Products
Product Details
AppOmni is a cloud-based platform designed to help organizations assess, monitor, and protect their data and configurations within SaaS applications. AppOmni audit logs are collected via the *auditlogs* API, and can be streamed to a Threat Detection event sink. Historical audit logs are also stored for 180 days and can be accessed via the scheduled reports feature. There are currently minor formatting differences between API/Event Sink logs, and the logs retrieved via scheduled reports.
Audit Logs API
To collect events, make a call to the /core/auditlogs endpoint and specify the desired parameters.
References
Event Sink Streaming
Audit logs are delivered to all Threat Detection event sinks.
References
Scheduled Reports
Create a scheduled report of type "AppOmni Audit Logs" to download audit logs.
References
Audit Logs
AppOmni audit logs that provide a record of user activity.
References
Retention Details
Storage Duration: 180 days
Historical audit logs are stored for 180 days.
Latency Details
Duration: Near Real-Time
Historical audit logs are stored for 180 days.
Product Details
Box is a cloud-based content management and file sharing service. It's designed to help organizations store, manage, and collaborate on files and documents. The Box Events API provides an event feed for enterprise events that have been generated within Box across the enterprise. Depending on the specified stream_type, the Events API can provide real-time monitoring or historical querying of events. The admin_logs_streaming stream type provides low latency, real-time access to events as they are processed by Box. Only two weeks of events are available via this stream type. The admin_logs stream type emphasizes completeness over latency, and provides access to events up to one year.
Get Enterprise Events
To collect enterprise events, make a call to the /events API and specify the desired stream_type.
Admin Logs
Box enterprise logs that provide an audit trail of user activity.
References
Retention Details
Storage Duration: 365 Days
Based on the admin_logs stream type.
Latency Details
Duration: Near Real-Time
Based on the admin_logs stream type.
Product Details
GitHub is a cloud-based service that provides a range of services related to version control, software development, and collaboration. The GitHub audit log API provides a feed for events that have been generated across the enterprise. If an organization does not use Enterprise Managed Users, the audit log only includes events related to the enterprise account and the organizations within the enterprise account. If an organization uses Enterprise Managed Users, the audit log also includes user events for managed user accounts. GitHub webhooks provide a way for notifications to be delivered to an external web server whenever certain events occur on GitHub.
Enterprise Audit Events
To collect enterprise events, use the audit log API.
Webhook Events
To collect webhook events, create and configure a webhook(s).
References
Audit Logs
GitHub enterprise audit logs that provide an audit trail of user and system activity.
References
Retention Details
Storage Duration: Infinite
Can be changed by an enterprise admin
Latency Details
Duration: Near Real-Time
Can be changed by an enterprise admin
Webhook Events
GitHub webhook events are delivered whenever certain events occur on GitHub.
References
Retention Details
Storage Duration: N/A
GitHub does not officially retain webhook events. Recent webhook events can be accessed at `https://github.com/<ORGANIZATION>/<REPOSITORY>/settings/hooks`.
Latency Details
Duration: Near Real-Time
GitHub does not officially retain webhook events. Recent webhook events can be accessed at `https://github.com/<ORGANIZATION>/<REPOSITORY>/settings/hooks`.
Product Details
Okta is a cloud-based identity and access management (IAM) platform that provides centralized authentication, management of user identities, and access control to applications and data. The Okta System Log records events related to an organization, such as user logins, password changes, and application access. The System Log can be used to understand platform and user activity, troubleshoot problems, and investigate security incidents. The Okta System Log API is a RESTful API that allows an organization to programmatically access the Okta System Log. The API provides a way to retrieve, filter, and export events.
System Log API
The Okta System Log API provides near real-time, read-only access to an organization's system log.
References
System Log API
The Okta System Log API provides near real-time, read-only access to an organization's system log.
References
Retention Details
Storage Duration: System Log events are retained in Okta for a period of 90 days.
https://support.okta.com/help/s/article/Customer-Data-Retention-Policy?language=en_US
Latency Details
Duration: Near real-time
https://support.okta.com/help/s/article/Customer-Data-Retention-Policy?language=en_US
Product Details
Salesforce is a cloud-based customer relationship management (CRM) platform. It is designed to help organizations manage their customer relationships, sales processes, marketing activities, and more. Salesforce audit logs are collected via objects, namely the SetupAuditTrail object, EventLogFile object, or Real-Time Event Monitoring objects. These objects are accessible via the Salesforce API. Salesforce supports a wide range of APIs, however with regards to audit logs, the primary APIs include the REST API, SOAP API, or Streaming API.
REST API
A REST interface that can be used to access Salesforce data without using the Salesforce user interface
SOAP API
An interface that can be used to access Salesforce data using the SOAP protocol
References
Streaming API
An API that provides a subscription mechanism for receiving events in near real-time
EventLogFile Apex Callout Event Type
Provides details about callouts (external requests) during Apex code execution.
