Products
Overview
The Event Maturity Matrix (EMM) is a comprehensive framework that provides clarity regarding the capabilities and nuances of SaaS audit logging. It is a valuable resource for security practitioners who want to obtain visibility into the different types of user activities that are logged, see real-world examples of SaaS audit logs, and use these insights to guide security monitoring and operational objectives.
Matrix Overview
The SaaS Event Maturity Matrix (EMM) was developed with the defensive security practitioner in mind. As such, the matrix’s overarching theme is to provide context regarding the depth of visibility as it pertains to security monitoring use cases. The Matrix consists of the following concepts:
- Products: represent the different SaaS platforms
- Event Sources: represent the different audit log files / sources that can be queried and collected
- Event Categories: represent the primary, top level categories of SaaS audit logging
- Event Types: represent the different types of activity that is audited, organized by categories
- Event Attributes: represent the individual fields or keys from different event types
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Identity Service Provider Context
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Failure Context
-
Credential Context
Success
{
"action_at": "2023-06-22T19:06:47.149965+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_google",
"log_id": "ad9ddec3-8542-4d5a-b710-67928321abdc",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Failure
{
"action_at": "2023-06-14T21:57:50.583325+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "pmcandrew+test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_failed",
"log_id": "6cbd2dc5-c125-40d1-8dcf-9936abda6c5f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": null
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
User Agent Name
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:48:41.714659+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "bob@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_logout",
"log_id": "49fc4cd2-653e-4261-bb59-25dc6ee7a1c0",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Verification Method
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Verification Flagged
-
Activity Performed
Challenge
{
"action_at": "2023-06-23T20:11:06.106260+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_totp_challenge",
"log_id": "76812b0e-d9b0-4730-b5a1-5d4169743e2e",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-20T14:20:30.626150+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 13148,
"target_user_username": "pmcandrew_test11",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_created",
"log_id": "188fdcf3-143a-49e9-ba80-452b48f42e4f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-15T02:02:19.147946+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.3",
"user_username": "john@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_disabled",
"log_id": "7f75c117-f8f8-4739-bfcf-cac8a728d486",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
-
Enrollment Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-14T22:00:24.705316+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": "TOTP",
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_enabled",
"log_id": "7ed13faf-9e3c-4905-839d-ff44309c2f72",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
-
Enrollment Type
Success
{
"action_at": "2023-06-23T20:12:09.106337+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "+1 856-981-2588",
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_disabled",
"log_id": "34628772-1560-46da-81d0-2371c5cc3106",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T15:51:50.253793+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "True",
"oauth_application_id": null,
"old_value": "False",
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": "Direct Auth Enabled",
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ao_sys_setting_change",
"log_id": "d2c46cde-44f7-43ac-84f5-79b8184c8105",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:21:55.407230+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": 442431,
"policy_name": "EMM Test Policy",
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.1",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "policy_created",
"log_id": "cb89b034-2f3b-4b41-9a34-6fdb289f4a6a",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": 442431,
"service_id": null,
"service_name": null,
"service_type": "box",
"user_id": 3187
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action_at": "2023-06-22T20:05:09.728571+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": null,
"user_ip": null,
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ms_detection_ingestion_disabled",
"log_id": "ea080b00-2cf0-49fe-b1ba-6081f17a66ff",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": 35781,
"service_name": "AppOmni",
"service_type": "box",
"user_id": 3187
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action_at": "2023-07-12T19:07:57.569196+00:00",
"action_data":
{
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"policy_id": 410860,
"policy_name": "Test Salesforce Policy",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "bob@example.com"
},
"action_type": "policy_deleted",
"log_id": "d4b105e8-d29b-436e-947e-52a6be5f58de",
"org_id": 176,
"service_type": "sfdc",
"user_id": 3187
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Audit Logs
AppOmni audit logs that provide a record of user activity.
References
Retention Details
Storage Duration: 180 days
Historical audit logs are stored for 180 days.
Latency Details
Duration: Near Real-Time
Historical audit logs are stored for 180 days.
Product Details
AppOmni is a cloud-based platform designed to help organizations assess, monitor, and protect their data and configurations within SaaS applications. AppOmni audit logs are collected via the *auditlogs* API, and can be streamed to a Threat Detection event sink. Historical audit logs are also stored for 180 days and can be accessed via the scheduled reports feature. There are currently minor formatting differences between API/Event Sink logs, and the logs retrieved via scheduled reports.
Audit Logs API
To collect events, make a call to the /core/auditlogs endpoint and specify the desired parameters.
References
Event Sink Streaming
Audit logs are delivered to all Threat Detection event sinks.
References
Scheduled Reports
Create a scheduled report of type "AppOmni Audit Logs" to download audit logs.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
Session ID
-
IP Address
Unsupported
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T08:28:41-07:00",
"created_by":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "00000000-abcd-1234-ab08-2cfe92d42606",
"event_type": "LOGIN",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Failure
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:08:06-07:00",
"created_by":
{
"id": "2",
"login": "",
"name": "Unknown User",
"type": "user"
},
"event_id": "00000000-abcd-1234-84ee-12298e09cfa9",
"event_type": "FAILED_LOGIN",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"id": "12345648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"type": "event"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:34:43-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-92ad-46f2f69e45cd",
"event_type": "NEW_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "25512345631",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Update
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:29-07:00",
"created_by":
{
"id": "12345648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "00000000-abcd-1234-be64-7fdc0421e478",
"event_type": "EDIT_USER",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:58-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-9c97-5e32f323b9f0",
"event_type": "DELETE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:36-07:00",
"created_by":
{
"id": "18863648385",
"login": "John Doe",
"name": "john@example.com",
"type": "user"
},
"event_id": "00000000-abcd-1234-a8a6-6f5474e5d86d",
"event_type": "GROUP_CREATION",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "my_sample_group"
},
"type": "event"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Update
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:46-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "49d24c58-a0e5-4ec7-9ccd-347827b0afed",
"event_type": "GROUP_EDITED",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"type": "event"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T10:46:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "24ada35a-a9e9-4c67-8fc9-33b5b9f9b52b",
"event_type": "GROUP_DELETION",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"group_id": "15299083860",
"group_name": "a_sample_group"
},
"type": "event"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"action_by": null,
