Products
Overview
The Event Maturity Matrix (EMM) is a comprehensive framework that provides clarity regarding the capabilities and nuances of SaaS audit logging. It is a valuable resource for security practitioners who want to obtain visibility into the different types of user activities that are logged, see real-world examples of SaaS audit logs, and use these insights to guide security monitoring and operational objectives.
Matrix Overview
The SaaS Event Maturity Matrix (EMM) was developed with the defensive security practitioner in mind. As such, the matrix’s overarching theme is to provide context regarding the depth of visibility as it pertains to security monitoring use cases. The Matrix consists of the following concepts:
- Products: represent the different SaaS platforms
- Event Sources: represent the different audit log files / sources that can be queried and collected
- Event Categories: represent the primary, top level categories of SaaS audit logging
- Event Types: represent the different types of activity that is audited, organized by categories
- Event Attributes: represent the individual fields or keys from different event types
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Identity Service Provider Context
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Failure Context
-
Credential Context
Success
{
"action_at": "2023-06-22T19:06:47.149965+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_google",
"log_id": "ad9ddec3-8542-4d5a-b710-67928321abdc",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Failure
{
"action_at": "2023-06-14T21:57:50.583325+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "pmcandrew+test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_failed",
"log_id": "6cbd2dc5-c125-40d1-8dcf-9936abda6c5f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": null
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
User Agent Name
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:48:41.714659+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "bob@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_logout",
"log_id": "49fc4cd2-653e-4261-bb59-25dc6ee7a1c0",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Verification Method
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Verification Flagged
-
Activity Performed
Challenge
{
"action_at": "2023-06-23T20:11:06.106260+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_totp_challenge",
"log_id": "76812b0e-d9b0-4730-b5a1-5d4169743e2e",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-20T14:20:30.626150+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 13148,
"target_user_username": "pmcandrew_test11",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_created",
"log_id": "188fdcf3-143a-49e9-ba80-452b48f42e4f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-15T02:02:19.147946+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.3",
"user_username": "john@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_disabled",
"log_id": "7f75c117-f8f8-4739-bfcf-cac8a728d486",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
-
Enrollment Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-14T22:00:24.705316+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": "TOTP",
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_enabled",
"log_id": "7ed13faf-9e3c-4905-839d-ff44309c2f72",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Enrollment Type
Success
{
"action_at": "2023-06-23T20:12:09.106337+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "+1 856-981-2588",
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_disabled",
"log_id": "34628772-1560-46da-81d0-2371c5cc3106",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T15:51:50.253793+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "True",
"oauth_application_id": null,
"old_value": "False",
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": "Direct Auth Enabled",
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ao_sys_setting_change",
"log_id": "d2c46cde-44f7-43ac-84f5-79b8184c8105",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:21:55.407230+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": 442431,
"policy_name": "EMM Test Policy",
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.1",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "policy_created",
"log_id": "cb89b034-2f3b-4b41-9a34-6fdb289f4a6a",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": 442431,
"service_id": null,
"service_name": null,
"service_type": "box",
"user_id": 3187
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:05:09.728571+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": null,
"user_ip": null,
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ms_detection_ingestion_disabled",
"log_id": "ea080b00-2cf0-49fe-b1ba-6081f17a66ff",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": 35781,
"service_name": "AppOmni",
"service_type": "box",
"user_id": 3187
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-07-12T19:07:57.569196+00:00",
"action_data":
{
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"policy_id": 410860,
"policy_name": "Test Salesforce Policy",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "bob@example.com"
},
"action_type": "policy_deleted",
"log_id": "d4b105e8-d29b-436e-947e-52a6be5f58de",
"org_id": 176,
"service_type": "sfdc",
"user_id": 3187
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Audit Logs
AppOmni audit logs that provide a record of user activity.
References
Retention Details
Storage Duration: 180 days
Historical audit logs are stored for 180 days.
Latency Details
Duration: Near Real-Time
Historical audit logs are stored for 180 days.
Product Details
AppOmni is a cloud-based platform designed to help organizations assess, monitor, and protect their data and configurations within SaaS applications. AppOmni audit logs are collected via the *auditlogs* API, and can be streamed to a Threat Detection event sink. Historical audit logs are also stored for 180 days and can be accessed via the scheduled reports feature. There are currently minor formatting differences between API/Event Sink logs, and the logs retrieved via scheduled reports.
Audit Logs API
To collect events, make a call to the /core/auditlogs endpoint and specify the desired parameters.
References
Event Sink Streaming
Audit logs are delivered to all Threat Detection event sinks.
References
Scheduled Reports
Create a scheduled report of type "AppOmni Audit Logs" to download audit logs.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T08:28:41-07:00",
"created_by":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "00000000-abcd-1234-ab08-2cfe92d42606",
"event_type": "LOGIN",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Failure
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:08:06-07:00",
"created_by":
{
"id": "2",
"login": "",
"name": "Unknown User",
"type": "user"
},
"event_id": "00000000-abcd-1234-84ee-12298e09cfa9",
"event_type": "FAILED_LOGIN",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"id": "12345648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"type": "event"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:34:43-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-92ad-46f2f69e45cd",
"event_type": "NEW_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "25512345631",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Update
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:29-07:00",
"created_by":
{
"id": "12345648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "00000000-abcd-1234-be64-7fdc0421e478",
"event_type": "EDIT_USER",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:58-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-9c97-5e32f323b9f0",
"event_type": "DELETE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:36-07:00",
"created_by":
{
"id": "18863648385",
"login": "John Doe",
"name": "john@example.com",
"type": "user"
},
"event_id": "00000000-abcd-1234-a8a6-6f5474e5d86d",
"event_type": "GROUP_CREATION",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "my_sample_group"
},
"type": "event"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Update
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:46-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "49d24c58-a0e5-4ec7-9ccd-347827b0afed",
"event_type": "GROUP_EDITED",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"type": "event"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T10:46:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "24ada35a-a9e9-4c67-8fc9-33b5b9f9b52b",
"event_type": "GROUP_DELETION",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"group_id": "15299083860",
"group_name": "a_sample_group"
},
"type": "event"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"action_by": null,
"additional_details":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:24:15-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "f0545aa9-4be4-451e-a8d2-3c56aa257b8a",
"event_type": "GROUP_ADD_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Remove
{
"action_by": null,
"additional_details":
{
"group_id": "9744086129",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:45:45-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "56ae6ebb-7d6c-418e-bdeb-98d067c52af2",
"event_type": "GROUP_REMOVE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"accessible_by":
{
"id": "25575650631",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"action_by": null,
"additional_details":
{
"collab_id": "44582004179",
"is_performed_by_admin": false,
"role": "Editor",
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:57:12-07:00",
"created_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "15f0f70a-4502-496a-badf-5a0b12e49656",
"event_type": "COLLABORATION_INVITE",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_id": "25575650631",
"user_name": "John Doe"
},
"type": "event"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
Remove
{
"action_by": null,
"additional_details":
{
"collab_id": "44582741378",
"is_performed_by_admin": false,
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:47:09-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "052e68a2-7a29-4694-a77f-fec5713cb26f",
"event_type": "COLLABORATION_REMOVE",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_email": "alice@example.com"
},
"type": "event"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Add
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:27:03-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "7fd655c7-5a4a-4e13-8375-dc08cd2cf8b9",
"event_type": "MULTI_FACTOR_AUTH_ENABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Remove
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:29:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "0bf5e6ad-a068-4770-9979-c7f409eb976b",
"event_type": "MULTI_FACTOR_AUTH_DISABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"type": "event"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details":
{
"ekm_id": "b87156a9-6aff-4c21-910b-c5f1a8a02afd",
"service_id": "231318",
"service_name": "Multiput Uploads",
"size": 2584,
"version_id": "1319684204015"
},
"created_at": "2023-05-09T11:15:47-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "aeffeb99-f9a5-4243-9d3c-93f862dceec7",
"event_type": "UPLOAD",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"item_id": "1209714644015",
"item_name": "a_sample_file.csv",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Read
{
"action_by": null,
"additional_details":
{
"access_token_identifier": "16c1948d38e23d80203df77a0273928ff0eb50bad8b62fcc6b4fe73e03482a11",
"ekm_id": "fb01c788-3be7-444d-b165-89a52741235f",
"service_id": "553530",
"service_name": "Box Elements (used in Box Web App)",
"size": 2584,
"version_id": "1319684204015"
},
"created_at": "2023-05-09T11:16:00-07:00",
"created_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "80ddc3b3-dd44-4377-9fe7-a634228cc952",
"event_type": "CONTENT_ACCESS",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"item_id": "1209714644015",
"item_name": "a_sample_file.csv",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Update
{
"action_by": null,
"additional_details":
{
"file_hash": "0d012f12345678de3df12345b0b123a59f123456",
"file_path": "/SAMPLE/Reference Documents",
"hash_type": "sha1",
"service_id": "254429",
"service_name": "Box Drive",
"size": 4398971,
"version_id": "1319736874242"
},
"created_at": "2023-05-09T11:30:38-07:00",
"created_by":
{
"id": "12345678124",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "00000000-abcd-1234-8b08-418033e43a4b",
"event_type": "RENAME",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"item_id": "12012345678942",
"item_name": "a_sample_file.pdf",
"item_type": "file",
"owned_by":
{
"id": "12345678124",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"parent":
{
"id": "1234567807873",
"name": "Reference Documents",
"type": "folder"
}
},
"type": "event"
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details":
{
"size": 360705,
"version_id": "1319678729473"
},
"created_at": "2023-05-09T11:15:12-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "9fbcf20f-aeb7-4149-ab8e-3f56cab43337",
"event_type": "DELETE",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"item_id": "1209709863073",
"item_name": "a_sample_file.pdf",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
-
Resource Metadata
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Download
{
"action_by": null,
"additional_details":
{
"ekm_id": "5b300b24-36d8-493a-a823-41ac400d284e",
"size": 360705,
"version_id": "1319678729473"
},
"created_at": "2023-05-09T11:14:52-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "f70ed75d-9a96-4aac-aef8-5cce1a5c1eb8",
"event_type": "DOWNLOAD",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"item_id": "1209709863073",
"item_name": "a_sample_report.pdf",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}
Admin Logs
Box enterprise logs that provide an audit trail of user activity.
References
Retention Details
Storage Duration: 365 Days
Based on the admin_logs stream type.
Latency Details
Duration: Near Real-Time
Based on the admin_logs stream type.
Product Details
Box is a cloud-based content management and file sharing service. It's designed to help organizations store, manage, and collaborate on files and documents. The Box Events API provides an event feed for enterprise events that have been generated within Box across the enterprise. Depending on the specified stream_type, the Events API can provide real-time monitoring or historical querying of events. The admin_logs_streaming stream type provides low latency, real-time access to events as they are processed by Box. Only two weeks of events are available via this stream type. The admin_logs stream type emphasizes completeness over latency, and provides access to events up to one year.
Get Enterprise Events
To collect enterprise events, make a call to the /events API and specify the desired stream_type.
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
IP Address
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Unsupported
-
Event ID
-
User ID
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
Success
{
"action": "admin_login",
"description":
{
"device": "123-456-7890",
"factor": "push",
"ip_address": "192.168.10.1",
"primary_auth_method": "Password",
"role": "Owner"
},
"isotimestamp": "2024-05-17T17:24:21+00:00",
"object": null,
"timestamp": 1715966661,
"username": "John Doe"
}Failure
{
"action": "admin_login_error",
"description":
{
"email": "jane.doe@acme.com",
"error": "Invalid password attempt",
"ip_address": "192.168.1.1"
},
"isotimestamp": "2024-05-20T19:23:45+00:00",
"object": null,
"timestamp": 1716233025,
"username": "Jane Doe"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
IP Address
-
Verification Method
-
Verification Flagged
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Activity Performed
Failure
{
"action": "admin_2fa_error",
"description":
{
"email": "john.smith@example.com",
"error": "Invalid passcode.",
"factor": "sms",
"ip_address": "192.168.10.1"
},
"isotimestamp": "2024-05-21T17:58:04+00:00",
"object": null,
"timestamp": 1716314284,
"username": "Smith, John"
}Flagged
{
"action": "admin_2fa_error",
"description":
{
"email": "joe.smith@example.com",
"error": "Login request reported as fraudulent.",
"factor": "push",
"ip_address": "192.168.1.2"
},
"isotimestamp": "2024-05-23T19:17:28+00:00",
"object": null,
"timestamp": 1716491848,
"username": "Joe Smith"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User Type / Role
-
Target Username
Unsupported
-
Event ID
-
Result
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_create",
"description":
{
"email": "",
"enable_auto_prompt": true,
"notes": "",
"realname": "",
"status": "Active",
"uname": "bbanner@example.com"
},
"isotimestamp": "2024-05-17T17:24:53+00:00",
"object": "bbanner@example.com",
"timestamp": 1715966693,
"username": "Jane Doe"
}Admin
{
"action": "admin_create",
"description":
{
"administrative_units": "",
"email": "bwayne@batman.com",
"hardtoken": null,
"is_temporary_password": false,
"name": "Bruce Wayne",
"phone": null,
"restricted_by_admin_units": false,
"role": "Administrator",
"status": "Pending Activation",
"subaccount_access_tags":
[]
},
"isotimestamp": "2024-05-23T20:16:23+00:00",
"object": "Bruce Wayne",
"timestamp": 1716495383,
"username": "Jane Doe"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
-
Target Attribute Context
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_update",
"description":
{
"email": "tonystark@acme.com",
"realname": "Tony Stark"
},
"isotimestamp": "2024-05-23T19:41:21+00:00",
"object": "tonystark",
"timestamp": 1716493281,
"username": "James Doe"
}Admin
{
"action": "admin_update",
"description":
{
"administrative_units": "",
"restricted_by_admin_units": false,
"role": "Help Desk"
},
"isotimestamp": "2024-05-29T12:54:47+00:00",
"object": "Bruce Banner",
"timestamp": 1716987287,
"username": "John Doe"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User Type / Role
-
Target Username
Unsupported
-
Event ID
-
Result
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_pending_delete",
"description":
{
"status": "Pending Deletion"
},
"isotimestamp": "2024-05-17T17:30:04+00:00",
"object": "sally.smith@example.com",
"timestamp": 1715967004,
"username": "John Doe"
}Admin
{
"action": "admin_delete",
"description":
{
"administrative_units": "",
"email": "bob.smith@example.com",
"hardtoken": null,
"is_temporary_password": false,
"name": "Bob Smith",
"phone": null,
"restricted_by_admin_units": false,
"role": "Administrator",
"status": "Pending Activation",
"subaccount_role": "Administrator"
},
"isotimestamp": "2024-05-23T20:16:36+00:00",
"object": "Bob Smith",
"timestamp": 1716495396,
"username": "Jane Doe"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "group_create",
"description":
{
"_status": "Active",
"administrative_units": "",
"desc": "East coast admin group",
"name": "custom_admin_group_east"
},
"isotimestamp": "2024-05-17T17:31:18+00:00",
"object": "custom_admin_group_east",
"timestamp": 1715967078,
"username": "Jane Doe"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "group_update",
"description":
{
"_status": "Disabled"
},
"isotimestamp": "2024-05-23T19:42:49+00:00",
"object": "custom_group_bypass_users",
"timestamp": 1716493369,
"username": "John Doe"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "group_delete",
"description":
{
"_status": "Disabled",
"administrative_units": "",
"desc": "",
"name": "local_login"
},
"isotimestamp": "2024-05-23T19:43:09+00:00",
"object": "custom_group_west_users",
"timestamp": 1716493389,
"username": "John Doe"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "user_update",
"description":
{
"groups":
[
{
"_status": "Bypass",
"desc": "custom group for bypass users",
"name": "custom_group_user_bypass"
}
]
},
"isotimestamp": "2024-05-23T19:43:23+00:00",
"object": "Mary Smith",
"timestamp": 1716493403,
"username": "Jane Doe"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"action": "user_update",
"description":
{
"groups":
[
null
]
},
"isotimestamp": "2024-05-23T19:43:42+00:00",
"object": "Steve Smith",
"timestamp": 1716493422,
"username": "Jane Doe"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User Agent Name
-
Target Username
-
Enrollment Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "webauthncredential_create",
"description":
{
"authenticator_type": "Security key",
"browser": "Chrome",
"browser_version": "125.0.0.0",
"credential_name": "Security key",
"os": "Mac OS X",
"os_version": "10.15.7",
"owner_id": "DURTAOK2HW7ORVKHXQDU",
"owner_name": "luke.skywalker@republic.com",
"owner_type": "user",
"passwordless_authorized": false,
"transport_types": "nfc,usb",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
},
"isotimestamp": "2024-05-17T17:36:03+00:00",
"object": "WAB9XG0DD12N34EQDGTP",
"timestamp": 1715967363,
"username": "Jane Doe"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
-
Enrollment Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_update",
"description": "{\"phones\": \"\"}",
"isotimestamp": "2024-05-28T17:17:58+00:00",
"object": "bob.smith@acme.com",
"timestamp": 1716916678,
"username": "John Doe"
}Admin
{
"action": "admin_update",
"description": "{\"phone\": null}",
"isotimestamp": "2024-05-28T17:18:45+00:00",
"object": "Bruce Banner",
"timestamp": 1716916725,
"username": "Jane Doe"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"action": "cloudsso_add_saml_authsource",
"description": null,
"isotimestamp": "2024-05-29T15:03:35+00:00",
"object": null,
"timestamp": 1716995015,
"username": "John Doe"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"action": "updated_risk_profile",
"description":
{
"applications": "Admin API",
"countries": "Ascension, Afghanistan, Albania, Algeria, Antigua and Barbuda",
"groups": "",
"ips": "192.168.100.10",
"net_blocks": "",
"non_authentication_events":
{
"bypass_status_enablement": "Always"
}
},
"isotimestamp": "2024-05-29T14:34:59+00:00",
"object": null,
"timestamp": 1716993299,
"username": "Jane Doe"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "policy_delete",
"description":
{
"admin_email": "jane.doe@example.com",
"anonymous_ip_policy": "Deny access",
"browser_max_ood_days": 30,
"chrome_remediation": "notify and allow",
"edge_remediation": "notify and allow",
"enroll_policy": "Require Enrollment",
"firefox_remediation": "notify and allow",
"ie_remediation": "notify and allow",
"mobile_chrome_remediation": "notify and allow",
"mobile_edge_remediation": "notify and allow",
"mobile_firefox_remediation": "notify and allow",
"mobile_safari_remediation": "notify and allow",
"name": "TEST POLICY",
"other_browsers_remediation": "notify and allow",
"pretty_trusted_devices": "",
"safari_remediation": "block all"
},
"isotimestamp": "2024-05-29T14:49:14+00:00",
"object": "TEST POLICY",
"timestamp": 1716994154,
"username": "Jane Doe"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Integration / App Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "integration_create",
"description":
{
"greeting": "",
"group_access": "",
"missing_web_referer_policy": "deny",
"name": "Salesforce - Single Sign-On",
"networks_for_api_access": "",
"notes": "",
"offline_auth_enabled": 0,
"offline_max_attempts": 0,
"offline_max_days": 0,
"os_logon_pwl_enabled": false,
"raw_type": "sso-salesforce",
"self_service_allowed": false,
"type": "Salesforce - Single Sign-On",
"username_normalization_policy": "None"
},
"isotimestamp": "2024-05-21T15:49:00+00:00",
"object": "Salesforce - Single Sign-On",
"timestamp": 1716306540,
"username": "Jane Doe"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
-
Integration / App Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"action": "integration_update",
"description":
{
"adminapi_admins": true,
"adminapi_info": true,
"adminapi_read_log": true,
"adminapi_read_resource": true,
"adminapi_settings": true
},
"isotimestamp": "2024-05-24T18:51:14+00:00",
"object": "Admin API",
"timestamp": 1716576674,
"username": "John Doe"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Integration / App Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "integration_delete",
"description":
{
"greeting": "",
"group_access": "",
"missing_web_referer_policy": "deny",
"name": "Workday - Single Sign-On",
"networks_for_api_access": "",
"notes": "",
"offline_auth_enabled": 0,
"offline_max_attempts": 0,
"offline_max_days": 0,
"os_logon_pwl_enabled": false,
"raw_type": "sso-workday",
"self_service_allowed": false,
"type": "Workday - Single Sign-On",
"username_normalization_policy": "None"
},
"isotimestamp": "2024-05-21T15:52:12+00:00",
"object": "Workday - Single Sign-On",
"timestamp": 1716306732,
"username": "Jane Doe"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "administrative_unit_create",
"description":
{
"Administrators": "No assignments",
"Applications": "No assignments",
"Description": "",
"Groups": "No assignments",
"Name": "Test Admin Unit",
"Restricted by applications": "True",
"Restricted by groups": "True"
},
"isotimestamp": "2024-05-29T15:55:42+00:00",
"object": "Test Admin Unit",
"timestamp": 1716998142,
"username": "John Doe"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "custom_messaging_update",
"description":
{
"help_links":
[],
"help_text_by_locale":
{
"en_US": "This is a custom Help Desk Message"
}
},
"isotimestamp": "2024-05-29T16:04:19+00:00",
"object": null,
"timestamp": 1716998659,
"username": "John Doe"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "phone_delete",
"description":
{
"extension": "",
"number": "+11234567890",
"platform": "Generic Smartphone",
"pname": "",
"postdelay": null,
"predelay": null,
"type": "Mobile"
},
"isotimestamp": "2024-05-28T17:17:58+00:00",
"object": "123-456-6789",
"timestamp": 1716916678,
"username": "Jane Doe"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Duo Administrator Logs
Provides an audit trail of administrative actions taken within the Duo Security platform.
References
Retention Details
Storage Duration: Configurable
Administrator logs are stored based on the log retention interval setting. If no custom log retention interval has been specified, Administrator logs can be retrieved from the time the account was initially created, reference https://help.duo.com/s/article/2990?language=en_US
Latency Details
Duration: Near real-time
Administrator logs are stored based on the log retention interval setting. If no custom log retention interval has been specified, Administrator logs can be retrieved from the time the account was initially created, reference https://help.duo.com/s/article/2990?language=en_US
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Result
-
Username
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Unsupported
-
Event ID
-
Event Code / Type
-
User ID
-
User Type / Role
-
Session ID
Success
{
"access_device":
{
"browser": "Chrome",
"browser_version": "125.0.6422.61",
"flash_version": "uninstalled",
"java_version": "uninstalled",
"os": "Mac OS X",
"os_version": "14.5.0",
"trusted_endpoint_status": "unknown"
},
"alias": "",
"device": "123-456-7890",
"email": "",
"factor": "Verified Duo Push",
"integration": "Salesforce - Single Sign-On",
"ip": "192.168.10.1",
"isotimestamp": "2024-05-21T18:09:57.825584+00:00",
"location":
{
"city": "San Francisco",
"country": "US",
"state": "California"
},
"new_enrollment": false,
"ood_software": null,
"reason": "Push answered with correct verification code",
"result": "SUCCESS",
"timestamp": 1716314997,
"username": "Bruce Wayne"
}Failure
{
"access_device":
{
"browser": "Chrome",
"browser_version": "125.0.6422.61",
"flash_version": "uninstalled",
"java_version": "uninstalled",
"os": "Mac OS X",
"os_version": "14.5.0",
"trusted_endpoint_status": "unknown"
},
"alias": "",
"device": "123-456-7890",
"email": "",
"factor": "Verified Duo Push",
"integration": "Duo Central",
"ip": "192.168.10.1",
"isotimestamp": "2024-05-21T18:08:48.081423+00:00",
"location":
{
"city": "San Francisco",
"country": "US",
"state": "California"
},
"new_enrollment": false,
"ood_software": null,
"reason": "User entered incorrect verification code",
"result": "FAILURE",
"timestamp": 1716314928,
"username": "Tony Stark"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Duo Authentication Logs
Provides an audit trail of authentication activity within the Duo Security platform.
References
Retention Details
Storage Duration: 180 days
Maximum retention of 180 days, even if the log retention interval is set to a value greater than 180 days, reference https://help.duo.com/s/article/2990?language=en_US
Latency Details
Duration: Near real-time
Maximum retention of 180 days, even if the log retention interval is set to a value greater than 180 days, reference https://help.duo.com/s/article/2990?language=en_US
Product Details
Duo is a cloud-based security platform which provides multi-factor authentication, identity and device verification, and single sign-on to company resources. The Duo Admin API provides programmatic access to the Duo platform. The Admin API can be used to to manage users, tokens, bypass codes, and retrieve audit logs.
Duo Admin API
The Duo Admin API provides programmatic access to the administrative functionality of Duo Security's two-factor authentication platform.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Credential Context
-
Identity Service Provider Context
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Failure Context
Success
{
"@timestamp": 1685981286101,
"_document_id": "mdvjC2kuRvXW_3Gkg7ni7Q",
"action": "org.sso_response",
"actor": "john.doe",
"actor_id": 12345678,
"actor_location": {
"country_code": "US"
},
"created_at": 1685981286101,
"issuer": "https://accounts.google.com/o/saml2?idpid=C02abcd01",
"operation_type": "authentication",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.1 Safari/537.36"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686001364120,
"_document_id": "FLl6thHIizqa55S1P1tjIA",
"action": "team.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"created_at": 1686001364120,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"team": "acme-inc/approvers",
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"user_id": 95659676
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
-
Target Attribute Context
Success
{
"@timestamp": 1694792374166,
"_document_id": "JLMgkpYMkGmRiukmKjn4CQ",
"action": "team.rename",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1694792374166,
"name": "Acme_Devs",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"team": "acme-inc/devs",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1714145080936,
"_document_id": "alg4QbCba1UhZA2VFJSTxQ",
"action": "team.destroy",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_is_bot": false,
"actor_location":
{
"country_code": "US"
},
"business": "acme-inc",
"business_id": 1234000,
"created_at": 1714145080936,
"external_identity_nameid": "john@example.com",
"external_identity_username": null,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"team": "acme-inc/approvers",
"user_agent": "Mozilla/5.0 (Macintosh Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686151363489,
"_document_id": "rLVAJb3ZtiugVygHs84Agw",
"action": "org.add_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686151363489,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"permission": "read",
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_id": 98490879
}Success
{
"@timestamp": 1686159261336,
"_document_id": "8s0hw2CW8Y44_rjiM9yNkw",
"action": "repo.add_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686159261336,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"permission": "admin",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0",
"user_id": 24304531,
"visibility": "private"
}Success
{
"@timestamp": 1686096308885,
"_document_id": "SwDxpQo4Gs5NMybfaD9mig",
"action": "team.add_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686096308885,
"hashed_token": "mZp8g+OGBjSnsxiRSjcYhBTpoXi5BfdF2q8F1+kPW4M=",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"team": "acme-inc/approvers",
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "alice.brown",
"user_agent": "python-requests/2.25.1",
"user_id": 87766365
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
User Agent Name
-
Device/Client Type
Success
{
"@timestamp": 1685999458723,
"_document_id": "7IscVOcqIFzcj5OSXLDtig",
"action": "org.remove_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1685999458723,
"hashed_token": "zQVfYwWXODOOEd4WcNdcJCBfPDJBrFXRGvmX25Q7ZjU=",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"token_id": 47105702648,
"user": "alice.brown",
"user_agent": "PyGithub/Python",
"user_id": 1234567
}Success
{
"@timestamp": 1686096006218,
"_document_id": "Pm9_xkuRvV-rrHd2Tjk0Tw",
"action": "repo.remove_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686096006218,
"hashed_token": "mZp8g+OGBjSnsxiRSjcYhBTpoXi5BfdF2q8F1+kLW4M=",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "alice.brown",
"user_agent": "python-requests/2.25.1",
"user_id": 116757057,
"visibility": "internal"
}Success
{
"@timestamp": 1685998981304,
"_document_id": "XQwkRXOV8tJYCbbgk9d6TQ",
"action": "team.remove_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1685998981304,
"hashed_token": "zQVfYwWXODOOEd4WcNdcJCBfPDJBrFXRGvmX25Q7ZjU=",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"team": "acme-inc/approvers",
"token_id": 57105909618,
"user": "alice.brown",
"user_agent": "PyGithub/Python",
"user_id": 110431782
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686215687636,
"_document_id": "TrmGicxMRvbKCHwf3vmJdD",
"action": "team.update_repository_permission",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686215687636,
"hashed_token": "mZp8g+OGBjSnsxiRAjcYhBTpoXi5BfdF2d8F1+kLW4M=",
"new_repo_base_role": null,
"new_repo_permission": "maintain",
"old_permissions": {
"admin": true,
"maintain": true,
"pull": true,
"push": true,
"triage": true
},
"old_repo_base_role": null,
"old_repo_permission": "admin",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 641582886,
"team": "acme-inc/dev-leads",
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "gh-automate-prod",
"user_agent": "python-requests/2.25.0",
"user_id": 92325258
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686215687636,
"_document_id": "TrmGicxMRvbKCHwb3vmJdQ",
"action": "team.update_repository_permission",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686215687636,
"hashed_token": "mZp8g+OGBjSnsxiRSjcYhBTpoXi5BfdF2q8F1+kLW4M=",
"new_repo_base_role": null,
"new_repo_permission": "maintain",
"old_permissions": {
"admin": true,
"maintain": true,
"pull": true,
"push": true,
"triage": true
},
"old_repo_base_role": null,
"old_repo_permission": "admin",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 641582886,
"team": "acme-inc/dev-leads",
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "gh-automate-prod",
"user_agent": "python-requests/2.25.0",
"user_id": 92325258
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686011086644,
"_document_id": "RxxlJ0MRNMQR8olkdIgPvQ",
"action": "private_repository_forking.enable",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"created_at": 1686011086644,
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 649922249,
"user": "john.doe",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"user_id": 12345678
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686158250381,
"_document_id": "_I3yfAxtGRuNaaiuffqtvA",
"action": "hook.config_changed",
"active": true,
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"config": {
"content_type": "json",
"insecure_ssl": "0",
"url": "https://webhook.acme.com/deliver/fghij"
},
"config_was": {
"content_type": "json",
"insecure_ssl": "0",
"url": "https://webhook.acme.com/deliver/abcde"
},
"created_at": 1686158250381,
"events": [
"deployment",
"pull_request",
"push"
],
"hook_id": 418200273,
"name": "webhook",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 649951183,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686246022669,
"_document_id": "Ko2tnAiduqWy3KZSsh1nGA",
"action": "repo.change_merge_setting",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686246022669,
"hashed_token": "WQH64WU0ciJ0EBQcMlkneYRFGeQoW6FocQt8NYpNy5c=",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 651188699,
"token_id": 1139584588,
"token_scopes": "admin:repo_hook,delete_repo,repo",
"user_agent": "octokit.js/2.0.10 octokit-core.js/4.1.0 Node.js/16.20.0 (linux; x64)",
"visibility": "private"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686093901098,
"_document_id": "-hMpj-RFDXOlc43Zf9woMw",
"action": "integration.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686093901098,
"integration": "Acme: integration 001",
"name": "Acme: integration 001",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1689093550092,
"_document_id": "IrAm5tty1DHWLJG7uRCusA",
"action": "integration.destroy",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 120,
"created_at": 1689093550092,
"integration": "Acme: integration 1",
"name": "Acme: integration 1",
"operation_type": "remove",
"org": "acme",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686078595170,
"_document_id": "sMyjmd8KUm6uTtRwQJ1hsw",
"action": "hook.create",
"active": true,
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"config": {
"content_type": "json",
"insecure_ssl": "0",
"secret": "********",
"url": "https://us-west-2.webhooks.aws/trigger"
},
"created_at": 1686078595170,
"events": [
"push"
],
"hashed_token": "DfeiN4v7CaRl56/VnmeKJ3+U9G9A1/zW9IFvFB3r268=",
"hook_id": 418227875,
"name": "webhook",
"oauth_application": null,
"oauth_application_id": null,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"token_id": 610414153,
"token_scopes": "admin:repo_hook,repo",
"user_agent": "AWS CodePipeline"
}Success
{
"@timestamp": 1686078898897,
"_document_id": "Dn-NJGInb1qGinKSmx-Hhg",
"action": "pull_request.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686078898897,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1381374259,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/example-repo/pull/64",
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_id": 105299763
}Success
{
"@timestamp": 1686163479794,
"_document_id": "HxMMNJg2Ek8AJoNUGZ_6Yw",
"action": "pull_request_review.submit",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686163479794,
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1383147660,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/dice-instl-reset-password-ui/pull/159",
"repo": "acme-inc/example-repo",
"repo_id": 343699946,
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686079082576,
"_document_id": "GohZoGvnLxIsTepkIgnPuA",
"action": "pull_request_review_comment.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686079082576,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686077942218,
"_document_id": "Mgash4pqBYVy5lV3xeohLg",
"action": "repo.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686077942218,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"visibility": "private"
}Success
{
"@timestamp": 1685772210579,
"_document_id": "CyTAhfqvaaz5kqONoaJ1hg",
"action": "repo.create_actions_secret",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1685772210579,
"key": "ACME_TOKEN",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"visibility": null
}Success
{
"@timestamp": 1686078701893,
"_document_id": "RDSIX6X7F8WlXCkyaBqtOA",
"action": "workflows.created_workflow_run",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686078701893,
"event": "pull_request",
"hashed_token": "nfd4LqkxPUWZZgY4Gw0ouzqnR6Vil/6QVSKnIeDsKjk=",
"head_branch": "master-1",
"head_sha": "39c3ffd3a48a3b8e1dd17329724f503e508a5d71",
"name": "ci-pr",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"run_number": 5754,
"started_at": "2023-06-06T19:11:41.000Z",
"token_id": 57189181686,
"trigger_id": 1380004667,
"user_agent": "launch/production",
"workflow_id": 36840124,
"workflow_run_id": 5192442613
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686141043334,
"_document_id": "1Ed3MPt5rEKAbpW-k9jKVQ",
"action": "pull_request.create_review_request",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686141043334,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1382584132,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/example-repo/pull/4298",
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"user_id": 89937142
}Success
{
"@timestamp": 1686134016077,
"_document_id": "rRDqrkWAyr4etNHVBN2MdQ",
"action": "pull_request_review_comment.update",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686134016077,
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686092778658,
"_document_id": "ySsAv7blcNhEhRvlw2cnbQ",
"action": "repo.rename",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686092778658,
"old_name": "copy-s3-objects",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15",
"visibility": "private"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686089206322,
"_document_id": "4qrOaf_n_cB0BEUfoTXeyw",
"action": "hook.destroy",
"active": true,
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"config": {
"content_type": "form",
"insecure_ssl": "0"
},
"created_at": 1686089206322,
"events": [],
"hook_id": 418246386,
"name": "webhook",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686092779312,
"_document_id": "2AAQbnEVxg_qkh4S5XcQDg",
"action": "pull_request_review.delete",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686092779312,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1376005422,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/example-repo/pull/965",
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686093347760,
"_document_id": "4cV9xbCwSP5t5IT1TXEY1A",
"action": "pull_request_review_comment.delete",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686093347760,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686163467515,
"_document_id": "1V2e_uoTEqkgh4EIgIq28g",
"action": "repo.destroy",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686163467515,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"visibility": "private"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
-
Resource Metadata
Success
{
"@timestamp": 1686153022502,
"_document_id": "TaE7QBpn7eLwzy62M2_I8g",
"action": "repo.download_zip",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686153022502,
"hashed_token": "wEEhJjHXoWXUrZ2RjPughm1z3SFJBMM1P7ezCwNHUtM=",
"operation_type": "access",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"token_id": 57266916082,
"user_agent": "AWS CodeStar Connections",
"visibility": "internal"
}
Audit Logs
GitHub enterprise audit logs that provide an audit trail of user and system activity.