References
Retention Details
Storage Duration: 30 Days
N/A
Latency Details
Duration: 3 Hours
N/A
EventLogFile Aura Request Event Type
Provides details of requests to Apex methods from Aura and Lightning web components.
References
Retention Details
Storage Duration: 30 Days
N/A
Latency Details
Duration: 3 Hours
N/A
EventLogFile Login Event
This event source is to track login events in Salesforce.
References
Retention Details
Storage Duration: 1 Day
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
Latency Details
Duration: 3 Hours
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
EventLogFile Logout Event
This event source is to track logout events in Salesforce.
References
Retention Details
Storage Duration: 1 Day
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
Latency Details
Duration: 3 Hours
Available for free with 1 day retention, otherwise requires an add-on subscription for 30 day retention.
EventLogFile SOAP API Event Type
Provides details about a Salesforce org's SOAP API request activity.
References
Retention Details
Storage Duration: 30 Days
N/A
Latency Details
Duration: 3 Hours
N/A
Real-Time Event Monitoring ApiEventStream
Tracks the user-initiated read-only API calls "query()", "queryMore()", and "count()". Captures API requests through SOAP API and Bulk API.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring BulkApiResultEventStore
Tracks when a user downloads the results of a Bulk API request.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring IdentityVerificationEvent
Tracks user identity verification events in a Salesforce org.
References
Retention Details
Storage Duration: 10 Years
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring LightningUriEventStream
Detects when a user creates, accesses, updates, or deletes a record in Lightning Experience only.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring ListViewEventStream
Tracks actions related to list views in Lightning Experience, Salesforce Classic, or the API. For example, the event captures when a user runs or exports a list view.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring LoginEventStream
Tracks login activity of users who log in to Salesforce.
References
Retention Details
Storage Duration: 10 Years
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring LogoutEventStream
A logout event records a successful user logout from the Salesforce user interface.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring ReportEventStream
Tracks report-related actions, such as when a user runs or exports a report.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
Real-Time Event Monitoring UriEventStream
Detects when a user creates, accesses, updates, or deletes a record in Salesforce Classic only.
References
Retention Details
Storage Duration: 6 Months
N/A
Latency Details
Duration: Real-Time
N/A
SetupAuditTrail
The SetupAuditTrail object provides an audit trail of changes to user profiles, permission sets, security settings, custom objects, and other settings.
References
Retention Details
Storage Duration: 180 Days
N/A
Latency Details
Duration: Real-Time
N/A
Product Details
Slack is a cloud-based collaboration platform that facilitates communication between individuals and groups through channels, direct messaging, file sharing, and integrations with third-party applications. The Slack Audit Logs API allows organizations to access and retrieve audit logs related to user activity and security events within their Slack workspaces.
Enterprise Events
Documentation on collecting events from the Audit Logs API
Enterprise Audit Logs
Slack enterprise audit logs that provide an audit trail of user and system activity.
References
Retention Details
Storage Duration: Default 90 days
Can be customized
Latency Details
Duration: Near real-time
Can be customized
Authentication
Events (3)
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Identity Service Provider Context
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Failure Context
-
Credential Context
Success
{
"action_at": "2023-06-22T19:06:47.149965+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_google",
"log_id": "ad9ddec3-8542-4d5a-b710-67928321abdc",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Failure
{
"action_at": "2023-06-14T21:57:50.583325+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "pmcandrew+test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_failed",
"log_id": "6cbd2dc5-c125-40d1-8dcf-9936abda6c5f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": null
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
User Agent Name
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:48:41.714659+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "bob@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_logout",
"log_id": "49fc4cd2-653e-4261-bb59-25dc6ee7a1c0",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Verification Method
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Verification Flagged
-
Activity Performed
Challenge
{
"action_at": "2023-06-23T20:11:06.106260+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_totp_challenge",
"log_id": "76812b0e-d9b0-4730-b5a1-5d4169743e2e",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}Authorization
Events (18)
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-20T14:20:30.626150+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 13148,
"target_user_username": "pmcandrew_test11",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_created",
"log_id": "188fdcf3-143a-49e9-ba80-452b48f42e4f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-15T02:02:19.147946+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.3",
"user_username": "john@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_disabled",
"log_id": "7f75c117-f8f8-4739-bfcf-cac8a728d486",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
-
Enrollment Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-14T22:00:24.705316+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": "TOTP",
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_enabled",
"log_id": "7ed13faf-9e3c-4905-839d-ff44309c2f72",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}Remove Enrollment
ET0021
A MFA enrollment was rmeoved from an account.