"additional_details":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:24:15-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "f0545aa9-4be4-451e-a8d2-3c56aa257b8a",
"event_type": "GROUP_ADD_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Remove
{
"action_by": null,
"additional_details":
{
"group_id": "9744086129",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:45:45-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "56ae6ebb-7d6c-418e-bdeb-98d067c52af2",
"event_type": "GROUP_REMOVE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add
{
"accessible_by":
{
"id": "25575650631",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"action_by": null,
"additional_details":
{
"collab_id": "44582004179",
"is_performed_by_admin": false,
"role": "Editor",
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:57:12-07:00",
"created_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "15f0f70a-4502-496a-badf-5a0b12e49656",
"event_type": "COLLABORATION_INVITE",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_id": "25575650631",
"user_name": "John Doe"
},
"type": "event"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
Remove
{
"action_by": null,
"additional_details":
{
"collab_id": "44582741378",
"is_performed_by_admin": false,
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:47:09-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "052e68a2-7a29-4694-a77f-fec5713cb26f",
"event_type": "COLLABORATION_REMOVE",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_email": "alice@example.com"
},
"type": "event"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Add
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:27:03-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "7fd655c7-5a4a-4e13-8375-dc08cd2cf8b9",
"event_type": "MULTI_FACTOR_AUTH_ENABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Target Username
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Remove
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:29:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "0bf5e6ad-a068-4770-9979-c7f409eb976b",
"event_type": "MULTI_FACTOR_AUTH_DISABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"type": "event"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create
{
"action_by": null,
"additional_details":
{
"ekm_id": "b87156a9-6aff-4c21-910b-c5f1a8a02afd",
"service_id": "231318",
"service_name": "Multiput Uploads",
"size": 2584,
"version_id": "1319684204015"
},
"created_at": "2023-05-09T11:15:47-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "aeffeb99-f9a5-4243-9d3c-93f862dceec7",
"event_type": "UPLOAD",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"item_id": "1209714644015",
"item_name": "a_sample_file.csv",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Read
{
"action_by": null,
"additional_details":
{
"access_token_identifier": "16c1948d38e23d80203df77a0273928ff0eb50bad8b62fcc6b4fe73e03482a11",
"ekm_id": "fb01c788-3be7-444d-b165-89a52741235f",
"service_id": "553530",
"service_name": "Box Elements (used in Box Web App)",
"size": 2584,
"version_id": "1319684204015"
},
"created_at": "2023-05-09T11:16:00-07:00",
"created_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "80ddc3b3-dd44-4377-9fe7-a634228cc952",
"event_type": "CONTENT_ACCESS",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"item_id": "1209714644015",
"item_name": "a_sample_file.csv",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Update
{
"action_by": null,
"additional_details":
{
"file_hash": "0d012f12345678de3df12345b0b123a59f123456",
"file_path": "/SAMPLE/Reference Documents",
"hash_type": "sha1",
"service_id": "254429",
"service_name": "Box Drive",
"size": 4398971,
"version_id": "1319736874242"
},
"created_at": "2023-05-09T11:30:38-07:00",
"created_by":
{
"id": "12345678124",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "00000000-abcd-1234-8b08-418033e43a4b",
"event_type": "RENAME",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"item_id": "12012345678942",
"item_name": "a_sample_file.pdf",
"item_type": "file",
"owned_by":
{
"id": "12345678124",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"parent":
{
"id": "1234567807873",
"name": "Reference Documents",
"type": "folder"
}
},
"type": "event"
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Delete
{
"action_by": null,
"additional_details":
{
"size": 360705,
"version_id": "1319678729473"
},
"created_at": "2023-05-09T11:15:12-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "9fbcf20f-aeb7-4149-ab8e-3f56cab43337",
"event_type": "DELETE",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"item_id": "1209709863073",
"item_name": "a_sample_file.pdf",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
-
Resource Metadata
Unsupported
-
Result
-
User Type / Role
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Download
{
"action_by": null,
"additional_details":
{
"ekm_id": "5b300b24-36d8-493a-a823-41ac400d284e",
"size": 360705,
"version_id": "1319678729473"
},
"created_at": "2023-05-09T11:14:52-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "f70ed75d-9a96-4aac-aef8-5cce1a5c1eb8",
"event_type": "DOWNLOAD",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"item_id": "1209709863073",
"item_name": "a_sample_report.pdf",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}
Admin Logs
Box enterprise logs that provide an audit trail of user activity.
References
Retention Details
Storage Duration: 365 Days
Based on the admin_logs stream type.
Latency Details
Duration: Near Real-Time
Based on the admin_logs stream type.
Product Details
Box is a cloud-based content management and file sharing service. It's designed to help organizations store, manage, and collaborate on files and documents. The Box Events API provides an event feed for enterprise events that have been generated within Box across the enterprise. Depending on the specified stream_type, the Events API can provide real-time monitoring or historical querying of events. The admin_logs_streaming stream type provides low latency, real-time access to events as they are processed by Box. Only two weeks of events are available via this stream type. The admin_logs stream type emphasizes completeness over latency, and provides access to events up to one year.
Get Enterprise Events
To collect enterprise events, make a call to the /events API and specify the desired stream_type.
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
IP Address
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Unsupported
-
Event ID
-
User ID
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
Success
{
"action": "admin_login",
"description":
{
"device": "123-456-7890",
"factor": "push",
"ip_address": "192.168.10.1",
"primary_auth_method": "Password",
"role": "Owner"
},
"isotimestamp": "2024-05-17T17:24:21+00:00",
"object": null,
"timestamp": 1715966661,
"username": "John Doe"
}Failure
{
"action": "admin_login_error",
"description":
{
"email": "jane.doe@acme.com",
"error": "Invalid password attempt",
"ip_address": "192.168.1.1"
},
"isotimestamp": "2024-05-20T19:23:45+00:00",
"object": null,
"timestamp": 1716233025,
"username": "Jane Doe"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event Code / Type
-
Result
-
Username
-
IP Address
-
Verification Method
-
Verification Flagged
Unsupported
-
Event ID
-
User ID
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Activity Performed
Failure
{
"action": "admin_2fa_error",
"description":
{
"email": "john.smith@example.com",
"error": "Invalid passcode.",
"factor": "sms",
"ip_address": "192.168.10.1"
},
"isotimestamp": "2024-05-21T17:58:04+00:00",
"object": null,
"timestamp": 1716314284,
"username": "Smith, John"
}Flagged
{
"action": "admin_2fa_error",
"description":
{
"email": "joe.smith@example.com",
"error": "Login request reported as fraudulent.",
"factor": "push",
"ip_address": "192.168.1.2"
},
"isotimestamp": "2024-05-23T19:17:28+00:00",
"object": null,
"timestamp": 1716491848,
"username": "Joe Smith"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User Type / Role
-
Target Username
Unsupported
-
Event ID
-
Result
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_create",
"description":
{
"email": "",
"enable_auto_prompt": true,
"notes": "",
"realname": "",
"status": "Active",
"uname": "bbanner@example.com"
},
"isotimestamp": "2024-05-17T17:24:53+00:00",
"object": "bbanner@example.com",
"timestamp": 1715966693,
"username": "Jane Doe"
}Admin
{
"action": "admin_create",
"description":
{
"administrative_units": "",
"email": "bwayne@batman.com",
"hardtoken": null,
"is_temporary_password": false,
"name": "Bruce Wayne",
"phone": null,
"restricted_by_admin_units": false,
"role": "Administrator",
"status": "Pending Activation",
"subaccount_access_tags":
[]
},
"isotimestamp": "2024-05-23T20:16:23+00:00",
"object": "Bruce Wayne",
"timestamp": 1716495383,
"username": "Jane Doe"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