References
Retention Details
Storage Duration: Infinite
Can be changed by an enterprise admin
Latency Details
Duration: Near Real-Time
Can be changed by an enterprise admin
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Attribute Context
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "member",
"action": "edited",
"changes": {
"permission": {
"from": "admin",
"to": "maintain"
}
},
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2019-05-06T23:02:11Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme-inc",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme-inc",
"updated_at": "2023-09-18T18:37:11Z",
"website_url": ""
},
"installation": {
"id": 36327543,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc1NDM="
},
"member": {
"avatar_url": "https://avatars.githubusercontent.com/u/125585944?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 125585944,
"login": "john.doe",
"node_id": "U_kgDOB3xKGA",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/57419047?v=4",
"description": "Technology products that deliver great experiences.",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 57419047,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU3NDE5MDQ3",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"repository": {
"allow_forking": false,
"archive_url": "https://api.github.com/repos/acme/acme-search-service/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/acme/acme-search-service/assignees{/user}",
"blobs_url": "https://api.github.com/repos/acme/acme-search-service/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/acme/acme-search-service/branches{/branch}",
"clone_url": "https://github.com/acme/acme-search-service.git",
"collaborators_url": "https://api.github.com/repos/acme/acme-search-service/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/acme/acme-search-service/comments{/number}",
"commits_url": "https://api.github.com/repos/acme/acme-search-service/commits{/sha}",
"compare_url": "https://api.github.com/repos/acme/acme-search-service/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/acme/acme-search-service/contents/{+path}",
"contributors_url": "https://api.github.com/repos/acme/acme-search-service/contributors",
"created_at": "2023-03-06T18:27:33Z",
"default_branch": "develop",
"deployments_url": "https://api.github.com/repos/acme/acme-search-service/deployments",
"description": "This repository has code for hosting associate search process endpoints",
"disabled": false,
"downloads_url": "https://api.github.com/repos/acme/acme-search-service/downloads",
"events_url": "https://api.github.com/repos/acme/acme-search-service/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/acme/acme-search-service/forks",
"full_name": "acme/acme-search-service",
"git_commits_url": "https://api.github.com/repos/acme/acme-search-service/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/acme/acme-search-service/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/acme/acme-search-service/git/tags{/sha}",
"git_url": "git://github.com/acme/acme-search-service.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": true,
"has_pages": false,
"has_projects": true,
"has_wiki": true,
"homepage": "",
"hooks_url": "https://api.github.com/repos/acme/acme-search-service/hooks",
"html_url": "https://github.com/acme/acme-search-service",
"id": 610418220,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/acme/acme-search-service/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/acme/acme-search-service/issues/events{/number}",
"issues_url": "https://api.github.com/repos/acme/acme-search-service/issues{/number}",
"keys_url": "https://api.github.com/repos/acme/acme-search-service/keys{/key_id}",
"labels_url": "https://api.github.com/repos/acme/acme-search-service/labels{/name}",
"language": "Python",
"languages_url": "https://api.github.com/repos/acme/acme-search-service/languages",
"license": null,
"merges_url": "https://api.github.com/repos/acme/acme-search-service/merges",
"milestones_url": "https://api.github.com/repos/acme/acme-search-service/milestones{/number}",
"mirror_url": null,
"name": "acme-search-service",
"node_id": "R_kgDOJGI-LA",
"notifications_url": "https://api.github.com/repos/acme/acme-search-service/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/57419047?v=4",
"events_url": "https://api.github.com/users/acme/events{/privacy}",
"followers_url": "https://api.github.com/users/acme/followers",
"following_url": "https://api.github.com/users/acme/following{/other_user}",
"gists_url": "https://api.github.com/users/acme/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme",
"id": 57419047,
"login": "acme",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU3NDE5MDQ3",
"organizations_url": "https://api.github.com/users/acme/orgs",
"received_events_url": "https://api.github.com/users/acme/received_events",
"repos_url": "https://api.github.com/users/acme/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/acme"
},
"private": true,
"pulls_url": "https://api.github.com/repos/acme/acme-search-service/pulls{/number}",
"pushed_at": "2023-05-08T16:25:35Z",
"releases_url": "https://api.github.com/repos/acme/acme-search-service/releases{/id}",
"size": 65114,
"ssh_url": "git@github.com:acme/acme-search-service.git",
"stargazers_count": 1,
"stargazers_url": "https://api.github.com/repos/acme/acme-search-service/stargazers",
"statuses_url": "https://api.github.com/repos/acme/acme-search-service/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/acme/acme-search-service/subscribers",
"subscription_url": "https://api.github.com/repos/acme/acme-search-service/subscription",
"svn_url": "https://github.com/acme/acme-search-service",
"tags_url": "https://api.github.com/repos/acme/acme-search-service/tags",
"teams_url": "https://api.github.com/repos/acme/acme-search-service/teams",
"topics": [
"aa00003030"
],
"trees_url": "https://api.github.com/repos/acme/acme-search-service/git/trees{/sha}",
"updated_at": "2023-03-31T15:19:08Z",
"url": "https://api.github.com/repos/acme/acme-search-service",
"visibility": "private",
"watchers": 1,
"watchers_count": 1,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/124079944?v=4",
"events_url": "https://api.github.com/users/acme-bot/events{/privacy}",
"followers_url": "https://api.github.com/users/acme-bot/followers",
"following_url": "https://api.github.com/users/acme-bot/following{/other_user}",
"gists_url": "https://api.github.com/users/acme-bot/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme-bot",
"id": 124079944,
"login": "acme-bot",
"node_id": "U_kgDOB2VPSA",
"organizations_url": "https://api.github.com/users/acme-bot/orgs",
"received_events_url": "https://api.github.com/users/acme-bot/received_events",
"repos_url": "https://api.github.com/users/acme-bot/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme-bot/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme-bot/subscriptions",
"type": "User",
"url": "https://api.github.com/users/acme-bot"
}
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "team",
"action": "created",
"installation": {
"id": 20061973,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMjAwNjE5NzM="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/57452020",
"description": null,
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 10001234,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU3NDUyMDI4",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/64659350",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 64659356,
"login": "john.doe",
"node_id": "MDQ6VXNlcjY0NjU5MzU2",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"team": {
"description": "",
"html_url": "https://github.com/orgs/acme-inc/teams/python-dev-team",
"id": 8035041,
"members_url": "https://api.github.com/organizations/10001234/team/8035041/members{/member}",
"name": "python-dev-team",
"node_id": "T_kwDOA2yl_M4Aeprh",
"notification_setting": "notifications_enabled",
"parent": null,
"permission": "pull",
"privacy": "closed",
"repositories_url": "https://api.github.com/organizations/10001234/team/8035041/repos",
"slug": "python-dev-team",
"url": "https://api.github.com/organizations/10001234/team/8035041"
}
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "team",
"action": "edited",
"changes": {
"description": {
"from": "Acme devs"
}
},
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806770",
"description": "Acme, Inc.",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/114508650",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 114508655,
"login": "john.doe",
"node_id": "U_kgDOBtNDbw",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"team": {
"description": "Acme Dev Team",
"html_url": "https://github.com/orgs/acme/teams/acme-devs",
"id": 100123,
"members_url": "https://api.github.com/organizations/52806779/team/100123/members{/member}",
"name": "acme-devs",
"node_id": "T_kwDOAyXEe84AbHIq",
"notification_setting": "notifications_enabled",
"parent": null,
"permission": "pull",
"privacy": "closed",
"repositories_url": "https://api.github.com/organizations/52806779/team/100123/repos",
"slug": "acme-devs",
"url": "https://api.github.com/organizations/52806779/team/100123"
}
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "team",
"action": "deleted",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/2070",
"created_at": "2020-01-23T22:48:48Z",
"description": null,
"html_url": "https://github.com/enterprises/acme-inc",
"id": 2077,
"name": "Acme",
"node_id": "MDEwOkVudGVycHJpc2UyMDc3",
"slug": "acme-inc",
"updated_at": "2023-02-28T01:36:46Z",
"website_url": null
},
"installation": {
"id": 11045851,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMTEwNDU4NTE="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/123456",
"description": "",
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 123456,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjM2MjQ2MA==",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/74208070",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 74208074,
"login": "john.doe",
"node_id": "MDQ6VXNlcjc0MjA4MDc0",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"team": {
"description": "",
"html_url": "https://github.com/orgs/acme-inc/teams/repo-admin",
"id": 7304304,
"members_url": "https://api.github.com/organizations/123456/team/7304304/members{/member}",
"name": "repo-admin",
"node_id": "T_kwDOAAWH3M4Ab3Rw",
"notification_setting": "notifications_enabled",
"parent": null,
"permission": "pull",
"privacy": "closed",
"repositories_url": "https://api.github.com/organizations/123456/team/7304304/repos",
"slug": "repo-admin",
"url": "https://api.github.com/organizations/123456/team/7304304"
}
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "organization",
"action": "member_added",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme-inc",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme-inc",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"membership": {
"organization_url": "https://api.github.com/orgs/acme",
"role": "member",
"state": "pending",
"url": "https://api.github.com/orgs/acme/memberships/john.doe",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/132913314?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 132913314,
"login": "john.doe",
"node_id": "U_kgDOB-wYog",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806770",
"description": "Sample repo",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/92325258?v=4",
"events_url": "https://api.github.com/users/gh-automate/events{/privacy}",
"followers_url": "https://api.github.com/users/gh-automate/followers",
"following_url": "https://api.github.com/users/gh-automate/following{/other_user}",
"gists_url": "https://api.github.com/users/gh-automate/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/gh-automate",
"id": 92325258,
"login": "gh-automate",
"node_id": "U_kgDOBYDFig",
"organizations_url": "https://api.github.com/users/gh-automate/orgs",
"received_events_url": "https://api.github.com/users/gh-automate/received_events",
"repos_url": "https://api.github.com/users/gh-automate/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/gh-automate/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/gh-automate/subscriptions",
"type": "User",
"url": "https://api.github.com/users/gh-automate"
}
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "organization",
"action": "member_removed",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"membership": {
"organization_url": "https://api.github.com/orgs/acme",
"role": "unaffiliated",
"state": "inactive",
"url": "https://api.github.com/orgs/acme/memberships/john.doe",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/127213976?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 127213976,
"login": "john.doe",
"node_id": "U_kgDOB5UhmA",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806779?v=4",
"description": "Acme",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/92325258?v=4",
"events_url": "https://api.github.com/users/gh-automate/events{/privacy}",
"followers_url": "https://api.github.com/users/gh-automate/followers",
"following_url": "https://api.github.com/users/gh-automate/following{/other_user}",
"gists_url": "https://api.github.com/users/gh-automate/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/gh-automate",
"id": 92325258,
"login": "gh-automate",
"node_id": "U_kgDOBYDFig",
"organizations_url": "https://api.github.com/users/gh-automate/orgs",
"received_events_url": "https://api.github.com/users/gh-automate/received_events",
"repos_url": "https://api.github.com/users/gh-automate/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/gh-automate/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/gh-automate/subscriptions",
"type": "User",
"url": "https://api.github.com/users/gh-automate"
}
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Resource Name
-
Resource Type
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "repository",
"action": "created",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2019-05-06T23:02:11Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327745,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc3NDU="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/55462088?v=4",
"description": "Sample repo",
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 55462088,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaSrhdGlvbjU1NDYyMDg5",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"repository": {
"allow_forking": false,
"archive_url": "https://api.github.com/repos/acme-inc/sample-repo/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/acme-inc/sample-repo/assignees{/user}",
"blobs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/acme-inc/sample-repo/branches{/branch}",
"clone_url": "https://github.com/acme-inc/sample-repo.git",
"collaborators_url": "https://api.github.com/repos/acme-inc/sample-repo/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/acme-inc/sample-repo/comments{/number}",
"commits_url": "https://api.github.com/repos/acme-inc/sample-repo/commits{/sha}",
"compare_url": "https://api.github.com/repos/acme-inc/sample-repo/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/acme-inc/sample-repo/contents/{+path}",
"contributors_url": "https://api.github.com/repos/acme-inc/sample-repo/contributors",
"created_at": "2021-10-31T01:45:00Z",
"default_branch": "main",
"deployments_url": "https://api.github.com/repos/acme-inc/sample-repo/deployments",
"description": null,
"disabled": false,
"downloads_url": "https://api.github.com/repos/acme-inc/sample-repo/downloads",
"events_url": "https://api.github.com/repos/acme-inc/sample-repo/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/acme-inc/sample-repo/forks",
"full_name": "acme-inc/sample-repo",
"git_commits_url": "https://api.github.com/repos/acme-inc/sample-repo/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/acme-inc/sample-repo/git/tags{/sha}",
"git_url": "git://github.com/acme-inc/sample-repo.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": true,
"has_pages": false,
"has_projects": true,
"has_wiki": true,
"homepage": null,
"hooks_url": "https://api.github.com/repos/acme-inc/sample-repo/hooks",
"html_url": "https://github.com/acme-inc/sample-repo",
"id": 651592972,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/events{/number}",
"issues_url": "https://api.github.com/repos/acme-inc/sample-repo/issues{/number}",
"keys_url": "https://api.github.com/repos/acme-inc/sample-repo/keys{/key_id}",
"labels_url": "https://api.github.com/repos/acme-inc/sample-repo/labels{/name}",
"language": null,
"languages_url": "https://api.github.com/repos/acme-inc/sample-repo/languages",
"license": null,
"merges_url": "https://api.github.com/repos/acme-inc/sample-repo/merges",
"milestones_url": "https://api.github.com/repos/acme-inc/sample-repo/milestones{/number}",
"mirror_url": null,
"name": "sample-repo",
"node_id": "R_kgDOJtaFDA",
"notifications_url": "https://api.github.com/repos/acme-inc/sample-repo/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/55462080",
"events_url": "https://api.github.com/users/acme-inc/events{/privacy}",
"followers_url": "https://api.github.com/users/acme-inc/followers",
"following_url": "https://api.github.com/users/acme-inc/following{/other_user}",
"gists_url": "https://api.github.com/users/acme-inc/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme-inc",
"id": 55462088,
"login": "acme-inc",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU1NDYyMDg4",
"organizations_url": "https://api.github.com/users/acme-inc/orgs",
"received_events_url": "https://api.github.com/users/acme-inc/received_events",
"repos_url": "https://api.github.com/users/acme-inc/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme-inc/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme-inc/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/acme-inc"
},
"private": true,
"pulls_url": "https://api.github.com/repos/acme-inc/sample-repo/pulls{/number}",
"pushed_at": "2023-06-09T15:30:00Z",
"releases_url": "https://api.github.com/repos/acme-inc/sample-repo/releases{/id}",
"size": 0,
"ssh_url": "git@github.com:acme-inc/sample-repo.git",
"stargazers_count": 0,
"stargazers_url": "https://api.github.com/repos/acme-inc/sample-repo/stargazers",
"statuses_url": "https://api.github.com/repos/acme-inc/sample-repo/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/acme-inc/sample-repo/subscribers",
"subscription_url": "https://api.github.com/repos/acme-inc/sample-repo/subscription",
"svn_url": "https://github.com/acme-inc/sample-repo",
"tags_url": "https://api.github.com/repos/acme-inc/sample-repo/tags",
"teams_url": "https://api.github.com/repos/acme-inc/sample-repo/teams",
"topics": [],
"trees_url": "https://api.github.com/repos/acme-inc/sample-repo/git/trees{/sha}",
"updated_at": "2023-06-09T15:30:00Z",
"url": "https://api.github.com/repos/acme-inc/sample-repo",
"visibility": "private",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/126112697?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 126112697,
"login": "john.doe",
"node_id": "U_kgDOB4RTuQ",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Resource Name
-
Resource Type
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "repository",
"action": "deleted",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806770",
"description": "Sample repo",
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"repository": {
"allow_forking": false,
"archive_url": "https://api.github.com/repos/acme-inc/sample-repo/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/acme-inc/sample-repo/assignees{/user}",
"blobs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/acme-inc/sample-repo/branches{/branch}",
"clone_url": "https://github.com/acme-inc/sample-repo.git",
"collaborators_url": "https://api.github.com/repos/acme-inc/sample-repo/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/acme-inc/sample-repo/comments{/number}",
"commits_url": "https://api.github.com/repos/acme-inc/sample-repo/commits{/sha}",
"compare_url": "https://api.github.com/repos/acme-inc/sample-repo/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/acme-inc/sample-repo/contents/{+path}",
"contributors_url": "https://api.github.com/repos/acme-inc/sample-repo/contributors",
"created_at": "2021-10-31T01:45:00Z",
"default_branch": "main",
"deployments_url": "https://api.github.com/repos/acme-inc/sample-repo/deployments",
"description": null,
"disabled": true,
"downloads_url": "https://api.github.com/repos/acme-inc/sample-repo/downloads",
"events_url": "https://api.github.com/repos/acme-inc/sample-repo/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/acme-inc/sample-repo/forks",
"full_name": "acme-inc/sample-repo",
"git_commits_url": "https://api.github.com/repos/acme-inc/sample-repo/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/acme-inc/sample-repo/git/tags{/sha}",
"git_url": "git://github.com/acme-inc/sample-repo.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": true,
"has_pages": false,
"has_projects": true,
"has_wiki": true,
"homepage": null,
"hooks_url": "https://api.github.com/repos/acme-inc/sample-repo/hooks",
"html_url": "https://github.com/acme-inc/sample-repo",
"id": 621910567,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/events{/number}",
"issues_url": "https://api.github.com/repos/acme-inc/sample-repo/issues{/number}",
"keys_url": "https://api.github.com/repos/acme-inc/sample-repo/keys{/key_id}",
"labels_url": "https://api.github.com/repos/acme-inc/sample-repo/labels{/name}",
"language": null,
"languages_url": "https://api.github.com/repos/acme-inc/sample-repo/languages",
"license": null,
"merges_url": "https://api.github.com/repos/acme-inc/sample-repo/merges",
"milestones_url": "https://api.github.com/repos/acme-inc/sample-repo/milestones{/number}",
"mirror_url": null,
"name": "sample-repo",
"node_id": "R_kgDOJRGaJw",
"notifications_url": "https://api.github.com/repos/acme-inc/sample-repo/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806779?v=4",
"events_url": "https://api.github.com/users/acme-inc/events{/privacy}",
"followers_url": "https://api.github.com/users/acme-inc/followers",
"following_url": "https://api.github.com/users/acme-inc/following{/other_user}",
"gists_url": "https://api.github.com/users/acme-inc/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme-inc",
"id": 52806779,
"login": "acme-inc",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"organizations_url": "https://api.github.com/users/acme-inc/orgs",
"received_events_url": "https://api.github.com/users/acme-inc/received_events",
"repos_url": "https://api.github.com/users/acme-inc/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme-inc/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme-inc/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/acme-inc"
},
"private": true,
"pulls_url": "https://api.github.com/repos/acme-inc/sample-repo/pulls{/number}",
"pushed_at": "2023-03-31T16:50:57Z",
"releases_url": "https://api.github.com/repos/acme-inc/sample-repo/releases{/id}",
"size": 0,
"ssh_url": "git@github.com:acme-inc/sample-repo.git",
"stargazers_count": 0,
"stargazers_url": "https://api.github.com/repos/acme-inc/sample-repo/stargazers",
"statuses_url": "https://api.github.com/repos/acme-inc/sample-repo/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/acme-inc/sample-repo/subscribers",
"subscription_url": "https://api.github.com/repos/acme-inc/sample-repo/subscription",
"svn_url": "https://github.com/acme-inc/sample-repo",
"tags_url": "https://api.github.com/repos/acme-inc/sample-repo/tags",
"teams_url": "https://api.github.com/repos/acme-inc/sample-repo/teams",
"topics": [],
"trees_url": "https://api.github.com/repos/acme-inc/sample-repo/git/trees{/sha}",
"updated_at": "2023-06-07T18:45:54Z",
"url": "https://api.github.com/repos/acme-inc/sample-repo",
"visibility": "private",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/19332120",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 19332128,
"login": "john.doe",
"node_id": "MDQ6VXNlcjE5MzMyMTI4",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Webhook Events
GitHub webhook events are delivered whenever certain events occur on GitHub.
References
Retention Details
Storage Duration: N/A
GitHub does not officially retain webhook events. Recent webhook events can be accessed at `https://github.com/<ORGANIZATION>/<REPOSITORY>/settings/hooks`.
Latency Details
Duration: Near Real-Time
GitHub does not officially retain webhook events. Recent webhook events can be accessed at `https://github.com/<ORGANIZATION>/<REPOSITORY>/settings/hooks`.
Product Details
GitHub is a cloud-based service that provides a range of services related to version control, software development, and collaboration. The GitHub audit log API provides a feed for events that have been generated across the enterprise. If an organization does not use Enterprise Managed Users, the audit log only includes events related to the enterprise account and the organizations within the enterprise account. If an organization uses Enterprise Managed Users, the audit log also includes user events for managed user accounts. GitHub webhooks provide a way for notifications to be delivered to an external web server whenever certain events occur on GitHub.
Enterprise Audit Events
To collect enterprise events, use the audit log API.
Webhook Events
To collect webhook events, create and configure a webhook(s).
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Failure Context
-
Credential Context
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Identity Service Provider Context
Success
{
"kind": "admin#reports#activity",
"id": {
"applicationName": "login",
"customerId": "C03nyz48b",
"time": "2023-10-04T17:05:18.707Z",
"uniqueQualifier": "-8053599687898373773"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpogfhr6664Y4wU0J6c8Yw/T8TMuJvnXTPKpwK263SLxaXX-EA\"",
"actor": {
"email": "egrt@test.com",
"profileId": "10206845645323004074611"
},
"ipAddress": "211.150.189.540",
"event": {
"type": "login",
"name": "login_success",
"parameters": [
{
"name": "login_type",
"value": "reauth"
},
{
"name": "login_challenge_method",
"multiValue": [
"none"
]
},
{
"name": "is_suspicious",
"boolValue": false
}
]
}
}
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"email": "tlsdfr@test.com",
"profileId": "10906988138484515654"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCsdfsdfsdf0J6c8Yw/g9-7HZArWTv3ua4W8l_UrML6aj4\"",
"event": {
"type": "login",
"name": "logout",
"parameters": [
{
"name": "login_type",
"value": "google_password"
}
]
},
"id": {
"time": "2023-10-04T16:44:09.155Z",
"uniqueQualifier": "-2936062481883257414",
"applicationName": "login",
"customerId": "C03nyz48b"
},
"ipAddress": "117.92.113.444",
"kind": "admin#reports#activity"
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
Verification Method
-
Verification Flagged
-
Activity Performed
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"ipAddress": "38.62.201.104",
"event": {
"type": "login",
"name": "login_success",
"parameters": [
{
"name": "login_type",
"value": "google_password"
},
{
"name": "login_challenge_method",
"multiValue": [
"password",
"google_authenticator"
]
},
{
"name": "is_suspicious",
"boolValue": false
}
]
},
"kind": "admin#reports#activity",
"id": {
"applicationName": "login",
"customerId": "C1567gg8b",
"time": "2023-10-04T17:00:38.873Z",
"uniqueQualifier": "-288098944121678920"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpo6zAdUtM4hgihb7gw/-PaydDWGhijb567DzxG3-Q\"",
"actor": {
"email": "dfggg@test.com",
"profileId": "1081510555451515508623"
}
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T17:27:02.768Z",
"uniqueQualifier": "-3314472940692087673",
"applicationName": "admin",
"customerId": "C02rtjjj7y"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnwwpo6zAd3g53g55U0J6c8Yw/5pzih88L6fo0NupRAuuLv2Ar5M\"",
"actor": {
"email": "test@test.com",
"profileId": "111620519819984096",
"callerType": "USER"
},
"ipAddress": "42.130.180.122",
"event": {
"type": "USER_SETTINGS",
"name": "CREATE_USER",
"parameters": [
{
"value": "test2@test.com",
"name": "USER_EMAIL"
}
]
}
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
-
Target Attribute Context
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"event": {
"type": "LICENSES_SETTINGS",
"name": "USER_LICENSE_REVOKE",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
},
{
"value": "Cloud Identity Premium",
"name": "PRODUCT_NAME"
},
{
"name": "OLD_VALUE",
"value": "Cloud Identity Premium"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T17:12:20.110Z",
"uniqueQualifier": "-7032755160008235805",
"applicationName": "admin",
"customerId": "C52egrg2wc"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpo6ze8herg98hJ6c8Yw/jgqx0-DnGyAy2VkAPVBcOFCT3-Q\"",
"actor": {
"callerType": "USER",
"email": "test2@test2.com",
"profileId": "1169451581811976442"
},
"ipAddress": "34.64.200.101"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T17:26:56.224Z",
"uniqueQualifier": "54041277512397100",
"applicationName": "admin",
"customerId": "C2f8cunnf"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgerfe5t5g0J6c8Yw/jWiJ6tV0iybyuoS8eKnls3m4HkY\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "11111118126984096"
},
"ipAddress": "42.100.140.172",
"event": {
"name": "DELETE_USER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
}
],
"type": "USER_SETTINGS"
}
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"profileId": "1122063181981927490212",
"callerType": "USER",
"email": "test@test.com"
},
"ipAddress": "59.87.51.187",
"event": {
"name": "CREATE_GROUP",
"parameters": [
{
"name": "GROUP_EMAIL",
"value": "test2@test.com"
}
],
"type": "GROUP_SETTINGS"
},
"kind": "admin#reports#activity",
"id": {
"customerId": "C03cdidn3",
"time": "2023-10-04T16:19:08.748Z",
"uniqueQualifier": "-7965913039404370824",
"applicationName": "admin"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpo6ref454w4t3f6c8Yw/D6SAzt5ZDFR6eWcnRdAnF1gCQGo\""
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T14:33:20.949Z",
"uniqueQualifier": "-7981887426606302427",
"applicationName": "admin",
"customerId": "C03huyf5"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi887ghvuhbu77byv55c8Yw/b20Viygiyu7bUjyhpl56kx-M0\"",
"actor": {
"profileId": "154848611551817490212",
"callerType": "USER",
"email": "test@test.com"
},
"event": {
"name": "CHANGE_GROUP_SETTING",
"parameters": [
{
"name": "SETTING_NAME",
"value": "WHO_CAN_DISCOVER_GROUP"
},
{
"name": "GROUP_EMAIL",
"value": "test2@test.com"
},
{
"name": "OLD_VALUE",
"value": "ALL_IN_DOMAIN_CAN_DISCOVER"
},
{
"value": "ALL_MEMBERS_CAN_DISCOVER",
"name": "NEW_VALUE"
}
],
"type": "GROUP_SETTINGS"
}
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"profileId": "117158165166014059",
"callerType": "USER",
"email": "test@test.com"
},
"ipAddress": "154.109.108.92",
"event": {
"type": "GROUP_SETTINGS",
"name": "DELETE_GROUP",
"parameters": [
{
"name": "GROUP_EMAIL",
"value": "test-group@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-09T22:12:29.027Z",
"uniqueQualifier": "-8638445205597242715",
"applicationName": "admin",
"customerId": "C03hrryy3"
},
"etag": "\"rQ3qpTrpjMdfg4544rG#GEGrY4w55c8Yw/rpsdsSCER8_5--B_QCoUl8YBEHycL8\""
}
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"event": {
"type": "GROUP_SETTINGS",
"name": "ADD_GROUP_MEMBER",
"parameters": [
{
"value": "test@test.com",
"name": "USER_EMAIL"
},
{
"name": "GROUP_EMAIL",
"value": "test-group@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T18:24:54.690Z",
"uniqueQualifier": "-6798022200064344802",
"applicationName": "admin",
"customerId": "C00zibi7"
},
"etag": "\"rQ3qpTrpjMqlOD9Fifgh8f1fghf81gh4wU0J6c8Yw/MjJkdF51dfg5np52vLSY2l-gM\"",
"actor": {
"callerType": "USER",
"email": "testa@test.com",
"profileId": "10248166192532690543"
},
"ipAddress": "34.100.985.103"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"profileId": "10295165132690543",
"callerType": "USER",
"email": "testa@test.com"
},
"ipAddress": "34.90.206.115",
"event": {
"type": "GROUP_SETTINGS",
"name": "REMOVE_GROUP_MEMBER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
},
{
"name": "GROUP_EMAIL",
"value": "test@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"uniqueQualifier": "-7875301117743978886",
"applicationName": "admin",
"customerId": "C00znhgfh",
"time": "2023-10-04T18:24:58.074Z"
},
"etag": "\"rQ345lOD9Fi6Z65145556c8Yw/MFIFIW4tg4g51dg5157HWa1Lwss5Cr6g\""
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Role Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-17T23:13:13.915Z",
"uniqueQualifier": "-7017303223676593170",
"applicationName": "admin",
"customerId": "Ckkd8hc"
},
"etag": "\"jc94nIMyBsgegergergergOA9OLU9Ps/8q7ergergergergergeAca075m_AUp4pA\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "1169519165745888518"
},
"ipAddress": "164.220.241.143",
"event": {
"name": "CREATE_ROLE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "New Admin"
},
{
"name": "ROLE_ID",
"value": "84898198181155903"
}
],
"type": "DELEGATED_ADMIN_SETTINGS"
}
}
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Attribute Context
-
Target Role Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-17T23:13:13.915Z",
"uniqueQualifier": "-7017303223676593170",
"applicationName": "admin",
"customerId": "Ckkd8hc"
},
"etag": "\"jc94nIMyBsgegergergergOA9OLU9Ps/8q7ergergergergergeAca075m_AUp4pA\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "1169519165745888518"
},
"ipAddress": "164.220.241.143",
"event": {
"name": "UPDATE_ROLE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "New Admin"
},
{
"name": "ROLE_ID",
"value": "84898198181155903"
}
],
"type": "DELEGATED_ADMIN_SETTINGS"
}
}
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Role Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-17T23:13:13.915Z",
"uniqueQualifier": "-7017303223676593170",
"applicationName": "admin",
"customerId": "Ckkd8hc"
},
"etag": "\"jc94nIMyBsgegergergergOA9OLU9Ps/8q7ergergergergergeAca075m_AUp4pA\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "1169519165745888518"
},
"ipAddress": "164.220.241.143",
"event": {
"name": "DELETE_ROLE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "New Admin"
},
{
"name": "ROLE_ID",
"value": "84898198181155903"
}
],
"type": "DELEGATED_ADMIN_SETTINGS"
}
}
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"id": {
"time": "2023-10-10T20:59:40.904Z",
"uniqueQualifier": "-7549838176766410754",
"applicationName": "admin",
"customerId": "C13bsdvd4"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgdfgdf4wU0J6c8Yw/9MRxYfzAnE9dVdfgdfgdfgORupSE\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "10782284568708731702"
},
"ipAddress": "125.215.53.31",
"event": {
"type": "DELEGATED_ADMIN_SETTINGS",
"name": "ADD_PRIVILEGE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "Test Role"
},
{
"name": "ROLE_ID",
"value": "43792651651651557"
},
{
"name": "PRIVILEGE_NAME",
"value": "Alert Center;APPS_INCIDENTS_FULL_ACCESS"
}
]
},
"kind": "admin#reports#activity"
}
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Success
{
"ipAddress": "19.20.200.21",
"event": {
"type": "USER_SETTINGS",
"name": "SECURITY_KEY_REGISTERED_FOR_USER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"applicationName": "admin",
"customerId": "C03nyzrf3",
"time": "2023-10-03T23:11:59.995Z",
"uniqueQualifier": "-6330457545647588246"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCef34f34f36c8Yw/3t4sr-Fc34f34fgC0do\"",
"actor": {
"profileId": "11290751345894345842",
"callerType": "USER",
"email": "test@test.com"
}
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Success
{
"actor": {
"email": "test@test.com",
"profileId": "221195616515142",
"callerType": "USER"
},
"ipAddress": "9.10.100.22",
"event": {
"parameters": [
{
"value": "test@test.com",
"name": "USER_EMAIL"
}
],
"type": "USER_SETTINGS",
"name": "REVOKE_SECURITY_KEY"
},
"kind": "admin#reports#activity",
"id": {
"applicationName": "admin",
"customerId": "C03ihi7vv",
"time": "2023-10-03T22:33:48.843Z",
"uniqueQualifier": "-7457679779333247500"
},
"etag": "\"rQ3qpTrp45g35log5yh5btM4Y4wU0J6c8Yw/Njl5tg5tg5ergai-Mk\""
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"email": "test@test.com",
"profileId": "185459392577373"
},
"event": {
"type": "SECURITY_SETTINGS",
"name": "CHANGE_CAA_APP_ASSIGNMENTS",
"parameters": [
{
"name": "APPLICATION_NAME",
"value": "PLUS"
},
{
"name": "CAA_ASSIGNMENTS_OLD",
"multiValue": [
"device_policy_high"
]
},
{
"name": "CAA_ASSIGNMENTS_NEW",
"multiValue": [
"device_policy_medium"
]
},
{
"name": "CAA_ENFORCEMENT_ENDPOINTS_OLD",
"value": "CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS"
},
{
"name": "CAA_ENFORCEMENT_ENDPOINTS_NEW",
"value": "CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS"
},
{
"name": "TARGET_ENTITY_TYPE",
"value": "GROUP"
},
{
"name": "TARGET_ENTITY_NAME",
"value": "test-group@test.com"
},
{
"name": "MODE",
"value": "MONITOR"
}
]
},
"kind": "admin#reports#activity",
"id": {
"uniqueQualifier": "-8357743806993103819",
"applicationName": "admin",
"customerId": "C07811bh",
"time": "2023-10-03T21:26:36.365Z"
},
"etag": "\"rQ3qpTrpjMqlryth5yh5yh5yh5J6c8Yw/0g3r6h6hHHU8fvg5zE\""
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"uniqueQualifier": "-5992544593425859742",
"applicationName": "admin",
"customerId": "C00ntyhtyhty",
"time": "2023-10-12T15:59:23.551Z"
},
"etag": "\"jc94nIMfgrtgrthrthrtXqUGGHrthrt9OLU9Ps/EN0CkgUCOrthrthrth5CvTHwbLE\"",
"actor": {
"profileId": "105905796516511368150",
"callerType": "USER",
"email": "test@test.com"
},
"event": {
"type": "DOMAIN_SETTINGS",
"name": "ADD_APPLICATION",
"parameters": [
{
"name": "APP_ID",
"value": "4265846946440"
},
{
"name": "APPLICATION_NAME",
"value": "TestApplication"
},
{
"name": "APPLICATION_ENABLED",
"value": "false"
}
]
}
}
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"id": {
"time": "2023-10-04T16:37:47.039Z",
"uniqueQualifier": "-7371635294043122777",
"applicationName": "admin",
"customerId": "C02wayb7g"
},
"etag": "\"rQ3qpTrpjMqlOD9Firtrth56Y4wU0J6c8Yw/TmNY5656h6hhH4-rjrEGWN7Ko\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "11726318198115861321"
},
"ipAddress": "2500:1700:69d1:13f:5555:a5a3:fc15:c189",
"event": {
"type": "APPLICATION_SETTINGS",
"name": "CHANGE_APPLICATION_SETTING",
"parameters": [
{
"name": "APPLICATION_NAME",
"value": "Google Workspace Marketplace"
},
{
"name": "ORG_UNIT_NAME",
"value": "testdomain.com"
},
{
"value": "Allowlist app_access",
"name": "SETTING_NAME"
},
{
"name": "OLD_VALUE",
"value": "[app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"9999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n]"
},
{
"name": "NEW_VALUE",
"value": "[app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"9999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"999999999\"\n}\nallowed: true\n]"
}
]
},
"kind": "admin#reports#activity"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"event": {
"type": "DOMAIN_SETTINGS",
"name": "REMOVE_APPLICATION",
"parameters": [
{
"name": "APP_ID",
"value": "10284841265"
},
{
"name": "APPLICATION_NAME",
"value": "TESTApplication"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-12T16:40:07.644Z",
"uniqueQualifier": "-9185053452471991843",
"applicationName": "admin",
"customerId": "C0ijnijn9"
},
"etag": "\"jc94nIMyBF33ertgrhrthHOA9OLU9Ps/9CWrthretherthrTdaKCiZzGNsYU\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "105905798198198168150"
}
}
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "105951899444368150"
},
"ipAddress": "211.62.43.159",
"event": {
"name": "CREATE_SAML2_SERVICE_PROVIDER_CONFIG",
"parameters": [
{
"name": "SAML2_SERVICE_PROVIDER_ENTITY_ID",
"value": "https://test.com/sso/"
},
{
"name": "SAML2_SERVICE_PROVIDER_NAME",
"value": "BigCorp"
}
],
"type": "SAML2_SERVICE_PROVIDER_CONFIG_SETTINGS"
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-12T15:59:23.557Z",
"uniqueQualifier": "-7078025062376461990",
"applicationName": "admin",
"customerId": "C004knnh7y"
},
"etag": "\"jc94nIMyBF33rgergergergH0EHOA9OLU9Ps/JergergergereWa6e8Ij7s\""
}
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"ipAddress": "113.213.81.31",
"event": {
"type": "EMAIL_SETTINGS",
"name": "CHANGE_EMAIL_SETTING",
"parameters": [
{
"name": "SETTING_NAME",
"value": "NUMBER_OF_EMAIL_IMAGE_URL_WHITELIST_PATTERNS"
},
{
"name": "ORG_UNIT_NAME",
"value": "TestOrg"
},
{
"name": "OLD_VALUE",
"value": "15"
},
{
"name": "NEW_VALUE",
"value": "16"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-13T13:20:21.544Z",
"uniqueQualifier": "-7278920505284409591",
"applicationName": "admin",
"customerId": "C00jhhdbdn3"
},
"etag": "\"jc94nIMyBF33sdsdgefefbe0EHOA9OLU9Ps/iRevefvefvefvCgiwiS_XwN7wc\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "10785165158808731702"
}
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"id": {
"uniqueQualifier": "-7002522530705235178",
"applicationName": "admin",
"customerId": "C08njnjknv",
"time": "2023-10-16T09:48:53.629Z"
},
"etag": "\"jc94nIMyBFdfggbrtbEHOA9OLU9Ps/6AY_7_Kbx--X_ArtbrtbrtbGBo0\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "10355165165102363077"
},
"ipAddress": "fdc3:e723:ac4:10:14:9d12:af8:4c35",
"event": {
"type": "USER_SETTINGS",
"name": "DELETE_2SV_SCRATCH_CODES",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test2@test.com"
}
]
},
"kind": "admin#reports#activity"
}
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
-
Resource Metadata
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-15T23:35:01.493Z",
"uniqueQualifier": "-5681301083801866672",
"applicationName": "drive",
"customerId": "C07hbjkkbjkj"
},
"etag": "\"jc94nIMyBF33504pdfefgegegGH0EHOA9erg6Y7Yn5ugkRL-3ergergcdimwc\"",
"actor": {
"profileId": "1095156489815781956899",
"email": "test@test.com"
},
"ipAddress": "2601:1700:39d1:8yt2:74df:5a1f:15ec:fc79",
"event": {
"type": "access",
"name": "download",
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "billable",
"boolValue": true
},
{
"name": "owner_is_shared_drive",
"boolValue": false
},
{
"name": "owner",
"value": "test@test.com"
},
{
"name": "doc_id",
"value": "1tml8KIcsdwgewrg8jejg_jdid88"
},
{
"name": "doc_type",
"value": "txt"
},
{
"boolValue": false,
"name": "is_encrypted"
},
{
"value": "cooldoc.txt",
"name": "doc_title"
},
{
"name": "visibility",
"value": "shared_externally"
},
{
"name": "originating_app_id",
"value": "9471519811803"
},
{
"name": "actor_is_collaborator_account",
"boolValue": false
},
{
"name": "owner_is_team_drive",
"boolValue": false
}
]
}
}
Workspace Activity Audit
The activity audit log provides log events for actions occurring with your Google Workspace deployment.