Remove Enrollment
ET0021
A MFA enrollment was rmeoved from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Enrollment Type
Success
{
"action_at": "2023-06-23T20:12:09.106337+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "+1 856-981-2588",
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_disabled",
"log_id": "34628772-1560-46da-81d0-2371c5cc3106",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}System Audit
Events (8)
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T15:51:50.253793+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "True",
"oauth_application_id": null,
"old_value": "False",
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": "Direct Auth Enabled",
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ao_sys_setting_change",
"log_id": "d2c46cde-44f7-43ac-84f5-79b8184c8105",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:21:55.407230+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": 442431,
"policy_name": "EMM Test Policy",
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.1",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "policy_created",
"log_id": "cb89b034-2f3b-4b41-9a34-6fdb289f4a6a",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": 442431,
"service_id": null,
"service_name": null,
"service_type": "box",
"user_id": 3187
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:05:09.728571+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": null,
"user_ip": null,
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ms_detection_ingestion_disabled",
"log_id": "ea080b00-2cf0-49fe-b1ba-6081f17a66ff",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": 35781,
"service_name": "AppOmni",
"service_type": "box",
"user_id": 3187
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-07-12T19:07:57.569196+00:00",
"action_data":
{
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"policy_id": 410860,
"policy_name": "Test Salesforce Policy",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "bob@example.com"
},
"action_type": "policy_deleted",
"log_id": "d4b105e8-d29b-436e-947e-52a6be5f58de",
"org_id": 176,
"service_type": "sfdc",
"user_id": 3187
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Authentication
Events (3)
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T08:28:41-07:00",
"created_by":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "00000000-abcd-1234-ab08-2cfe92d42606",
"event_type": "LOGIN",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Failure
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:08:06-07:00",
"created_by":
{
"id": "2",
"login": "",
"name": "Unknown User",
"type": "user"
},
"event_id": "00000000-abcd-1234-84ee-12298e09cfa9",
"event_type": "FAILED_LOGIN",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"id": "12345648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"type": "event"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:34:43-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-92ad-46f2f69e45cd",
"event_type": "NEW_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "25512345631",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Update
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:29-07:00",
"created_by":
{
"id": "12345648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "00000000-abcd-1234-be64-7fdc0421e478",
"event_type": "EDIT_USER",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:58-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-9c97-5e32f323b9f0",
"event_type": "DELETE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:36-07:00",
"created_by":
{
"id": "18863648385",
"login": "John Doe",
"name": "john@example.com",
"type": "user"
},
"event_id": "00000000-abcd-1234-a8a6-6f5474e5d86d",
"event_type": "GROUP_CREATION",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "my_sample_group"
},
"type": "event"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Update
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:46-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "49d24c58-a0e5-4ec7-9ccd-347827b0afed",
"event_type": "GROUP_EDITED",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"type": "event"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T10:46:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "24ada35a-a9e9-4c67-8fc9-33b5b9f9b52b",
"event_type": "GROUP_DELETION",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"group_id": "15299083860",
"group_name": "a_sample_group"
},
"type": "event"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"action_by": null,
"additional_details":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:24:15-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "f0545aa9-4be4-451e-a8d2-3c56aa257b8a",
"event_type": "GROUP_ADD_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Remove
{
"action_by": null,
"additional_details":
{
"group_id": "9744086129",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:45:45-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "56ae6ebb-7d6c-418e-bdeb-98d067c52af2",
"event_type": "GROUP_REMOVE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"accessible_by":
{
"id": "25575650631",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"action_by": null,
"additional_details":
{
"collab_id": "44582004179",
"is_performed_by_admin": false,
"role": "Editor",
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:57:12-07:00",
"created_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "15f0f70a-4502-496a-badf-5a0b12e49656",
"event_type": "COLLABORATION_INVITE",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_id": "25575650631",
"user_name": "John Doe"
},
"type": "event"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
Remove
{
"action_by": null,
"additional_details":
{
"collab_id": "44582741378",
"is_performed_by_admin": false,
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:47:09-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "052e68a2-7a29-4694-a77f-fec5713cb26f",
"event_type": "COLLABORATION_REMOVE",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_email": "alice@example.com"
},
"type": "event"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Add
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:27:03-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "7fd655c7-5a4a-4e13-8375-dc08cd2cf8b9",
"event_type": "MULTI_FACTOR_AUTH_ENABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Remove Enrollment
ET0021
A MFA enrollment was rmeoved from an account.
Remove Enrollment
ET0021
A MFA enrollment was rmeoved from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Remove
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:29:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "0bf5e6ad-a068-4770-9979-c7f409eb976b",
"event_type": "MULTI_FACTOR_AUTH_DISABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"type": "event"
}System Audit
Events (8)
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details":
{
"ekm_id": "b87156a9-6aff-4c21-910b-c5f1a8a02afd",
"service_id": "231318",
"service_name": "Multiput Uploads",
"size": 2584,
"version_id": "1319684204015"
},
"created_at": "2023-05-09T11:15:47-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "aeffeb99-f9a5-4243-9d3c-93f862dceec7",
"event_type": "UPLOAD",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"item_id": "1209714644015",
"item_name": "a_sample_file.csv",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
- Event ID