-
Target Attribute Context
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_update",
"description":
{
"email": "tonystark@acme.com",
"realname": "Tony Stark"
},
"isotimestamp": "2024-05-23T19:41:21+00:00",
"object": "tonystark",
"timestamp": 1716493281,
"username": "James Doe"
}Admin
{
"action": "admin_update",
"description":
{
"administrative_units": "",
"restricted_by_admin_units": false,
"role": "Help Desk"
},
"isotimestamp": "2024-05-29T12:54:47+00:00",
"object": "Bruce Banner",
"timestamp": 1716987287,
"username": "John Doe"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User Type / Role
-
Target Username
Unsupported
-
Event ID
-
Result
-
User ID
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_pending_delete",
"description":
{
"status": "Pending Deletion"
},
"isotimestamp": "2024-05-17T17:30:04+00:00",
"object": "sally.smith@example.com",
"timestamp": 1715967004,
"username": "John Doe"
}Admin
{
"action": "admin_delete",
"description":
{
"administrative_units": "",
"email": "bob.smith@example.com",
"hardtoken": null,
"is_temporary_password": false,
"name": "Bob Smith",
"phone": null,
"restricted_by_admin_units": false,
"role": "Administrator",
"status": "Pending Activation",
"subaccount_role": "Administrator"
},
"isotimestamp": "2024-05-23T20:16:36+00:00",
"object": "Bob Smith",
"timestamp": 1716495396,
"username": "Jane Doe"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "group_create",
"description":
{
"_status": "Active",
"administrative_units": "",
"desc": "East coast admin group",
"name": "custom_admin_group_east"
},
"isotimestamp": "2024-05-17T17:31:18+00:00",
"object": "custom_admin_group_east",
"timestamp": 1715967078,
"username": "Jane Doe"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "group_update",
"description":
{
"_status": "Disabled"
},
"isotimestamp": "2024-05-23T19:42:49+00:00",
"object": "custom_group_bypass_users",
"timestamp": 1716493369,
"username": "John Doe"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "group_delete",
"description":
{
"_status": "Disabled",
"administrative_units": "",
"desc": "",
"name": "local_login"
},
"isotimestamp": "2024-05-23T19:43:09+00:00",
"object": "custom_group_west_users",
"timestamp": 1716493389,
"username": "John Doe"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
-
Target Group Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "user_update",
"description":
{
"groups":
[
{
"_status": "Bypass",
"desc": "custom group for bypass users",
"name": "custom_group_user_bypass"
}
]
},
"isotimestamp": "2024-05-23T19:43:23+00:00",
"object": "Mary Smith",
"timestamp": 1716493403,
"username": "Jane Doe"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"action": "user_update",
"description":
{
"groups":
[
null
]
},
"isotimestamp": "2024-05-23T19:43:42+00:00",
"object": "Steve Smith",
"timestamp": 1716493422,
"username": "Jane Doe"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
User Agent Name
-
Target Username
-
Enrollment Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"action": "webauthncredential_create",
"description":
{
"authenticator_type": "Security key",
"browser": "Chrome",
"browser_version": "125.0.0.0",
"credential_name": "Security key",
"os": "Mac OS X",
"os_version": "10.15.7",
"owner_id": "DURTAOK2HW7ORVKHXQDU",
"owner_name": "luke.skywalker@republic.com",
"owner_type": "user",
"passwordless_authorized": false,
"transport_types": "nfc,usb",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
},
"isotimestamp": "2024-05-17T17:36:03+00:00",
"object": "WAB9XG0DD12N34EQDGTP",
"timestamp": 1715967363,
"username": "Jane Doe"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Target Username
-
Enrollment Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
User
{
"action": "user_update",
"description": "{\"phones\": \"\"}",
"isotimestamp": "2024-05-28T17:17:58+00:00",
"object": "bob.smith@acme.com",
"timestamp": 1716916678,
"username": "John Doe"
}Admin
{
"action": "admin_update",
"description": "{\"phone\": null}",
"isotimestamp": "2024-05-28T17:18:45+00:00",
"object": "Bruce Banner",
"timestamp": 1716916725,
"username": "Jane Doe"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"action": "cloudsso_add_saml_authsource",
"description": null,
"isotimestamp": "2024-05-29T15:03:35+00:00",
"object": null,
"timestamp": 1716995015,
"username": "John Doe"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"action": "updated_risk_profile",
"description":
{
"applications": "Admin API",
"countries": "Ascension, Afghanistan, Albania, Algeria, Antigua and Barbuda",
"groups": "",
"ips": "192.168.100.10",
"net_blocks": "",
"non_authentication_events":
{
"bypass_status_enablement": "Always"
}
},
"isotimestamp": "2024-05-29T14:34:59+00:00",
"object": null,
"timestamp": 1716993299,
"username": "Jane Doe"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "policy_delete",
"description":
{
"admin_email": "jane.doe@example.com",
"anonymous_ip_policy": "Deny access",
"browser_max_ood_days": 30,
"chrome_remediation": "notify and allow",
"edge_remediation": "notify and allow",
"enroll_policy": "Require Enrollment",
"firefox_remediation": "notify and allow",
"ie_remediation": "notify and allow",
"mobile_chrome_remediation": "notify and allow",
"mobile_edge_remediation": "notify and allow",
"mobile_firefox_remediation": "notify and allow",
"mobile_safari_remediation": "notify and allow",
"name": "TEST POLICY",
"other_browsers_remediation": "notify and allow",
"pretty_trusted_devices": "",
"safari_remediation": "block all"
},
"isotimestamp": "2024-05-29T14:49:14+00:00",
"object": "TEST POLICY",
"timestamp": 1716994154,
"username": "Jane Doe"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Integration / App Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "integration_create",
"description":
{
"greeting": "",
"group_access": "",
"missing_web_referer_policy": "deny",
"name": "Salesforce - Single Sign-On",
"networks_for_api_access": "",
"notes": "",
"offline_auth_enabled": 0,
"offline_max_attempts": 0,
"offline_max_days": 0,
"os_logon_pwl_enabled": false,
"raw_type": "sso-salesforce",
"self_service_allowed": false,
"type": "Salesforce - Single Sign-On",
"username_normalization_policy": "None"
},
"isotimestamp": "2024-05-21T15:49:00+00:00",
"object": "Salesforce - Single Sign-On",
"timestamp": 1716306540,
"username": "Jane Doe"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Configuration / Setting Name
-
Integration / App Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"action": "integration_update",
"description":
{
"adminapi_admins": true,
"adminapi_info": true,
"adminapi_read_log": true,
"adminapi_read_resource": true,
"adminapi_settings": true
},
"isotimestamp": "2024-05-24T18:51:14+00:00",
"object": "Admin API",
"timestamp": 1716576674,
"username": "John Doe"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Integration / App Name
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "integration_delete",
"description":
{
"greeting": "",
"group_access": "",
"missing_web_referer_policy": "deny",
"name": "Workday - Single Sign-On",
"networks_for_api_access": "",
"notes": "",
"offline_auth_enabled": 0,
"offline_max_attempts": 0,
"offline_max_days": 0,
"os_logon_pwl_enabled": false,
"raw_type": "sso-workday",
"self_service_allowed": false,
"type": "Workday - Single Sign-On",
"username_normalization_policy": "None"
},
"isotimestamp": "2024-05-21T15:52:12+00:00",
"object": "Workday - Single Sign-On",
"timestamp": 1716306732,
"username": "Jane Doe"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "administrative_unit_create",
"description":
{
"Administrators": "No assignments",
"Applications": "No assignments",
"Description": "",
"Groups": "No assignments",
"Name": "Test Admin Unit",
"Restricted by applications": "True",
"Restricted by groups": "True"
},
"isotimestamp": "2024-05-29T15:55:42+00:00",
"object": "Test Admin Unit",
"timestamp": 1716998142,
"username": "John Doe"
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "custom_messaging_update",
"description":
{
"help_links":
[],
"help_text_by_locale":
{
"en_US": "This is a custom Help Desk Message"
}
},
"isotimestamp": "2024-05-29T16:04:19+00:00",
"object": null,
"timestamp": 1716998659,
"username": "John Doe"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event Code / Type
-
Username
-
Resource Name
-
Resource Type
Unsupported
-
Event ID
-
Result
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"action": "phone_delete",
"description":
{
"extension": "",
"number": "+11234567890",
"platform": "Generic Smartphone",
"pname": "",
"postdelay": null,
"predelay": null,
"type": "Mobile"
},
"isotimestamp": "2024-05-28T17:17:58+00:00",
"object": "123-456-6789",
"timestamp": 1716916678,
"username": "Jane Doe"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Duo Administrator Logs
Provides an audit trail of administrative actions taken within the Duo Security platform.