References
Retention Details
Storage Duration: Typically 6 months
Service dependant - see https://support.google.com/a/answer/7061566?hl=en
Latency Details
Duration: Near real time up to a couple hours
Service dependant - see https://support.google.com/a/answer/7061566?hl=en
Product Details
Google Workspace (formerly GSuite) provides audit logging for all business plans to help admins and security teams monitor activities in their instance. Google Workspace offers a single stream of data for collection with the ability to filter the services in Google Workspace you intend to collect. Google Workspace also offers an Alert Center API to help admins and security teams monitor alerts generated by Google.
Google Workspace Activity Report
Activity reports list information for activities in a specific Google Workspace application or service.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Identity Service Provider Context
Unsupported
-
Result
-
IP Geolocation / ASN
-
Failure Context
-
Credential Context
Success
{
"CreationTime":"2024-05-01T17:24:06",
"Id":"0e523898-a3ab-4ba8-9c33-a6cc38050b03",
"Operation":"UserLoggedIn",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":15,
"ResultStatus":"Success",
"UserKey":"1a3b0ad5-eda1-4f48-b877-3b002e5d85b5",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ClientIP":"198.51.100.1",
"ObjectId":"00000002-0000-0ff1-ce00-000000000000",
"UserId":"example@test.onmicrosoft.comm",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"ResultStatusDetail",
"Value":"Success"
},{
"Name":"UserAgent",
"Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0"
},{
"Name":"RequestType",
"Value":"OAuth2:Authorize"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":0
},{
"ID":"example@test.onmicrosoft.com",
"Type":5
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ActorIpAddress":"198.51.100.1",
"InterSystemsId":"fb9e8227-8661-b935-9245-caaa4dafbab5",
"IntraSystemId":"0e523898-a3ab-4ba8-9c33-a6cc38050b03",
"SupportTicketId":"",
"Target":[{
"ID":"00000002-0000-0ff1-ce00-000000000000",
"Type":0
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ApplicationId":"00000002-0000-0ff1-ce00-000000000000",
"DeviceProperties":[{
"Name":"OS",
"Value":"Windows10"
},{
"Name":"BrowserType",
"Value":"Firefox"
},{
"Name":"SessionId",
"Value":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}],
"ErrorNumber":"0"
}Failure
{
"CreationTime":"2024-05-02T02:15:53",
"Id":"514d0006-6b28-446c-8f7c-e85271a31200",
"Operation":"UserLoginFailed",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":15,
"ResultStatus":"Success",
"UserKey":"1a3b0ad5-eda1-4f48-b877-3b002e5d85b5",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ClientIP":"198.51.100.1",
"ObjectId":"00000003-0000-0000-c000-000000000000",
"UserId":"Not Available",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"ResultStatusDetail",
"Value":"Success"
},{
"Name":"UserAgent",
"Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0"
},{
"Name":"RequestType",
"Value":"SAS:BeginAuth"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":0
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ActorIpAddress":"198.51.100.1",
"InterSystemsId":"cb18cf68-7234-4c40-8092-532f41063417",
"IntraSystemId":"514d0006-6b28-446c-8f7c-e85271a31200",
"SupportTicketId":"",
"Target":[{
"ID":"00000003-0000-0000-c000-000000000000",
"Type":0
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ApplicationId":"19db86c3-b2b9-44cc-b339-36da233a3be2",
"DeviceProperties":[{
"Name":"OS",
"Value":"Windows"
},{
"Name":"BrowserType",
"Value":"Firefox"
}],
"ErrorNumber":"50074",
"LogonError":"UserStrongAuthClientAuthNRequiredInterrupt"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Session ID
-
IP Geolocation / ASN
-
Verification Method
-
Verification Flagged
-
Activity Performed
Success
{
"CreationTime":"2024-05-01T03:59:39",
"Id":"ffdb8af6-ce7e-4218-93f8-79024f7e3300",
"Operation":"UserLoggedIn",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":15,
"ResultStatus":"Success",
"UserKey":"1a3b0ad5-eda1-4f48-b877-3b002e5d85b5",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ClientIP":"198.51.100.1",
"ObjectId":"00000002-0000-0000-c000-000000000000",
"UserId":"Not Available",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"ResultStatusDetail",
"Value":"Success"
},{
"Name":"UserAgent",
"Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0"
},{
"Name":"RequestType",
"Value":"SAS:BeginAuth"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":0
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ActorIpAddress":"198.51.100.1",
"InterSystemsId":"82fd1a94-4b4e-4b6e-ab01-ae97923206d6",
"IntraSystemId":"ffdb8af6-ce7e-4218-93f8-79024f7e3300",
"SupportTicketId":"",
"Target":[{
"ID":"00000002-0000-0000-c000-000000000000",
"Type":0
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ApplicationId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"DeviceProperties":[{
"Name":"OS",
"Value":"Windows"
},{
"Name":"BrowserType",
"Value":"Firefox"
}],
"ErrorNumber":"0"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:29:10",
"Id":"d17a8564-4f63-4792-a063-4ecf01e1b7a1",
"Operation":"Add user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"AccountEnabled",
"NewValue":"[\r\n true\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"Test User 10\"\r\n]",
"OldValue":"[]"
},{
"Name":"MailNickname",
"NewValue":"[\r\n \"TestUser10\"\r\n]",
"OldValue":"[]"
},{
"Name":"StsRefreshTokensValidFrom",
"NewValue":"[\r\n \"2024-05-01T21:29:10Z\"\r\n]",
"OldValue":"[]"
},{
"Name":"UserPrincipalName",
"NewValue":"[\r\n \"TestUser10@test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"UserType",
"NewValue":"[\r\n \"Member\"\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"AccountEnabled, DisplayName, MailNickname, StsRefreshTokensValidFrom, UserPrincipalName, UserType",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"8134ebac-1bab-411b-a547-b1610cf84a8f",
"IntraSystemId":"8004de8c-eb2b-4c14-b55a-2525ccedaa82",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Attribute Context
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T19:03:01",
"Id":"7df508c4-a9a3-4c58-b39f-a6ef3c171d41",
"Operation":"Update user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"example@test.onmicrosoft.com",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"UserType\":\"Member\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"Included Updated Properties",
"NewValue":"",
"OldValue":""
},{
"Name":"TargetId.UserType",
"NewValue":"Member",
"OldValue":""
},{
"Name":"ActorId.ServicePrincipalNames",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
},{
"Name":"SPN",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
}],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"627e042e-637b-4a2a-9c65-ac00b2d08906",
"IntraSystemId":"c434b12d-544d-4db1-90cd-21a79a9a8c0a",
"SupportTicketId":"",
"Target":[{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:34:00",
"Id":"d168a319-f0e6-4fff-900f-447a4f624d9d",
"Operation":"Delete user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"0c1966ef97c24558a7fd962fba9dcbc4test15@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"Is Hard Deleted",
"NewValue":"False",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"171ad712-02d9-4f5e-b7dd-40aa612bf7a9",
"IntraSystemId":"5e05f73f-ea8c-4e94-8149-9a7e9abf4031",
"SupportTicketId":"",
"Target":[{
"ID":"User_0c1966ef-97c2-4558-a7fd-962fba9dcbc4",
"Type":2
},{
"ID":"0c1966ef-97c2-4558-a7fd-962fba9dcbc4",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"0c1966ef97c24558a7fd962fba9dcbc4test15@test.onmicrosoft.com",
"Type":5
},{
"ID":"10032003546DB13C",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T16:25:27",
"Id":"dadb97b5-59e0-40e8-9d39-0be9bbcf584b",
"Operation":"Add group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"Description",
"NewValue":"[\r\n \"This is a test distribution group\"\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"Test Group\"\r\n]",
"OldValue":"[]"
},{
"Name":"Mail",
"NewValue":"[\r\n \"testdistro@test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"MailEnabled",
"NewValue":"[\r\n true\r\n]",
"OldValue":"[]"
},{
"Name":"MailNickname",
"NewValue":"[\r\n \"testdistro\"\r\n]",
"OldValue":"[]"
},{
"Name":"ProxyAddresses",
"NewValue":"[\r\n \"SMTP:testdistro@test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"RenewedDateTime",
"NewValue":"[\r\n \"2024-05-01T16:25:27Z\"\r\n]",
"OldValue":"[]"
},{
"Name":"SecurityEnabled",
"NewValue":"[\r\n false\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"Description, DisplayName, Mail, MailEnabled, MailNickname, ProxyAddresses, RenewedDateTime, SecurityEnabled",
"OldValue":""
},{
"Name":"ActorId.ServicePrincipalNames",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
},{
"Name":"SPN",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
}],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"cd44d8b8-42a5-4b68-b11f-bd6e7f028c72",
"IntraSystemId":"89114104-c53a-4f24-8211-c4019169bc6c",
"SupportTicketId":"",
"Target":[{
"ID":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"Group",
"Type":2
},{
"ID":"Test Group",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Success
{
"CreationTime":"2024-05-01T16:26:29",
"Id":"469d7f6a-494e-42ef-aebd-195301726b0c",
"Operation":"Update group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"GroupType\":\"\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"DisplayName",
"NewValue":"[\r\n \"Test Group 24\"\r\n]",
"OldValue":"[\r\n \"Test Group\"\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"DisplayName",
"OldValue":""
},{
"Name":"TargetId.GroupType",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"f8cfcb03-97fa-44a2-a4eb-71b05660c65f",
"IntraSystemId":"badb759f-7b05-4eec-b6b7-efa5cf84cf0d",
"SupportTicketId":"",
"Target":[{
"ID":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"Group",
"Type":2
},{
"ID":"Test Group 24",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T16:26:51",
"Id":"1bcdf6d9-d41e-408a-ad70-0a2ec1e040d2",
"Operation":"Delete group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"ce7facf0-60d9-4594-9536-02839e0633bb",
"IntraSystemId":"495208b4-932d-4768-9d16-6d9f059b5494",
"SupportTicketId":"",
"Target":[{
"ID":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"Group",
"Type":2
},{
"ID":"Test Group 24",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Device/Client Type
-
Target Username
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
Success
{
"CreationTime":"2024-05-01T05:10:05",
"Id":"d74b2827-73e9-4ca4-8d9e-882f11a1f354",
"Operation":"Add member to group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"AlexW@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"O365AdminPortal\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"Group.ObjectID",
"NewValue":"a86f3642-1b11-468d-aaa3-8398902bd512",
"OldValue":""
},{
"Name":"Group.DisplayName",
"NewValue":"Test Group 100",
"OldValue":""
},{
"Name":"Group.WellKnownObjectName",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"Microsoft Office 365 Portal",
"Type":1
},{
"ID":"00000006-0000-0ff1-ce00-000000000000",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"771df599-2929-4f34-aeec-0d0d22d2df64",
"IntraSystemId":"ce463e56-df50-4961-bff1-6f1da69da656",
"SupportTicketId":"",
"Target":[{
"ID":"User_1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"AlexW@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320024DBC18D8",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Username
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T05:27:56",
"Id":"1ab6721e-1557-4138-8417-15378b431bda",
"Operation":"Remove member from group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"AlexW@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"O365AdminPortal\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"Group.ObjectID",
"NewValue":"",
"OldValue":"a86f3642-1b11-468d-aaa3-8398902bd512"
},{
"Name":"Group.DisplayName",
"NewValue":"",
"OldValue":"Test Group 100"
},{
"Name":"Group.WellKnownObjectName",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"Microsoft Office 365 Portal",
"Type":1
},{
"ID":"00000006-0000-0ff1-ce00-000000000000",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"d1887bb8-a1ed-4647-b3da-44ac87659630",
"IntraSystemId":"c5f0fcf1-7a94-4d63-96fe-f5bf859d068e",
"SupportTicketId":"",
"Target":[{
"ID":"User_1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"AlexW@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320024DBC18D8",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Role Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:35:05",
"Id":"414a577a-6bcc-489d-a3c3-6919423134b1",
"Operation":"Add role definition.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"RoleDefinition"
}],
"ModifiedProperties":[{
"Name":"AssignableScopes",
"NewValue":"[\r\n {\r\n \"Type\": \"Tenant\",\r\n \"Id\": null,\r\n \"IsSelfScope\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"New Test Role\"\r\n]",
"OldValue":"[]"
},{
"Name":"GrantedPermissions",
"NewValue":"[\r\n {\r\n \"Actions\": [\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Delete\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Read\",\r\n \"ReadPropertySet\": \"Owners\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n }\r\n ],\r\n \"Condition\": null,\r\n \"ScopeConstraints\": [],\r\n \"IsPrivileged\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"AssignableScopes, DisplayName, GrantedPermissions",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"17247e48-1e4d-416b-8aa0-55d44ab09716",
"IntraSystemId":"5d368745-fbc5-403d-84ca-6eda100ad00d",
"SupportTicketId":"",
"Target":[{
"ID":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"Other",
"Type":2
},{
"ID":"New Test Role",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Attribute Context
-
Target Role Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:35:59",
"Id":"c7a002e8-8dbd-43a7-8c64-8de5910f49ff",
"Operation":"Update role definition.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"RoleDefinition"
}],
"ModifiedProperties":[{
"Name":"GrantedPermissions",
"NewValue":"[\r\n {\r\n \"Actions\": [\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Delete\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Read\",\r\n \"ReadPropertySet\": \"Owners\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"ApplicationMyOrganization\",\r\n \"TaskType\": \"Update\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"Basic\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"ApplicationMyOrganization\",\r\n \"TaskType\": \"Update\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"Credentials\",\r\n \"TaskTypeSubsetName\": null\r\n }\r\n ],\r\n \"Condition\": null,\r\n \"ScopeConstraints\": [],\r\n \"IsPrivileged\": true\r\n }\r\n]",
"OldValue":"[\r\n {\r\n \"Actions\": [\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Delete\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Read\",\r\n \"ReadPropertySet\": \"Owners\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n }\r\n ],\r\n \"Condition\": null,\r\n \"ScopeConstraints\": [],\r\n \"IsPrivileged\": false\r\n }\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"GrantedPermissions",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"38e57fdb-584e-4c9e-a68d-2b1eca4fae68",
"IntraSystemId":"9b6be5d3-e88b-430f-8eb6-29b3b742800e",
"SupportTicketId":"",
"Target":[{
"ID":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"Other",
"Type":2
},{
"ID":"New Test Role",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Role Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:36:10",
"Id":"f377408a-4cde-46ae-a658-f0042cc3f652",
"Operation":"Delete role definition.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"RoleDefinition"
}],
"ModifiedProperties":[{
"Name":"Included Updated Properties",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"d68f7c29-5a2c-43e4-a113-51b6bd72d0ea",
"IntraSystemId":"9b6be5d3-e88b-430f-8eb6-29b3b7428016",
"SupportTicketId":"",
"Target":[{
"ID":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"Other",
"Type":2
},{
"ID":"New Test Role",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Permission Name
-
Target Resource Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:31:15",
"Id":"87025648-8434-4b73-a311-9eb82a0845fd",
"Operation":"Add member to role.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Role"
}],
"ModifiedProperties":[{
"Name":"Role.ObjectID",
"NewValue":"025dfbe5-67e0-44ce-9718-7cce87afdc00",
"OldValue":""
},{
"Name":"Role.DisplayName",
"NewValue":"Application Developer",
"OldValue":""
},{
"Name":"Role.TemplateId",
"NewValue":"cf1c38e5-3621-4004-a7cb-879624dced7c",
"OldValue":""
},{
"Name":"Role.WellKnownObjectName",
"NewValue":"ApplicationDevelopers",
"OldValue":""
}],
"Actor":[{
"ID":"MS-PIM",
"Type":1
},{
"ID":"01fc33a7-78ba-4d2f-a4b7-768e336e890e",
"Type":2
},{
"ID":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"da951f55-bdae-488a-8c47-ef670c358b09",
"IntraSystemId":"302d6a09-2d3d-49d1-9549-3966d6b649a2",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Permission Name
-
Target Resource Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:31:15",
"Id":"b6973e19-e37e-4b03-b077-0a1d2de71106",
"Operation":"Remove member from role.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Role"
}],
"ModifiedProperties":[{
"Name":"Role.ObjectID",
"NewValue":"",
"OldValue":"025dfbe5-67e0-44ce-9718-7cce87afdc00"
},{
"Name":"Role.DisplayName",
"NewValue":"",
"OldValue":"Application Developer"
},{
"Name":"Role.TemplateId",
"NewValue":"",
"OldValue":"cf1c38e5-3621-4004-a7cb-879624dced7c"
},{
"Name":"Role.WellKnownObjectName",
"NewValue":"",
"OldValue":"ApplicationDevelopers"
}],
"Actor":[{
"ID":"MS-PIM",
"Type":1
},{
"ID":"01fc33a7-78ba-4d2f-a4b7-768e336e890e",
"Type":2
},{
"ID":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"31800963-cabe-47e6-8500-68ed16ffdfa7",
"IntraSystemId":"302d6a09-2d3d-49d1-9549-3966d6b649a2",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Enrollment Type
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-02T01:47:58",
"Id":"d13709bc-1139-4afe-996c-40d28014186b",
"Operation":"Update user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"TestUser10@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"UserType\":\"Member\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"StrongAuthenticationUserDetails",
"NewValue":"[\r\n {\r\n \"PhoneNumber\": \"+1 1234567891\",\r\n \"AlternativePhoneNumber\": null,\r\n \"Email\": null,\r\n \"VoiceOnlyPhoneNumber\": null\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"StrongAuthenticationUserDetails",
"OldValue":""
},{
"Name":"TargetId.UserType",
"NewValue":"Member",
"OldValue":""
}],
"Actor":[{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
},{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"5ee3f9c0-16e7-464b-af39-8cac70d274e0",
"IntraSystemId":"cb5af41a-7779-45c4-b9fb-258f78a3dadf",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Enrollment Type
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-02T02:16:16",
"Id":"0ec7c8b7-77cb-4aa4-bee9-834e4dc9491a",
"Operation":"Update user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"ServicePrincipal_14de7e5c-d71d-4803-afd0-4cbc978b0d84",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"UserType\":\"Member\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"StrongAuthenticationPhoneAppDetail",
"NewValue":"[]",
"OldValue":"[\r\n {\r\n \"DeviceName\": \"iPhone 12 Pro\",\r\n \"DeviceToken\": \"apns2-f5f9da4aa265ab5f8f45948763d0fc07d560e25fa2f7452706d82bfe1eee0d0b\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.8.7\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"780c65ef-b4d2-4c09-a84f-fc8ee722c6fe\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 2,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-02T01:46:51.1234035Z\",\r\n \"AuthenticatorFlavor\": null,\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"StrongAuthenticationPhoneAppDetail",
"OldValue":""
},{
"Name":"TargetId.UserType",
"NewValue":"Member",
"OldValue":""
}],
"Actor":[{
"ID":"Azure MFA StrongAuthenticationService",
"Type":1
},{
"ID":"b5a60e17-278b-4c92-a4e2-b9262e66bb28",
"Type":2
},{
"ID":"ServicePrincipal_14de7e5c-d71d-4803-afd0-4cbc978b0d84",
"Type":2
},{
"ID":"14de7e5c-d71d-4803-afd0-4cbc978b0d84",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"6bc227a7-2e1d-4108-be7d-afab72e4887d",
"IntraSystemId":"8d98157b-5aec-459d-a4fd-39773a9b0b7d",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:41:34",
"Id":"b1fe6046-32f3-4464-9769-1fedc9122000",
"Operation":"Add policy.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Policy"
}],
"ModifiedProperties":[{
"Name":"DisplayName",
"NewValue":"[\r\n \"Default Policy\"\r\n]",
"OldValue":"[]"
},{
"Name":"PolicyType",
"NewValue":"[\r\n \"ConditionalAccessPolicy\"\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"DisplayName, PolicyType",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"1392787e-f8a4-44f1-bc52-40f5c542b317",
"IntraSystemId":"0d381482-0e74-49eb-9a16-edf059158785",
"SupportTicketId":"",
"Target":[{
"ID":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"Policy",
"Type":2
},{
"ID":"Default Policy",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:41:53",
"Id":"5bf46a0b-5c14-468e-9b1f-bbb861d60411",
"Operation":"Update policy.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Policy"
}],
"ModifiedProperties":[{
"Name":"Included Updated Properties",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"59e475aa-49be-4608-b3c2-4163f5a4285f",
"IntraSystemId":"198cceb4-2226-451c-bccf-7500fd31da79",
"SupportTicketId":"",
"Target":[{
"ID":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"Policy",
"Type":2
},{
"ID":"Default Policy",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Configuration / Setting Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"CreationTime":"2024-05-01T21:42:17",
"Id":"f26d627b-40b0-42d6-9ab1-97de7ec000d6",
"Operation":"Delete policy.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Policy_673e6616-0786-46cb-bd95-118b7cf949a6",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Policy"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"fcb00c2e-c2ec-49c8-80fe-34131490dd8b",
"IntraSystemId":"5c9e3a73-f101-4ccb-8358-fdc8c4e206b2",
"SupportTicketId":"",
"Target":[{
"ID":"Policy_673e6616-0786-46cb-bd95-118b7cf949a6",
"Type":2
},{
"ID":"673e6616-0786-46cb-bd95-118b7cf949a6",
"Type":2
},{
"ID":"Policy",
"Type":2
},{
"ID":"Test CAP",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:43:37",
"Id":"2f2af1ba-6d5f-40d2-863e-5263bb46a62c",
"Operation":"Add application.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"UserId":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"AppId\":\"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Application"
}],
"ModifiedProperties":[{
"Name":"AppAddress",
"NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://sso.services.box.net/sp/ACS.saml2\",\r\n \"ReplyAddressClientType\": 0,\r\n \"ReplyAddressIndex\": null,\r\n \"IsReplyAddressDefault\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"AppId",
"NewValue":"[\r\n \"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"\r\n]",
"OldValue":"[]"
},{
"Name":"AvailableToOtherTenants",
"NewValue":"[\r\n false\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"Box\"\r\n]",
"OldValue":"[]"
},{
"Name":"Entitlement",
"NewValue":"[\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e5bf6e42-3702-45c6-b19e-e0113417b6ad\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"Access Box\",\r\n \"Description\": \"Allow the application to access Box on behalf of the signed-in user.\",\r\n \"Definition\": null,\r\n \"ClaimValue\": \"user_impersonation\",\r\n \"ResourceScopeType\": 1,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": \"Access Box\",\r\n \"UserConsentDescription\": \"Allow the application to access Box on your behalf.\",\r\n \"DirectAccessGrantTypes\": [],\r\n \"ImpersonationAccessGrantTypes\": [\r\n {\r\n \"Impersonator\": 29,\r\n \"Impersonated\": 20\r\n }\r\n ],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"PublicClient",
"NewValue":"[\r\n false\r\n]",
"OldValue":"[]"
},{
"Name":"WwwHomepage",
"NewValue":"[\r\n \"https://sso.services.box.net/sp/ACS.saml2?metadata=box|ISV9.1|primary|z\"\r\n]",
"OldValue":"[]"
},{
"Name":"PublisherDomain",
"NewValue":"[\r\n \"test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage, PublisherDomain",
"OldValue":""
}],
"Actor":[{
"ID":"AAD App Management",
"Type":1
},{
"ID":"f0ae4899-d877-4d3c-ae25-679e38eea492",
"Type":2
},{
"ID":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"ceb1bc66-ebc1-4cee-ac1c-c79573942636",
"IntraSystemId":"00000000-0000-0000-0000-000000000000",
"SupportTicketId":"",
"Target":[{
"ID":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"Application",
"Type":2
},{
"ID":"Box",
"Type":1
},{
"ID":"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12",
"Type":2
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:43:39",
"Id":"86732c26-5672-4756-acad-6d336ecaea71",
"Operation":"Update application.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"UserId":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"AppId\":\"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Application"
}],
"ModifiedProperties":[{
"Name":"Entitlement",
"NewValue":"[\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e5bf6e42-3702-45c6-b19e-e0113417b6ad\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"Access Box\",\r\n \"Description\": \"Allow the application to access Box on behalf of the signed-in user.\",\r\n \"Definition\": null,\r\n \"ClaimValue\": \"user_impersonation\",\r\n \"ResourceScopeType\": 1,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": \"Access Box\",\r\n \"UserConsentDescription\": \"Allow the application to access Box on your behalf.\",\r\n \"DirectAccessGrantTypes\": [],\r\n \"ImpersonationAccessGrantTypes\": [\r\n {\r\n \"Impersonator\": 29,\r\n \"Impersonated\": 20\r\n }\r\n ],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n },\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e18f0405-fdec-4ae8-a8a0-d8edb98b061f\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"User\",\r\n \"Description\": \"User\",\r\n \"Definition\": null,\r\n \"ClaimValue\": null,\r\n \"ResourceScopeType\": 0,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": null,\r\n \"UserConsentDescription\": null,\r\n \"DirectAccessGrantTypes\": [\r\n 20\r\n ],\r\n \"ImpersonationAccessGrantTypes\": [],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n },\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"ef7437e6-4f94-4a0a-a110-a439eb2aa8f7\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"msiam_access\",\r\n \"Description\": \"msiam_access\",\r\n \"Definition\": null,\r\n \"ClaimValue\": null,\r\n \"ResourceScopeType\": 0,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": null,\r\n \"UserConsentDescription\": null,\r\n \"DirectAccessGrantTypes\": [\r\n 20\r\n ],\r\n \"ImpersonationAccessGrantTypes\": [],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n }\r\n]",
"OldValue":"[\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e5bf6e42-3702-45c6-b19e-e0113417b6ad\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"Access Box\",\r\n \"Description\": \"Allow the application to access Box on behalf of the signed-in user.\",\r\n \"Definition\": null,\r\n \"ClaimValue\": \"user_impersonation\",\r\n \"ResourceScopeType\": 1,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": \"Access Box\",\r\n \"UserConsentDescription\": \"Allow the application to access Box on your behalf.\",\r\n \"DirectAccessGrantTypes\": [],\r\n \"ImpersonationAccessGrantTypes\": [\r\n {\r\n \"Impersonator\": 29,\r\n \"Impersonated\": 20\r\n }\r\n ],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n }\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"Entitlement",
"OldValue":""
}],
"Actor":[{
"ID":"AAD App Management",
"Type":1
},{
"ID":"f0ae4899-d877-4d3c-ae25-679e38eea492",
"Type":2
},{
"ID":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"6a768b60-62e7-4e3b-b49b-8713093979c7",
"IntraSystemId":"00000000-0000-0000-0000-000000000000",
"SupportTicketId":"",
"Target":[{
"ID":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"Application",
"Type":2
},{
"ID":"Box",
"Type":1
},{
"ID":"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12",
"Type":2
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:45:46",
"Id":"dc3a6b43-7cbf-4e35-8cc0-0ac7622aedcb",
"Operation":"Delete application.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"AppId\":\"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Application"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"5e481f17-a030-48a4-818d-94e014f54189",
"IntraSystemId":"00000000-0000-0000-0000-000000000000",
"SupportTicketId":"",
"Target":[{
"ID":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"Application",
"Type":2
},{
"ID":"Box Test",
"Type":1
},{
"ID":"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12",
"Type":2
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Azure Active Directory Audit Logs
Includes logs from Azure Active Directory including authentication and user management.
References
Retention Details
Storage Duration: 180 days
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Latency Details
Duration: Typically 60 to 90 minutes after an event occurs.
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Result
-
IP Geolocation / ASN
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"CreationTime":"2024-04-30T01:50:30",
"Id":"15146ca7-c8b4-4661-1189-08dc68b7ea96",
"Operation":"MailboxLogin",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"test4@test.onmicrosoft.com",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=/owa/startupdata.ashx; Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"test4@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"SJ0PR06MB7068",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:20:08",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:25:27",
"Id":"60ee7c61-f9d1-49eb-1743-08dc69fb4fdc",
"Operation":"New-DistributionGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:13736",
"ObjectId":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Alias",
"Value":"testdistro"
},{
"Name":"Description",
"Value":"This is a test distribution group"
},{
"Name":"RequireSenderAuthenticationEnabled",
"Value":"True"
},{
"Name":"DisplayName",
"Value":"Test Group"
},{
"Name":"MemberDepartRestriction",
"Value":"Open"
},{
"Name":"ManagedBy",
"Value":"example@test.onmicrosoft.com"
},{
"Name":"Name",
"Value":"Test Group20240501162508"
},{
"Name":"MemberJoinRestriction",
"Value":"Open"
},{
"Name":"PrimarySmtpAddress",
"Value":"testdistro@test.onmicrosoft.com"
}],
"RequestId":"a36f3f21-295b-52e0-28bf-4ed14ed99ae1",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:21:28",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:26:29",
"Id":"baba650a-2d56-4b03-586a-08dc69fb74e4",
"Operation":"Set-DistributionGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:14492",
"ObjectId":"Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508"
},{
"Name":"GrantSendOnBehalfTo",
"Value":""
},{
"Name":"ModeratedBy",
"Value":""
},{
"Name":"BypassModerationFromSendersOrMembers",
"Value":""
},{
"Name":"AcceptMessagesOnlyFromSendersOrMembers",
"Value":""
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
},{
"Name":"DisplayName",
"Value":"Test Group 24"
}],
"RequestId":"de7de5af-cf19-7e5d-375b-1d32f22226a4",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:21:50",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:26:51",
"Id":"165ebb45-ec0e-40a2-0a76-08dc69fb81d7",
"Operation":"Remove-DistributionGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:12185",
"ObjectId":"Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508"
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
}],
"RequestId":"e7b9495a-3dae-61c4-d07b-061ca7db5010",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:21:07",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:26:08",
"Id":"33c59316-c708-4a04-7a24-08dc69fb680a",
"Operation":"Add-DistributionGroupMember",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:17461",
"ObjectId":"Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508"
},{
"Name":"Member",
"Value":"93714996-ddb9-4e6a-b1aa-6db081388f73"
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
}],
"RequestId":"377d3ffb-35c0-1272-3ca4-c373e68de9f1",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:36:14",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:41:15",
"Id":"5c59f5eb-e4fb-49aa-8a57-08dc69fd84ef",
"Operation":"Remove-DistributionGroupMember",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:21866",
"ObjectId":"Test Group 220240501164027",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group 220240501164027"
},{
"Name":"Member",
"Value":"0c1966ef-97c2-4558-a7fd-962fba9dcbc4"
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
}],
"RequestId":"7c5778ce-acd5-a41f-8078-5de5af9dc897",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Role Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:54:48",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:00:43",
"Id":"f09281ab-848e-4de0-6356-08dc69934603",
"Operation":"New-RoleGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:10267",
"ObjectId":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Name",
"Value":"Test Role Group"
},{
"Name":"Roles",
"Value":"Address Lists"
},{
"Name":"Members",
"Value":"fff85c15-3ce8-48c0-af17-4088dbdc5d62"
}],
"RequestId":"1e83e21b-eb7d-1e92-c02c-09292b02ebac",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Role Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:22:00",
"Id":"557d12c8-6bd9-4ad4-3b52-08dc69963f27",
"Operation":"Set-RoleGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:3533",
"ObjectId":"Security Operator",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"56882e99-c987-4492-aded-48e8bb029d3a"
},{
"Name":"Description",
"Value":"Membership in this role group is synchronized across services and managed centrally. This role group is not manageable through Microsoft Exchange or Security and Compliance Center (SCC). Members of this role group may include cross-service administrators that have access beyond Exchange and SCC. By default, this group is not assigned any roles. However, it will be a member of the 'Records Management' and 'Compliance Management' role groups in Exchange and 'Compliance Data Administrator' role group in SCC. It will inherit the permissions of these role groups."
