: event time (A), user email (B), action type (C), IP address (D), resource accessed (E).
You need a 3-day window instead of a single date
Pull the Roam audit log for the three days starting from the date in cell A1 of the Excel 'Security Review' worksheet. Write each event's timestamp (A), user email (B), action type (C), and IP address (D), sorted by timestamp ascending.
You want to highlight rows where the IP address is outside an expected range
Pull the Roam audit log for the date in cell A1 of the Excel 'Security Review' worksheet. Write event time (A), user email (B), action type (C), IP address (D). Highlight any row in yellow where the IP address does not start with the prefix in cell A2.
Full incident package: pull the log, flag anomalies, and count events by type
Pull the Roam audit log for the date in cell A1 of the Excel 'Security Review' worksheet. Write each event into columns A through D — event time, user email, action type, IP address. Highlight in red any row where the IP doesn't start with the prefix in cell A2. Then in cells F1 and down, write each unique action type and its count for the day.
One prompt gives the incident responder the raw timeline and the frequency summary at the same time.
Try It
Get the 7-day free trial of SheetXAI and open an Excel workbook set up for security incident documentation, then ask it to pull the Roam audit log for the date in question. The recording inventory export is a natural complement if your review spans both access events and recorded sessions.