References
Retention Details
Storage Duration: Configurable
Administrator logs are stored based on the log retention interval setting. If no custom log retention interval has been specified, Administrator logs can be retrieved from the time the account was initially created, reference https://help.duo.com/s/article/2990?language=en_US
Latency Details
Duration: Near real-time
Administrator logs are stored based on the log retention interval setting. If no custom log retention interval has been specified, Administrator logs can be retrieved from the time the account was initially created, reference https://help.duo.com/s/article/2990?language=en_US
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Result
-
Username
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Unsupported
-
Event ID
-
Event Code / Type
-
User ID
-
User Type / Role
-
Session ID
Success
{
"access_device":
{
"browser": "Chrome",
"browser_version": "125.0.6422.61",
"flash_version": "uninstalled",
"java_version": "uninstalled",
"os": "Mac OS X",
"os_version": "14.5.0",
"trusted_endpoint_status": "unknown"
},
"alias": "",
"device": "123-456-7890",
"email": "",
"factor": "Verified Duo Push",
"integration": "Salesforce - Single Sign-On",
"ip": "192.168.10.1",
"isotimestamp": "2024-05-21T18:09:57.825584+00:00",
"location":
{
"city": "San Francisco",
"country": "US",
"state": "California"
},
"new_enrollment": false,
"ood_software": null,
"reason": "Push answered with correct verification code",
"result": "SUCCESS",
"timestamp": 1716314997,
"username": "Bruce Wayne"
}Failure
{
"access_device":
{
"browser": "Chrome",
"browser_version": "125.0.6422.61",
"flash_version": "uninstalled",
"java_version": "uninstalled",
"os": "Mac OS X",
"os_version": "14.5.0",
"trusted_endpoint_status": "unknown"
},
"alias": "",
"device": "123-456-7890",
"email": "",
"factor": "Verified Duo Push",
"integration": "Duo Central",
"ip": "192.168.10.1",
"isotimestamp": "2024-05-21T18:08:48.081423+00:00",
"location":
{
"city": "San Francisco",
"country": "US",
"state": "California"
},
"new_enrollment": false,
"ood_software": null,
"reason": "User entered incorrect verification code",
"result": "FAILURE",
"timestamp": 1716314928,
"username": "Tony Stark"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Group Name
Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Duo Authentication Logs
Provides an audit trail of authentication activity within the Duo Security platform.
References
Retention Details
Storage Duration: 180 days
Maximum retention of 180 days, even if the log retention interval is set to a value greater than 180 days, reference https://help.duo.com/s/article/2990?language=en_US
Latency Details
Duration: Near real-time
Maximum retention of 180 days, even if the log retention interval is set to a value greater than 180 days, reference https://help.duo.com/s/article/2990?language=en_US
Product Details
Duo is a cloud-based security platform which provides multi-factor authentication, identity and device verification, and single sign-on to company resources. The Duo Admin API provides programmatic access to the Duo platform. The Admin API can be used to to manage users, tokens, bypass codes, and retrieve audit logs.
Duo Admin API
The Duo Admin API provides programmatic access to the administrative functionality of Duo Security's two-factor authentication platform.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Credential Context
-
Identity Service Provider Context
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
Device/Client Type
-
Failure Context
Success
{
"@timestamp": 1685981286101,
"_document_id": "mdvjC2kuRvXW_3Gkg7ni7Q",
"action": "org.sso_response",
"actor": "john.doe",
"actor_id": 12345678,
"actor_location": {
"country_code": "US"
},
"created_at": 1685981286101,
"issuer": "https://accounts.google.com/o/saml2?idpid=C02abcd01",
"operation_type": "authentication",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.1 Safari/537.36"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686001364120,
"_document_id": "FLl6thHIizqa55S1P1tjIA",
"action": "team.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"created_at": 1686001364120,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"team": "acme-inc/approvers",
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"user_id": 95659676
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
-
Target Attribute Context
Success
{
"@timestamp": 1694792374166,
"_document_id": "JLMgkpYMkGmRiukmKjn4CQ",
"action": "team.rename",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1694792374166,
"name": "Acme_Devs",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"team": "acme-inc/devs",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1714145080936,
"_document_id": "alg4QbCba1UhZA2VFJSTxQ",
"action": "team.destroy",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_is_bot": false,
"actor_location":
{
"country_code": "US"
},
"business": "acme-inc",
"business_id": 1234000,
"created_at": 1714145080936,
"external_identity_nameid": "john@example.com",
"external_identity_username": null,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"team": "acme-inc/approvers",
"user_agent": "Mozilla/5.0 (Macintosh Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686151363489,
"_document_id": "rLVAJb3ZtiugVygHs84Agw",
"action": "org.add_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686151363489,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"permission": "read",
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_id": 98490879
}Success
{
"@timestamp": 1686159261336,
"_document_id": "8s0hw2CW8Y44_rjiM9yNkw",
"action": "repo.add_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686159261336,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"permission": "admin",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0",
"user_id": 24304531,
"visibility": "private"
}Success
{
"@timestamp": 1686096308885,
"_document_id": "SwDxpQo4Gs5NMybfaD9mig",
"action": "team.add_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686096308885,
"hashed_token": "mZp8g+OGBjSnsxiRSjcYhBTpoXi5BfdF2q8F1+kPW4M=",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"team": "acme-inc/approvers",
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "alice.brown",
"user_agent": "python-requests/2.25.1",
"user_id": 87766365
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
User Agent Name
-
Device/Client Type
Success
{
"@timestamp": 1685999458723,
"_document_id": "7IscVOcqIFzcj5OSXLDtig",
"action": "org.remove_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1685999458723,
"hashed_token": "zQVfYwWXODOOEd4WcNdcJCBfPDJBrFXRGvmX25Q7ZjU=",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"token_id": 47105702648,
"user": "alice.brown",
"user_agent": "PyGithub/Python",
"user_id": 1234567
}Success
{
"@timestamp": 1686096006218,
"_document_id": "Pm9_xkuRvV-rrHd2Tjk0Tw",
"action": "repo.remove_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686096006218,
"hashed_token": "mZp8g+OGBjSnsxiRSjcYhBTpoXi5BfdF2q8F1+kLW4M=",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "alice.brown",
"user_agent": "python-requests/2.25.1",
"user_id": 116757057,
"visibility": "internal"
}Success
{
"@timestamp": 1685998981304,
"_document_id": "XQwkRXOV8tJYCbbgk9d6TQ",
"action": "team.remove_member",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1685998981304,
"hashed_token": "zQVfYwWXODOOEd4WcNdcJCBfPDJBrFXRGvmX25Q7ZjU=",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"team": "acme-inc/approvers",
"token_id": 57105909618,
"user": "alice.brown",
"user_agent": "PyGithub/Python",
"user_id": 110431782
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686215687636,
"_document_id": "TrmGicxMRvbKCHwf3vmJdD",
"action": "team.update_repository_permission",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686215687636,
"hashed_token": "mZp8g+OGBjSnsxiRAjcYhBTpoXi5BfdF2d8F1+kLW4M=",
"new_repo_base_role": null,
"new_repo_permission": "maintain",
"old_permissions": {
"admin": true,
"maintain": true,
"pull": true,
"push": true,
"triage": true
},
"old_repo_base_role": null,
"old_repo_permission": "admin",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 641582886,
"team": "acme-inc/dev-leads",
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "gh-automate-prod",
"user_agent": "python-requests/2.25.0",
"user_id": 92325258
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686215687636,
"_document_id": "TrmGicxMRvbKCHwb3vmJdQ",
"action": "team.update_repository_permission",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686215687636,
"hashed_token": "mZp8g+OGBjSnsxiRSjcYhBTpoXi5BfdF2q8F1+kLW4M=",
"new_repo_base_role": null,
"new_repo_permission": "maintain",
"old_permissions": {
"admin": true,
"maintain": true,
"pull": true,
"push": true,
"triage": true
},
"old_repo_base_role": null,
"old_repo_permission": "admin",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 641582886,