},{
"Name":"Name",
"Value":"Security Operator Test"
}],
"RequestId":"aadf0312-2bee-a4ec-e212-23b4c6ebf90d",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:07:35",
"Id":"e7305c7e-6db5-410e-e973-08dc69943bab",
"Operation":"Remove-RoleGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:8259",
"ObjectId":"Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"def12b29-0bac-42d0-8d75-fbfcfa3536cc"
}],
"RequestId":"3d63ba16-ade5-b4a1-eb17-b9ad63c5554f",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:06:31",
"Id":"3f044723-212c-4b70-966f-08dc6994156a",
"Operation":"New-ManagementRoleAssignment",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:8259",
"ObjectId":"test.onmicrosoft.com\\Audit Logs-Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Role",
"Value":"Audit Logs"
},{
"Name":"SecurityGroup",
"Value":"def12b29-0bac-42d0-8d75-fbfcfa3536cc"
}],
"RequestId":"f975c651-1df4-8b35-d560-2cb34a0f4c0f",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Permission Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Resource Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:06:22",
"Id":"159c17b5-7735-4d7f-d5a5-08dc69941015",
"Operation":"Remove-ManagementRoleAssignment",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:8259",
"ObjectId":"Address Lists-Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"379109cd-46a3-4a83-bfa9-6e4fbaf88531"
}],
"RequestId":"4e7af3ce-88f6-b205-007b-3abd6ecfc56d",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T04:41:30",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:47:03",
"Id":"02a67a6e-bddc-4a8b-bd8a-08dc6999bf35",
"Operation":"New-HostedContentFilterPolicy",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:10521",
"ObjectId":"test.onmicrosoft.com\\Inbound Spam",
"UserId":"example@test.onmicrosoft.com",
"AppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"MarkAsSpamEmptyMessages",
"Value":"Off"
},{
"Name":"TestModeBccToRecipients",
"Value":""
},{
"Name":"EnableLanguageBlockList",
"Value":"False"
},{
"Name":"MarkAsSpamFromAddressAuthFail",
"Value":"Off"
},{
"Name":"MarkAsSpamEmbedTagsInHtml",
"Value":"Off"
},{
"Name":"ModifySubjectValue",
"Value":""
},{
"Name":"MarkAsSpamNdrBackscatter",
"Value":"Off"
},{
"Name":"QuarantineRetentionPeriod",
"Value":"15"
},{
"Name":"AdminDisplayName",
"Value":""
},{
"Name":"MarkAsSpamWebBugsInHtml",
"Value":"Off"
},{
"Name":"TestModeAction",
"Value":"None"
},{
"Name":"SpamZapEnabled",
"Value":"True"
},{
"Name":"BlockedSenderDomains",
"Value":""
},{
"Name":"EnableRegionBlockList",
"Value":"False"
},{
"Name":"PhishQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"HighConfidencePhishAction",
"Value":"Quarantine"
},{
"Name":"MarkAsSpamFramesInHtml",
"Value":"Off"
},{
"Name":"RecommendedPolicyType",
"Value":"Custom"
},{
"Name":"HighConfidenceSpamQuarantineTag",
"Value":""
},{
"Name":"LanguageBlockList",
"Value":""
},{
"Name":"PhishZapEnabled",
"Value":"True"
},{
"Name":"HighConfidenceSpamAction",
"Value":"MoveToJmf"
},{
"Name":"SpamQuarantineTag",
"Value":""
},{
"Name":"RedirectToRecipients",
"Value":""
},{
"Name":"MarkAsSpamFormTagsInHtml",
"Value":"Off"
},{
"Name":"AllowedSenderDomains",
"Value":""
},{
"Name":"Name",
"Value":"Inbound Spam"
},{
"Name":"IncreaseScoreWithRedirectToOtherPort",
"Value":"Off"
},{
"Name":"BulkSpamAction",
"Value":"MoveToJmf"
},{
"Name":"AddXHeaderValue",
"Value":""
},{
"Name":"MarkAsSpamBulkMail",
"Value":"On"
},{
"Name":"HighConfidencePhishQuarantineTag",
"Value":"AdminOnlyAccessPolicy"
},{
"Name":"RegionBlockList",
"Value":""
},{
"Name":"BlockedSenders",
"Value":""
},{
"Name":"BulkQuarantineTag",
"Value":""
},{
"Name":"MarkAsSpamObjectTagsInHtml",
"Value":"Off"
},{
"Name":"IncreaseScoreWithBizOrInfoUrls",
"Value":"Off"
},{
"Name":"MarkAsSpamJavaScriptInHtml",
"Value":"Off"
},{
"Name":"MarkAsSpamSensitiveWordList",
"Value":"Off"
},{
"Name":"PhishSpamAction",
"Value":"Quarantine"
},{
"Name":"InlineSafetyTipsEnabled",
"Value":"True"
},{
"Name":"IncreaseScoreWithImageLinks",
"Value":"Off"
},{
"Name":"BulkThreshold",
"Value":"7"
},{
"Name":"MarkAsSpamSpfRecordHardFail",
"Value":"Off"
},{
"Name":"AllowedSenders",
"Value":""
},{
"Name":"SpamAction",
"Value":"MoveToJmf"
},{
"Name":"IncreaseScoreWithNumericIps",
"Value":"Off"
}],
"RequestId":"ff34430c-1050-0ab8-672d-4ff36901a536",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T04:41:30",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:47:36",
"Id":"c3d67096-6e45-4642-6454-08dc6999d2cd",
"Operation":"Set-HostedContentFilterPolicy",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:27251",
"ObjectId":"Inbound Spam",
"UserId":"example@test.onmicrosoft.com",
"AppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"MarkAsSpamEmptyMessages",
"Value":"Off"
},{
"Name":"EnableLanguageBlockList",
"Value":"False"
},{
"Name":"MarkAsSpamFromAddressAuthFail",
"Value":"On"
},{
"Name":"MarkAsSpamEmbedTagsInHtml",
"Value":"Off"
},{
"Name":"ModifySubjectValue",
"Value":""
},{
"Name":"IntraOrgFilterState",
"Value":"Default"
},{
"Name":"MarkAsSpamNdrBackscatter",
"Value":"On"
},{
"Name":"AdminDisplayName",
"Value":""
},{
"Name":"MarkAsSpamFormTagsInHtml",
"Value":"Off"
},{
"Name":"MarkAsSpamWebBugsInHtml",
"Value":"Off"
},{
"Name":"TestModeAction",
"Value":"None"
},{
"Name":"SpamZapEnabled",
"Value":"True"
},{
"Name":"Identity",
"Value":"Inbound Spam"
},{
"Name":"BlockedSenderDomains",
"Value":""
},{
"Name":"EnableRegionBlockList",
"Value":"False"
},{
"Name":"PhishQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"HighConfidencePhishAction",
"Value":"Quarantine"
},{
"Name":"MarkAsSpamFramesInHtml",
"Value":"Off"
},{
"Name":"HighConfidenceSpamQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"LanguageBlockList",
"Value":""
},{
"Name":"PhishZapEnabled",
"Value":"True"
},{
"Name":"DownloadLink",
"Value":"False"
},{
"Name":"HighConfidenceSpamAction",
"Value":"MoveToJmf"
},{
"Name":"SpamQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"RedirectToRecipients",
"Value":""
},{
"Name":"TestModeBccToRecipients",
"Value":""
},{
"Name":"AllowedSenderDomains",
"Value":""
},{
"Name":"IncreaseScoreWithRedirectToOtherPort",
"Value":"Off"
},{
"Name":"BulkSpamAction",
"Value":"MoveToJmf"
},{
"Name":"AddXHeaderValue",
"Value":""
},{
"Name":"QuarantineRetentionPeriod",
"Value":"15"
},{
"Name":"HighConfidencePhishQuarantineTag",
"Value":"AdminOnlyAccessPolicy"
},{
"Name":"RegionBlockList",
"Value":""
},{
"Name":"BlockedSenders",
"Value":""
},{
"Name":"BulkQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"MarkAsSpamObjectTagsInHtml",
"Value":"Off"
},{
"Name":"IncreaseScoreWithBizOrInfoUrls",
"Value":"Off"
},{
"Name":"MarkAsSpamJavaScriptInHtml",
"Value":"Off"
},{
"Name":"MarkAsSpamSensitiveWordList",
"Value":"Off"
},{
"Name":"PhishSpamAction",
"Value":"Quarantine"
},{
"Name":"InlineSafetyTipsEnabled",
"Value":"True"
},{
"Name":"IncreaseScoreWithImageLinks",
"Value":"Off"
},{
"Name":"MarkAsSpamBulkMail",
"Value":"On"
},{
"Name":"BulkThreshold",
"Value":"7"
},{
"Name":"MarkAsSpamSpfRecordHardFail",
"Value":"Off"
},{
"Name":"AllowedSenders",
"Value":""
},{
"Name":"SpamAction",
"Value":"MoveToJmf"
},{
"Name":"IncreaseScoreWithNumericIps",
"Value":"Off"
}],
"RequestId":"60356c4d-fe0b-a381-1840-3cd0eb74e865",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Configuration / Setting Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T04:41:30",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:48:06",
"Id":"646780a6-8b79-4310-9f6e-08dc6999e476",
"Operation":"Remove-HostedContentFilterPolicy",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:11212",
"ObjectId":"Inbound Spam",
"UserId":"example@test.onmicrosoft.com",
"AppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"Inbound Spam"
}],
"RequestId":"27f63301-2d1e-13f2-24e3-17b499983d95",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Integration / App Name
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"UniqueTokenId":"6e1c5a56-fb53-46ae-8b6d-24988bdcced2"
},
"CreationTime":"2024-05-01T01:11:16",
"Id":"323fd199-99bb-4bd5-5ca7-08dc697b9a0c",
"Operation":"New-App",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
"UserType":3,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:14804",
"ObjectId":"\\fe93bfe1-7947-460a-a5e0-7a5906b51360",
"UserId":"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
"AppId":"3c896ded-22c5-450f-91f6-3d1ef0848f6e",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"6e1c5a56-fb53-46ae-8b6d-24988bdcced2",
"CorrelationID":"",
"ExternalAccess":true,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"DefaultStateForUser",
"Value":"Enabled"
},{
"Name":"Enabled",
"Value":"True"
},{
"Name":"FileData",
"Value":"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjwhLS1DcmVhdGVkOmNiODViODBjLWY1OA==..."
},{
"Name":"OrganizationApp",
"Value":"True"
},{
"Name":"Organization",
"Value":"test.onmicrosoft.com"
}],
"RequestId":"28c1fbd6-98d3-4ee9-8411-d4ced8ae313a",
"SessionId":""
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Integration / App Name
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-04-29T19:52:05",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-04-30T15:48:21",
"Id":"ba11eba1-fd2a-4091-9356-08dc692cf680",
"Operation":"Enable-App",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:56377",
"ObjectId":"e06a29d3-3e3c-4f6a-8ae5-17cac1719f14\\fe93bfe1-7947-460a-a5e0-7a5906b51360",
"UserId":"example@test.onmicrosoft.com",
"AppId":"fb78d390-0c51-40cd-8e17-fdbfab77341b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4835 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"fe93bfe1-7947-460a-a5e0-7a5906b51360"
},{
"Name":"Mailbox",
"Value":"test4@test.onmicrosoft.com"
}],
"RequestId":"9e2c2638-a684-07dc-91d9-71366f88e271",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Integration / App Name
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-04-29T19:52:05",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-04-30T15:49:40",
"Id":"86328dc9-8a8d-4612-2156-08dc692d25cb",
"Operation":"Remove-App",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:56403",
"ObjectId":"f1c08887-d776-42f8-9911-06faa5ab392f\\fe93bfe1-7947-460a-a5e0-7a5906b51360",
"UserId":"example@test.onmicrosoft.com",
"AppId":"fb78d390-0c51-40cd-8e17-fdbfab77341b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4835 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"fe93bfe1-7947-460a-a5e0-7a5906b51360"
},{
"Name":"OrganizationApp",
"Value":"True"
},{
"Name":"Confirm",
"Value":"False"
}],
"RequestId":"53b9dec4-d210-788c-60cd-c365c8fd3666",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success - email
{
"CreationTime":"2024-04-30T01:50:44",
"Id":"b879cd77-f6df-4dd0-526a-08dc68b7f338",
"Operation":"Send",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"2603:1036:307:44::5",
"UserId":"test4@test.onmicrosoft.com",
"AppId":"63224634-e46c-47db-921f-42bf5bfeaf4e",
"ClientAppId":"6e1c5a56-fb53-46ae-8b6d-24988bdcced2",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=REST;Client=RESTSystem;;",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"test4@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"SJ0PR06MB7068 (15.20.4200.000)\r\n",
"Item":{
"Attachments":"LogoM365.png (3442b); welcome_email_v3_conversations.png (12282b); welcome_email_v3_calendar.png (9778b); welcome_email_v3_files.png (10267b); welcome_email_v3_sharing_laptop.png (95913b); welcome_email_v3_onenote.png (8844b); welcome_email_v3_teamwork_laptop.png (75139b); group_photo (13165b); twitter_icon.png (2248b); salesforce.png (2742b); trello.png (1610b); jira.png (2516b); microsoft.png (2896b); arrow.png (415b)",
"Id":"RgAAAADVmE95ewSjS4ZrC2ktggLuBwBJYlPF4gPyS7/L9chR1JeWAAAAAAEPAABJYlPF4gPyS7/L9chR1JeWAAANOg+9AAAJ",
"InternetMessageId":"<SJ0PR06MB7068F00A3EE360BB9B9F05A0B81A2@SJ0PR06MB7068.namprd06.prod.outlook.com>",
"ParentFolder":{
"Id":"LgAAAADVmE95ewSjS4ZrC2ktggLuAQBJYlPF4gPyS7/L9chR1JeWAAAAAAEPAAAB",
"Path":"\\Drafts"
},
"SizeInBytes":268282,
"Subject":"Test4 added you to the Test Group 1 group"
},
"SaveToSentItems":false
}Success - calendar
{
"CreationTime":"2024-05-01T19:00:24",
"Id":"64922ffb-a517-43af-a0ea-737e0b67c577",
"Operation":"Create",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"Item":{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAENAABx36FMViA4QL6OjQQj0W4QAAFb0NzKAAAP",
"InternetMessageId":"<DM6PR06MB4844B915A8B9DF344FBF868ED7192@DM6PR06MB4844.namprd06.prod.outlook.com>",
"IsRecord":false,
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
},
"SizeInBytes":6098,
"Subject":"Test Entry 2"
}
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T17:24:12",
"Id":"121899a5-ff77-49a0-b344-e368a192ca4e",
"Operation":"MailItemsAccessed",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":50,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OperationProperties":[{
"Name":"MailAccessType",
"Value":"Bind"
},{
"Name":"IsThrottled",
"Value":"False"
}],
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"Folders":[{
"FolderItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEMAABx36FMViA4QL6OjQQj0W4QAAEORT/FAAAJ",
"InternetMessageId":"<3b64c23d-1d09-42db-a14e-847e7c20cb7e@CO1NAM11BG401.eop-nam11.prod.protection.outlook.com>",
"SizeInBytes":68843
}],
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEMAAAB",
"Path":"\\Inbox"
},{
"FolderItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLaAAAJ",
"InternetMessageId":"<Share-fa260ca1-f088-5000-076e-5dff216ee852-8bf3a8c9-6c84-4d50-bfac-772d9a2c684a-be002b43-f444-4369-9a4c-1b927d261a0c-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51258
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLjAAAJ",
"InternetMessageId":"<Share-40590ca1-0059-5000-002e-6582ba280cc1-cdb8a2df-27bf-4477-9e14-07ac42fe59f4-725c7be5-0afe-4c1a-ac8f-9499ed7c2659-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51854
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLiAAAJ",
"InternetMessageId":"<Share-05590ca1-e07b-5000-002e-61d3e2d54929-2a0ed38c-71da-4fda-ab73-be8cace5b65f-b84488ee-32fd-414c-b689-c4a088f18cfd-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51844
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLhAAAJ",
"InternetMessageId":"<Share-e3580ca1-10de-5000-002e-6500144c00a7-ad2892e9-321d-4107-a265-2578c4352ac6-d84bd92b-3723-4544-be37-75741e4f12cd-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51854
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLfAAAJ",
"InternetMessageId":"<Share-2a4b0ca1-8090-5000-002e-608620e7e3bb-98b79516-151c-4a43-b394-f522f34cb537-0cfb15fa-b2c7-4226-b20d-4b9b15007844-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51821
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLcAAAJ",
"InternetMessageId":"<Share-4e270ca1-2084-4000-d966-c5768aef30b1-c04a7cd6-2ec7-498e-b0f9-0fc821693b88-4595fc54-514c-4550-9684-245a97d76ceb-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":50892
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAB+0FwBAAAJ",
"InternetMessageId":"<odspmicro-Share-0e00b8a0-80a1-3000-a0d4-731f58e6eed1-2c744e41-f54d-47ec-a9db-4f77b3a242ae-346559c5-37cc-4251-850d-c5b77406336d-DispatchToRecipients-PreprocessPayload-r0-SendEmail@142E6560D08B>",
"SizeInBytes":53663
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAE4b96cAAAJ",
"InternetMessageId":"<Share-d0bd12a1-102a-5000-076e-5593148f9444-2078f187-0c3b-402b-b06a-fed510c0d20c-4cb255bc-096a-438e-b43f-638f8f632824-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":47826
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAE4b96bAAAJ",
"InternetMessageId":"<Share-c6bd12a1-204a-5000-0ea1-59536b5f1b95-fe36bb80-8416-4235-8628-2497d71e9df3-3057687e-93de-47cb-b2c6-82e17a79c9a5-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":47825
}],
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEJAAAB",
"Path":"\\Sent Items"
}],
"OperationCount":10
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Success
{
"CreationTime":"2024-05-01T19:00:32",
"Id":"0b41bd99-5ab2-4d17-359c-08dc6a10f9ac",
"Operation":"Update",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"Item":{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAENAABx36FMViA4QL6OjQQj0W4QAAFb0NzJAAAP",
"InternetMessageId":"<DM6PR06MB4844135DDF8FB5589A0935CAD7192@DM6PR06MB4844.namprd06.prod.outlook.com>",
"IsRecord":false,
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
},
"SizeInBytes":6758,
"Subject":"Test Calender Entry 24"
},
"ModifiedProperties":["MapiEndTime","MapiPREndDate","MapiStartTime","MapiPRStartDate","MapiSubject","NormalizedSubjectInternal"]
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success - email
{
"CreationTime":"2024-05-01T17:24:22",
"Id":"400c8963-12c3-417e-3e2c-08dc6a038ac8",
"Operation":"MoveToDeletedItems",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":3,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"AffectedItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEMAABx36FMViA4QL6OjQQj0W4QAAFas18+AAAJ",
"InternetMessageId":"<SJ0PR06MB7068F4D6BE10AC2D8368FC41B81A2@SJ0PR06MB7068.namprd06.prod.outlook.com>",
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEMAAAB",
"Path":"\\Inbox"
},
"Subject":"Test Message"
}],
"CrossMailboxOperation":false,
"DestFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEKAAAB",
"Path":"\\Deleted Items"
},
"Folder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEMAAAB",
"Path":"\\Inbox"
}
}Success - calendar
{
"CreationTime":"2024-05-01T19:21:16",
"Id":"e1fb94cb-2adc-4b4c-98bd-08dc6a13df45",
"Operation":"MoveToDeletedItems",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":3,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"AffectedItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAENAABx36FMViA4QL6OjQQj0W4QAAFb0NzJAAAA",
"InternetMessageId":"<DM6PR06MB4844135DDF8FB5589A0935CAD7192@DM6PR06MB4844.namprd06.prod.outlook.com>",
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
},
"Subject":"Test Calender Entry 24"
}],
"CrossMailboxOperation":false,
"DestFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEKAAAB",
"Path":"\\Deleted Items"
},
"Folder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
}
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Exchange Audit Logs
Includes logs for Exchange administration and mailbox activities.
References
Retention Details
Storage Duration: 180 days
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Latency Details
Duration: Typically 60 to 90 minutes after an event occurs.
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Result
-
Username
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-03T15:29:06",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-03T15:34:16",
"Id":"64ecdac9-543e-4046-99be-087dd56c2150",
"Operation":"TeamCreated",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":2,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"TeamGuid":"19:ni2H9QQogRGdOxflsO1Y_JGNwcM_g2bmD6ng483GF_41@thread.tacv2",
"TeamName":"New Team 1"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-02T21:11:45",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-03T15:50:19",
"Id":"2c658d54-4fc9-477f-b98c-48500df799b4",
"Operation":"TeamSettingChanged",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"Name":"Team name",
"TeamGuid":"19:908b4ca6d6d84b989347b8427e5048ce@thread.tacv2",
"NewValue":"Test Updated Team Name",
"OldValue":"Digital Initiative Public Relations",
"TeamName":"Test Updated Team Name"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-02T21:26:11",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-03T15:33:02",
"Id":"6718936a-de28-4f7d-9b40-29256adfca43",
"Operation":"TeamDeleted",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"62b732f7-fc71-40bc-b27d-35efcb0509de",
"UserType":5,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"Microsoft Teams Sync",
"TeamGuid":"19:xd7VhKaazsuwrJCpopRmHA1KCyC00Iftn7mqR-fV_ik1@thread.tacv2",
"TeamName":"Test Group 200"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T05:10:10",
"Id":"d84f2254-5d4b-5274-91ad-6729e781821f",
"Operation":"MemberAdded",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"AADGroupId":"a86f3642-1b11-468d-aaa3-8398902bd512",
"CommunicationType":"Team",
"ExtraProperties":[],
"Members":[{
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"DisplayName":"Alex Wilber",
"Role":1,
"UPN":"AlexW@test.onmicrosoft.com"
}],
"ParticipantInfo":{
"HasForeignTenantUsers":false,
"HasGuestUsers":false,
"HasUnauthenticatedUsers":false,
"ParticipatingDomains":[],
"ParticipatingSIPDomains":[]
},
"ResourceTenantId":"8326222c-5c86-45a1-b768-561ad270c694",
"TeamGuid":"19:xd7VhKaazsuwrJCpopRmHA1KCyC00Iftn7mqR-fV_ik1@thread.tacv2",
"ItemName":"Test Group 100",
"TeamName":"Test Group 100"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-03T15:49:22",
"Id":"a7c73bdd-0302-533a-bff4-97d64dc681a9",
"Operation":"MemberRemoved",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"AADGroupId":"21492354-b302-4664-ae50-bf7e27cabc0e",
"CommunicationType":"Team",
"ExtraProperties":[],
"Members":[{
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"DisplayName":"Pradeep Gupta",
"Role":1,
"UPN":"PradeepG@test.onmicrosoft.com"
}],
"ParticipantInfo":{
"HasForeignTenantUsers":false,
"HasGuestUsers":false,
"HasUnauthenticatedUsers":false,
"ParticipatingDomains":[],
"ParticipatingSIPDomains":[]
},
"ResourceTenantId":"8326222c-5c86-45a1-b768-561ad270c694",
"TeamGuid":"19:fdeeeb50e13d4630ac6be879c2318b53@thread.tacv2",
"ItemName":"U.S. Sales Updated v2",
"TeamName":"U.S. Sales Updated v2"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-02T21:11:45",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T21:21:45",
"Id":"46429b68-d31f-4329-9601-e1d77131f2b2",
"Operation":"AppInstalled",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"AddOnGuid":"31c1aadf-4a2e-4465-b1a4-6d4d7d9a284c",
"AddOnType":4,
"AppDistributionMode":"Store",
"OperationScope":3,
"TargetUserId":"f1c08887-d776-42f8-9911-06faa5ab392f",
"AddOnName":"Stipop Stickers"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-02T20:09:24",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:14:26",
"Id":"1d8ce214-a40b-4d03-b5f1-bc3872fc01f0",
"Operation":"AppDeleted",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"62b732f7-fc71-40bc-b27d-35efcb0509de",
"UserType":5,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"Microsoft Teams Sync",
"AddOnGuid":"19:212d1b70fc294d6e8a7b75964b40f23a@thread.tacv2",
"AddOnType":4,
"OperationScope":1,
"TeamGuid":"19:212d1b70fc294d6e8a7b75964b40f23a@thread.tacv2",
"TeamName":"19:212d1b70fc294d6e8a7b75964b40f23a@thread.tacv2"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
Success
{
"CreationTime":"2024-05-02T21:17:51",
"Id":"f36fd190-d3c2-47df-a62b-8d31eb7876c5",
"Operation":"ShiftAdded",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":73,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"AADGroupId":"a86f3642-1b11-468d-aaa3-8398902bd512",
"ExtraProperties":[{
"Key":"ShiftType",
"Value":"Shift"
},{
"Key":"ScheduleGroupId",
"Value":"TAG_3ef10228-af6c-4337-95de-1d4fb1dc84f9"
},{
"Key":"CorrelationId",
"Value":"2184a3795e56eb81ea8dcdb7f8e8bfc2"
}],
"TeamGuid":"19:xd7VhKaazsuwrJCpopRmHA1KCyC00Iftn7mqR-fV_ik1@thread.tacv2",
"TeamName":"Test Group 200",
"ScheduleId":"TEAM_64f16f25-30d0-42aa-af6d-18329a22cc02",
"Shift":{
"EndTime":"2024-04-29T00:00:00",
"Id":"SHFT_ed971e06-1a4b-4dc5-88a9-9f2f8839aa55",
"StartTime":"2024-04-29T00:00:00",
"AssignedTo":"f1c08887-d776-42f8-9911-06faa5ab392f"
}
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-02T21:11:45",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw-AA"
},
"CreationTime":"2024-05-02T21:17:24",
"Id":"2c506054-42a2-5e31-95b7-4c8c9219dff0",
"Operation":"MessageDeleted",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"ChatThreadId":"19:98616b7d-2f2a-44c2-926f-92010d8bc27d_f1c08887-d776-42f8-9911-06faa5ab392f@unq.gbl.spaces",
"CommunicationType":"OneOnOne",
"ExtraProperties":[{
"Key":"TimeZone",
"Value":"America/New_York"
},{
"Key":"OsName",
"Value":"mac"
},{
"Key":"OsVersion",
"Value":"10.15.7"
},{
"Key":"Country",
"Value":"us"
},{
"Key":"ClientName",
"Value":"skypeteams"
},{
"Key":"ClientVersion",
"Value":"1415/24033101817"
},{
"Key":"ClientUtcOffsetSeconds",
"Value":"-14400"
}],
"MessageDeleteType":"User Delete",
"MessageId":"1710796909408",
"MessageVersion":"1714684644850",
"ParticipantInfo":{
"HasForeignTenantUsers":false,
"HasGuestUsers":false,
"HasOtherGuestUsers":false,
"HasUnauthenticatedUsers":false,
"ParticipatingDomains":[],
"ParticipatingSIPDomains":[],
"ParticipatingTenantIds":["8326222c-5c86-45a1-b768-561ad270c694"]
},
"ResourceTenantId":"8326222c-5c86-45a1-b768-561ad270c694",
"ItemName":"19:98616b7d-2f2a-44c2-926f-92010d8bc27d_f1c08887-d776-42f8-9911-06faa5ab392f@unq.gbl.spaces"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
General Audit Logs
Includes workloads not included in other audit log types.
References
Retention Details
Storage Duration: 180 days
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Latency Details
Duration: Typically 60 to 90 minutes after an event occurs.
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppName":"Unknown",
"CorrelationId":"dcd124a1-d0b1-5000-62e6-155874ea96f9",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:13:40",
"Id":"a35c38f6-ed9d-4ddc-bbfd-08dc6ae45bd7",
"Operation":"SignInEvent",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":4,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AuthenticationType":"None",
"BrowserName":"Firefox",
"BrowserVersion":"120.0",
"CorrelationId":"dcd124a1-d0b1-5000-62e6-155874ea96f9",
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"Invalid",
"Platform":"WinDesktop",
"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"DeviceDisplayName":"2a01:111:2054:217:7752:bc0c:d4bb:ce49",
"ApplicationDisplayName":"Unknown"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppName":"Unknown",
"CorrelationId":"1fd324a1-d00d-5000-62e6-11eac27b54b8",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:35:41",
"Id":"a18dd05a-4a13-4800-d1f6-08dc6ae76eef",
"Operation":"AddedToGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":14,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AuthenticationType":"FormsCookieAuth",
"BrowserName":"Firefox",
"BrowserVersion":"120.0",
"CorrelationId":"1fd324a1-d00d-5000-62e6-11eac27b54b8",
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"Web",
"Platform":"WinDesktop",
"Site":"01a07a23-147e-4bba-9d38-f125def9657c",
"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"WebId":"e8abba12-89ec-44f9-bba6-20b240025424",
"DeviceDisplayName":"2a01:111:2054:215:7d96:7954:6e9e:f862",
"EventData":"<Group>Communication site Members</Group><GroupId>5</GroupId>",
"TargetUserOrGroupType":"Member",
"TargetUserOrGroupName":"example@test.onmicrosoft.com",
"SiteUrl":"https://test.sharepoint.com",
"ApplicationDisplayName":"Unknown",
"ObjectId":"https://test.sharepoint.com"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppName":"Unknown",
"CorrelationId":"20d324a1-4078-5000-827b-7266b80c290d",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:35:46",
"Id":"5eda0f9d-927f-4343-5669-08dc6ae77256",
"Operation":"RemovedFromGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":14,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AuthenticationType":"FormsCookieAuth",
"BrowserName":"Firefox",
"BrowserVersion":"120.0",
"CorrelationId":"20d324a1-4078-5000-827b-7266b80c290d",
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"Web",
"Platform":"WinDesktop",
"Site":"01a07a23-147e-4bba-9d38-f125def9657c",
"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"WebId":"e8abba12-89ec-44f9-bba6-20b240025424",
"DeviceDisplayName":"2a01:111:2054:215:7d96:7954:6e9e:f862",
"EventData":"<Group>Communication site Members</Group>",
"TargetUserOrGroupType":"Member",
"TargetUserOrGroupName":"example@test.onmicrosoft.com",
"SiteUrl":"https://test.sharepoint.com",
"ApplicationDisplayName":"Unknown",
"ObjectId":"https://test.sharepoint.com"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppName":"Unknown",
"CorrelationId":"47d324a1-106f-5000-62e6-151e1aa4a24f",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:38:27",
"Id":"8b9a2076-6a67-4c8f-771f-08dc6ae7d259",
"Operation":"SiteCollectionAdminAdded",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":14,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AuthenticationType":"FormsCookieAuth",
"BrowserName":"Firefox",
"BrowserVersion":"120.0",
"CorrelationId":"47d324a1-106f-5000-62e6-151e1aa4a24f",
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"Web",
"Platform":"WinDesktop",
"Site":"a849538d-406b-4e55-9c0e-20aad5fdce7d",
"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"WebId":"42eec027-1f90-4ad9-9c53-ca64dbce0ccb",
"DeviceDisplayName":"198.51.100.1",
"TargetUserOrGroupType":"SecurityGroup",
"TargetUserOrGroupName":"Global Administrator",
"SiteUrl":"https://test.sharepoint.com/sites/appcatalog",
"ApplicationDisplayName":"Unknown",
"ObjectId":"https://test.sharepoint.com/sites/appcatalog"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppName":"Unknown",
"CorrelationId":"47d324a1-106f-5000-62e6-151e1aa4a24f",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:38:27",
"Id":"f8c5fd57-94c1-423b-64b2-08dc6ae7d265",
"Operation":"SiteCollectionAdminRemoved",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":14,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AuthenticationType":"FormsCookieAuth",
"BrowserName":"Firefox",
"BrowserVersion":"120.0",
"CorrelationId":"47d324a1-106f-5000-62e6-151e1aa4a24f",
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"Web",
"Platform":"WinDesktop",
"Site":"a849538d-406b-4e55-9c0e-20aad5fdce7d",
"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"WebId":"42eec027-1f90-4ad9-9c53-ca64dbce0ccb",
"DeviceDisplayName":"198.51.100.1",
"ModifiedProperties":[{
"Name":"SiteAdmin",
"NewValue":"",
"OldValue":""
}],
"TargetUserOrGroupType":"Member",
"TargetUserOrGroupName":"SHAREPOINT\\system",
"SiteUrl":"https://test.sharepoint.com/sites/appcatalog",
"ApplicationDisplayName":"Unknown",
"ObjectId":"https://test.sharepoint.com/sites/appcatalog"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"AppAccessContext":{
"ClientAppName":"TenantWorkflowEngine",
"CorrelationId":"045124a1-3080-5000-62e6-18339d196c67"
},
"CreationTime":"2024-05-01T06:41:58",
"Id":"bebaecd3-a9c7-4cd9-211d-08dc69a9ccab",
"Operation":"SiteIBModeChanged",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":4,
"UserKey":"S-1-0-0",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"",
"UserId":"SHAREPOINT\\system",
"CorrelationId":"045124a1-3080-5000-62e6-18339d196c67",
"EventSource":"SharePoint",
"ItemType":"Site",
"Site":"9c91ddba-ad04-4f5d-b659-6bfe37275e66",
"UserAgent":"",
"ModifiedProperties":[{
"Name":"SiteIBMode",
"NewValue":"Open",
"OldValue":"Implicit"
}],
"ApplicationDisplayName":"TenantWorkflowEngine",
"ObjectId":"https://test.sharepoint.com/sites/group1"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppName":"Unknown",
"CorrelationId":"47d324a1-106f-5000-62e6-151e1aa4a24f",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:38:33",
"Id":"786cf23e-013b-4fab-105e-08dc6ae7d5e1",
"Operation":"SiteCollectionCreated",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":4,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AuthenticationType":"FormsCookieAuth",
"BrowserName":"Firefox",
"BrowserVersion":"120.0",
"CorrelationId":"47d324a1-106f-5000-62e6-151e1aa4a24f",
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"Site",
"Platform":"WinDesktop",
"Site":"a849538d-406b-4e55-9c0e-20aad5fdce7d",
"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"DeviceDisplayName":"198.51.100.1",
"EventData":"<SiteCreationSource>API</SiteCreationSource>",
"ApplicationDisplayName":"Unknown",
"ObjectId":"https://test.sharepoint.com/sites/appcatalog"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppId":"6e1c5a56-fb53-46ae-8b6d-24988bdcced2",
"ClientAppName":"Microsoft Teams Web Client",
"CorrelationId":"09d824a1-e0eb-5000-62e6-14d5e6194687",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T22:01:37",
"Id":"4af4f3a2-6584-48b4-e96d-08dc6af37076",
"Operation":"PageViewed",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":4,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"OneDrive",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"ApplicationId":"5e3ce6c0-2b1f-4285-8d4b-75ee78787346",
"AuthenticationType":"OAuth",
"BrowserName":"Chrome",
"BrowserVersion":"124.0.0.0",
"CorrelationId":"09d824a1-e0eb-5000-62e6-14d5e6194687",
"CustomUniqueId":true,
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"Page",
"ListItemUniqueId":"59a8433d-9bb8-cfef-643c-93f736346360",
"Platform":"MacOSX",
"Site":"2bac95bd-b43c-4cd9-ba36-53f030ac6a3e",
"UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
"WebId":"e56ef9c7-8c2b-4d54-9534-a1322ae10ac3",
"DeviceDisplayName":"198.51.100.1",
"ApplicationDisplayName":"Microsoft Teams Web Client",
"ObjectId":"https://test-my.sharepoint.com/personal/example_test_onmicrosoft_com/_layouts/15/filebrowser.aspx"
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
Success
{
"AppAccessContext":{
"ClientAppName":"Unknown",
"CorrelationId":"dfd124a1-a0fc-5000-62e6-18fd82d49a74"
},
"CreationTime":"2024-05-02T20:13:54",
"Id":"c3176f6b-847e-4615-3da2-08dc6ae46456",
"Operation":"SiteDeleted",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":6,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":2,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"John Doe",
"CorrelationId":"dfd124a1-a0fc-5000-62e6-18fd82d49a74",
"EventSource":"SharePoint",
"ItemType":"Web",
"ListItemUniqueId":"00000000-0000-0000-0000-000000000000",
"Site":"e4290a7d-331c-432a-bcd3-d2be5a10dbc0",
"UserAgent":"",
"WebId":"3098f69f-5903-4472-a2cb-88fb1ee8ea1f",
"HighPriorityMediaProcessing":false,
"ListBaseType":0,
"ListServerTemplate":0,
"SourceFileExtension":"",
"DestinationFileExtension":"",
"SiteUrl":"https://test.sharepoint.com/sites/Mark8ProjectTeam856/",
"SourceRelativeUrl":"..",
"SourceFileName":"Mark8ProjectTeam856",
"DestinationRelativeUrl":"../../https://test.sharepoint.com/sites",
"DestinationFileName":"Mark8ProjectTeam856",
"ApplicationDisplayName":"Unknown",
"ObjectId":"https://test.sharepoint.com/sites/Mark8ProjectTeam856"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Resource Type
-
Resource Metadata
Success
{
"AppAccessContext":{
"AADSessionId":"c21adbd5-e8d4-44fe-a2a2-43e3251b04b5",
"ClientAppName":"Unknown",
"CorrelationId":"81d124a1-3094-5000-62e6-1202998ae76d",
"TokenIssuedAtTime":"2024-05-02T20:02:26",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-02T20:07:27",
"Id":"24052721-2860-4804-fe81-08dc6ae37d61",
"Operation":"FileDownloaded",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":6,
"UserKey":"i:0h.f|membership|100320015ED2DA21@live.com",
"UserType":0,
"Version":1,
"Workload":"SharePoint",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AuthenticationType":"FormsCookieAuth",
"BrowserName":"Firefox",
"BrowserVersion":"120.0",
"CorrelationId":"81d124a1-3094-5000-62e6-1202998ae76d",
"EventSource":"SharePoint",
"IsManagedDevice":false,
"ItemType":"File",
"ListId":"4e052150-0ee4-491f-b49a-64c46155b7bd",
"ListItemUniqueId":"6d5f5d0d-ac15-4323-8897-af9a4f2efba9",
"Platform":"WinDesktop",
"Site":"937d3dbd-bda1-45ba-8e85-b0bc4939425f",
"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"WebId":"3098f69f-5903-4472-a2cb-88fb1ee8ea1f",
"DeviceDisplayName":"2a01:111:2054:217:7752:bc0c:d4bb:ce49",
"FileSizeBytes":18632,
"HighPriorityMediaProcessing":false,
"ListBaseType":1,
"ListServerTemplate":101,
"SourceFileExtension":"docx",
"SiteUrl":"https://test.sharepoint.com/sites/VerySecretInformation/",
"SourceRelativeUrl":"Shared Documents",
"SourceFileName":"Open File 6.docx",
"ApplicationDisplayName":"Unknown",
"ObjectId":"https://test.sharepoint.com/sites/VerySecretInformation/Shared Documents/Open File 6.docx"
}Sharepoint Audit Logs
Includes logs for Sharepoint and OneDrive.