"team": "acme-inc/dev-leads",
"token_id": 720527199,
"token_scopes": "admin:enterprise,admin:gpg_key,admin:org,admin:org_hook,admin:public_key,admin:repo_hook,delete:packages,delete_repo,gist,notifications,project,repo,user,workflow,write:discussion,write:packages",
"user": "gh-automate-prod",
"user_agent": "python-requests/2.25.0",
"user_id": 92325258
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686011086644,
"_document_id": "RxxlJ0MRNMQR8olkdIgPvQ",
"action": "private_repository_forking.enable",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"created_at": 1686011086644,
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 649922249,
"user": "john.doe",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"user_id": 12345678
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686158250381,
"_document_id": "_I3yfAxtGRuNaaiuffqtvA",
"action": "hook.config_changed",
"active": true,
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"config": {
"content_type": "json",
"insecure_ssl": "0",
"url": "https://webhook.acme.com/deliver/fghij"
},
"config_was": {
"content_type": "json",
"insecure_ssl": "0",
"url": "https://webhook.acme.com/deliver/abcde"
},
"created_at": 1686158250381,
"events": [
"deployment",
"pull_request",
"push"
],
"hook_id": 418200273,
"name": "webhook",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 649951183,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686246022669,
"_document_id": "Ko2tnAiduqWy3KZSsh1nGA",
"action": "repo.change_merge_setting",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686246022669,
"hashed_token": "WQH64WU0ciJ0EBQcMlkneYRFGeQoW6FocQt8NYpNy5c=",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 651188699,
"token_id": 1139584588,
"token_scopes": "admin:repo_hook,delete_repo,repo",
"user_agent": "octokit.js/2.0.10 octokit-core.js/4.1.0 Node.js/16.20.0 (linux; x64)",
"visibility": "private"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686093901098,
"_document_id": "-hMpj-RFDXOlc43Zf9woMw",
"action": "integration.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686093901098,
"integration": "Acme: integration 001",
"name": "Acme: integration 001",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Integration / App Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1689093550092,
"_document_id": "IrAm5tty1DHWLJG7uRCusA",
"action": "integration.destroy",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 120,
"created_at": 1689093550092,
"integration": "Acme: integration 1",
"name": "Acme: integration 1",
"operation_type": "remove",
"org": "acme",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686078595170,
"_document_id": "sMyjmd8KUm6uTtRwQJ1hsw",
"action": "hook.create",
"active": true,
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"config": {
"content_type": "json",
"insecure_ssl": "0",
"secret": "********",
"url": "https://us-west-2.webhooks.aws/trigger"
},
"created_at": 1686078595170,
"events": [
"push"
],
"hashed_token": "DfeiN4v7CaRl56/VnmeKJ3+U9G9A1/zW9IFvFB3r268=",
"hook_id": 418227875,
"name": "webhook",
"oauth_application": null,
"oauth_application_id": null,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "Personal access token (classic)",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"token_id": 610414153,
"token_scopes": "admin:repo_hook,repo",
"user_agent": "AWS CodePipeline"
}Success
{
"@timestamp": 1686078898897,
"_document_id": "Dn-NJGInb1qGinKSmx-Hhg",
"action": "pull_request.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686078898897,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1381374259,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/example-repo/pull/64",
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_id": 105299763
}Success
{
"@timestamp": 1686163479794,
"_document_id": "HxMMNJg2Ek8AJoNUGZ_6Yw",
"action": "pull_request_review.submit",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686163479794,
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1383147660,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/dice-instl-reset-password-ui/pull/159",
"repo": "acme-inc/example-repo",
"repo_id": 343699946,
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686079082576,
"_document_id": "GohZoGvnLxIsTepkIgnPuA",
"action": "pull_request_review_comment.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686079082576,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686077942218,
"_document_id": "Mgash4pqBYVy5lV3xeohLg",
"action": "repo.create",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686077942218,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"visibility": "private"
}Success
{
"@timestamp": 1685772210579,
"_document_id": "CyTAhfqvaaz5kqONoaJ1hg",
"action": "repo.create_actions_secret",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1685772210579,
"key": "ACME_TOKEN",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"visibility": null
}Success
{
"@timestamp": 1686078701893,
"_document_id": "RDSIX6X7F8WlXCkyaBqtOA",
"action": "workflows.created_workflow_run",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686078701893,
"event": "pull_request",
"hashed_token": "nfd4LqkxPUWZZgY4Gw0ouzqnR6Vil/6QVSKnIeDsKjk=",
"head_branch": "master-1",
"head_sha": "39c3ffd3a48a3b8e1dd17329724f503e508a5d71",
"name": "ci-pr",
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"run_number": 5754,
"started_at": "2023-06-06T19:11:41.000Z",
"token_id": 57189181686,
"trigger_id": 1380004667,
"user_agent": "launch/production",
"workflow_id": 36840124,
"workflow_run_id": 5192442613
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686141043334,
"_document_id": "1Ed3MPt5rEKAbpW-k9jKVQ",
"action": "pull_request.create_review_request",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686141043334,
"operation_type": "create",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1382584132,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/example-repo/pull/4298",
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user": "alice.brown",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"user_id": 89937142
}Success
{
"@timestamp": 1686134016077,
"_document_id": "rRDqrkWAyr4etNHVBN2MdQ",
"action": "pull_request_review_comment.update",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686134016077,
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686092778658,
"_document_id": "ySsAv7blcNhEhRvlw2cnbQ",
"action": "repo.rename",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686092778658,
"old_name": "copy-s3-objects",
"operation_type": "modify",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15",
"visibility": "private"
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
Success
{
"@timestamp": 1686089206322,
"_document_id": "4qrOaf_n_cB0BEUfoTXeyw",
"action": "hook.destroy",
"active": true,
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"config": {
"content_type": "form",
"insecure_ssl": "0"
},
"created_at": 1686089206322,
"events": [],
"hook_id": 418246386,
"name": "webhook",
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686092779312,
"_document_id": "2AAQbnEVxg_qkh4S5XcQDg",
"action": "pull_request_review.delete",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686092779312,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"pull_request_id": 1376005422,
"pull_request_title": "Release 2345",
"pull_request_url": "https://github.com/acme-inc/example-repo/pull/965",
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686093347760,
"_document_id": "4cV9xbCwSP5t5IT1TXEY1A",
"action": "pull_request_review_comment.delete",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686093347760,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
}Success
{
"@timestamp": 1686163467515,
"_document_id": "1V2e_uoTEqkgh4EIgIq28g",
"action": "repo.destroy",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686163467515,
"operation_type": "remove",
"org": "acme-inc",
"org_id": 1234000,
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"visibility": "private"
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
Device/Client Type
-
Resource Metadata
Success
{
"@timestamp": 1686153022502,
"_document_id": "TaE7QBpn7eLwzy62M2_I8g",
"action": "repo.download_zip",
"actor": "john.doe",
"actor_id": 12345678,
"actor_ip": "198.51.100.1",
"actor_location": {
"country_code": "US"
},
"business": "acme",
"business_id": 1122,
"created_at": 1686153022502,
"hashed_token": "wEEhJjHXoWXUrZ2RjPughm1z3SFJBMM1P7ezCwNHUtM=",
"operation_type": "access",
"org": "acme-inc",
"org_id": 1234000,
"programmatic_access_type": "GitHub App server-to-server token",
"public_repo": false,
"repo": "acme-inc/example-repo",
"repo_id": 100056789,
"token_id": 57266916082,
"user_agent": "AWS CodeStar Connections",
"visibility": "internal"
}
Audit Logs
GitHub enterprise audit logs that provide an audit trail of user and system activity.
References
Retention Details
Storage Duration: Infinite
Can be changed by an enterprise admin
Latency Details
Duration: Near Real-Time
Can be changed by an enterprise admin
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Attribute Context
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "member",
"action": "edited",
"changes": {
"permission": {
"from": "admin",
"to": "maintain"
}
},
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2019-05-06T23:02:11Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme-inc",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme-inc",
"updated_at": "2023-09-18T18:37:11Z",
"website_url": ""
},
"installation": {
"id": 36327543,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc1NDM="
},
"member": {
"avatar_url": "https://avatars.githubusercontent.com/u/125585944?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 125585944,
"login": "john.doe",
"node_id": "U_kgDOB3xKGA",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/57419047?v=4",
"description": "Technology products that deliver great experiences.",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 57419047,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU3NDE5MDQ3",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"repository": {
"allow_forking": false,
"archive_url": "https://api.github.com/repos/acme/acme-search-service/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/acme/acme-search-service/assignees{/user}",
"blobs_url": "https://api.github.com/repos/acme/acme-search-service/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/acme/acme-search-service/branches{/branch}",
"clone_url": "https://github.com/acme/acme-search-service.git",
"collaborators_url": "https://api.github.com/repos/acme/acme-search-service/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/acme/acme-search-service/comments{/number}",
"commits_url": "https://api.github.com/repos/acme/acme-search-service/commits{/sha}",
"compare_url": "https://api.github.com/repos/acme/acme-search-service/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/acme/acme-search-service/contents/{+path}",
"contributors_url": "https://api.github.com/repos/acme/acme-search-service/contributors",
"created_at": "2023-03-06T18:27:33Z",
"default_branch": "develop",
"deployments_url": "https://api.github.com/repos/acme/acme-search-service/deployments",
"description": "This repository has code for hosting associate search process endpoints",
"disabled": false,
"downloads_url": "https://api.github.com/repos/acme/acme-search-service/downloads",
"events_url": "https://api.github.com/repos/acme/acme-search-service/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/acme/acme-search-service/forks",
"full_name": "acme/acme-search-service",
"git_commits_url": "https://api.github.com/repos/acme/acme-search-service/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/acme/acme-search-service/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/acme/acme-search-service/git/tags{/sha}",
"git_url": "git://github.com/acme/acme-search-service.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": true,
"has_pages": false,
"has_projects": true,
"has_wiki": true,
"homepage": "",
"hooks_url": "https://api.github.com/repos/acme/acme-search-service/hooks",
"html_url": "https://github.com/acme/acme-search-service",
"id": 610418220,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/acme/acme-search-service/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/acme/acme-search-service/issues/events{/number}",
"issues_url": "https://api.github.com/repos/acme/acme-search-service/issues{/number}",
"keys_url": "https://api.github.com/repos/acme/acme-search-service/keys{/key_id}",
"labels_url": "https://api.github.com/repos/acme/acme-search-service/labels{/name}",
"language": "Python",
"languages_url": "https://api.github.com/repos/acme/acme-search-service/languages",
"license": null,
"merges_url": "https://api.github.com/repos/acme/acme-search-service/merges",
"milestones_url": "https://api.github.com/repos/acme/acme-search-service/milestones{/number}",
"mirror_url": null,
"name": "acme-search-service",
"node_id": "R_kgDOJGI-LA",
"notifications_url": "https://api.github.com/repos/acme/acme-search-service/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/57419047?v=4",
"events_url": "https://api.github.com/users/acme/events{/privacy}",
"followers_url": "https://api.github.com/users/acme/followers",
"following_url": "https://api.github.com/users/acme/following{/other_user}",
"gists_url": "https://api.github.com/users/acme/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme",
"id": 57419047,
"login": "acme",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU3NDE5MDQ3",
"organizations_url": "https://api.github.com/users/acme/orgs",
"received_events_url": "https://api.github.com/users/acme/received_events",
"repos_url": "https://api.github.com/users/acme/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/acme"
},
"private": true,
"pulls_url": "https://api.github.com/repos/acme/acme-search-service/pulls{/number}",
"pushed_at": "2023-05-08T16:25:35Z",
"releases_url": "https://api.github.com/repos/acme/acme-search-service/releases{/id}",
"size": 65114,
"ssh_url": "git@github.com:acme/acme-search-service.git",
"stargazers_count": 1,
"stargazers_url": "https://api.github.com/repos/acme/acme-search-service/stargazers",
"statuses_url": "https://api.github.com/repos/acme/acme-search-service/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/acme/acme-search-service/subscribers",
"subscription_url": "https://api.github.com/repos/acme/acme-search-service/subscription",
"svn_url": "https://github.com/acme/acme-search-service",
"tags_url": "https://api.github.com/repos/acme/acme-search-service/tags",
"teams_url": "https://api.github.com/repos/acme/acme-search-service/teams",
"topics": [
"aa00003030"
],
"trees_url": "https://api.github.com/repos/acme/acme-search-service/git/trees{/sha}",
"updated_at": "2023-03-31T15:19:08Z",
"url": "https://api.github.com/repos/acme/acme-search-service",
"visibility": "private",
"watchers": 1,
"watchers_count": 1,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/124079944?v=4",
"events_url": "https://api.github.com/users/acme-bot/events{/privacy}",
"followers_url": "https://api.github.com/users/acme-bot/followers",
"following_url": "https://api.github.com/users/acme-bot/following{/other_user}",
"gists_url": "https://api.github.com/users/acme-bot/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme-bot",
"id": 124079944,
"login": "acme-bot",
"node_id": "U_kgDOB2VPSA",
"organizations_url": "https://api.github.com/users/acme-bot/orgs",
"received_events_url": "https://api.github.com/users/acme-bot/received_events",
"repos_url": "https://api.github.com/users/acme-bot/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme-bot/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme-bot/subscriptions",
"type": "User",
"url": "https://api.github.com/users/acme-bot"
}
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "team",
"action": "created",
"installation": {
"id": 20061973,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMjAwNjE5NzM="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/57452020",
"description": null,
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 10001234,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU3NDUyMDI4",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/64659350",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 64659356,
"login": "john.doe",
"node_id": "MDQ6VXNlcjY0NjU5MzU2",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"team": {
"description": "",
"html_url": "https://github.com/orgs/acme-inc/teams/python-dev-team",
"id": 8035041,
"members_url": "https://api.github.com/organizations/10001234/team/8035041/members{/member}",
"name": "python-dev-team",
"node_id": "T_kwDOA2yl_M4Aeprh",
"notification_setting": "notifications_enabled",
"parent": null,
"permission": "pull",
"privacy": "closed",
"repositories_url": "https://api.github.com/organizations/10001234/team/8035041/repos",
"slug": "python-dev-team",
"url": "https://api.github.com/organizations/10001234/team/8035041"
}
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "team",
"action": "edited",
"changes": {
"description": {
"from": "Acme devs"
}
},
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806770",
"description": "Acme, Inc.",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/114508650",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 114508655,
"login": "john.doe",
"node_id": "U_kgDOBtNDbw",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"team": {
"description": "Acme Dev Team",
"html_url": "https://github.com/orgs/acme/teams/acme-devs",
"id": 100123,
"members_url": "https://api.github.com/organizations/52806779/team/100123/members{/member}",
"name": "acme-devs",
"node_id": "T_kwDOAyXEe84AbHIq",
"notification_setting": "notifications_enabled",
"parent": null,
"permission": "pull",
"privacy": "closed",
"repositories_url": "https://api.github.com/organizations/52806779/team/100123/repos",
"slug": "acme-devs",
"url": "https://api.github.com/organizations/52806779/team/100123"
}
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "team",
"action": "deleted",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/2070",