References
Retention Details
Storage Duration: 180 days
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Latency Details
Duration: Typically 60 to 90 minutes after an event occurs.
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Product Details
Microsoft 365 (M365) is a cloud-based productivity platform which provides access to the full suite of office applications including Outlook, SharePoint, OneDrive, Word, Excel, PowerPoint, etc. Identity and access management is controlled through Microsoft Entra ID (formerly Azure Active Directory), which is also available as an audit log dataset. M365 provides all audit logs through the Microsoft Purview service via audit log subscriptions. Logging levels and retention are controlled by the license of an organization, as well as the license assigned to each individual user.
Management API
The Office 365 Management Activity API is a REST web service that provides access to audit logging via subscriptions.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Unsupported
-
Result
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"deviceFingerprint": "11111111111111111111111111111111",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"oktaUserAgentExtended": "okta-auth-js/7.0.1 okta-signin-widget-7.9.1",
"origin": "https://example.okta.com",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/authn",
"threatSuspected": "false",
"url": "/api/v1/authn?"
}
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-06T19:06:27.080Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target": null,
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Failure
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "unknown",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"deviceFingerprint": "11111111111111111111111111111111",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"logOnlySecurityData": "{\"risk\":{\"reasons\":\"Anomalous Device\",\"level\":\"MEDIUM\"},\"behaviors\":{\"New Geo-Location\":\"NEGATIVE\",\"New Device\":\"POSITIVE\",\"New IP\":\"NEGATIVE\",\"New State\":\"NEGATIVE\",\"New Country\":\"NEGATIVE\",\"New City\":\"NEGATIVE\"}}",
"oktaUserAgentExtended": "okta-auth-js/7.0.1 okta-signin-widget-7.9.1",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/authn",
"threatSuspected": "false",
"url": "/api/v1/authn?"
}
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"outcome":
{
"reason": "INVALID_CREDENTIALS",
"result": "FAILURE"
},
"published": "2023-09-13T16:27:10.220Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "WARN",
"target": null,
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"authnRequestId": "ABCD111111111111111111111000",
"deviceFingerprint": "11111111111111111111111111111111",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"oktaUserAgentExtended": "okta-auth-js/7.0.1 okta-signin-widget-7.9.1",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/authn",
"threatSuspected": "false",
"url": "/api/v1/authn?"
}
},
"displayMessage": "User logout from Okta",
"eventType": "user.session.end",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T16:24:24.572Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target": null,
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
Unsupported
-
User Type / Role
-
Activity Performed
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": "FACTOR_PROVIDER",
"authenticationStep": 0,
"credentialProvider": "GOOGLE",
"credentialType": "OTP",
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"authnRequestId": "ABCDEF_1111111111111",
"deviceFingerprint": "11111111111111111111111111111111",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"factor": "SOFT_TOKEN",
"promptingPolicyTypes": "[OKTA_SIGN_ON]",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/authn/factors/00ua1aaaa1abc0A0B987/verify",
"threatSuspected": "false",
"url": "/api/v1/authn/factors/00ua1aaaa1abc0A0B987/verify?rememberDevice=false"
}
},
"displayMessage": "Authentication of user via MFA",
"eventType": "user.authentication.auth_via_mfa",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T19:20:47.234Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Flagged
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/internal/users/me/report-suspicious-activity",
"suspiciousActivityBrowser": "CHROME",
"suspiciousActivityEventCity": "San Francisco",
"suspiciousActivityEventCountry": "United States",
"suspiciousActivityEventId": "11111111-0000-2222-0000-aaaaaaaaaaaa",
"suspiciousActivityEventIp": "198.51.100.2",
"suspiciousActivityEventLatitude": "37.8199",
"suspiciousActivityEventLongitude": "122.4783",
"suspiciousActivityEventState": "California",
"suspiciousActivityEventTransactionId": "1111111111111111111111111111",
"suspiciousActivityEventType": "system.email.new_device_notification.sent_message",
"suspiciousActivityOs": "Mac OS X",
"suspiciousActivityTimestamp": "2023-09-14T19:06:50.770Z",
"url": "/api/internal/users/me/report-suspicious-activity?i=xxxxxxxx"
}
},
"displayMessage": "User report suspicious activity",
"eventType": "user.account.report_suspicious_activity_by_enduser",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T19:07:28.185Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "WARN",
"target":
[
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/users",
"url": "/api/v1/users?activate=true"
}
},
"displayMessage": "Create okta user",
"eventType": "user.lifecycle.create",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:18:47.825Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B111",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"changedAttributes": "login,email",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/users/00ua1aaaa1abc0A0B456",
"url": "/api/v1/users/00ua1aaaa1abc0A0B456?"
}
},
"displayMessage": "Update user profile for Okta",
"eventType": "user.account.update_profile",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:20:05.557Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B456",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/users/00ua1aaaa1abc0A0B987",
"url": "/api/v1/users/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Delete Okta user initiated",
"eventType": "user.lifecycle.delete.initiated",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:21:30.151Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B987",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/groups",
"url": "/api/v1/groups?"
}
},
"displayMessage": "Create okta group",
"eventType": "group.lifecycle.create",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T18:58:09.243Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "custom_developers_group",
"id": "00ua1aaaa1abc0A0B789",
"type": "UserGroup"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"groupAppAssignmentId": "xxxxxxxxxxxxxxxxxxxxx",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/apps/00ua1aaaa1abc0A0B456/groups/00ua1aaaa1abc0A0B987",
"url": "/api/v1/apps/00ua1aaaa1abc0A0B456/groups/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Add assigned application to group",
"eventType": "group.application_assignment.add",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:22:38.036Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "salesforce_developers",
"id": "00ua1aaaa1abc0A0B987",
"type": "UserGroup"
},
{
"alternateId": "Salesforce",
"detailEntry": null,
"displayName": "Salesforce.com",
"id": "00ua1aaaa1abc0A0B456",
"type": "AppInstance"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/groups/00ua1aaaa1abc0A0B987",
"url": "/api/v1/groups/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Delete okta group",
"eventType": "group.lifecycle.delete",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:23:26.473Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "custom_okta_group",
"id": "00ua1aaaa1abc0A0B987",
"type": "UserGroup"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/groups/00ua1aaaa1abc0A0B456/users/00ua1aaaa1abc0A0B987",
"url": "/api/v1/groups/00ua1aaaa1abc0A0B456/users/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Add user to group membership",
"eventType": "group.user_membership.add",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:26:40.529Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B987",
"type": "User"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "custom_okta_group",
"id": "00ua1aaaa1abc0A0B456",
"type": "UserGroup"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/groups/00ua1aaaa1abc0A0B345/users/00ua1aaaa1abc0A0B987",
"url": "/api/v1/groups/00ua1aaaa1abc0A0B345/users/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Remove user from group membership",
"eventType": "group.user_membership.remove",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:27:00.112Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B987",
"type": "User"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "custom_okta_group",
"id": "00ua1aaaa1abc0A0B345",
"type": "UserGroup"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/iam/roles",
"url": "/api/v1/iam/roles?"
}
},
"displayMessage": "Role created",
"eventType": "iam.role.create",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:32:05.713Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "Custom Okta Role",
"id": "00ua1aaaa1abc0A0B345",
"type": "Role"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "okta.users.manage",
"id": "okta.users.manage",
"type": "Permission"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "okta.customizations.manage",
"id": "okta.customizations.manage",
"type": "Permission"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "okta.profilesources.import.run",
"id": "okta.profilesources.import.run",
"type": "Permission"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "okta.authzServers.manage",
"id": "okta.authzServers.manage",
"type": "Permission"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/iam/roles/00ua1aaaa1abc0A0B456/permissions/okta.users.manage",
"url": "/api/v1/iam/roles/00ua1aaaa1abc0A0B456/permissions/okta.users.manage?"
}
},
"displayMessage": "Permissions deleted from Role",
"eventType": "iam.role.permissions.delete",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:32:28.571Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "Custom Okta Role",
"id": "00ua1aaaa1abc0A0B456",
"type": "Role"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "okta.users.manage",
"id": "okta.users.manage",
"type": "Permission"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/iam/roles/00ua1aaaa1abc0A0B345",
"url": "/api/v1/iam/roles/00ua1aaaa1abc0A0B345?"
}
},
"displayMessage": "Role deleted",
"eventType": "iam.role.delete",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:32:33.316Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "Custom Okta Admin Role",
"id": "00ua1aaaa1abc0A0B345",
"type": "Role"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"privilegeGranted": "Super administrator",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/groups/cccccccccccccccccccc/users/00ua1aaaa1abc0A0B987",
"url": "/api/v1/groups/cccccccccccccccccccc/users/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Grant user privilege",
"eventType": "user.account.privilege.grant",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:26:40.657Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B987",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"privilegeRevoked": "Super administrator, Organization administrator, Application administrator (all), Application administrator, Read only admin, User administrator (all), User administrator, Help Desk administrator (all), Help Desk administrator, Mobile administrator, API Access Management administrator, Report administrator, Group Membership administrator",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/groups/00ua1aaaa1abc0A0B345/users/00ua1aaaa1abc0A0B987",
"url": "/api/v1/groups/00ua1aaaa1abc0A0B345/users/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Revoke user privilege",
"eventType": "user.account.privilege.revoke",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:27:00.236Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B987",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"authnRequestId": "bbbbbbbbbbbbbbbbbbbbbbbbbbb",
"deviceFingerprint": "11111111111111111111111111111111",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/authn/factors/2222222222222222222/lifecycle/activate",
"threatSuspected": "false",
"url": "/api/v1/authn/factors/2222222222222222222/lifecycle/activate?"
}
},
"displayMessage": "Activate factor for user",
"eventType": "user.mfa.factor.activate",
"outcome":
{
"reason": "User set up SOFT_TOKEN factor",
"result": "SUCCESS"
},
"published": "2023-09-14T19:09:25.749Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/users/00ua1aaaa1abc0A0B987/lifecycle/reset_factors",
"url": "/api/v1/users/00ua1aaaa1abc0A0B987/lifecycle/reset_factors?"
}
},
"displayMessage": "Reset factor for user",
"eventType": "user.mfa.factor.deactivate",
"outcome":
{
"reason": "User reset OKTA_SOFT_TOKEN factor",
"result": "SUCCESS"
},
"published": "2023-09-14T15:49:03.007Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "john@example.com",
"detailEntry": null,
"displayName": "John Doe",
"id": "00ua1aaaa1abc0A0B987",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
Unsupported
-
User Type / Role
-
Configuration / Setting Value
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"protocol": "OIDC",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/idps",
"url": "/api/v1/idps?"
}
},
"displayMessage": "Create an Identity Provider",
"eventType": "system.idp.lifecycle.create",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:33:22.575Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "oin_salesforce_idp",
"detailEntry": null,
"displayName": "Salesforce IDP",
"id": "00ua1aaaa1abc0A0B987",
"type": "IdentityProvider"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User Type / Role
-
Previous Configuration / Setting Value
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/zones/nzua1aaaa1abc0A0B987",
"url": "/api/v1/zones/nzua1aaaa1abc0A0B987?",
"zoneData":
{
"gateways":
[
{
"type": "CIDR",
"value": "10.0.0.1/32"
},
{
"type": "CIDR",
"value": "172.31.0.1/32"
},
{
"type": "CIDR",
"value": "192.168.1.0/24"
}
],
"proxies":
[],
"type": "IP"
}
}
},
"displayMessage": "Network zone update",
"eventType": "zone.update",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-12T01:40:39.219Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "Custon Okta Network Zone",
"id": "nzua1aaaa1abc0A0B987",
"type": "NetworkZoneEntity"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
Unsupported
-
User Type / Role
-
Configuration / Setting Value
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/behaviors/00ua1aaaa1abc0A0B987",
"url": "/api/v1/behaviors/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "A behavior setting was deleted",
"eventType": "security.behavior.settings.delete",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:34:41.030Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry":
{
"behaviorType": "ANOMALOUS_LOCATION"
},
"displayName": "Adding Location Behavior",
"id": "00ua1aaaa1abc0A0B987",
"type": "BehaviorSettings"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"appVersion": "00000000-1111-2222-3333-444444444444",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/internal/orgadmin/apps/saml",
"url": "/api/internal/orgadmin/apps/saml?"
}
},
"displayMessage": "Create application",
"eventType": "application.lifecycle.create",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:37:50.674Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "Salesforce",
"detailEntry": null,
"displayName": "Salesforce",
"id": "00ua1aaaa1abc0A0B987",
"type": "AppInstance"
},
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"customMessage": "Sign on method changed, Sign on method changed",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"newSignonModeType": "SAML_2_0",
"oldSignonModeType": "BROWSER_PLUGIN",
"requestUri": "/admin/app/salesforce/instance/00ua1aaaa1abc0A0B345/settings/sso",
"url": "/admin/app/salesforce/instance/00ua1aaaa1abc0A0B345/settings/sso?"
}
},
"displayMessage": "Update application",
"eventType": "application.lifecycle.update",
"outcome":
{
"reason": "Sign on method changed, Sign on method changed",
"result": "SUCCESS"
},
"published": "2023-09-14T20:39:48.184Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "Salesforce",
"detailEntry": null,
"displayName": "Salesforce",
"id": "00ua1aaaa1abc0A0B345",
"type": "AppInstance"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/admin/app/dev-salesforce_1/delete/00ua1aaaa1abc0A0B987",
"url": "/admin/app/dev-salesforce_1/delete/00ua1aaaa1abc0A0B987?"
}
},
"displayMessage": "Delete application",
"eventType": "application.lifecycle.delete",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T20:38:09.948Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "Salesforce",
"detailEntry": null,
"displayName": "Salesforce",
"id": "00ua1aaaa1abc0A0B987",
"type": "AppInstance"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROMIUM_EDGE",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"concurrencyPercentage": "50",
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"rateLimitPercentage": "50",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/internal/tokens",
"url": "/api/internal/tokens?expand=user"
}
},
"displayMessage": "Create API token",
"eventType": "system.api_token.create",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T15:00:54.589Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "external_api_token",
"id": "00ua1aaaa1abc0A0B456",
"type": "Token"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/api/v1/groups/rules/00ua1aaaa1abc0A0B567",
"url": "/api/v1/groups/rules/00ua1aaaa1abc0A0B567?"
}
},
"displayMessage": "Update policy rule",
"eventType": "policy.rule.update",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-19T20:41:41.654Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry":
{
"policyType": "group_rule"
},
"displayName": "group rule default policy",
"id": "00ua1aaaa1abc0A0B567",
"type": "PolicyEntity"
},
{
"alternateId": "Salesforce",
"detailEntry": null,
"displayName": "Salesforce",
"id": "00ua1aaaa1abc0A0B987",
"type": "PolicyRule"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
User Type / Role
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROMIUM_EDGE",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"sessionId": "11111111-0000-2222-3333-999999999999"
}
},
"displayMessage": "Flow deleted",
"eventType": "workflows.user.flow.delete",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-18T19:16:16.459Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"securityContext": null,
"severity": "INFO",
"target":
[
{
"alternateId": "Okta Workflows",
"detailEntry": null,
"displayName": "Okta Workflows",
"id": "00ua1aaaa1abc0A0B987",
"type": "AppInstance"
},
{
"alternateId": "Custom Okta Workflow with Slack",
"detailEntry": null,
"displayName": "Custom Okta Workflow with Slack",
"id": "123456",
"type": "Flow"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
User Type / Role
-
Resource Metadata
Success
{
"actor":
{
"alternateId": "alice@example.com",
"detailEntry": null,
"displayName": "Alice Brown",
"id": "00ua1aaaa1abc0A0B123",
"type": "User"
},
"authenticationContext":
{
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "10234ABC123abc1234abc1234",
"interface": null,
"issuer": null
},
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"id": null,
"ipAddress": "198.51.100.1",
"userAgent":
{
"browser": "CHROME",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext":
{
"debugData":
{
"dtHash": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"jobid": "mfa88888888888888888",
"requestId": "ABCD111111111111111111111111",
"requestUri": "/reports/user/mfa/download/mfa88888888888888888.csv",
"url": "/reports/user/mfa/download/mfa88888888888888888.csv?"
}
},
"displayMessage": "Report CSV Export Downloaded",
"eventType": "analytics.reports.export.download",
"outcome":
{
"reason": null,
"result": "SUCCESS"
},
"published": "2023-09-14T17:45:28.879Z",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "San Francisco",
"country": "United States",
"geolocation":
{
"lat": 37.8199,
"lon": 122.4783
},
"postalCode": "94016",
"state": "California"
},
"ip": "198.51.100.1",
"source": null,
"version": "V4"
}
]
},
"securityContext":
{
"asNumber": 14618,
"asOrg": "amazon corporate llc",
"domain": "amazon.com",
"isProxy": false,
"isp": "amazon.com inc"
},
"severity": "INFO",
"target":
[
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "MFA Usage",
"id": "mfa",
"type": "Report"
}
],
"transaction":
{
"detail":
{},
"id": "111111111111111111111111111",
"type": "WEB"
},
"uuid": "11111111-2222-3333-4444-abcdef111111111111",
"version": 0
}
System Log API
The Okta System Log API provides near real-time, read-only access to an organization's system log.
References
Retention Details
Storage Duration: System Log events are retained in Okta for a period of 90 days.
https://support.okta.com/help/s/article/Customer-Data-Retention-Policy?language=en_US
Latency Details
Duration: Near real-time
https://support.okta.com/help/s/article/Customer-Data-Retention-Policy?language=en_US
Product Details
Okta is a cloud-based identity and access management (IAM) platform that provides centralized authentication, management of user identities, and access control to applications and data. The Okta System Log records events related to an organization, such as user logins, password changes, and application access. The System Log can be used to understand platform and user activity, troubleshoot problems, and investigate security incidents. The Okta System Log API is a RESTful API that allows an organization to programmatically access the Okta System Log. The API provides a way to retrieve, filter, and export events.
System Log API
The Okta System Log API provides near real-time, read-only access to an organization's system log.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"account_id": 12345,
"actor_system": "",
"actor_user_id": 12345561,
"actor_user_name": "John Doe",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2015-11-26T01:11:22.575Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 5,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 1234512345,
"ipaddr": null,
"notes": "Authentication method: password + OTP.",
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 12345561,
"user_name": "John Doe"
}
Failure
{
"account_id": 12345,
"actor_system": "",
"actor_user_id": 12345123,
"actor_user_name": "John Doe",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2015-11-26T01:31:48.144Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 6,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 1234512345,
"ipaddr": "8.8.8.8",
"notes": "Authentication method: password (invalid password).",
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 12345194,
"user_name": "John Doe"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
Unsupported
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"account_id": 12345,
"actor_system": "",
"actor_user_id": 12345123,
"actor_user_name": "John Doe",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2015-11-24T16:53:16.188Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 7,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 1234512345,
"ipaddr": null,
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 12345629,
"user_name": "John Doe"
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Verification Method
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Flagged
-
Activity Performed
Success
{
"account_id": 232548,
"actor_system": null,
"actor_user_id": 232044969,
"actor_user_name": "Harry Potter",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-26T21:10:40.642Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 1400,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 44962098238,
"ipaddr": "8.8.8.8",
"notes": "Authentication method: OTP (Valid OTP). Factor name: OneLogin Email",
"operation_name": null,
"otp_device_id": 18013181,
"otp_device_name": "OneLogin OneLogin Email",
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Failure
{
"account_id": 232548,
"actor_system": null,
"actor_user_id": 232044969,
"actor_user_name": "Harry Potter",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-27T23:48:09.212Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 1002,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 44994186214,
"ipaddr": "8.8.8.8",
"notes": "Validation failed",
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": 379268,
"policy_name": "MFA-policy-odza",
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"account_id": 12345,
"actor_system": "",
"actor_user_id": 1234517,
"actor_user_name": "John Doe",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2015-11-20T18:29:22.202Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 13,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 1234512345,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 12345679,
"user_name": "George Washington"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Success
{
"account_id": 12345,
"actor_system": "",
"actor_user_id": 12345134,
"actor_user_name": "John Doe",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2015-11-25T05:39:01.919Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 14,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 1234512345,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 12345280,
"user_name": "John Bon Jovi"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 232044969,
"actor_user_name": "Harry Potter",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-28T17:58:03.705Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 17,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45015573454,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232309650,
"user_name": "John Doe"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-01T23:07:24.993Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 3020,
"event_type_ids": null,
"group_id": 509316,
"group_name": "createdgroup",
"id": 45082115051,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": null,
"user_name": null
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-01T23:07:45.758Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 3021,
"event_type_ids": null,
"group_id": 509316,
"group_name": "createdgroup",
"id": 45082120012,
"ipaddr": "8.8.8.8",
"notes": "\nPolicy changed from MFA-policy-test to Default policy",
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": null,
"user_name": null
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-01T23:07:33.053Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 3022,
"event_type_ids": null,
"group_id": 509222,
"group_name": "testnewgroup",
"id": 45082116944,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": null,
"user_name": null
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-06T18:08:39.200Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 14,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45191535162,
"ipaddr": "8.8.8.8",
"notes": "changed Group to examplegroup",
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-06T18:15:09.794Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 14,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45191722046,
"ipaddr": "8.8.8.8",
"notes": "changed Group to None",
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-01T23:10:26.647Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 1801,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45082158160,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": 712587,
"role_name": "newrole",
"since": null,
"until": null,
"user_id": 226011705,
"user_name": "Lance Armstrong"
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": 3184929,
"app_name": "Amiando",
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-06T18:31:12.396Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 1,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45192178366,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": 712587,
"role_name": "newrole",
"since": null,
"until": null,
"user_id": null,
"user_name": null
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-06T18:31:50.385Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 1802,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45192198208,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": 680252,
"role_name": "Default",
"since": null,
"until": null,
"user_id": 226011705,
"user_name": "Lance Armstrong"
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-01T23:18:00.847Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 72,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45082260689,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-26T19:03:42.544Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 73,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 44958862055,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Success
{
"account_id": 12345,
"actor_system": "",
"actor_user_id": 12345629,
"actor_user_name": "John Doe",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2015-11-24T09:02:46.359Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 22,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 1234512345,
"ipaddr": null,
"notes": null,
"operation_name": null,
"otp_device_id": 123456,
"otp_device_name": "john.doe@ext.acmecorp.com",
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 12345629,
"user_name": "John Doe"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-26T21:11:23.835Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 24,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 44962113859,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": 18013181,
"otp_device_name": "OneLogin Email",
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 232044969,
"actor_user_name": "Harry Potter",
"app_id": 3159937,
"app_name": "43 Things",
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-27T20:37:13.351Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 600,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 44990112363,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": 3159998,
"app_name": "Anaplan",
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-04T17:47:42.846Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 601,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45133717008,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 226011705,
"user_name": "Lance Armstrong"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 232044969,
"actor_user_name": "Harry Potter",
"app_id": 3159937,
"app_name": "43 Things",
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-27T20:38:22.572Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 602,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 44990138411,
"ipaddr": "",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-02-28T18:31:48.480Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 179,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45016591484,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 226011705,
"user_name": "Lance Armstrong"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-04T17:54:07.805Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 180,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45133880563,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 226011705,
"user_name": "Lance Armstrong"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Success
{
"account_id": 232548,
"actor_system": "",
"actor_user_id": 226011705,
"actor_user_name": "Lance Armstrong",
"app_id": null,
"app_name": null,
"assuming_acting_user_id": null,
"browser_fingerprint": null,
"client_id": null,
"created_at": "2024-03-04T17:58:38.133Z",
"custom_message": null,
"directory_id": null,
"directory_sync_run_id": null,
"error_description": null,
"event_type_id": 27,
"event_type_ids": null,
"group_id": null,
"group_name": null,
"id": 45133990798,
"ipaddr": "8.8.8.8",
"notes": null,
"operation_name": null,
"otp_device_id": null,
"otp_device_name": null,
"policy_id": null,
"policy_name": null,
"proxy_ip": null,
"resolution": null,
"resource_type_id": null,
"risk_cookie_id": null,
"risk_reasons": null,
"risk_score": null,
"role_id": null,
"role_name": null,
"since": null,
"until": null,
"user_id": 232044969,
"user_name": "Harry Potter"
}
Get Events API
The OneLogin events API provides near real-time, read-only access to an organization's activity log.
References
Retention Details
Storage Duration: Unknown
N/A
Latency Details
Duration: Near real-time
N/A
Product Details
OneLogin is a cloud-based identity and access management (IAM) platform that provides centralized authentication, management of user identities, and access control to applications and data. OneLogin Events record logs related to an organization, such as user logins, password changes, and application access. The Events can be used to understand platform and user activity, troubleshoot problems, and investigate security incidents. The OneLogin Get Events API allows an organization to programmatically access the OneLogin Event logs. The API provides a way to retrieve, filter, and export events.
Get Events API
The OneLogin Get Events API provides near real-time, read-only access to an organization's event log.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "User Access Allowed",
"type": "USER.ACCESS_ALLOWED"
},
"actors": {
"client": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/applications/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "ao",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T18:52:26.485Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"recordedAt": "2024-04-16T18:52:26.476Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "Passed role access control",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Failure
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "User Access Denied",
"type": "USER.ACCESS_DENIED"
},
"actors": {
"client": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/applications/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "PingOne Admin Console",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jsmith@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-09T21:41:11.471Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"recordedAt": "2024-04-09T21:41:11.459Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jsmith@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "Failed role access control",
"status": "FAILED"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Session Deleted",
"type": "SESSION.DELETED"
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T20:08:56.060Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"recordedAt": "2024-04-16T20:08:56.047Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
},
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/sessions/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "User Session 1234abc1-a123-1234-ab12-1ab123a1234a",
"type": "SESSION"
}
],
"result": {
"description": "Deleted Session '1234abc1-a123-1234-ab12-1ab123a1234a' for User '1234abc1-a123-1234-ab12-1ab123a1234a'",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Verification Method
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Verification Flagged
-
Activity Performed
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Otp Check Success",
"type": "OTP.CHECK_SUCCESS"
},
"actors": {
"client": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/applications/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "PingOne Admin Console",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-10T22:25:46.482Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-10T22:25:46.470Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/flows/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "1234abc1-a123-1234-ab12-1ab123a1234a",
"type": "FLOW"
},
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a/devices/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "TOTP",
"type": "DEVICE"
}
],
"result": {
"description": "TOTP authenticator authentication approved",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "User Created",
"type": "USER.CREATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T20:29:30.972Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T20:29:30.951Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "example_new_user",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "Created User example_new_user",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
-
Target Attribute Context
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_embedded": {
"modifiedAttributes": [
"email"
]
},
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "User Updated",
"type": "USER.UPDATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-11T21:27:55.355Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-11T21:27:55.327Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "bob",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "Updated email for User bob",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "User Deleted",
"type": "USER.DELETED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T20:31:37.779Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T20:31:37.745Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "bob",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "Deleted User bob",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Group Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Group Created",
"type": "GROUP.CREATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T20:32:29.453Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T20:32:29.433Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/groups/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "newgrp",
"type": "GROUP"
}
],
"result": {
"description": "Created Group newgrp",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Group Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Group Deleted",
"type": "GROUP.DELETED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T20:33:07.019Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T20:33:07.000Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/groups/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "testgrup",
"type": "GROUP"
}
],
"result": {
"description": "Deleted Group testgrup",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Group Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Target Username
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Member Of Group Created",
"type": "MEMBER_OF_GROUP.CREATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T20:33:15.542Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T20:33:15.525Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a/memberOfGroups/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "example_group",
"type": "MEMBER_OF_GROUP"
}
],
"result": {
"description": "Created Member Of Group example_group",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Group Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Target Username
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Member Of Group Deleted",
"type": "MEMBER_OF_GROUP.DELETED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T20:37:01.802Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T20:37:01.783Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a/memberOfGroups/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "example_group",
"type": "MEMBER_OF_GROUP"
}
],
"result": {
"description": "Deleted Member Of Group example_group",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Role Assignment Created",
"type": "ROLE_ASSIGNMENT.CREATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T21:09:05.649Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T21:09:05.593Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a/roleAssignments/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "pbunyan@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "Created role assignment '1234abc1-a123-1234-ab12-1ab123a1234a' for role '1234abc1-a123-1234-ab12-1ab123a1234a' scoped for ORGANIZATION '1234abc1-a123-1234-ab12-1ab123a1234a'",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
},
"tags": [
"adminIdentityEvent"
]
}
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Role Assignment Deleted",
"type": "ROLE_ASSIGNMENT.DELETED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T21:34:54.970Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T21:34:54.934Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a/roleAssignments/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "pbunyan@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "Deleted role assignment '1234abc1-a123-1234-ab12-1ab123a1234a' scoped for ORGANIZATION '1234abc1-a123-1234-ab12-1ab123a1234a'",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
},
"tags": [
"adminIdentityEvent"
]
}
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Enrollment Type
Success
{
"_embedded": {
"modifiedAttributes": [
"mfaEnabled"
]
},
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "User Updated",
"type": "USER.UPDATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-09T21:33:19.946Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-09T21:33:19.932Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "MFA enabled for User jdoe@acme.co",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Enrollment Type
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Target Username
Success
{
"_embedded": {
"modifiedAttributes": [
"mfaEnabled"
]
},
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "User Updated",
"type": "USER.UPDATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-09T21:17:42.793Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-09T21:17:42.779Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "example_user",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
],
"result": {
"description": "MFA disabled for User example_user",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Identity Provider Created",
"type": "IDENTITY_PROVIDER.CREATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-11T20:39:30.201Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-11T20:39:30.186Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/identityProviders/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "example_idp",
"type": "IDENTITY_PROVIDER"
}
],
"result": {
"description": "Created Identity Provider example_idp of type 'YAHOO'.",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Identity Provider Updated",
"type": "IDENTITY_PROVIDER.UPDATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-11T20:39:40.622Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-11T20:39:40.609Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/identityProviders/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "example_idp",
"type": "IDENTITY_PROVIDER"
}
],
"result": {
"description": "Updated Identity Provider f of type 'YAHOO'.",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Identity Provider Deleted",
"type": "IDENTITY_PROVIDER.DELETED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-11T20:39:43.177Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-11T20:39:43.186Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/identityProviders/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "example_idp",
"type": "IDENTITY_PROVIDER"
}
],
"result": {
"description": "Deleted Identity Provider f of type 'YAHOO'.",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Integration / App Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Application Created",
"type": "APPLICATION.CREATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-10T21:57:51.445Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-10T21:57:51.431Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/applications/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "Smartsheet",
"type": "APPLICATION"
}
],
"result": {
"description": "Created Application Smartsheet using 'SAML' protocol of type 'TEMPLATE_APP' with enabled state",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Integration / App Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Application Updated",
"type": "APPLICATION.UPDATED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T22:21:05.839Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T22:21:05.813Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/applications/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "Smartsheet",
"type": "APPLICATION"
}
],
"result": {
"description": "Updated Application Smartsheet using 'SAML' protocol of type 'TEMPLATE_APP' with enabled state",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Integration / App Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/activities/1234abc1-a123-1234-ab12-1ab123a1234a"
}
},
"action": {
"description": "Application Deleted",
"type": "APPLICATION.DELETED"
},
"actors": {
"client": {
"id": "adminui",
"name": "adminui",
"type": "CLIENT"
},
"user": {
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/users/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "jdoe@acme.co",
"population": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"type": "USER"
}
},
"correlationId": "1234abc1-a123-1234-ab12-1ab123a1234a",
"createdAt": "2024-04-16T22:29:48.767Z",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"internalCorrelation": {
"sessionId": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"recordedAt": "2024-04-16T22:29:48.749Z",
"resources": [
{
"environment": {
"id": "1234abc1-a123-1234-ab12-1ab123a1234a"
},
"href": "https://api.pingone.com/v1/environments/1234abc1-a123-1234-ab12-1ab123a1234a/applications/1234abc1-a123-1234-ab12-1ab123a1234a",
"id": "1234abc1-a123-1234-ab12-1ab123a1234a",
"name": "Smartsheet",
"type": "APPLICATION"
}
],
"result": {
"description": "Deleted Application Smartsheet using 'SAML' protocol of type 'TEMPLATE_APP' with enabled state",
"status": "SUCCESS"
},
"source": {
"ipAddress": "2001:4860:4860::8888",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
}
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Read User Activities API
The PingOne Read User Activities API provides near real-time, read-only access to an organization's audit activity events.
References
Retention Details
Storage Duration: Unknown
N/A
Latency Details
Duration: Near real-time
N/A
Product Details
PingOne is a cloud-based identity as a service (IDaaS) framework for secure identity access management that uses an organization-based model to define tenant accounts and their related entities within the PingOne platform. PingOne Audit Activities record logs related to an organization, such as user logins, password changes, and application access. The events can be used to understand platform and user activity, troubleshoot problems, and investigate security incidents. The PingOne Read User Activities API allows an organization to programmatically access the PingOne audit activity event logs. The API provides a way to retrieve, filter, and export events.
Read User Activities API
The PingOne Read User Activities API provides near real-time, read-only access to an organization's audit activity events.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Name
Unsupported
-
Event ID
-
Username
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Type
Success
{
"CLIENT_IP": "198.51.100.1",
"CPU_TIME": "13",
"EVENT_TYPE": "ApexCallout",
"LOGIN_KEY": "9870000000012300",
"METHOD": "GET",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_SIZE": "-1",
"RESPONSE_SIZE": "40407",
"RUN_TIME": "279",
"SESSION_KEY": "9870000000012300",
"SUCCESS": "1",
"TIME": "246",
"TIMESTAMP": "20230321171017.871",
"TIMESTAMP_DERIVED": "2023-03-21T17:10:17.871Z",
"TYPE": "REST",
"URI": "CALLOUT-LOG",
"URI_ID_DERIVED": "",
"URL": "https://prod-api.example.com/api/v1/",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC"
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
EventLogFile Apex Callout Event Type
Provides details about callouts (external requests) during Apex code execution.
References
Retention Details
Storage Duration: 30 Days
N/A
Latency Details
Duration: 3 Hours
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
Device/Client Type
-
Resource Type
Create
{
"ACTION_MESSAGE": "1$aura://RecordUiController/ACTION$createRecord=1616",
"CLIENT_IP": "198.51.100.1",
"CPU_TIME": "1184",
"DB_TOTAL_TIME": "384466656",
"EVENT_TYPE": "AuraRequest",
"LOGIN_KEY": "9870000000012300",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_METHOD": "POST",
"REQUEST_STATUS": "",
"RUN_TIME": "1651",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230317160937.079",
"TIMESTAMP_DERIVED": "2023-03-17T16:09:37.079Z",
"URI": "/aura",
"URI_ID_DERIVED": "",
"USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.2 Safari/537.36",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
Device/Client Type
-
Resource Type
Read
{
"ACTION_MESSAGE": "1$aura://RecordUiController/ACTION$getObjectInfo=4",
"CLIENT_IP": "198.51.100.1",
"CPU_TIME": "17",
"DB_TOTAL_TIME": "1112793",
"EVENT_TYPE": "AuraRequest",
"LOGIN_KEY": "9870000000012300",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_METHOD": "POST",
"REQUEST_STATUS": "",
"RUN_TIME": "20",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230317172646.960",
"TIMESTAMP_DERIVED": "2023-03-17T17:26:46.960Z",
"URI": "/aura",
"URI_ID_DERIVED": "",
"USER_AGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.2 Safari/537.36",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
Device/Client Type
-
Resource Type
Update
{
"ACTION_MESSAGE": "1$aura://RecordUiController/ACTION$updateRecord=574",
"CLIENT_IP": "198.51.100.1",
"CPU_TIME": "426",
"DB_TOTAL_TIME": "175309327",
"EVENT_TYPE": "AuraRequest",
"LOGIN_KEY": "9870000000012300",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_METHOD": "POST",
"REQUEST_STATUS": "",
"RUN_TIME": "614",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230317165202.419",
"TIMESTAMP_DERIVED": "2023-03-17T16:52:02.419Z",
"URI": "/aura",
"URI_ID_DERIVED": "",
"USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.2 Safari/537.36",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
Device/Client Type
-
Resource Type
Delete
{
"ACTION_MESSAGE": "1$apex://EmailMessageService/ACTION$deleteEmailDrafts=21",
"CLIENT_IP": "198.51.100.1",
"CPU_TIME": "40",
"DB_TOTAL_TIME": "7612998",
"EVENT_TYPE": "AuraRequest",
"LOGIN_KEY": "9870000000012300",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_METHOD": "POST",
"REQUEST_STATUS": "",
"RUN_TIME": "49",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230317141457.834",
"TIMESTAMP_DERIVED": "2023-03-17T14:14:57.834Z",
"URI": "/aura",
"URI_ID_DERIVED": "",
"USER_AGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.2 Safari/537.36",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
EventLogFile Aura Request Event Type
Provides details of requests to Apex methods from Aura and Lightning web components.