"created_at": "2020-01-23T22:48:48Z",
"description": null,
"html_url": "https://github.com/enterprises/acme-inc",
"id": 2077,
"name": "Acme",
"node_id": "MDEwOkVudGVycHJpc2UyMDc3",
"slug": "acme-inc",
"updated_at": "2023-02-28T01:36:46Z",
"website_url": null
},
"installation": {
"id": 11045851,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMTEwNDU4NTE="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/123456",
"description": "",
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 123456,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjM2MjQ2MA==",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/74208070",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 74208074,
"login": "john.doe",
"node_id": "MDQ6VXNlcjc0MjA4MDc0",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
},
"team": {
"description": "",
"html_url": "https://github.com/orgs/acme-inc/teams/repo-admin",
"id": 7304304,
"members_url": "https://api.github.com/organizations/123456/team/7304304/members{/member}",
"name": "repo-admin",
"node_id": "T_kwDOAAWH3M4Ab3Rw",
"notification_setting": "notifications_enabled",
"parent": null,
"permission": "pull",
"privacy": "closed",
"repositories_url": "https://api.github.com/organizations/123456/team/7304304/repos",
"slug": "repo-admin",
"url": "https://api.github.com/organizations/123456/team/7304304"
}
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "organization",
"action": "member_added",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme-inc",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme-inc",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"membership": {
"organization_url": "https://api.github.com/orgs/acme",
"role": "member",
"state": "pending",
"url": "https://api.github.com/orgs/acme/memberships/john.doe",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/132913314?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 132913314,
"login": "john.doe",
"node_id": "U_kgDOB-wYog",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806770",
"description": "Sample repo",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/92325258?v=4",
"events_url": "https://api.github.com/users/gh-automate/events{/privacy}",
"followers_url": "https://api.github.com/users/gh-automate/followers",
"following_url": "https://api.github.com/users/gh-automate/following{/other_user}",
"gists_url": "https://api.github.com/users/gh-automate/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/gh-automate",
"id": 92325258,
"login": "gh-automate",
"node_id": "U_kgDOBYDFig",
"organizations_url": "https://api.github.com/users/gh-automate/orgs",
"received_events_url": "https://api.github.com/users/gh-automate/received_events",
"repos_url": "https://api.github.com/users/gh-automate/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/gh-automate/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/gh-automate/subscriptions",
"type": "User",
"url": "https://api.github.com/users/gh-automate"
}
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Group Name
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "organization",
"action": "member_removed",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"membership": {
"organization_url": "https://api.github.com/orgs/acme",
"role": "unaffiliated",
"state": "inactive",
"url": "https://api.github.com/orgs/acme/memberships/john.doe",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/127213976?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 127213976,
"login": "john.doe",
"node_id": "U_kgDOB5UhmA",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806779?v=4",
"description": "Acme",
"events_url": "https://api.github.com/orgs/acme/events",
"hooks_url": "https://api.github.com/orgs/acme/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme/issues",
"login": "acme",
"members_url": "https://api.github.com/orgs/acme/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme/repos",
"url": "https://api.github.com/orgs/acme"
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/92325258?v=4",
"events_url": "https://api.github.com/users/gh-automate/events{/privacy}",
"followers_url": "https://api.github.com/users/gh-automate/followers",
"following_url": "https://api.github.com/users/gh-automate/following{/other_user}",
"gists_url": "https://api.github.com/users/gh-automate/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/gh-automate",
"id": 92325258,
"login": "gh-automate",
"node_id": "U_kgDOBYDFig",
"organizations_url": "https://api.github.com/users/gh-automate/orgs",
"received_events_url": "https://api.github.com/users/gh-automate/received_events",
"repos_url": "https://api.github.com/users/gh-automate/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/gh-automate/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/gh-automate/subscriptions",
"type": "User",
"url": "https://api.github.com/users/gh-automate"
}
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Configuration / Setting Value
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Resource Name
-
Resource Type
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "repository",
"action": "created",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2019-05-06T23:02:11Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327745,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc3NDU="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/55462088?v=4",
"description": "Sample repo",
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 55462088,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaSrhdGlvbjU1NDYyMDg5",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"repository": {
"allow_forking": false,
"archive_url": "https://api.github.com/repos/acme-inc/sample-repo/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/acme-inc/sample-repo/assignees{/user}",
"blobs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/acme-inc/sample-repo/branches{/branch}",
"clone_url": "https://github.com/acme-inc/sample-repo.git",
"collaborators_url": "https://api.github.com/repos/acme-inc/sample-repo/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/acme-inc/sample-repo/comments{/number}",
"commits_url": "https://api.github.com/repos/acme-inc/sample-repo/commits{/sha}",
"compare_url": "https://api.github.com/repos/acme-inc/sample-repo/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/acme-inc/sample-repo/contents/{+path}",
"contributors_url": "https://api.github.com/repos/acme-inc/sample-repo/contributors",
"created_at": "2021-10-31T01:45:00Z",
"default_branch": "main",
"deployments_url": "https://api.github.com/repos/acme-inc/sample-repo/deployments",
"description": null,
"disabled": false,
"downloads_url": "https://api.github.com/repos/acme-inc/sample-repo/downloads",
"events_url": "https://api.github.com/repos/acme-inc/sample-repo/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/acme-inc/sample-repo/forks",
"full_name": "acme-inc/sample-repo",
"git_commits_url": "https://api.github.com/repos/acme-inc/sample-repo/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/acme-inc/sample-repo/git/tags{/sha}",
"git_url": "git://github.com/acme-inc/sample-repo.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": true,
"has_pages": false,
"has_projects": true,
"has_wiki": true,
"homepage": null,
"hooks_url": "https://api.github.com/repos/acme-inc/sample-repo/hooks",
"html_url": "https://github.com/acme-inc/sample-repo",
"id": 651592972,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/events{/number}",
"issues_url": "https://api.github.com/repos/acme-inc/sample-repo/issues{/number}",
"keys_url": "https://api.github.com/repos/acme-inc/sample-repo/keys{/key_id}",
"labels_url": "https://api.github.com/repos/acme-inc/sample-repo/labels{/name}",
"language": null,
"languages_url": "https://api.github.com/repos/acme-inc/sample-repo/languages",
"license": null,
"merges_url": "https://api.github.com/repos/acme-inc/sample-repo/merges",
"milestones_url": "https://api.github.com/repos/acme-inc/sample-repo/milestones{/number}",
"mirror_url": null,
"name": "sample-repo",
"node_id": "R_kgDOJtaFDA",
"notifications_url": "https://api.github.com/repos/acme-inc/sample-repo/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/55462080",
"events_url": "https://api.github.com/users/acme-inc/events{/privacy}",
"followers_url": "https://api.github.com/users/acme-inc/followers",
"following_url": "https://api.github.com/users/acme-inc/following{/other_user}",
"gists_url": "https://api.github.com/users/acme-inc/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme-inc",
"id": 55462088,
"login": "acme-inc",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU1NDYyMDg4",
"organizations_url": "https://api.github.com/users/acme-inc/orgs",
"received_events_url": "https://api.github.com/users/acme-inc/received_events",
"repos_url": "https://api.github.com/users/acme-inc/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme-inc/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme-inc/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/acme-inc"
},
"private": true,
"pulls_url": "https://api.github.com/repos/acme-inc/sample-repo/pulls{/number}",
"pushed_at": "2023-06-09T15:30:00Z",
"releases_url": "https://api.github.com/repos/acme-inc/sample-repo/releases{/id}",
"size": 0,
"ssh_url": "git@github.com:acme-inc/sample-repo.git",
"stargazers_count": 0,