References
Retention Details
Storage Duration: 30 Days
N/A
Latency Details
Duration: 3 Hours
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Unsupported
-
Event ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"API_TYPE": "",
"API_VERSION": "9998.0",
"AUTHENTICATION_METHOD_REFERENCE": "",
"BROWSER_TYPE": "python-requests/2.28.2",
"CIPHER_SUITE": "ECDHE-RSA-AES256-GCM-SHA384",
"CLIENT_IP": "Salesforce.com IP",
"CPU_TIME": "31",
"DB_TOTAL_TIME": "72839779",
"EVENT_TYPE": "Login",
"LOGIN_KEY": "9870000000012300",
"LOGIN_STATUS": "LOGIN_OAUTH_NO_CONSUMER",
"LOGIN_SUB_TYPE": "",
"LOGIN_TYPE": "i",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_STATUS": "",
"RUN_TIME": "213",
"SESSION_KEY": "",
"SOURCE_IP": "198.51.100.1",
"TIMESTAMP": "20230315013819.200",
"TIMESTAMP_DERIVED": "2023-03-15T01:38:19.151Z",
"TLS_PROTOCOL": "TLSv1.2",
"URI": "/services/oauth2/token",
"URI_ID_DERIVED": "",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_NAME": "john@example.com",
"USER_TYPE": "Standard"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
EventLogFile Login Event
This event source is to track login events in Salesforce.
References
Retention Details
Storage Duration: 1 Day
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
Latency Details
Duration: 3 Hours
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event Code / Type
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Event ID
-
Result
-
Username
-
IP Geolocation / ASN
Success
{
"API_TYPE": "",
"API_VERSION,USER_INITIATED_LOGOUT": "1",
"APP_TYPE": "1000",
"BROWSER_TYPE": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.1 Safari/537.36",
"CLIENT_IP": "198.51.100.2",
"CLIENT_VERSION": "9998.0",
"EVENT_TYPE": "Logout",
"LOGIN_KEY": "9870000000012300",
"ORGANIZATION_ID": "000ABC000000123",
"PLATFORM_TYPE": "2003",
"REQUEST_ID": "1230000000000000000-12",
"RESOLUTION_TYPE": "9999",
"SESSION_KEY": "9870000000012300",
"SESSION_LEVEL": "HIGH_ASSURANCE(db=10,api=HIGH_ASSURANCE)",
"SESSION_TYPE": "UI",
"TIMESTAMP": "20230316210747.600",
"TIMESTAMP_DERIVED": "2023-03-16T21:07:47.645Z",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard(db=S,api=Standard)"
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
EventLogFile Logout Event
This event source is to track logout events in Salesforce.
References
Retention Details
Storage Duration: 1 Day
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
Latency Details
Duration: 3 Hours
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Type
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
Create
{
"API_TYPE": "P",
"API_VERSION": "39.0",
"CLIENT_IP": "198.51.100.1",
"CLIENT_NAME": "vendor/integration_app",
"CPU_TIME": "1100",
"DB_BLOCKS": "19693",
"DB_CPU_TIME": "480",
"DB_TOTAL_TIME": "741700210",
"ENTITY_NAME": "Customer_Account__c",
"EVENT_TYPE": "API",
"EXCEPTION_MESSAGE": "",
"LOGIN_KEY": "9870000000012300",
"METHOD_NAME": "insert",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_SIZE": "35084",
"REQUEST_STATUS": "",
"RESPONSE_SIZE": "2406",
"ROWS_PROCESSED": "36",
"RUN_TIME": "1948",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230320145944.655",
"TIMESTAMP_DERIVED": "2023-03-20T14:59:44.655Z",
"URI": "Api",
"URI_ID_DERIVED": "",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Type
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
Read
{
"API_TYPE": "P",
"API_VERSION": "54.0",
"CLIENT_IP": "198.51.100.1",
"CLIENT_NAME": "vendor/integration_app",
"CPU_TIME": "48",
"DB_BLOCKS": "5251",
"DB_CPU_TIME": "20",
"DB_TOTAL_TIME": "46672557",
"ENTITY_NAME": "Customer_Account__c",
"EVENT_TYPE": "API",
"EXCEPTION_MESSAGE": "",
"LOGIN_KEY": "9870000000012300",
"METHOD_NAME": "query",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_SIZE": "1382",
"REQUEST_STATUS": "",
"RESPONSE_SIZE": "38019",
"ROWS_PROCESSED": "27",
"RUN_TIME": "97",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230320145933.958",
"TIMESTAMP_DERIVED": "2023-03-20T14:59:33.958Z",
"URI": "Api",
"URI_ID_DERIVED": "",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Type
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
Update
{
"API_TYPE": "P",
"API_VERSION": "45.0",
"CLIENT_IP": "198.51.100.1",
"CLIENT_NAME": "vendor/integration_app",
"CPU_TIME": "737",
"DB_BLOCKS": "3524",
"DB_CPU_TIME": "130",
"DB_TOTAL_TIME": "252705921",
"ENTITY_NAME": "Customer_Account__c",
"EVENT_TYPE": "API",
"EXCEPTION_MESSAGE": "",
"LOGIN_KEY": "9870000000012300",
"METHOD_NAME": "update",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_SIZE": "1409",
"REQUEST_STATUS": "",
"RESPONSE_SIZE": "462",
"ROWS_PROCESSED": "0",
"RUN_TIME": "1035",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230320145959.965",
"TIMESTAMP_DERIVED": "2023-03-20T14:59:59.965Z",
"URI": "Api",
"URI_ID_DERIVED": "",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Type
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
Delete
{
"API_TYPE": "E",
"API_VERSION": "54.0",
"CLIENT_IP": "198.51.100.1",
"CLIENT_NAME": "vendor/integration_app",
"CPU_TIME": "253",
"DB_BLOCKS": "5356",
"DB_CPU_TIME": "140",
"DB_TOTAL_TIME": "228432560",
"ENTITY_NAME": "Customer_Account__c",
"EVENT_TYPE": "API",
"EXCEPTION_MESSAGE": "",
"LOGIN_KEY": "9870000000012300",
"METHOD_NAME": "delete",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_SIZE": "690",
"REQUEST_STATUS": "",
"RESPONSE_SIZE": "464",
"ROWS_PROCESSED": "0",
"RUN_TIME": "498",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230320051932.701",
"TIMESTAMP_DERIVED": "2023-03-20T05:19:32.701Z",
"URI": "Api",
"URI_ID_DERIVED": "",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Type
-
Resource Metadata
Unsupported
-
Event ID
-
Username
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
Download
{
"API_TYPE": "P",
"API_VERSION": "54.0",
"CLIENT_IP": "198.51.100.1",
"CLIENT_NAME": "vendor/integration_app",
"CPU_TIME": "335",
"DB_BLOCKS": "11565",
"DB_CPU_TIME": "30",
"DB_TOTAL_TIME": "26718766",
"ENTITY_NAME": "Customer_Account__c",
"EVENT_TYPE": "API",
"EXCEPTION_MESSAGE": "",
"LOGIN_KEY": "9870000000012300",
"METHOD_NAME": "query_all",
"ORGANIZATION_ID": "000ABC000000123",
"REQUEST_ID": "1230000000000000000-12",
"REQUEST_SIZE": "818",
"REQUEST_STATUS": "",
"RESPONSE_SIZE": "296630",
"ROWS_PROCESSED": "100000",
"RUN_TIME": "672",
"SESSION_KEY": "9870000000012300",
"TIMESTAMP": "20230317180424.293",
"TIMESTAMP_DERIVED": "2023-03-17T18:04:24.293Z",
"URI": "Api",
"URI_ID_DERIVED": "",
"USER_ID": "000000000000123",
"USER_ID_DERIVED": "000000000000123AbC",
"USER_TYPE": "Standard"
}
EventLogFile SOAP API Event Type
Provides details about a Salesforce org's SOAP API request activity.
References
Retention Details
Storage Duration: 30 Days
N/A
Latency Details
Duration: 3 Hours
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
Read
{
"channel": "/event/ApiEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AdditionalInfo": "{}",
"ApiType": "REST",
"ApiVersion": 51.0,
"Application": "N/A",
"Client": null,
"ConnectedAppId": "567000000abc0004",
"CreatedDate": "2023-03-21T19:42:15.033+0000",
"ElapsedTime": 79,
"EvaluationTime": 0.0,
"EventDate": "2023-03-21T19:42:13.264+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginHistoryId": "000123000abc0004",
"LoginKey": "9870000000012300",
"Operation": "Query",
"Platform": "Unknown",
"PolicyId": null,
"PolicyOutcome": null,
"QueriedEntities": "Customer_Account__c",
"Query": "Select name, record, status__c, from Account where LastModifiedDate >= 2023-01-01T12:00:00Z ORDER BY LastModifiedDate ASC",
"Records": "{\"totalSize\":1000,\"done\":false,\"records\":[{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000123\",\"Name\":\"Sample Account 1\"},{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000124\",\"Name\":\"Sample Account 2\"}]}",
"RelatedEventIdentifier": null,
"RowsProcessed": 0.0,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserAgent": "Python-httplib2/0.19.0 (gzip)",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"attributes":
{
"type": "ApiEvent",
"url": "/services/data/v55.0/sobjects/ApiEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
Download
{
"channel": "/event/ApiEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AdditionalInfo": "{}",
"ApiType": "REST",
"ApiVersion": 50.0,
"Application": "N/A",
"Client": null,
"ConnectedAppId": null,
"CreatedDate": "2023-03-21T10:04:45.101+0000",
"ElapsedTime": 430,
"EvaluationTime": 0.0,
"EventDate": "2023-03-21T10:04:39.747+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginHistoryId": "000123000abc0004",
"LoginKey": "9870000000012300",
"Operation": "QueryMore",
"Platform": "Unknown",
"PolicyId": null,
"PolicyOutcome": null,
"QueriedEntities": "Customer_Account__c",
"Query": "Select name, record, status__c, from Account where LastModifiedDate >= 2023-01-01T12:00:00Z ORDER BY LastModifiedDate ASC",
"Records": "{\"totalSize\":1000,\"done\":false,\"records\":[{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000123\",\"Name\":\"Sample Account 1\"},{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000124\",\"Name\":\"Sample Account 2\"}]}",
"RelatedEventIdentifier": null,
"RowsProcessed": 1000364.0,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserAgent": "python-requests/2.28.2",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"attributes":
{
"type": "ApiEvent",
"url": "/services/data/v55.0/sobjects/ApiEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Real-Time Event Monitoring ApiEventStream
Tracks the user-initiated read-only API calls "query()", "queryMore()", and "count()". Captures API requests through SOAP API and Bulk API.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Download
{
"channel": "/event/BulkApiResultEvent",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"CreatedDate": "2023-03-22T15:07:23.864+0000",
"EvaluationTime": 0.0,
"EventDate": "2023-03-22T15:07:16.240+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"Id": "000000000000000AAA",
"LoginHistoryId": "000123000abc0004",
"LoginKey": "9870000000012300",
"PolicyId": null,
"PolicyOutcome": null,
"Query": "Select name, record, status__c, from Account where LastModifiedDate >= 2023-01-01T12:00:00Z ORDER BY LastModifiedDate ASC",
"RelatedEventIdentifier": null,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"attributes":
{
"type": "BulkApiResultEventStore",
"url": "/services/data/v55.0/sobjects/BulkApiResultEventStore/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Real-Time Event Monitoring BulkApiResultEventStore
Tracks when a user downloads the results of a Bulk API request.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Verification Method
-
Verification Flagged
-
Activity Performed
Unsupported
-
User Type / Role
-
User Agent Name
-
Device/Client Type
Success
{
"channel": "/event/IdentityVerificationEvent",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"Activity": "Login",
"City": "San Francisco",
"Country": "United States",
"CountryIso": "US",
"CreatedDate": "2023-03-08T16:50:51.554+0000",
"EventDate": "2023-03-08T16:50:46.153+0000",
"EventGroup": "000000033",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"Id": "000000000000000AAA",
"Latitude": 38.1111,
"LoginHistoryId": "000000000000123AbC",
"LoginKey": "9870000000012300",
"Longitude": 38.1111,
"Policy": "TwoFactorAuthentication",
"PostalCode": "94107",
"Remarks": null,
"ResourceId": null,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "2001db8fffffffffffffffffffffffa",
"Status": "Succeeded",
"Subdivision": "New York",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"VerificationMethod": "Totp",
"attributes":
{
"type": "IdentityVerificationEvent",
"url": "/services/data/v55.0/sobjects/IdentityVerificationEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Real-Time Event Monitoring IdentityVerificationEvent
Tracks user identity verification events in a Salesforce org.
References
Retention Details
Storage Duration: 10 Years
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
IP Geolocation / ASN
-
User Agent Name
Create
{
"channel": "/event/LightningUriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AppName": "one:one",
"ConnectionType": null,
"CreatedDate": "2023-03-21T22:33:26.221+0000",
"DeviceId": null,
"DeviceModel": null,
"DevicePlatform": "SFX:BROWSER:DESKTOP",
"DeviceSessionId": "0000000000000000000000000000000000000001",
"Duration": 0.0,
"EffectivePageTime": 0.0,
"EventDate": "2023-03-21T22:33:21.481+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "987abc0000012400",
"Operation": "Create",
"OsName": "WINDOWS",
"OsVersion": "10",
"PageStartTime": "2023-03-21T22:11:37.378+0000",
"PageUrl": "/lightning/o/Case/new?count=1",
"PreviousPageAppName": null,
"PreviousPageEntityId": null,
"PreviousPageEntityType": null,
"PreviousPageUrl": null,
"QueriedEntities": "Customer_Account__c",
"RecordId": "120000033000123AbC",
"RelatedEventIdentifier": null,
"SdkAppType": null,
"SdkAppVersion": null,
"SdkVersion": null,
"SessionKey": "987abc0000012400",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "LightningUriEvent",
"url": "/services/data/v55.0/sobjects/LightningUriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
IP Geolocation / ASN
-
User Agent Name
Read
{
"channel": "/event/LightningUriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AppName": "one:one",
"ConnectionType": null,
"CreatedDate": "2023-03-21T20:59:37.010+0000",
"DeviceId": null,
"DeviceModel": null,
"DevicePlatform": "SFX:BROWSER:DESKTOP",
"DeviceSessionId": "0000000000000000000000000000000000000001",
"Duration": 7029.0,
"EffectivePageTime": 0.0,
"EventDate": "2023-03-21T20:59:33.069+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"Operation": "Read",
"OsName": "OSX",
"OsVersion": "10.15.7",
"PageStartTime": "2023-03-21T20:57:39.770+0000",
"PageUrl": "/lightning/o/Case/new?count=1",
"PreviousPageAppName": "LightningSales",
"PreviousPageEntityId": "345000000mnp0004",
"PreviousPageEntityType": "Account",
"PreviousPageUrl": "/lightning/r/Account/001300000000000000/view",
"QueriedEntities": "Customer_Account__c",
"RecordId": "000000000000123AbC",
"RelatedEventIdentifier": null,
"SdkAppType": null,
"SdkAppVersion": null,
"SdkVersion": null,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "LightningUriEvent",
"url": "/services/data/v55.0/sobjects/LightningUriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
IP Geolocation / ASN
-
User Agent Name
Update
{
"channel": "/event/LightningUriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AppName": "one:one",
"ConnectionType": null,
"CreatedDate": "2023-03-21T16:53:47.889+0000",
"DeviceId": null,
"DeviceModel": null,
"DevicePlatform": "SFX:BROWSER:DESKTOP",
"DeviceSessionId": "0000000000000000000000000000000000000001",
"Duration": 0.0,
"EffectivePageTime": 0.0,
"EventDate": "2023-03-21T16:53:40.730+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"Operation": "Update",
"OsName": "OSX",
"OsVersion": "10.15.7",
"PageStartTime": "2023-03-21T16:52:46.442+0000",
"PageUrl": "/lightning/o/Case/new?count=1",
"PreviousPageAppName": null,
"PreviousPageEntityId": null,
"PreviousPageEntityType": null,
"PreviousPageUrl": null,
"QueriedEntities": "Customer_Account__c",
"RecordId": "000000000000123AbC",
"RelatedEventIdentifier": null,
"SdkAppType": null,
"SdkAppVersion": null,
"SdkVersion": null,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "LightningUriEvent",
"url": "/services/data/v55.0/sobjects/LightningUriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
IP Geolocation / ASN
-
User Agent Name
Delete
{
"channel": "/event/LightningUriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AppName": "one:one",
"ConnectionType": null,
"CreatedDate": "2023-03-21T19:30:14.117+0000",
"DeviceId": null,
"DeviceModel": null,
"DevicePlatform": "SFX:BROWSER:DESKTOP",
"DeviceSessionId": "0000000000000000000000000000000000000001",
"Duration": 0.0,
"EffectivePageTime": 0.0,
"EventDate": "2023-03-21T19:30:05.644+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"Operation": "Delete",
"OsName": "WINDOWS",
"OsVersion": "10",
"PageStartTime": "2023-03-21T19:17:24.981+0000",
"PageUrl": "/lightning/o/Case/new?count=1",
"PreviousPageAppName": null,
"PreviousPageEntityId": null,
"PreviousPageEntityType": null,
"PreviousPageUrl": null,
"QueriedEntities": "Customer_Account__c",
"RecordId": "000000000000123AbC",
"RelatedEventIdentifier": null,
"SdkAppType": null,
"SdkAppVersion": null,
"SdkVersion": null,
"SessionKey": "9870000000012300",
"SessionLevel": "HIGH_ASSURANCE",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "LightningUriEvent",
"url": "/services/data/v55.0/sobjects/LightningUriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Real-Time Event Monitoring LightningUriEventStream
Detects when a user creates, accesses, updates, or deletes a record in Lightning Experience only.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Read
{
"channel": "/event/ListViewEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AppName": null,
"ColumnHeaders": "Name,Sales_Strategy_Name__c,Customer__c.Name,Sales___c,Status__c",
"CreatedDate": "2023-03-20T16:26:00.349+0000",
"DeveloperName": "All_Sales_Strategy_Plans",
"EvaluationTime": 0.0,
"EventDate": "2023-03-20T16:25:52.850+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"EventSource": "Classic",
"ExecutionIdentifier": "abcdefgh-1234-5678-0000-000000000001",
"FilterCriteria": "{\"whereCondition\":{\"type\":\"soqlCondition\",\"field\":\"RecordTypeId\",\"operator\":\"equals\",\"values\":[\"'0128000000000000\"]}}",
"ListViewId": "00B440000000000000",
"LoginHistoryId": "000123000abc0004",
"LoginKey": "9870000000012300",
"Name": "All Sales Call Plans",
"NumberOfColumns": 7,
"OrderBy": "[CreatedBy.Name ASC NULLS FIRST, Id ASC NULLS FIRST]",
"OwnerId": "000000000000000MAC",
"PolicyId": null,
"PolicyOutcome": null,
"QueriedEntities": "Customer_Account__c",
"Records": "{\"totalSize\":1000,\"done\":false,\"records\":[{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000123\",\"Name\":\"Sample Account 1\"},{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000124\",\"Name\":\"Sample Account 2\"}]}",
"RelatedEventIdentifier": null,
"RowsProcessed": 1000.0,
"Scope": "everything",
"Sequence": 4,
"SessionKey": "9870000000012300",
"SessionLevel": "HIGH_ASSURANCE",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"attributes":
{
"type": "ListViewEvent",
"url": "/services/data/v55.0/sobjects/ListViewEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Real-Time Event Monitoring ListViewEventStream
Tracks actions related to list views in Lightning Experience, Salesforce Classic, or the API. For example, the event captures when a user runs or exports a list view.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Unsupported
Success
{
"channel": "/event/LoginEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"AdditionalInfo": "{}",
"ApiType": "N/A",
"ApiVersion": "N/A",
"Application": "Browser",
"AuthServiceId": "000000000000123AbC",
"Browser": "Chrome 110",
"CipherSuite": "ECDHE-RSA-AES256-GCM-SHA384",
"City": "San Francisco",
"ClientVersion": "N/A",
"Country": "United States",
"CountryIso": "US",
"CreatedDate": "2023-03-08T18:16:15.886+0000",
"EvaluationTime": 0.0,
"EventDate": "2023-03-08T18:16:11.493+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"HttpMethod": "POST",
"LoginGeoId": "000000000000123AbC",
"LoginHistoryId": "000000000000123AbC",
"LoginKey": "987abc0000012400",
"LoginLatitude": 38.1111,
"LoginLongitude": 38.1111,
"LoginType": "SAML Sfdc Initiated SSO",
"LoginUrl": "my.login.salesforce.com",
"Platform": "Windows 10",
"PolicyId": null,
"PolicyOutcome": null,
"PostalCode": "94107",
"RelatedEventIdentifier": null,
"SessionKey": null,
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"Status": "Success",
"Subdivision": "Ohio",
"TlsProtocol": "TLS 1.2",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "LoginEvent",
"url": "/services/data/v55.0/sobjects/LoginEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Real-Time Event Monitoring LoginEventStream
Tracks login activity of users who log in to Salesforce.
References
Retention Details
Storage Duration: 10 Years
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"channel": "/event/LogoutEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"CreatedDate": "2023-03-01T19:33:54.885+0000",
"EventDate": "2023-03-01T19:33:50.037+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"SessionKey": "9870000000012300",
"SessionLevel": "HIGH_ASSURANCE",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"attributes":
{
"type": "LogoutEvent",
"url": "/services/data/v55.0/sobjects/LogoutEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Real-Time Event Monitoring LogoutEventStream
A logout event records a successful user logout from the Salesforce user interface.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Name
-
Resource Type
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
Read
{
"channel": "/event/ReportEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"ColumnHeaders": "Name,Sales_Strategy_Name__c,Customer__c.Name,Sales___c,Status__c",
"CreatedDate": "2023-03-22T11:59:19.149+0000",
"DashboardId": null,
"DashboardName": null,
"Description": null,
"EvaluationTime": 0.0,
"EventDate": "2023-03-22T11:59:17.340+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"EventSource": "Lightning",
"ExecutionIdentifier": "abcdefgh-1234-0000-stuv-000000000001",
"ExportFileFormat": null,
"Format": "Summary",
"IsScheduled": false,
"LoginHistoryId": "000123000abc0004",
"LoginKey": "9870000000012300",
"Name": "Financial Reports",
"NumberOfColumns": 7,
"Operation": "ReportRunFromLightning",
"OwnerId": "000000000000000AA2",
"PolicyId": null,
"PolicyOutcome": null,
"QueriedEntities": "Customer_Account__c",
"Records": "{\"totalSize\":1000,\"done\":false,\"records\":[{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000123\",\"Name\":\"Sample Account 1\"},{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000124\",\"Name\":\"Sample Account 2\"}]}",
"RelatedEventIdentifier": null,
"ReportId": "987000000abc0004Q",
"RowsProcessed": 1050.0,
"Scope": "organization",
"Sequence": 1,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"attributes":
{
"type": "ReportEvent",
"url": "/services/data/v55.0/sobjects/ReportEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
Download
{
"channel": "/event/ReportEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"ColumnHeaders": "[CASE_NUMBER, CREATED_DATE, LAST_UPDATE, Case.BusinessUnit__c, Case.ProductMarket__c, Case.Market__c, OWNER, LAST_UPDATE_BY, STATUS, SUBJECT, Case.Brand__c, Case.Code__c]",
"CreatedDate": "2023-03-22T13:18:56.686+0000",
"DashboardId": null,
"DashboardName": null,
"Description": null,
"EvaluationTime": 0.0,
"EventDate": "2023-03-22T13:18:46.826+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"EventSource": "Lightning",
"ExecutionIdentifier": "8f831c68-3d87-4518-bb5b-c0550a2284d7",
"ExportFileFormat": null,
"Format": "Tabular",
"IsScheduled": false,
"LoginHistoryId": "000123000abc0004",
"LoginKey": "9870000000012300",
"Name": "Identify cases assigned to inactive user",
"NumberOfColumns": 12,
"Operation": "ReportExported",
"OwnerId": "0054J000004rPTUQA2",
"PolicyId": null,
"PolicyOutcome": null,
"QueriedEntities": "Customer_Account__c",
"Records": "{\"totalSize\":1000,\"done\":false,\"records\":[{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000123\",\"Name\":\"Sample Account 1\"},{\"attributes\":{\"type\":\"Account\"},\"Id\":\"0000G000000000124\",\"Name\":\"Sample Account 2\"}]}",
"RelatedEventIdentifier": null,
"ReportId": "987000000abc0004A",
"RowsProcessed": 20680.0,
"Scope": "organization",
"Sequence": 51,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"Username": "john@example.com",
"attributes":
{
"type": "ReportEvent",
"url": "/services/data/v55.0/sobjects/ReportEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Real-Time Event Monitoring ReportEventStream
Tracks report-related actions, such as when a user runs or exports a report.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"channel": "/event/UriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"CreatedDate": "2023-03-21T22:18:04.147+0000",
"EventDate": "2023-03-21T22:17:55.090+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"Message": null,
"Name": null,
"Operation": "Create",
"OperationStatus": "Success",
"QueriedEntities": "Customer_Account__c",
"RecordId": "000000000000123AbC",
"RelatedEventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"SessionKey": "9870000000012300",
"SessionLevel": "HIGH_ASSURANCE",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "UriEvent",
"url": "/services/data/v55.0/sobjects/UriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Read
{
"channel": "/event/UriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"CreatedDate": "2023-03-21T21:59:46.600+0000",
"EventDate": "2023-03-21T21:59:44.159+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"Message": null,
"Name": "2023 Customer Account Name",
"Operation": "Read",
"OperationStatus": "Success",
"QueriedEntities": "Customer_Account__c",
"RecordId": "000000000000123AbC",
"RelatedEventIdentifier": null,
"SessionKey": "9870000000012300",
"SessionLevel": "HIGH_ASSURANCE",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "UriEvent",
"url": "/services/data/v55.0/sobjects/UriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Update
{
"channel": "/event/UriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"CreatedDate": "2023-03-21T22:51:46.037+0000",
"EventDate": "2023-03-21T22:51:43.042+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"Message": null,
"Name": "Customer Account Name",
"Operation": "Update",
"OperationStatus": "Initiated",
"QueriedEntities": "Customer_Account__c",
"RecordId": "000000000000123AbC",
"RelatedEventIdentifier": null,
"SessionKey": "9870000000012300",
"SessionLevel": "HIGH_ASSURANCE",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "UriEvent",
"url": "/services/data/v55.0/sobjects/UriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"channel": "/event/UriEventStream",
"data":
{
"event":
{
"replayId": ""
},
"payload":
{
"CreatedDate": "2023-03-21T16:48:59.154+0000",
"EventDate": "2023-03-21T16:48:57.548+0000",
"EventIdentifier": "abcdefgh-1234-0000-0000-000000000001",
"LoginKey": "9870000000012300",
"Message": null,
"Name": "AppName-92601",
"Operation": "Delete",
"OperationStatus": "Initiated",
"QueriedEntities": "Customer_Account__c",
"RecordId": "000000000000123AbC",
"RelatedEventIdentifier": null,
"SessionKey": "9870000000012300",
"SessionLevel": "STANDARD",
"SourceIp": "198.51.100.1",
"UserId": "000000000000123AbC",
"UserType": "Standard",
"Username": "john@example.com",
"attributes":
{
"type": "UriEvent",
"url": "/services/data/v55.0/sobjects/UriEvent/000000000000000AAA"
}
},
"schema": "AppOmni"
}
}
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Real-Time Event Monitoring UriEventStream
Detects when a user creates, accesses, updates, or deletes a record in Salesforce Classic only.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create
{
"action": "createduser",
"delegate_user": null,
"display": "Created new user Bob Example",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-09T16:51:17+00:00"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Attribute Context
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update
{
"action": "changedemail",
"delegate_user": null,
"display": "Changed email for user Sally Example (UserID: [00500000000000A]) from john@example.com to alice@example.com",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "bob@example.com",
"sfdc_created_date": "2023-03-09T17:41:59+00:00"
}
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action": "createdgroup",
"delegate_user": null,
"display": "Created Public Group Finance",
"record_id": "000000000000123AbC",
"section": "Groups",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-09T18:14:43+00:00"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Update
{
"action": "updatedgroup",
"delegate_user": "john@example.com",
"display": "Updated Public Group API Group: Changed DoesIncludeBosses from 1 to 0",
"record_id": "000000000000123AbC",
"section": "Groups",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "alice@example.com",
"sfdc_created_date": "2023-03-07T13:18:30+00:00"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action": "deletedgroup",
"delegate_user": null,
"display": "Deleted Public Group Human_Resources",
"record_id": "000000000000123AbC",
"section": "Groups",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-09T18:17:00+00:00"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Add
{
"action": "groupMembership",
"delegate_user": null,
"display": "Changed membership of Group All Company Internal Users ",
"record_id": "000000000000123AbC",
"section": "Groups",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-09T19:15:35+00:00"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Remove
{
"action": "groupMembership",
"delegate_user": null,
"display": "Changed membership of Group All Company Internal Users ",
"record_id": "000000000000123AbC",
"section": "Groups",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-09T19:15:35+00:00"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Role Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action": "profileClonedStandard",
"delegate_user": null,
"display": "Created profile cloned_system_admin: Cloned from profile System Administrator",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-09T21:16:28+00:00"
}
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Attribute Context
-
Target Role Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Update
{
"action": "SetupEntityAccessAudit_Profile_ConnectedApplication_EnabledStandard",
"delegate_user": null,
"display": "Changed profile System Administrator: SEAM connected app is enabled",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-09T18:56:52+00:00"
}
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Role Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"action": "PermSetEnableUserPerm",
"delegate_user": null,
"display": "Changed permission set App_Service_User: View All Users permission was changed from disabled to enabled",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "bob@example.com",
"sfdc_created_date": "2023-03-08T18:43:00+00:00"
}
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Remove
{
"action": "PermSetDisableUserPerm",
"delegate_user": null,
"display": "Changed permission set Management: View All Data permission was changed from enabled to disabled",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "alice@example.com",
"sfdc_created_date": "2023-03-09T08:59:49+00:00"
}
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Username
-
Enrollment Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"action": "insertAuthenticatorPairing",
"delegate_user": null,
"display": "Salesforce Authenticator pairing \"Salesforce Authenticator Pairing\" added for john@example.com",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-10T14:04:29+00:00"
}
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Username
-
Enrollment Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Remove
{
"action": "deleteTwoFactorInfo2",
"delegate_user": null,
"display": "Time-Based Token removed for john@example.com",
"record_id": "000000000000123AbC",
"section": "Manage Users",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-10T13:35:40+00:00"
}
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Configuration / Setting Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Create
{
"action": "tenantSecretCreated",
"delegate_user": null,
"display": "Generated tenant secret: Key version 1",
"record_id": "000000000000123AbC",
"section": "Platform Encryption",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-15T07:14:10+00:00"
}
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Configuration / Setting Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Update
{
"action": "passwordexpiry",
"delegate_user": null,
"display": "Changed password expiry policy from 90 days to 180 days",
"record_id": "000000000000123AbC",
"section": "Password Policies",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-15T13:11:50+00:00"
}
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Configuration / Setting Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Delete
{
"action": "deletedLoginIpRange_withProfile",
"delegate_user": null,
"display": "Deleted Login Ip Range to Read-Only HR User from 198.51.100.1 to 198.51.100.2",
"record_id": "000000000000123AbC",
"section": null,
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-15T09:50:12+00:00"
}
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action": "installedpackagingapp",
"delegate_user": null,
"display": "Installed AppExchange package: AppName",
"record_id": "000000000000123AbC",
"section": "Custom Apps",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-15T03:55:58+00:00"
}
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
Update
{
"action": "upgradedpackagingapp",
"delegate_user": null,
"display": "Upgraded AppExchange package: Vendor_App",
"record_id": "000000000000123AbC",
"section": "Custom Apps",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-15T13:17:28+00:00"
}
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action": "uninstalledpackagingapp",
"delegate_user": null,
"display": "Uninstalled AppExchange package: Sales_App_Name",
"record_id": "000000000000123AbC",
"section": "Custom Apps",
"sfdc_created_by_id": "000000000000123AbC",
"sfdc_created_by_name": "John Doe",
"sfdc_created_by_username": "john@example.com",
"sfdc_created_date": "2023-03-14T14:50:28+00:00"
}
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
SetupAuditTrail
The SetupAuditTrail object provides an audit trail of changes to user profiles, permission sets, security settings, custom objects, and other settings.
References
Retention Details
Storage Duration: 180 Days
N/A
Latency Details
Duration: Real-Time
N/A
Product Details
Salesforce is a cloud-based customer relationship management (CRM) platform. It is designed to help organizations manage their customer relationships, sales processes, marketing activities, and more. Salesforce audit logs are collected via objects, namely the SetupAuditTrail object, EventLogFile object, or Real-Time Event Monitoring objects. These objects are accessible via the Salesforce API. Salesforce supports a wide range of APIs, however with regards to audit logs, the primary APIs include the REST API, SOAP API, or Streaming API.
REST API
A REST interface that can be used to access Salesforce data without using the Salesforce user interface
SOAP API
An interface that can be used to access Salesforce data using the SOAP protocol
References
Streaming API
An API that provides a subscription mechanism for receiving events in near real-time
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Update
{
"documentkey": "34abc1234abc1234abc1234abc1234ab",
"fieldname": "u_date_last_risk_updated",
"newvalue": "2024-04-22 13:45:41",
"oldvalue": "2024-04-22 13:04:27",
"reason": null,
"sys_created_by": "system",
"sys_created_on": "2024-04-22 13:45:41",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"tablename": "demo_table",
"user": "system"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Delete
{
"documentkey": "34abc1234abc1234abc1234abc1234ab",
"fieldname": "DELETED",
"newvalue": "DELETED",
"oldvalue": "DELETED",
"reason": null,
"sys_created_by": "system",
"sys_created_on": "2024-04-22 14:21:25",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"tablename": "demo_table",
"user": "system"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Audit Events
ServiceNow audit events track changes to records in audited tables.
References
Retention Details
Storage Duration: Infinite
Can be changed by an instance admin.
Latency Details
Duration: Near Real-Time
Can be changed by an instance admin.
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
-
Resource Metadata
Download
{
"classification": null,
"event": "34abc1234abc1234abc1234abc1234ab",
"records": "28",
"size": "7019",
"sys_class_name": "isc_export_event",
"sys_created_on": "2024-04-16 17:06:11",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"table": "task",
"user": "234abc1234abc1234abc1234abc1234a",
"user_name": "admin"
}Export Events
ServiceNow Instance Security Center export events track UI exports of record data.
References
Retention Details
Storage Duration: Infinite
Can be changed by an instance admin.
Latency Details
Duration: Near Real-Time
Can be changed by an instance admin.
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add
{
"changed_by": "c706140d1b6379909f22e2eb234bcbed",
"changed_by.name": null,
"granted_by_group": "befe683c13fe07001e9ef107d144b022",
"granted_by_group.name": null,
"operation": "Added",
"role": "12e63637b7cb001004aae3fdde11a9bd",
"role.name": null,
"sys_created_on": "2024-04-19 18:30:54",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"user": "234abc1234abc1234abc1234abc1234a",
"user.name": null
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add
{
"changed_by": "9afadc375b33120088236ede91f91a5b",
"changed_by.name": null,
"granted_by_group": null,
"granted_by_group.name": null,
"operation": "Removed",
"role": "417b3f710b03120025666f3ef6673a98",
"role.name": null,
"sys_created_on": "2024-04-17 17:54:47",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"user": "234abc1234abc1234abc1234abc1234a",
"user.name": null
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Role Audit Events
The ServiceNow role audit table contains user role assignments.
References
Retention Details
Storage Duration: Infinite
Can be changed by an instance admin.
Latency Details
Duration: Near Real-Time
Can be changed by an instance admin.
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Login
{
"instance": "1234abc1234abc1234abc1234abc1234",
"name": "login",
"parm1": "admin",
"parm2": "198.51.100.1",
"sys_created_by": "admin",
"sys_created_on": "2024-04-15 15:20:07",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-15 15:20:17",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
IP Address
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Logout
{
"instance": "1234abc1234abc1234abc1234abc1234",
"name": "logout",
"parm1": "admin",
"parm2": "198.51.100.1",
"sys_created_by": "guest",
"sys_created_on": "2024-04-15 16:01:53",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-15 16:02:04",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "guest"
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create
{
"instance": null,
"name": "sys_user.insert",
"parm1": "5d7e55b69721021096f8ba6de053aff1",
"parm2": null,
"sys_created_by": "admin",
"sys_created_on": "2024-04-17 13:58:12",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-17 13:58:23",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read
{
"instance": "1234abc1234abc1234abc1234abc1234",
"name": "user.view",
"parm1": null,
"parm2": null,
"sys_created_by": "admin",
"sys_created_on": "2024-04-15 15:52:58",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-15 15:53:01",
"table": "sys_properties",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Delete
{
"instance": null,
"name": "sys_user.delete",
"parm1": "71826bf03710200044e0bfc8bcbe5d3b",
"parm2": null,
"sys_created_by": "admin",
"sys_created_on": "2024-04-17 13:57:47",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-17 13:57:51",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Update
{
"instance": null,
"name": "cmdb.group.modified",
"parm1": "32f097e7934d4a109a3afea47aba10a5",
"parm2": "update",
"sys_created_by": "admin",
"sys_created_on": "2024-03-26 09:50:23",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-03-26 09:50:53",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Delete
{
"instance": null,
"name": "cmdb.group.modified",
"parm1": "32f097e7934d4a109a3afea47aba10a5",
"parm2": "update",
"sys_created_by": "admin",
"sys_created_on": "2024-03-26 09:50:23",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-03-26 09:50:53",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Add
{
"instance": null,
"name": "sn_change_cab.group_member.added",
"parm1": "5408091a3b100300e81d47b334efc452",
"parm2": "d5fe9df69721021096f8ba6de053af69",
"sys_created_by": "admin",
"sys_created_on": "2024-04-17 14:01:27",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-17 14:01:32",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove
{
"instance": null,
"name": "sn_change_cab.group_member.removed",
"parm1": "5408091a3b100300e81d47b334efc452",
"parm2": "d5fe9df69721021096f8ba6de053af69",
"sys_created_by": "admin",
"sys_created_on": "2024-04-17 14:02:06",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-17 14:02:14",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "admin"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
Unsupported
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Update
{
"instance": null,
"name": "security.elevated_role.enabled",
"parm1": "A509500",
"parm2": "security_admin",
"sys_created_by": "A509500",
"sys_created_on": "2024-04-13 05:14:33",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-13 05:14:46",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "A509500"
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Create
{
"instance": "1234abc1234abc1234abc1234abc1234",
"name": "sn_itsm_va.incident.comments.added",
"parm1": "INC012029997",
"parm2": "0123401234",
"sys_created_by": "0123401234",
"sys_created_on": "2024-04-22 15:33:41",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-22 15:33:47",
"table": "incident",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "0123401234"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Read
{
"instance": "1234abc1234abc1234abc1234abc1234",
"name": "report.view",
"parm1": "682",
"parm2": "9de87927dbdd32041436feb5ae961917",
"sys_created_by": "0123401234",
"sys_created_on": "2024-04-16 17:34:21",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-16 17:34:22",
"table": "sys_report",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "0123401234"
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Update
{
"instance": "1234abc1234abc1234abc1234abc1234",
"name": "live_feed.update",
"parm1": "[work_notes, business_duration, calendar_duration]",
"parm2": "9",
"sys_created_by": "servicenow_sync",
"sys_created_on": "2024-04-16 14:03:45",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-16 14:03:50",
"table": "incident",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "servicenow_sync"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Delete
{
"instance": "1234abc1234abc1234abc1234abc1234",
"name": "attachment.deleted",
"parm1": "sys_attachment",
"parm2": "93125c9a87254ad0aeb2dc273cbb35ea",
"sys_created_by": "012340123",
"sys_created_on": "2024-04-19 16:54:11",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-19 16:54:20",
"table": "",
"user_id": "34abc1234abc1234abc1234abc1234ab",
"user_name": "012340123"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
Unsupported
-
Event ID
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
-
Resource Metadata
Download
{
"instance": null,
"name": "snc.subscription.download.completed",
"parm1": null,
"parm2": null,
"sys_created_by": "system",
"sys_created_on": "2024-04-21 07:09:16",
"sys_id": "abc1234abc1234abc1234abc1234abc1",
"sys_updated_by": "system",
"sys_updated_on": "2024-04-21 07:09:31",
"table": "",
"user_id": "system",
"user_name": "system"
}System Events
ServiceNow system events are generated by pre-defined scripted triggers when users perform actions in the system.
References
Retention Details
Storage Duration: Infinite
Can be changed by an instance admin.
Latency Details
Duration: Near Real-Time
Can be changed by an instance admin.
Product Details
ServiceNow is a cloud-based platform that provides IT service management (ITSM) software solutions. It offers a range of services including incident management, problem management, change management, and asset management.
Audit Events
ServiceNow audit events track changes to records in audited tables.
Role Audit Events
The ServiceNow role audit table contains user role assignments.
References
System Events
ServiceNow system events are generated by pre-defined scripted triggers when users perform actions in the system.
References
Export Events
ServiceNow Instance Security Center export events track UI exports of record data.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"action": "user_login",
"actor":
{
"type": "user",
"user":
{
"email": "alice@example.com",
"id": "U0123456ABC",
"name": "Alice Brown",
"team": "01CDEFGHI"
}
},
"context":
{
"ip_address": "198.51.100.2",
"location":
{
"domain": "acme",
"id": "ETFABCDEF",
"name": "Acme",
"type": "workspace"
},
"session_id": 5267511593910,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5_0) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.33.84 Chrome/114.0.5735.134 Electron/25.2.0 Safari/537.36 AppleSilicon Sonic Slack_SSB/4.33.84"
},
"date_create": 1692033908,
"details": null,
"entity":
{
"type": "user",
"user":
{
"email": "alice@example.com",
"id": "U0123456ABC",
"name": "Alice Brown",
"team": "01CDEFGHI"
}
},
"id": "44a8993d-0000-abcd-1e2f-9e7accba9876"
}Failure
{
"action": "user_login_failed",
"actor":
{
"type": "user",
"user":
{
"email": "john@example.com",
"id": "U0123456ABC",
"name": "John Doe",
"team": "01CDEFGHI"
}
},
"context":
{
"ip_address": "198.51.100.1",
"location":
{
"domain": "acme",
"id": "ETFABCDEF",
"name": "Acme",
"type": "enterprise"
},
"session_id": null,
"ua": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"date_create": 1692033735,
"details": null,
"entity":
{
"type": "user",
"user":
{
"email": "john@example.com",
"id": "U0123456ABC",
"name": "John Doe",
"team": "01CDEFGHI"
}
},
"id": "44a8993d-0000-abcd-1e2f-9e7accba9876"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "user_logout",
"actor":
{
"type": "user",
"user":
{
"email": "bob@example.com",
"id": "U0123456ABC",
"name": "Bob Smith",
"team": "01CDEFGHI"
}
},
"context":
{
"ip_address": "198.51.100.3",
"location":
{
"domain": "acme",
"id": "ETFABCDEF",
"name": "Acme",
"type": "workspace"
},
"session_id": null,
"ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
},
"date_create": 1692033072,
"details": null,
"entity":
{
"type": "user",
"user":
{
"email": "bob@example.com",
"id": "U0123456ABC",
"name": "Bob Smith",
"team": "01CDEFGHI"
}
},
"id": "44a8993d-0000-abcd-1e2f-9e7accba9876"
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Member
{
"action": "user_created",
"actor":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U1A1AABCD",
"name": "Jane Miller",
"team": "T00111AA2"
}
},
"context":
{
"ip_address": "198.51.100.5",
"location":
{
"domain": "acme",
"id": "T00111AA2",
"name": "Acme",
"type": "workspace"
},
"session_id": 5750000001234,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5_0) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.33.84 Chrome/114.0.5735.134 Electron/25.2.0 Safari/537.36 AppleSilicon Sonic Slack_SSB/4.33.84"
},
"date_create": 1691752039,
"details": null,
"entity":
{
"type": "user",
"user":
{
"email": "bob@example.com",
"id": "U01AA2B2CAA",
"name": "Bob Smith",
"team": "T00111AA2"
}
},
"id": "18ab534a-0000-4100-a123-aa12bb32ff35"
}Guest
{
"action": "guest_created",
"actor":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U1A1AABCD",
"name": "Jane Miller",
"team": "T02511RD4"
}
},
"context":
{
"ip_address": "198.51.100.5",
"location":
{
"domain": "acme",
"id": "T00111AA2",
"name": "Acme",
"type": "workspace"
},
"session_id": 5750000001234,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"date_create": 1691777609,
"details": null,
"entity":
{
"type": "user",
"user":
{
"email": "alice@ext.example.com",
"id": "U01AA2B1CAA",
"name": "Alice Brown",
"team": "T00111AA2"
}
},
"id": "18ab534a-0000-4100-a123-aa12bb32ff35"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
-
Target Attribute Context
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "user_profile_updated",
"actor":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U7A1SSBCD",
"name": "Jane Miller",
"team": "T00111AA2"
}
},
"context":
{
"app":
{
"creator": "U1A2ABCDE",
"id": "A1A4ABCDE5",
"name": "Okta",
"scopes":
[],
"scopes_bot":
[],
"team": "T00111AA2"
},
"ip_address": "198.51.100.5",
"location":
{
"domain": "acme",
"id": "T00111AA2",
"name": "Acme",
"type": "workspace"
},
"session_id": 5750000001234,
"ua": "OKTA Slack Integration"
},
"date_create": 1692023286,
"details":
{
"new_profile":
{
"first_name": "Janet",
"real_name": "Janet Miller"
},
"previous_profile":
{
"first_name": "Jane",
"real_name": "Jane Miller"
}
},
"entity":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U7A1SSBCD",
"name": "Jane Miller",
"team": "T00111AA2"
}
},
"id": "18ab534a-0000-4100-a123-aa12bb32ff35"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "user_deactivated",
"actor":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U7A1SSBCD",
"name": "Jane Miller",
"team": "T00111AA2"
}
},
"context":
{
"ip_address": "198.51.100.5",
"location":
{
"domain": "acme",
"id": "T00111AA2",
"name": "Acme",
"type": "workspace"
},
"session_id": 5750000001234,
"ua": "OKTA Slack Integration"
},
"date_create": 1691800883,
"details": null,
"entity":
{
"type": "user",
"user":
{
"email": "bob@example.com",
"id": "U05MA2B2CAA",
"name": "Bob Smith",
"team": "T00111AA2"
}
},
"id": "18ab534a-0000-4100-a123-aa12bb32ff35"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Target Group Name
Success
{
"action": "user_added_to_usergroup",
"actor":
{
"type": "user",
"user":
{
"email": "john@example.com",
"id": "U03EABCDE0A",
"name": "John Doe",
"team": "A01111TD4"
}
},
"context":
{
"ip_address": "198.51.100.1",
"location":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme",
"type": "workspace"
},
"session_id": 5690023232312,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5_0) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.33.84 Chrome/114.0.5735.134 Electron/25.2.0 Safari/537.36"
},
"date_create": 1691766194,
"details":
{
"inviter":
{
"type": "user",
"user":
{
"email": "mallory@example.com",
"id": "A01AAB1A5",
"name": "Mallory Jones",
"team": "A01111TD4"
}
},
"type": "INVITED"
},
"entity":
{
"type": "usergroup",
"usergroup":
{
"id": "S02ABABCDA3",
"name": "Developers"
}
},
"id": "1c0c1a15-5a11-4ac1-97a9-123fafa3f000"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "user_removed_from_usergroup",
"actor":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U01AB2C34EA",
"name": "Jane Miller",
"team": "A01111TD4"
}
},
"context":
{
"ip_address": "198.51.100.2",
"location":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme",
"type": "workspace"
},
"session_id": 1231123412345,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"date_create": 1692042606,
"details":
{
"kicker":
{
"type": "user",
"user":
{
"email": "bob@example.com",
"id": "U0AA1BBC2AB",
"name": "Bob Smith",
"team": "A01111TD4"
}
},
"type": "KICKED"
},
"entity":
{
"type": "usergroup",
"usergroup":
{
"id": "S01ABABCDA3",
"name": "Developers"
}
},
"id": "fde9d000-a1b2-3cc4-0000-aed1e3123f10"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Assign_role
{
"action": "role_assigned",
"actor":
{
"type": "user",
"user":
{
"email": "Mallory@example.com",
"id": "A012ABCDEFG",
"name": "Mallory Jones",
"team": "A01111TD4"
}
},
"context":
{
"ip_address": "198.51.100.5",
"location":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme",
"type": "enterprise"
},
"session_id": 5000189189123,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"date_create": 1691650836,
"details":
{
"target_entity": "A01111TD4",
"target_user": "A01B56012"
},
"entity":
{
"role":
{
"id": "Rl0E",
"name": "Message Activity Manager",
"type": "0"
},
"type": "role"
},
"id": "00dba123-63a1-4564-bb11-000dd2140ae0"
}Assign_admin
{
"action": "role_change_to_admin",
"actor":
{
"type": "user",
"user":
{
"email": "alice@example.com",
"id": "A012BCDDAB",
"name": "Alice Brown",
"team": "A01111TD4"
}
},
"context":
{
"ip_address": "198.51.100.4",
"location":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme",
"type": "workspace"
},
"session_id": 5000109189123,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"date_create": 1692081890,
"details": null,
"entity":
{
"type": "user",
"user":
{
"email": "john@example.com",
"id": "U01AAAB33QT",
"name": "John Doe",
"team": "A01111TD4"
}
},
"id": "a940a000-a0d0-00df-a123-b8b899ca6e31"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "permissions_removed",
"actor":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U01A2ABCDAB",
"name": "Jane Miller",
"team": "A01111TD4"
}
},
"context":
{
"ip_address": "198.51.100.5",
"location":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme",
"type": "workspace"
},
"session_id": 5750000001234,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"date_create": 1692096526,
"details":
{
"changed_permissions":
[
"CREATE_PRIVATE_CHANNEL"
],
"target_entity_id": "A01111TD4"
},
"entity":
{
"account_type_role":
{
"id": 1003,
"name": "MULTI_CHANNEL_GUEST"
},
"type": "account_type_role"
},
"id": "036ccefd-0000-abcd-bb11-000dd2140ae0"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Target Username
-
Enrollment Type
Success
{
"action": "pref.two_factor_auth_changed",
"actor":
{
"type": "user",
"user":
{
"email": "john@example.com",
"id": "U01A2ABCDNG",
"name": "John Doe",
"team": "A01111TD4"
}
},
"context":
{
"ip_address": "198.51.100.2",
"location":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme",
"type": "workspace"
},
"session_id": 1233443505954,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.1 Safari/537.36"
},
"date_create": 1657550802,
"details":
{
"new_value": "TWO_FACTOR_ENABLED",
"previous_value": "TWO_FACTOR_DISABLED"
},
"entity":
{
"type": "workspace",
"workspace":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme"
}
},
"id": "1234f70-0fb0-00b1-00eb-95ab9a123d12"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Target Username
-
Enrollment Type
Success
{
"action": "pref.two_factor_auth_changed",
"actor":
{
"type": "user",
"user":
{
"email": "john@example.com",
"id": "U01A2ABCDNG",
"name": "John Doe",
"team": "A01111TD4"
}
},
"context":
{
"ip_address": "198.51.100.2",
"location":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme",
"type": "workspace"
},
"session_id": 1234443505912,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.1 Safari/537.36"
},
"date_create": 1657550802,
"details":
{
"new_value": "TWO_FACTOR_DISABLED",
"previous_value": "TWO_FACTOR_ENABLED"
},
"entity":
{
"type": "workspace",
"workspace":
{
"domain": "acme",
"id": "A01111TD4",
"name": "Acme"
}
},
"id": "1234f70-0fb0-00b1-00eb-95ab9a123d12"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "team_authorized_ip_range_set",
"actor":
{
"type": "user",
"user":
{
"email": "mallory@example.com",
"id": "U01ABCA1AAD",
"name": "Mallory Jones",
"team": "E0123DTABCDE"
}
},
"context":
{
"ip_address": "198.51.100.4",
"location":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme",
"type": "enterprise"
},
"session_id": 1005842004704,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"date_create": 1693253017,
"details":
{
"ip_ranges":
[
"1.2.3.4/32"
]
},
"entity":
{
"enterprise":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme"
},
"type": "enterprise"
},
"id": "be00a00b-3200-4400-8ab0-000de3868a03"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Change_sso
{
"action": "pref.sso_setting_changed",
"actor":
{
"type": "user",
"user":
{
"email": "john@example.com",
"id": "U01ABCA1AAA",
"name": "John Doe",
"team": "E0123DTABCDE"
}
},
"context":
{
"ip_address": "198.51.100.1",
"location":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme",
"type": "enterprise"
},
"session_id": 1005842004700,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"date_create": 1693253139,
"details":
{
"new_value": "SSO_REQUIRED",
"previous_value": "SSO_REQUIRED_EXCEPT_GUESTS"
},
"entity":
{
"enterprise":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme"
},
"type": "enterprise"
},
"id": "be00a00b-3200-4400-8ab0-000de3868a00"
}Unapproved_ip
{
"action": "pref.block_file_download_for_unapproved_ip",
"actor":
{
"type": "user",
"user":
{
"email": "alice@example.com",
"id": "U01ABCA1AAB",
"name": "Alice Brown",
"team": "E0123DTABCDE"
}
},
"context":
{
"ip_address": "198.51.100.2",
"location":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme",
"type": "enterprise"
},
"session_id": 1005842004701,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"date_create": 1693253017,
"details":
{
"new_value": true,
"previous_value": false
},
"entity":
{
"enterprise":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme"
},
"type": "enterprise"
},
"id": "be00a00b-3200-4400-8ab0-000de3868a001"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "team_authorized_ip_range_set",
"actor":
{
"type": "user",
"user":
{
"email": "bob@example.com",
"id": "U01ABCA1AAC",
"name": "Bob Smith",
"team": "E0123DTABCDE"
}
},
"context":
{
"ip_address": "198.51.100.3",
"location":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme",
"type": "enterprise"
},
"session_id": 1005842004702,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"date_create": 1693253039,
"details":
{
"ip_ranges":
[]
},
"entity":
{
"enterprise":
{
"domain": "acme",
"id": "E0123DTABCDE",
"name": "Acme"
},
"type": "enterprise"
},
"id": "be00a00b-3200-4400-8ab0-000de3868a02"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "app_installed",
"actor":
{
"type": "user",
"user":
{
"email": "mallory@example.com",
"id": "U05ABC123EF",
"name": "Mallory Jones",
"team": "T01234AB5"
}
},
"context":
{
"ip_address": "198.51.100.3",
"location":
{
"domain": "acme",
"id": "T01234AB5",
"name": "Acme",
"type": "workspace"
},
"session_id": 5123453809333,
"ua": "java-http/10.2.10"
},
"date_create": 1692199107,
"details":
{
"is_internal_integration": false,
"is_token_rotation_enabled_app": false
},
"entity":
{
"app":
{
"id": "A01234567AB",
"is_directory_approved": true,
"is_distributed": true,
"is_workflow_app": false,
"name": "Sample App",
"scopes":
[
"channels:read",
"groups:read",
"links:read",
"links:write"
]
},
"type": "app"
},
"id": "51d1abc1-0000-Ae1B-c2d3-65b5b0000a12"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Configuration / Setting Name
Success
{
"action": "app_scopes_expanded",
"actor":
{
"type": "user",
"user":
{
"email": "mallory@example.com",
"id": "U05ABC123EF",
"name": "Mallory Jones",
"team": "T01234AB5"
}
},
"context":
{
"ip_address": "198.51.100.3",
"location":
{
"domain": "acme",
"id": "T01234AB5",
"name": "Acme",
"type": "enterprise"
},
"session_id": 5123453809333,
"ua": "@slack:web-api/6.8.1 node/18.16.1 linux/5.10.162+"
},
"date_create": 1692192765,
"details":
{
"granular_bot_token": true,
"is_internal_integration": false,
"is_token_rotation_enabled_app": false,
"new_scopes":
[
"app_mentions:read",
"channels:read",
"chat:write",
"chat:write.public",
"commands",
"files:read",
"files:write",
"groups:read",
"im:read",
"im:write",
"links:read",
"links:write",
"mpim:read",
"remote_files:read",
"remote_files:share",
"remote_files:write",
"team:read",
"users:read",
"users:read.email"
],
"previous_scopes":
[
"app_mentions:read",
"channels:read",
"chat:write.public",
"commands",
"files:read",
"files:write",
"groups:read",
"im:read",
"im:write",
"links:read",
"remote_files:read",
"remote_files:share"
]
},
"entity":
{
"app":
{
"id": "A01234567AB",
"is_directory_approved": true,
"is_distributed": true,
"is_workflow_app": false,
"name": "Sample App",
"scopes":
[
"app_mentions:read",
"channels:read",
"chat:write",
"chat:write.public",
"commands",
"files:read",
"files:write",
"groups:read",
"im:read",
"im:write",
"links:read",
"links:write",
"mpim:read",
"remote_files:read",
"remote_files:share",
"remote_files:write",
"team:read",
"users:read",
"users:read.email"
]
},
"type": "app"
},
"id": "51d1abc1-0000-Ae1B-c2d3-65b5b0000a12"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "app_uninstalled",
"actor":
{
"type": "user",
"user":
{
"email": "mallory@example.com",
"id": "U05ABC123EF",
"name": "Mallory Jones",
"team": "T01234AB5"
}
},
"context":
{
"ip_address": "198.51.100.3",
"location":
{
"domain": "acme",
"id": "T01234AB5",
"name": "Acme",
"type": "workspace"
},
"session_id": 5123453809333,
"ua": "sample-api (workflow builder)"
},
"date_create": 1692197604,
"details": null,
"entity":
{
"app":
{
"id": "A01234567AB",
"is_directory_approved": false,
"is_distributed": false,
"is_workflow_app": true,
"name": "Sample App",
"scopes":
[
"bot"
]
},
"type": "app"
},
"id": "51d1abc1-0000-Ae1B-c2d3-65b5b0000a12"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "file_uploaded",
"actor":
{
"type": "user",
"user":
{
"email": "alice@example.com",
"id": "U01ABA99AB1",
"name": "Alice Brown",
"team": "ATBSDEF001"
}
},
"context":
{
"ip_address": "198.51.100.1",
"location":
{
"domain": "acme",
"id": "ATBSDEF001",
"name": "Acme",
"type": "enterprise"
},
"session_id": 5700000123450,
"ua": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
},
"date_create": 1692201912,
"details": null,
"entity":
{
"file":
{
"filetype": "",
"id": "F01N2AAB3CD",
"name": "image.png",
"title": "image.png"
},
"type": "file"
},
"id": "0ab1d7aa-00dc-0ef0-a0b1-0011a55ff12e"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "public_channel_converted_to_private",
"actor":
{
"type": "user",
"user":
{
"email": "jane@example.com",
"id": "U01ABA99AB1",
"name": "Jane Miller",
"team": "ATBSDEF001"
}
},
"context":
{
"ip_address": "198.51.100.4",
"location":
{
"domain": "acme",
"id": "ATBSDEF001",
"name": "Acme",
"type": "enterprise"
},
"session_id": 5700000123454,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
},
"date_create": 1693247607,
"details": null,
"entity":
{
"channel":
{
"id": "C01A2AABC00",
"is_org_shared": false,
"is_shared": false,
"name": "test-channel",
"privacy": "private"
},
"type": "channel"
},
"id": "0ab1d7aa-00dc-0ef0-a0b1-0011a55ff121"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "file_deleted",
"actor":
{
"type": "user",
"user":
{
"email": "bob@example.com",
"id": "U01ABA99AB2",
"name": "Bob Smith",
"team": "ATBSDEF001"
}
},
"context":
{
"ip_address": "198.51.100.2",
"location":
{
"domain": "acme",
"id": "ATBSDEF001",
"name": "Acme",
"type": "enterprise"
},
"session_id": 5700000123451,
"ua": "slack/23.08.20.0.90012549 (Google Pixel 4a; Android 13)"
},
"date_create": 1692202048,
"details": null,
"entity":
{
"file":
{
"filetype": "audio/mp4",
"id": "F01A2AAB3A1",
"name": "audio_clip.m4a",
"title": "Audio Clip.m4a"
},
"type": "file"
},
"id": "0ab1d7aa-00dc-0ef0-a0b1-0011a55ff12a"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
Device/Client Type
-
Resource Metadata
Success
{
"action": "file_downloaded",
"actor":
{
"type": "user",
"user":
{
"email": "mallory@example.com",
"id": "U01ABA99AB3",
"name": "Mallory Jones",
"team": "ATBSDEF001"
}
},
"context":
{
"ip_address": "198.51.100.3",
"location":
{
"domain": "acme",
"id": "ATBSDEF001",
"name": "Acme",
"type": "enterprise"
},
"session_id": 5700000123453,
"ua": "Mozilla/5.0 (Windows NT 10.0.22621; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.33.84 Chrome/114.0.5735.134 Safari/537.36"
},
"date_create": 1692202187,
"details":
{
"url_private": "https://files.slack.com/files/ATBSDEF001-F01A2AABCAA/dataset.xlsx"
},
"entity":
{
"file":
{
"filetype": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
"id": "F01A2AABCAA",
"name": "dataset.xlsx",
"title": "dataset.xlsx"
},
"type": "file"
},
"id": "0ab1d7aa-00dc-0ef0-a0b1-0011a55ff12b"
}
Enterprise Audit Logs
Slack enterprise audit logs that provide an audit trail of user and system activity.
References
Retention Details
Storage Duration: Default 90 days
Can be customized
Latency Details
Duration: Near real-time
Can be customized
Product Details
Slack is a cloud-based collaboration platform that facilitates communication between individuals and groups through channels, direct messaging, file sharing, and integrations with third-party applications. The Slack Audit Logs API allows organizations to access and retrieve audit logs related to user activity and security events within their Slack workspaces.
Enterprise Events
Documentation on collecting events from the Audit Logs API
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
IP Address
-
Device/Client Type
-
Credential Context
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Failure Context
-
Identity Service Provider Context
Success
{
"CLIENT_IP": "12.3.4.56",
"CONNECTION": null,
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EVENT_ID": "53754033158915655",
"EVENT_TIMESTAMP": "1717764280.813000",
"EVENT_TYPE": "LOGIN",
"FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
"IS_SUCCESS": "YES",
"RELATED_EVENT_ID": "0",
"REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
"REPORTED_CLIENT_VERSION": "3.14.1",
"SECOND_AUTHENTICATION_FACTOR": null,
"USER_NAME": "bruce-wayne"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
IP Address
-
Device/Client Type
-
Verification Method
-
Verification Flagged
Unsupported
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Activity Performed
Success
{
"CLIENT_IP": "12.3.4.56",
"CONNECTION": null,
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EVENT_ID": "12042414114134585",
"EVENT_TIMESTAMP": "1717633886.401000",
"EVENT_TYPE": "LOGIN",
"FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION",
"IS_SUCCESS": "YES",
"RELATED_EVENT_ID": "0",
"REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
"REPORTED_CLIENT_VERSION": "20240605173119",
"SECOND_AUTHENTICATION_FACTOR": "DUO_PASSCODE",
"USER_NAME": "bruce-wayne"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Login History
This Account Usage view can be used to query login attempts by Snowflake users within the last 365 days (1 year).
References
Retention Details
Storage Duration: 365 days
No comments
Latency Details
Duration: up to 120 minutes
No comments
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Username
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "90",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "29",
"CREDITS_USED_CLOUD_SERVICES": "3.9999999999999998e-06",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717698436.337000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "1",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "15c1fa5cbdce6f6c0cd15c1fac1fac1fa",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d553-0000-83bf-0000-151118855e511e",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "15c1fa5cb15c1fa5cb15c1fa5cb",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "CREATE USER IF NOT EXISTS bruce-wayne DEFAULT_ROLE \u003d bruce-wayne-role RSA_PUBLIC_KEY <redacted>",
"QUERY_TYPE": "CREATE_USER",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "471516516265151",
"START_TIME": "1717698436.307000",
"TOTAL_ELAPSED_TIME": "30",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "5",
"WAREHOUSE_NAME": "BATMAN_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Username
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "90",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "29",
"CREDITS_USED_CLOUD_SERVICES": "3.9999999999999998e-06",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717698436.337000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "1",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "15c1fa5cbdce6f6c0cd15c1fac1fac1fa",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d553-0000-83bf-0000-151118855e511e",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "15c1fa5cb15c1fa5cb15c1fa5cb",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "SHOW USERS LIKE 'bruce-wayne'",
"QUERY_TYPE": "SHOW",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "471516516265151",
"START_TIME": "1717698436.307000",
"TOTAL_ELAPSED_TIME": "30",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "5",
"WAREHOUSE_NAME": "BATMAN_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Username
-
Target Attribute Context
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "27",
"CREDITS_USED_CLOUD_SERVICES": "1.0000000000000001e-05",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717071413.029000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "38",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "39eabc39eabc39eabc39eabc39eabc",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4ac80-0000-83bf-0000-15165sdc5151",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "39eabc39eabc39eabc39eabc39eabc",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "ALTER USER bruce-wayne SET RSA_PUBLIC_KEY <redacted>;",
"QUERY_TYPE": "ALTER_USER",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "47121871234566",
"START_TIME": "1717071412.964000",
"TOTAL_ELAPSED_TIME": "65",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "10",
"WAREHOUSE_NAME": "BATMAN_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "515",
"CREDITS_USED_CLOUD_SERVICES": "8.7999999999999998e-05",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717685383.600000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "59",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "d55b6367d55b6367d55b6367d55b6367",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "44ed5de-0002-3f81-0001-44ed5de44ed5dee",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "d55b6367d55b6367d55b6367d55b6367",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "DROP USER THE_RIZZLER;",
"QUERY_TYPE": "DROP_USER",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "37937453123456",
"START_TIME": "1717685383.026000",
"TOTAL_ELAPSED_TIME": "574",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN@wayneenerprises.org",
"WAREHOUSE_ID": null,
"WAREHOUSE_NAME": null,
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": null
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Role Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "56",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "44",
"CREDITS_USED_CLOUD_SERVICES": "9.0000000000000002e-06",
"DATABASE_ID": "5",
"DATABASE_NAME": "GOTHAM_VILLAINS",
"END_TIME": "1717774231.234000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "19",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4da42-0509-r73t-0068-2j9d9v97eb",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "CREATE ROLE IF NOT EXISTS GEN1_VILLAINS;",
"QUERY_TYPE": "CREATE_ROLE",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": "21231",
"SCHEMA_NAME": "PUBLIC",
"SECONDARY_ROLE_STATS": "{\"roleNames\":[\"ALL\"],\"roleCount\":5,\"roleIds\":[65165172,66515276,4545415,516511637,16418111122]}",
"SESSION_ID": "29322881123456789",
"START_TIME": "1717774231.171000",
"TOTAL_ELAPSED_TIME": "63",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "350",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Role Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "56",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "44",
"CREDITS_USED_CLOUD_SERVICES": "9.0000000000000002e-06",
"DATABASE_ID": "5",
"DATABASE_NAME": "GOTHAM_VILLAINS",
"END_TIME": "1717774231.234000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "19",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4da42-0509-r73t-0068-2j9d9v97eb",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "SHOW ROLE LIKE 'GEN1_VILLAINS';",
"QUERY_TYPE": "SHOW",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": "21231",
"SCHEMA_NAME": "PUBLIC",
"SECONDARY_ROLE_STATS": "{\"roleNames\":[\"ALL\"],\"roleCount\":5,\"roleIds\":[65165172,66515276,4545415,516511637,16418111122]}",
"SESSION_ID": "29322881123456789",
"START_TIME": "1717774231.171000",
"TOTAL_ELAPSED_TIME": "63",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "350",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Attribute Context
-
Target Role Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "29",
"CREDITS_USED_CLOUD_SERVICES": "6.0000000000000002e-06",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717310018.697000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "13",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "1ed33b51ed33b51ed33b51ed33b51ed33b5563",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4bc09-5759-e717-002f-5fg5151g61d5f2",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "1ed33b51ed33b51ed33b51ed33b51ed33b5563",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "ALTER ROLE GEN1_VILLAINS SET\n COMMENT \u003d \u0027Role which will allow the creation\n and usage of schemas for the Villains\n database. \u0027\n ;",
"QUERY_TYPE": "ALTER_ROLE",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "1327056921651651",
"START_TIME": "1717310018.655000",
"TOTAL_ELAPSED_TIME": "42",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "1717309941535000000",
"USER_NAME": "BWAYNE@wayneenterprises.org",
"WAREHOUSE_ID": null,
"WAREHOUSE_NAME": null,
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": null
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Role Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "65",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "37",
"CREDITS_USED_CLOUD_SERVICES": "1.1e-05",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717763466.606000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "33",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "9eb3a1c55a7c89eb3a1c55a7c89eb3",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d98f-0002-55ge-0000-c5165v07e1c9ea",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "9eb3a1c55a7c89eb3a1c55a7c89eb3",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "DROP ROLE\tGEN1_VILLAINS\t;",
"QUERY_TYPE": "DROP_ROLE",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "218979017654987",
"START_TIME": "1717763466.536000",
"TOTAL_ELAPSED_TIME": "70",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": null,
"WAREHOUSE_NAME": null,
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": null
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Permission Name
-
Target Resource Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "19",
"CREDITS_USED_CLOUD_SERVICES": "7.9999999999999996e-06",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1716999270.704000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "36",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "fdac6a14c32fdac6a14c32fda",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4a7ce-0000-66gh-0000-65165115a3bda",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "fdac6a14c32fdac6a14c32fda",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "grant ownership on database VILLIANS_DB to role GOTHAM_ADMINS_ROLE copy current grants;",
"QUERY_TYPE": "GRANT",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "47121867651652",
"START_TIME": "1716999270.649000",
"TOTAL_ELAPSED_TIME": "55",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "1",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Permission Name
-
Target Resource Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "33",
"CREDITS_USED_CLOUD_SERVICES": "1.2999999999999999e-05",
"DATABASE_ID": "42",
"DATABASE_NAME": "VILLAINS_DB",
"END_TIME": "1717740555.193000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "49",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d811-0509-5f55-0068-2d034deb8633",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "gotham_metrics",
"QUERY_TEXT": "revoke REFERENCES on VILLAINS_DB.metadata from BRUCE_WAYNE_ROLE;",
"QUERY_TYPE": "REVOKE",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "ALFRED_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[\"ALL\"],\"roleCount\":4,\"roleIds\":[6321300,1516583209,174715153,1747651161]}",
"SESSION_ID": "2932288165432153",
"START_TIME": "1717740555.111000",
"TOTAL_ELAPSED_TIME": "82",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "97",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Target Username
-
Enrollment Type
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "15",
"CREDITS_USED_CLOUD_SERVICES": "3.0000000000000001e-06",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717514614.922000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "8",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4c95b-0000-83c0-1250-045151d18c90e",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "2fdac6a14c32fdac6a14c32fdac6a14c3",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "alter user bruce_wayne set DISABLE_MFA = true",
"QUERY_TYPE": "ALTER_USER",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "BRUCE_WAYNE_ROLE",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "4712199844410",
"START_TIME": "1717514614.899000",
"TOTAL_ELAPSED_TIME": "23",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "1",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "53",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "33",
"CREDITS_USED_CLOUD_SERVICES": "9.0000000000000002e-06",
"DATABASE_ID": "42",
"DATABASE_NAME": "WAYNE_DB",
"END_TIME": "1717510863.492000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "30",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "e36a8208cce536a8208cce5453f1165e1b7f09ca",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4c91d-4444-83bf-0000-566815187b52",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "e36a8208cce536a8208cce5453f1165e1b7f09ca",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "CREATE SECURITY INTEGRATION OAUTH_INTEGRATION\n TYPE \u003d oauth\n ENABLED \u003d true\n OAUTH_CLIENT \u003d custom\n OAUTH_CLIENT_TYPE\u003d \u0027CONFIDENTIAL\u0027\n OAUTH_REDIRECT_URI \u003d \u0027https://okta.io/redirect/tmp\u0027\n OAUTH_ISSUE_REFRESH_TOKENS \u003d true\n OAUTH_REFRESH_TOKEN_VALIDITY \u003d 259200 // 3 days\n BLOCKED_ROLES_LIST \u003d (\n \u0027SYSADMIN\u0027, \u0027ACCOUNTADMIN\u0027, \u0027SECURITYADMIN\u0027\n )\n PRE_AUTHORIZED_ROLES_LIST \u003d (\u0027OKTA_ROLE\u0027);",
"QUERY_TYPE": "CREATE",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.19.1",
"ROLE_NAME": "ACCOUNTADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": "34",
"SCHEMA_NAME": "INFO_SCHEMA",
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "471219059845",
"START_TIME": "1717510863.429000",
"TOTAL_ELAPSED_TIME": "63",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "1",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "39",
"CREDITS_USED_CLOUD_SERVICES": "3.1000000000000001e-05",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717685508.792000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "168",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d47b-0045-3f94-0071-5451651a1de7a2a",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "SHOW DELEGATED AUTHORIZATIONS TO SECURITY INTEGRATION OAUTH_INTEGRATION",
"QUERY_TYPE": "SHOW",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "379374534157826",
"START_TIME": "1717685508.585000",
"TOTAL_ELAPSED_TIME": "207",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "BRUCE_WAYN@wayneenterprises.org",
"WAREHOUSE_ID": null,
"WAREHOUSE_NAME": null,
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": null
}Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "39",
"CREDITS_USED_CLOUD_SERVICES": "3.1000000000000001e-05",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717685508.792000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "168",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d47b-0045-3f94-0071-5451651a1de7a2a",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "ALTER SECURITY INTEGRATION APPOMNI SET NETWORK_POLICY \u003d \u0027CLOUD_ACCESS_POLICY\u0027;",
"QUERY_TYPE": "ALTER",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "379374534157826",
"START_TIME": "1717685508.585000",
"TOTAL_ELAPSED_TIME": "207",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "BRUCE_WAYN@wayneenterprises.org",
"WAREHOUSE_ID": null,
"WAREHOUSE_NAME": null,
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": null
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "39",
"CREDITS_USED_CLOUD_SERVICES": "3.1000000000000001e-05",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717685508.792000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "168",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d47b-0045-3f94-0071-5451651a1de7a2a",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "DROP SECURITY INTEGRATION OAUTH_INTEGRATION",
"QUERY_TYPE": "SHOW",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "379374534157826",
"START_TIME": "1717685508.585000",
"TOTAL_ELAPSED_TIME": "207",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "BRUCE_WAYN@wayneenterprises.org",
"WAREHOUSE_ID": null,
"WAREHOUSE_NAME": null,
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": null
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Integration / App Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "51",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "62",
"CREDITS_USED_CLOUD_SERVICES": "9.0000000000000002e-06",
"DATABASE_ID": "42",
"DATABASE_NAME": "WAYNE_DB",
"END_TIME": "1717439033.854000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "1",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "16c6efc6efc6efc6efc6efc6ef466a4e7",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4c65d-0504-e717-0000-15894ac5e9c2",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "16c6efc6efc6efc6efc6efc6ef466a4e7",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "s3_integration",
"QUERY_TEXT": "CREATE STORAGE INTEGRATION IF NOT EXISTS S3\n TYPE \u003d external_stage\n STORAGE_PROVIDER \u003d \u0027S3\u0027\n ENABLED \u003d true\n STORAGE_AWS_ROLE_ARN \u003d \u0027arn:aws:iam::1234567890:role/gotham-snowflake-iam-role\u0027\n STORAGE_ALLOWED_LOCATIONS \u003d (\"s3://wayne/villians/\", \"s3://gotham/police/\")\n COMMENT\u003d\u0027Allow Snowflake access to S3.\u0027\n;",
"QUERY_TYPE": "CREATE",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": "12345",
"SCHEMA_NAME": "APPS",
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "13270565487958470",
"START_TIME": "1717439033.791000",
"TOTAL_ELAPSED_TIME": "63",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17174394544441000000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "2442",
"WAREHOUSE_NAME": "VILLIAN_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Integration / App Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "51",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "62",
"CREDITS_USED_CLOUD_SERVICES": "9.0000000000000002e-06",
"DATABASE_ID": "42",
"DATABASE_NAME": "WAYNE_DB",
"END_TIME": "1717439033.854000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "1",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "16c6efc6efc6efc6efc6efc6ef466a4e7",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4c65d-0504-e717-0000-15894ac5e9c2",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "16c6efc6efc6efc6efc6efc6ef466a4e7",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "s3_integration",
"QUERY_TEXT": "DESCRIBE STORAGE INTEGRATION S3",
"QUERY_TYPE": "DESCRIBE",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": "12345",
"SCHEMA_NAME": "APPS",
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "13270565487958470",
"START_TIME": "1717439033.791000",
"TOTAL_ELAPSED_TIME": "63",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17174394544441000000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "2442",
"WAREHOUSE_NAME": "VILLIAN_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Configuration / Setting Name
-
Integration / App Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "51",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "62",
"CREDITS_USED_CLOUD_SERVICES": "9.0000000000000002e-06",
"DATABASE_ID": "42",
"DATABASE_NAME": "WAYNE_DB",
"END_TIME": "1717439033.854000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "1",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "16c6efc6efc6efc6efc6efc6ef466a4e7",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4c65d-0504-e717-0000-15894ac5e9c2",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "16c6efc6efc6efc6efc6efc6ef466a4e7",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "s3_integration",
"QUERY_TEXT": "ALTER STORAGE INTEGRATION S3\n TYPE \u003d external_stage\n STORAGE_PROVIDER \u003d \u0027S3\u0027\n ENABLED \u003d true\n STORAGE_AWS_ROLE_ARN \u003d \u0027arn:aws:iam::1234567890:role/gotham-snowflake-iam-role\u0027\n STORAGE_ALLOWED_LOCATIONS \u003d (\"s3://wayne/villains/\", \"s3://gotham/police/\")\n COMMENT\u003d\u0027Allow Snowflake access to S3.\u0027\n;",
"QUERY_TYPE": "ALTER",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": "12345",
"SCHEMA_NAME": "APPS",
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "13270565487958470",
"START_TIME": "1717439033.791000",
"TOTAL_ELAPSED_TIME": "63",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17174394544441000000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "2442",
"WAREHOUSE_NAME": "VILLIAN_WAREHOUSE",
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": "STANDARD"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Integration / App Name
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "0",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "0",
"BYTES_WRITTEN_TO_RESULT": "36",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": null,
"COMPILATION_TIME": "39",
"CREDITS_USED_CLOUD_SERVICES": "3.1000000000000001e-05",
"DATABASE_ID": null,
"DATABASE_NAME": null,
"END_TIME": "1717685508.792000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "168",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "0",
"PARTITIONS_TOTAL": "0",
"PERCENTAGE_SCANNED_FROM_CACHE": "0",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d47b-0045-3f94-0071-5451651a1de7a2a",
"QUERY_LOAD_PERCENT": null,
"QUERY_PARAMETERIZED_HASH": "c575eb2d1cbc575eb2d1cba8c654911a91eb",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "DROP STORAGE INTEGRATION S3",
"QUERY_TYPE": "SHOW",
"QUEUED_OVERLOAD_TIME": "0",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "0",
"ROWS_PRODUCED": null,
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\"roleNames\":[],\"roleCount\":0,\"roleIds\":[]}",
"SESSION_ID": "379374534157826",
"START_TIME": "1717685508.585000",
"TOTAL_ELAPSED_TIME": "207",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "0",
"USER_NAME": "BRUCE_WAYN@wayneenterprises.org",
"WAREHOUSE_ID": null,
"WAREHOUSE_NAME": null,
"WAREHOUSE_SIZE": null,
"WAREHOUSE_TYPE": null
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "28160",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "25088",
"BYTES_WRITTEN_TO_RESULT": "27",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": "1",
"COMPILATION_TIME": "38",
"CREDITS_USED_CLOUD_SERVICES": "2.5999999999999998e-05",
"DATABASE_ID": "42",
"DATABASE_NAME": "VILLAIN_DB",
"END_TIME": "1717680343.697000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "623",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "2",
"PARTITIONS_TOTAL": "175",
"PERCENTAGE_SCANNED_FROM_CACHE": "0.50909090909090904",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d425-0509-54fd-0068-2d034e5caba3",
"QUERY_LOAD_PERCENT": "100",
"QUERY_PARAMETERIZED_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "INSERT INTO ...",
"QUERY_TYPE": "INSERT",
"QUEUED_OVERLOAD_TIME": "451",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "306",
"ROWS_PRODUCED": "578",
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\" roleNames \":[\" ALL \"],\" roleCount \":3,\" roleIds \":[6865490,17465841737,11459846222574]}",
"SESSION_ID": "293228816254855",
"START_TIME": "1717680342.585000",
"TOTAL_ELAPSED_TIME": "1112",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17176803484581100000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "42",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": "X-Small",
"WAREHOUSE_TYPE": "STANDARD"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "28160",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "25088",
"BYTES_WRITTEN_TO_RESULT": "27",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": "1",
"COMPILATION_TIME": "38",
"CREDITS_USED_CLOUD_SERVICES": "2.5999999999999998e-05",
"DATABASE_ID": "42",
"DATABASE_NAME": "VILLAIN_DB",
"END_TIME": "1717680343.697000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "623",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "2",
"PARTITIONS_TOTAL": "175",
"PERCENTAGE_SCANNED_FROM_CACHE": "0.50909090909090904",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d425-0509-54fd-0068-2d034e5caba3",
"QUERY_LOAD_PERCENT": "100",
"QUERY_PARAMETERIZED_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "SELECT ...",
"QUERY_TYPE": "SELECT",
"QUEUED_OVERLOAD_TIME": "451",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "306",
"ROWS_PRODUCED": "578",
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\" roleNames \":[\" ALL \"],\" roleCount \":3,\" roleIds \":[6865490,17465841737,11459846222574]}",
"SESSION_ID": "293228816254855",
"START_TIME": "1717680342.585000",
"TOTAL_ELAPSED_TIME": "1112",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17176803484581100000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "42",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": "X-Small",
"WAREHOUSE_TYPE": "STANDARD"
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "28160",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "25088",
"BYTES_WRITTEN_TO_RESULT": "27",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": "1",
"COMPILATION_TIME": "38",
"CREDITS_USED_CLOUD_SERVICES": "2.5999999999999998e-05",
"DATABASE_ID": "42",
"DATABASE_NAME": "VILLAIN_DB",
"END_TIME": "1717680343.697000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "623",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "2",
"PARTITIONS_TOTAL": "175",
"PERCENTAGE_SCANNED_FROM_CACHE": "0.50909090909090904",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d425-0509-54fd-0068-2d034e5caba3",
"QUERY_LOAD_PERCENT": "100",
"QUERY_PARAMETERIZED_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "INSERT INTO ...",
"QUERY_TYPE": "INSERT",
"QUEUED_OVERLOAD_TIME": "451",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "306",
"ROWS_PRODUCED": "578",
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\" roleNames \":[\" ALL \"],\" roleCount \":3,\" roleIds \":[6865490,17465841737,11459846222574]}",
"SESSION_ID": "293228816254855",
"START_TIME": "1717680342.585000",
"TOTAL_ELAPSED_TIME": "1112",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17176803484581100000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "42",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": "X-Small",
"WAREHOUSE_TYPE": "STANDARD"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "28160",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "25088",
"BYTES_WRITTEN_TO_RESULT": "27",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": "1",
"COMPILATION_TIME": "38",
"CREDITS_USED_CLOUD_SERVICES": "2.5999999999999998e-05",
"DATABASE_ID": "42",
"DATABASE_NAME": "VILLAIN_DB",
"END_TIME": "1717680343.697000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "623",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "2",
"PARTITIONS_TOTAL": "175",
"PERCENTAGE_SCANNED_FROM_CACHE": "0.50909090909090904",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d425-0509-54fd-0068-2d034e5caba3",
"QUERY_LOAD_PERCENT": "100",
"QUERY_PARAMETERIZED_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "DROP ...",
"QUERY_TYPE": "DROP",
"QUEUED_OVERLOAD_TIME": "451",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "306",
"ROWS_PRODUCED": "578",
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\" roleNames \":[\" ALL \"],\" roleCount \":3,\" roleIds \":[6865490,17465841737,11459846222574]}",
"SESSION_ID": "293228816254855",
"START_TIME": "1717680342.585000",
"TOTAL_ELAPSED_TIME": "1112",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17176803484581100000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "42",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": "X-Small",
"WAREHOUSE_TYPE": "STANDARD"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
Resource Name
-
Resource Type
-
Resource Metadata
Unsupported
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"BYTES_DELETED": "0",
"BYTES_READ_FROM_RESULT": "0",
"BYTES_SCANNED": "28160",
"BYTES_SENT_OVER_THE_NETWORK": "0",
"BYTES_SPILLED_TO_LOCAL_STORAGE": "0",
"BYTES_SPILLED_TO_REMOTE_STORAGE": "0",
"BYTES_WRITTEN": "25088",
"BYTES_WRITTEN_TO_RESULT": "27",
"CHILD_QUERIES_WAIT_TIME": "0",
"CLUSTER_NUMBER": "1",
"COMPILATION_TIME": "38",
"CREDITS_USED_CLOUD_SERVICES": "2.5999999999999998e-05",
"DATABASE_ID": "42",
"DATABASE_NAME": "VILLAIN_DB",
"END_TIME": "1717680343.697000",
"ERROR_CODE": null,
"ERROR_MESSAGE": null,
"EXECUTION_STATUS": "SUCCESS",
"EXECUTION_TIME": "623",
"EXTERNAL_FUNCTION_TOTAL_INVOCATIONS": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_BYTES": "0",
"EXTERNAL_FUNCTION_TOTAL_SENT_ROWS": "0",
"FAULT_HANDLING_TIME": null,
"INBOUND_DATA_TRANSFER_BYTES": "0",
"INBOUND_DATA_TRANSFER_CLOUD": null,
"INBOUND_DATA_TRANSFER_REGION": null,
"IS_CLIENT_GENERATED_STATEMENT": "false",
"LIST_EXTERNAL_FILES_TIME": "0",
"OUTBOUND_DATA_TRANSFER_BYTES": "0",
"OUTBOUND_DATA_TRANSFER_CLOUD": null,
"OUTBOUND_DATA_TRANSFER_REGION": null,
"PARTITIONS_SCANNED": "2",
"PARTITIONS_TOTAL": "175",
"PERCENTAGE_SCANNED_FROM_CACHE": "0.50909090909090904",
"QUERY_ACCELERATION_BYTES_SCANNED": "0",
"QUERY_ACCELERATION_PARTITIONS_SCANNED": "0",
"QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR": "0",
"QUERY_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_HASH_VERSION": "2",
"QUERY_ID": "01b4d425-0509-54fd-0068-2d034e5caba3",
"QUERY_LOAD_PERCENT": "100",
"QUERY_PARAMETERIZED_HASH": "2f2f45df35df4535df4535df45f9bc9d",
"QUERY_PARAMETERIZED_HASH_VERSION": "1",
"QUERY_RETRY_CAUSE": null,
"QUERY_RETRY_TIME": null,
"QUERY_TAG": "",
"QUERY_TEXT": "GET ...",
"QUERY_TYPE": "GET_FILES",
"QUEUED_OVERLOAD_TIME": "451",
"QUEUED_PROVISIONING_TIME": "0",
"QUEUED_REPAIR_TIME": "0",
"RELEASE_VERSION": "8.21.1",
"ROLE_NAME": "WAYNE_ADMIN",
"ROLE_TYPE": "ROLE",
"ROWS_DELETED": "0",
"ROWS_INSERTED": "306",
"ROWS_PRODUCED": "578",
"ROWS_UNLOADED": "0",
"ROWS_UPDATED": "0",
"ROWS_WRITTEN_TO_RESULT": "1",
"SCHEMA_ID": null,
"SCHEMA_NAME": null,
"SECONDARY_ROLE_STATS": "{\" roleNames \":[\" ALL \"],\" roleCount \":3,\" roleIds \":[6865490,17465841737,11459846222574]}",
"SESSION_ID": "293228816254855",
"START_TIME": "1717680342.585000",
"TOTAL_ELAPSED_TIME": "1112",
"TRANSACTION_BLOCKED_TIME": "0",
"TRANSACTION_ID": "17176803484581100000",
"USER_NAME": "ALFRED_ADMIN",
"WAREHOUSE_ID": "42",
"WAREHOUSE_NAME": "GOTHAM_WAREHOUSE",
"WAREHOUSE_SIZE": "X-Small",
"WAREHOUSE_TYPE": "STANDARD"
}Query History
This Account Usage view can be used to query Snowflake query history by various dimensions (time range, session, user, warehouse, etc.) within the last 365 days (1 year).
References
Retention Details
Storage Duration: 365 days
No comments
Latency Details
Duration: up to 45 minutes
No comments
Product Details
Snowflake is a cloud-based Software as a Service (SaaS) platform that provides data warehousing, data lake, data sharing, and data integration services to customers. It stores a wide variety of data types, including structured and semi-structured data, enabling organizations to perform complex data analytics and gain insights from their data.
Login History
References
Query History
References
Session History
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
IP Address
-
User Agent Name
-
Failure Context
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Credential Context
-
Identity Service Provider Context
Success
{
"browser": "Chrome 124.0.0.0",
"id": "6145782847",
"on_behalf_of": null,
"platform": "Intel Mac OS X 10.15.7",
"source_ip": "8.8.8.8",
"status": "Success",
"timestamp": "2024-05-07T21:01:27Z",
"type": "User Login",
"user_name": "bbunny@acme.com",
"vault_id": "123456"
}Failure
{
"browser": "Unknown",
"id": "6151724407",
"on_behalf_of": null,
"platform": "Unknown",
"source_ip": "8.8.8.8",
"status": "Password Change Required",
"timestamp": "2024-05-08T21:17:23Z",
"type": "User Login",
"user_name": "granny@acme.com",
"vault_id": null
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
IP Address
-
User Agent Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"browser": "Chrome 124.0.0.0",
"id": "6145624385",
"on_behalf_of": null,
"platform": "Intel Mac OS X 10.15.7",
"source_ip": "8.8.8.8",
"status": "Success",
"timestamp": "2024-05-07T20:18:07Z",
"type": "User Logout",
"user_name": "bbunny@acme.com",
"vault_id": "123456"
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Username
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Create",
"capacity": null,
"event_description": "User : example_firstname example_lastname created",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "123188",
"item": "User : example_firstname example_lastname",
"new_value": null,
"object_label": "User",
"old_value": null,
"on_behalf_of": null,
"reason": null,
"record_id": "20107255",
"task_name": null,
"timestamp": "2024-05-07T23:19:06Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Username
-
Target Attribute Context
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Edit",
"capacity": null,
"event_description": "\"Email\" changed from \"example_user_123@appomni.com\" to \"changed_email@appomni.com\"",
"field_name": "Email",
"full_name": "Bugs Bunny",
"id": "123193",
"item": "User : example_firstname example_lastname",
"new_value": "changed_email@appomni.com",
"object_label": "User",
"old_value": "example_user_123@appomni.com",
"on_behalf_of": null,
"reason": null,
"record_id": "20107255",
"task_name": null,
"timestamp": "2024-05-07T23:19:35Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Group Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Create",
"event_description": "Group \"example_group_123\" created",
"field_name": "groupName",
"full_name": "Bugs Bunny",
"id": "726727",
"item": "example_group_123",
"new_value": "example_group_123",
"old_value": null,
"on_behalf_of": null,
"timestamp": "2024-05-07T23:21:12Z",
"user_id": "13648907",
"user_name": "bbunny@acme.com"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Edit",
"event_description": "Group description set to \"new_description\"",
"field_name": "groupDescr",
"full_name": "Bugs Bunny",
"id": "726729",
"item": "example_group_123",
"new_value": "new_description",
"old_value": null,
"on_behalf_of": null,
"timestamp": "2024-05-07T23:21:28Z",
"user_id": "13648907",
"user_name": "bbunny@acme.com"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Group Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Delete",
"event_description": "Group \"example_group_123\" deleted",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "726731",
"item": "example_group_123",
"new_value": null,
"old_value": null,
"on_behalf_of": null,
"timestamp": "2024-05-07T23:21:49Z",
"user_id": "13648907",
"user_name": "bbunny@acme.com"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Edit_ListProperty",
"event_description": "\"jdoe@acme.com\" was added to the \"Report Administrators\" group",
"field_name": "groupMember",
"full_name": "Bugs Bunny",
"id": "726692",
"item": "Report Administrators",
"new_value": "jdoe@acme.com",
"old_value": null,
"on_behalf_of": null,
"timestamp": "2024-05-07T22:20:50Z",
"user_id": "13648907",
"user_name": "bbunny@acme.com"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Edit_ListProperty",
"event_description": "\"example_user_123@acme.com\" was removed from the \"External Inspectors\" group",
"field_name": "groupMember",
"full_name": "System",
"id": "726721",
"item": "External Inspectors",
"new_value": null,
"old_value": "example_user_123@acme.com",
"on_behalf_of": null,
"timestamp": "2024-05-07T23:20:35Z",
"user_id": "1",
"user_name": "System"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Role Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Create",
"capacity": null,
"event_description": "Application Role : example_new_role created",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "123212",
"item": "Application Role : example_new_role",
"new_value": null,
"object_label": "Application Role",
"old_value": null,
"on_behalf_of": null,
"reason": null,
"record_id": "0AR00000000P001",
"task_name": null,
"timestamp": "2024-05-08T20:24:13Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Attribute Context
-
Target Role Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Edit",
"capacity": null,
"event_description": "\"Permission Set\" changed from \"Central Monitor\" to \"Clinical App Administrator Actions\"",
"field_name": "Permission Set",
"full_name": "Bugs Bunny",
"id": "123221",
"item": "Application Role : example_new_role_123",
"new_value": "Clinical App Administrator Actions",
"object_label": "Application Role",
"old_value": "Central Monitor",
"on_behalf_of": null,
"reason": null,
"record_id": "0AR00000000Q001",
"task_name": null,
"timestamp": "2024-05-08T21:16:31Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Target Role Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Delete",
"capacity": null,
"event_description": "Application Role : example_new_role deleted",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "123214",
"item": "Application Role : example_new_role",
"new_value": null,
"object_label": "Application Role",
"old_value": null,
"on_behalf_of": null,
"reason": null,
"record_id": "0AR00000000P001",
"task_name": null,
"timestamp": "2024-05-08T20:24:33Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Edit",
"event_description": "Security profile for \"jdoe@acme.com\" was changed from \"System Administrator\" to \"Vault Owner\"",
"field_name": "securityProfile",
"full_name": "Paul Bunyan",
"id": "731223",
"item": "jdoe@acme.com (John Doe)",
"new_value": "Vault Owner",
"old_value": "System Administrator",
"on_behalf_of": null,
"timestamp": "2024-05-10T13:53:39Z",
"user_id": "13796477",
"user_name": "pbunyan@acme.com"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "RemovePermission",
"event_description": "Permission \"Admin > Configuration > Pages > Edit\" removed from permission set \"example_permission_set\"",
"field_name": "Admin > Configuration > Pages > Edit",
"full_name": "Bugs Bunny",
"id": "726747",
"item": "Permission Set \"example_permission_set\"",
"new_value": null,
"old_value": null,
"on_behalf_of": null,
"timestamp": "2024-05-08T23:03:03Z",
"user_id": "13648907",
"user_name": "bbunny@acme.com"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Integration / App Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Create",
"capacity": null,
"event_description": "Connection Client : example_external_connection created",
"field_name": null,
"full_name": "System",
"id": "123225",
"item": "Connection Client : example_external_connection",
"new_value": null,
"object_label": "Connection Client",
"old_value": null,
"on_behalf_of": "bbunny@acme.com",
"reason": null,
"record_id": "V8M00000000E001",
"task_name": null,
"timestamp": "2024-05-09T18:23:21Z",
"user_name": "System",
"verdict": null,
"workflow_name": null
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Configuration / Setting Name
-
Integration / App Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"action": "Edit",
"capacity": null,
"event_description": "\"URL\" set to \"https://appomni.test_url.com\" ",
"field_name": "URL",
"full_name": "Bugs Bunny",
"id": "123226",
"item": "Connection : External : example_external_connection",
"new_value": "https://appomni.test_url.com",
"object_label": "Connection",
"old_value": null,
"on_behalf_of": null,
"reason": null,
"record_id": "V1F00000000L001",
"task_name": null,
"timestamp": "2024-05-09T18:42:23Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Integration / App Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Delete",
"capacity": null,
"event_description": "Connection : External : example_external_connection deleted",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "123232",
"item": "Connection : External : example_external_connection",
"new_value": null,
"object_label": "Connection",
"old_value": null,
"on_behalf_of": null,
"reason": null,
"record_id": "V1F00000000L001",
"task_name": null,
"timestamp": "2024-05-09T18:50:15Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Create",
"capacity": null,
"event_description": "Study : example_study_1337 created",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "123244",
"item": "Study : example_study_1337",
"new_value": null,
"object_label": "Study",
"old_value": null,
"on_behalf_of": null,
"reason": null,
"record_id": "0ST000000006002",
"task_name": null,
"timestamp": "2024-05-09T20:18:54Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Resource Name
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Type
Success
{
"action": "GetDocumentVersion",
"doc_id": "102",
"document_url": "/ui/#doc_info/102/0/1",
"event_description": "Viewed Document",
"field_name": null,
"full_name": "John Doe",
"id": "729",
"item": "VV-TMF-12345",
"job_instance_id": null,
"new_value": null,
"old_value": null,
"on_behalf_of": null,
"signature_meaning": null,
"task_name": null,
"timestamp": "2024-05-14T21:37:10Z",
"user_name": "jdoe@acme.com",
"version": "0.1",
"view_license": null,
"workflow_name": null
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Edit",
"capacity": null,
"event_description": "\"Subject Status\" changed from \"Started Treatment\" to \"Started Follow Up\"",
"field_name": "Subject Status",
"full_name": "Bugs Bunny",
"id": "123243",
"item": "Subject : example_subject_id",
"new_value": "Started Follow Up",
"object_label": "Subject",
"old_value": "Started Treatment",
"on_behalf_of": null,
"reason": null,
"record_id": "OPB000000001002",
"task_name": null,
"timestamp": "2024-05-09T19:59:52Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "Delete",
"capacity": null,
"event_description": "Study : example_study_1337 deleted",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "123245",
"item": "Study : example_study_1337",
"new_value": null,
"object_label": "Study",
"old_value": null,
"on_behalf_of": null,
"reason": null,
"record_id": "0ST000000006002",
"task_name": null,
"timestamp": "2024-05-09T20:19:06Z",
"user_name": "bbunny@acme.com",
"verdict": null,
"workflow_name": null
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
Resource Metadata
Unsupported
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Success
{
"action": "Download",
"doc_id": "101",
"document_url": "/ui/#doc_info/101/0/1",
"event_description": "Document downloaded",
"field_name": null,
"full_name": "Bugs Bunny",
"id": "650",
"item": "VV-TMF-00017",
"job_instance_id": null,
"new_value": null,
"old_value": null,
"on_behalf_of": null,
"signature_meaning": null,
"task_name": null,
"timestamp": "2024-05-07T19:24:09Z",
"user_name": "bbunny@acme.com",
"version": "0.1",
"view_license": null,
"workflow_name": null
}
Retrieve Audit Details API
The Veeva Vault Retrieve Audit Details API provides near real-time, read-only access to an organization's audit log.
References
Retention Details
Storage Duration: 30 days
N/A
Latency Details
Duration: Near real-time
N/A
Product Details
Veeva Vault is a true cloud enterprise content management platform and suite of applications specifically built for life sciences. Veeva Vault audit events record logs related to an documents, objects, logins, and systems. The Events can be used to understand platform and user activity, troubleshoot problems, and investigate security incidents. The Veeva Vault Retrieve Audit Details API allows an organization to programmatically access the Veeva Vault audit logs. The API provides a way to retrieve, filter, and export events.
Retrieve Audit Details API
The Veeva Vault Retrieve Audit Details API provides near real-time, read-only access to an organization's audit log.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Username
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-15T12:09:31.763Z",
"sessionId": "495269",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Create Workday Account: Jane Doe",
"id": "3f2a87a1ee011000ad21051bbfb90000"
},
"taskDisplayName": "Create Workday Account",
"taskId": "dc2fbbfc446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Username
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"activityAction": "READ",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-24T14:32:40.272Z",
"sessionId": "dd7803",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "john.doe / John Doe",
"id": "597a5fe0e5b41000a873c5e87aa10000"
},
"taskDisplayName": "View Workday Account",
"taskId": "dc347228446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Username
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Attribute Context
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-22T12:06:18.499Z",
"sessionId": "208afc",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Edit Workday Account: jane.doe@acme.com / Jane Doe",
"id": "3b45e1da2b3e1000ad425682b5ab0000"
},
"taskDisplayName": "Edit Workday Account",
"taskId": "6c148253fc8b1000027f9a8ba31c000e",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-22T11:17:40.737Z",
"sessionId": "b4dc5b",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Custom HR Admin Group",
"id": "3b45e1da2b3e1000aa9b045a187d0000"
},
"taskDisplayName": "Create Security Group",
"taskId": "dc3318ce446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"activityAction": "READ",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-29T15:57:47.459Z",
"sessionId": "692dd8",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Bank Administrator",
"id": "6143bf1db22e10d1657fff8287342718"
},
"taskDisplayName": "View Security Group",
"taskId": "dc331496446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Attribute Context
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-29T15:59:18.710Z",
"sessionId": "692dd8",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Finance Administrator",
"id": "6143bf1db22e10d1657fff8287342718"
},
"taskDisplayName": "Edit User-Based Security Group",
"taskId": "dc4d3ce0446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Group Name
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-29T16:00:31.986Z",
"sessionId": "692dd8",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "",
"id": "dfbf16403554012375dee2ebd7cb0000"
},
"taskDisplayName": "Delete Security Group",
"taskId": "dc33157c446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Username
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-29T16:09:37.206Z",
"sessionId": "692dd8",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Compensation System",
"id": "1d1b0ad99fb64daa863027571269e158"
},
"taskDisplayName": "Assign Users to User-Based Security Group",
"taskId": "dc49b84a446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Username
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-29T16:09:37.206Z",
"sessionId": "692dd8",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Benefits Administrator",
"id": "1d1b0ad99fb64daa863027571269e158"
},
"taskDisplayName": "Assign Users to User-Based Security Group",
"taskId": "dc49b84a446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Role Name
Success
{
"activityAction": "READ",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-29T17:05:55.030Z",
"sessionId": "d025f2",
"systemAccount": "test.user@acme.com",
"taskDisplayName": "Role Assignment Permissions",
"taskId": "dc3f2f4c446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Attribute Context
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-29T16:12:45.263Z",
"sessionId": "692dd8",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Accountant",
"id": "b54cec1213ff4f6e8a3567998124a7a2"
},
"taskDisplayName": "Edit Role Assignment Permissions",
"taskId": "dc4cf668446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Resource Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Permission Name
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-25T17:45:31.612Z",
"sessionId": "a6259b",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Calendar Download Access",
"id": "89e47473254c0103772956e0ca441800"
},
"taskDisplayName": "Edit Domain Security Policy Permissions",
"taskId": "dc30feea446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Target Resource Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Permission Name
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-22T19:18:56.858Z",
"sessionId": "8413e1",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Create and Manage Surveys",
"id": "860b38cc4831013d6b1850dfb58c8200"
},
"taskDisplayName": "Edit Permissions",
"taskId": "dc32592a446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Username
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-15T23:06:03.915Z",
"sessionId": "67b7bc",
"systemAccount": "test.user@acme.com",
"taskDisplayName": "Set up Authenticator App",
"taskId": "383bb6086e1a100011635fc295a60095",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Target Username
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-03-27T15:22:28.183Z",
"sessionId": "92dc7b",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "One Time Passcode - Email",
"id": "8b2c9ed03ecb1049073f1d6487120000"
},
"taskDisplayName": "Edit One Time Passcode - Email Setup",
"taskId": "cab913dced9810001e63901c892a0017",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Configuration / Setting Value
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-18T17:04:59.204Z",
"sessionId": "efc2ba",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Self-Service: Benefits and Pay Hub",
"id": "fb58ac88f9ba1001a8a5835b27aa0000"
},
"taskDisplayName": "Create Security Policy for Domain",
"taskId": "dc31d018446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"activityAction": "READ",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-18T17:01:25.414Z",
"sessionId": "5ced74",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "acme_workday_tenant",
"id": "acc14cefb22b44e18d96ac71fc35f6a0"
},
"taskDisplayName": "Tenant Setup - Security",
"taskId": "29f477f31172498f83fba6e51c59930e",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-18T17:04:18.829Z",
"sessionId": "5ced74",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "One Time Passcode - SMS",
"id": "ab2cb4ac47b401c761847989a2551700"
},
"taskDisplayName": "Edit One Time Passcode - SMS Setup",
"taskId": "cdc5d309f37910000296e685317a0120",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Configuration / Setting Value
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-18T17:46:17.353Z",
"sessionId": "5ced74",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "acme_workday_tenant",
"id": "acc14cefb22b44e18d96ac71fc35f6a0"
},
"taskDisplayName": "Edit Tenant Setup - Security",
"taskId": "35382c414f3140e9bc738121e6f6f68f",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-12T17:48:40.298Z",
"sessionId": "a6894b",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "3rd Party Integration to Workday",
"id": "a98bc7f71d0010020844f80994580000"
},
"taskDisplayName": "Register API Client for Integrations",
"taskId": "564682b1f8824efd87254fc5d6ffb5a4",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Integration / App Name
Success
{
"activityAction": "READ",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-24T16:45:01.996Z",
"sessionId": "23f3c4",
"systemAccount": "test.user@acme.com",
"taskDisplayName": "Register API Client for Integrations",
"taskId": "564682b1f8824efd87254fc5d6ffb5a4",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
}Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-10T18:36:53.137Z",
"sessionId": "9b4f58",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "EIB - Put Compensation Plans",
"id": "caeae0ba9a4a10015f280519f6be0000"
},
"taskDisplayName": "Edit Integration System",
"taskId": "82c4467dd1cf4ee89d12712e1709cca4",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Resource Type
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-15T18:58:53.582Z",
"sessionId": "a0ce77",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Expense Report: EXP-20240-123",
"id": "a4b2226134119000c4478784348b0000"
},
"taskDisplayName": "Create Expense Report",
"taskId": "dc306b10446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Resource Type
Success
{
"activityAction": "READ",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-16T15:20:25.595Z",
"sessionId": "7bfc6f",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Expense Payments - John Doe",
"id": "4a7ccee4655d1009b82f55cf259b0002"
},
"taskDisplayName": "Change Election",
"taskId": "b73c880a358640fdae5c86aa21daa427",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Resource Type
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-16T15:00:22.436Z",
"sessionId": "7bfc6f",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "Custom Payroll Report",
"id": "3786a181dce445298a877f501322f72b"
},
"taskDisplayName": "Edit Custom Report",
"taskId": "dc2fb94a446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Resource Name
-
Resource Type
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-16T14:58:10.665Z",
"sessionId": "7bfc6f",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "",
"id": "4fd998fc9a861001120eb5ebf89c0000"
},
"taskDisplayName": "Delete Custom Report",
"taskId": "dc2fc08e446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Result
-
Username
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Resource Name
Unsupported
-
Event ID
-
Event Code / Type
-
User ID
-
User Type / Role
-
IP Geolocation / ASN
-
Resource Type
-
Resource Metadata
Success
{
"activityAction": "WRITE",
"deviceType": "Desktop",
"ipAddress": "192.168.0.1",
"requestTime": "2024-04-16T14:58:10.665Z",
"sessionId": "7bfc6f",
"systemAccount": "test.user@acme.com",
"target":
{
"descriptor": "",
"id": "4fd998fc9a861001120eb5ebf89c0000"
},
"taskDisplayName": "Delete Custom Report",
"taskId": "dc2fc08e446c11de98360015c5e6daf6",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
}
User Activity Logs
Workday user activity logs provide an audit trail of user activity over a certain time period.
References
Retention Details
Storage Duration: 30 days
By default, the User Activity Logging REST API retains log entries for 30 days.
Latency Details
Duration: Near real-time
By default, the User Activity Logging REST API retains log entries for 30 days.
Product Details
Workday is a cloud-based enterprise resource planning (ERP) platform that offers financial management, human resources management, and workforce planning. The User Activity Logging REST API enables organizations to retrieve an audit trail for Workday user activities.
User Activity Logs
Documentation on collecting events from the User Activity Logging REST API