"stargazers_url": "https://api.github.com/repos/acme-inc/sample-repo/stargazers",
"statuses_url": "https://api.github.com/repos/acme-inc/sample-repo/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/acme-inc/sample-repo/subscribers",
"subscription_url": "https://api.github.com/repos/acme-inc/sample-repo/subscription",
"svn_url": "https://github.com/acme-inc/sample-repo",
"tags_url": "https://api.github.com/repos/acme-inc/sample-repo/tags",
"teams_url": "https://api.github.com/repos/acme-inc/sample-repo/teams",
"topics": [],
"trees_url": "https://api.github.com/repos/acme-inc/sample-repo/git/trees{/sha}",
"updated_at": "2023-06-09T15:30:00Z",
"url": "https://api.github.com/repos/acme-inc/sample-repo",
"visibility": "private",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/126112697?v=4",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 126112697,
"login": "john.doe",
"node_id": "U_kgDOB4RTuQ",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Resource Name
-
Resource Type
Unsupported
-
Timestamp
-
Event ID
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"X-GitHub-Event": "repository",
"action": "deleted",
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/120?v=4",
"created_at": "2021-10-31T01:45:00Z",
"description": "Enterprise Account",
"html_url": "https://github.com/enterprises/acme",
"id": 120,
"name": "Acme, Inc. (Enterprise)",
"node_id": "MDEwOkVudGVycHJpc2UxMjA=",
"slug": "acme",
"updated_at": "2022-06-27T18:53:26Z",
"website_url": ""
},
"installation": {
"id": 36327988,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMzYzMjc5ODg="
},
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806770",
"description": "Sample repo",
"events_url": "https://api.github.com/orgs/acme-inc/events",
"hooks_url": "https://api.github.com/orgs/acme-inc/hooks",
"id": 52806779,
"issues_url": "https://api.github.com/orgs/acme-inc/issues",
"login": "acme-inc",
"members_url": "https://api.github.com/orgs/acme-inc/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"public_members_url": "https://api.github.com/orgs/acme-inc/public_members{/member}",
"repos_url": "https://api.github.com/orgs/acme-inc/repos",
"url": "https://api.github.com/orgs/acme-inc"
},
"repository": {
"allow_forking": false,
"archive_url": "https://api.github.com/repos/acme-inc/sample-repo/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/acme-inc/sample-repo/assignees{/user}",
"blobs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/acme-inc/sample-repo/branches{/branch}",
"clone_url": "https://github.com/acme-inc/sample-repo.git",
"collaborators_url": "https://api.github.com/repos/acme-inc/sample-repo/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/acme-inc/sample-repo/comments{/number}",
"commits_url": "https://api.github.com/repos/acme-inc/sample-repo/commits{/sha}",
"compare_url": "https://api.github.com/repos/acme-inc/sample-repo/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/acme-inc/sample-repo/contents/{+path}",
"contributors_url": "https://api.github.com/repos/acme-inc/sample-repo/contributors",
"created_at": "2021-10-31T01:45:00Z",
"default_branch": "main",
"deployments_url": "https://api.github.com/repos/acme-inc/sample-repo/deployments",
"description": null,
"disabled": true,
"downloads_url": "https://api.github.com/repos/acme-inc/sample-repo/downloads",
"events_url": "https://api.github.com/repos/acme-inc/sample-repo/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/acme-inc/sample-repo/forks",
"full_name": "acme-inc/sample-repo",
"git_commits_url": "https://api.github.com/repos/acme-inc/sample-repo/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/acme-inc/sample-repo/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/acme-inc/sample-repo/git/tags{/sha}",
"git_url": "git://github.com/acme-inc/sample-repo.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": true,
"has_pages": false,
"has_projects": true,
"has_wiki": true,
"homepage": null,
"hooks_url": "https://api.github.com/repos/acme-inc/sample-repo/hooks",
"html_url": "https://github.com/acme-inc/sample-repo",
"id": 621910567,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/acme-inc/sample-repo/issues/events{/number}",
"issues_url": "https://api.github.com/repos/acme-inc/sample-repo/issues{/number}",
"keys_url": "https://api.github.com/repos/acme-inc/sample-repo/keys{/key_id}",
"labels_url": "https://api.github.com/repos/acme-inc/sample-repo/labels{/name}",
"language": null,
"languages_url": "https://api.github.com/repos/acme-inc/sample-repo/languages",
"license": null,
"merges_url": "https://api.github.com/repos/acme-inc/sample-repo/merges",
"milestones_url": "https://api.github.com/repos/acme-inc/sample-repo/milestones{/number}",
"mirror_url": null,
"name": "sample-repo",
"node_id": "R_kgDOJRGaJw",
"notifications_url": "https://api.github.com/repos/acme-inc/sample-repo/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/52806779?v=4",
"events_url": "https://api.github.com/users/acme-inc/events{/privacy}",
"followers_url": "https://api.github.com/users/acme-inc/followers",
"following_url": "https://api.github.com/users/acme-inc/following{/other_user}",
"gists_url": "https://api.github.com/users/acme-inc/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/acme-inc",
"id": 52806779,
"login": "acme-inc",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODA2Nzc5",
"organizations_url": "https://api.github.com/users/acme-inc/orgs",
"received_events_url": "https://api.github.com/users/acme-inc/received_events",
"repos_url": "https://api.github.com/users/acme-inc/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/acme-inc/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/acme-inc/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/acme-inc"
},
"private": true,
"pulls_url": "https://api.github.com/repos/acme-inc/sample-repo/pulls{/number}",
"pushed_at": "2023-03-31T16:50:57Z",
"releases_url": "https://api.github.com/repos/acme-inc/sample-repo/releases{/id}",
"size": 0,
"ssh_url": "git@github.com:acme-inc/sample-repo.git",
"stargazers_count": 0,
"stargazers_url": "https://api.github.com/repos/acme-inc/sample-repo/stargazers",
"statuses_url": "https://api.github.com/repos/acme-inc/sample-repo/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/acme-inc/sample-repo/subscribers",
"subscription_url": "https://api.github.com/repos/acme-inc/sample-repo/subscription",
"svn_url": "https://github.com/acme-inc/sample-repo",
"tags_url": "https://api.github.com/repos/acme-inc/sample-repo/tags",
"teams_url": "https://api.github.com/repos/acme-inc/sample-repo/teams",
"topics": [],
"trees_url": "https://api.github.com/repos/acme-inc/sample-repo/git/trees{/sha}",
"updated_at": "2023-06-07T18:45:54Z",
"url": "https://api.github.com/repos/acme-inc/sample-repo",
"visibility": "private",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/19332120",
"events_url": "https://api.github.com/users/john.doe/events{/privacy}",
"followers_url": "https://api.github.com/users/john.doe/followers",
"following_url": "https://api.github.com/users/john.doe/following{/other_user}",
"gists_url": "https://api.github.com/users/john.doe/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/john.doe",
"id": 19332128,
"login": "john.doe",
"node_id": "MDQ6VXNlcjE5MzMyMTI4",
"organizations_url": "https://api.github.com/users/john.doe/orgs",
"received_events_url": "https://api.github.com/users/john.doe/received_events",
"repos_url": "https://api.github.com/users/john.doe/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/john.doe/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/john.doe/subscriptions",
"type": "User",
"url": "https://api.github.com/users/john.doe"
}
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Webhook Events
GitHub webhook events are delivered whenever certain events occur on GitHub.
References
Retention Details
Storage Duration: N/A
GitHub does not officially retain webhook events. Recent webhook events can be accessed at `https://github.com/<ORGANIZATION>/<REPOSITORY>/settings/hooks`.
Latency Details
Duration: Near Real-Time
GitHub does not officially retain webhook events. Recent webhook events can be accessed at `https://github.com/<ORGANIZATION>/<REPOSITORY>/settings/hooks`.
Product Details
GitHub is a cloud-based service that provides a range of services related to version control, software development, and collaboration. The GitHub audit log API provides a feed for events that have been generated across the enterprise. If an organization does not use Enterprise Managed Users, the audit log only includes events related to the enterprise account and the organizations within the enterprise account. If an organization uses Enterprise Managed Users, the audit log also includes user events for managed user accounts. GitHub webhooks provide a way for notifications to be delivered to an external web server whenever certain events occur on GitHub.
Enterprise Audit Events
To collect enterprise events, use the audit log API.
Webhook Events
To collect webhook events, create and configure a webhook(s).
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
IP Address
-
Failure Context
-
Credential Context
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Identity Service Provider Context
Success
{
"kind": "admin#reports#activity",
"id": {
"applicationName": "login",
"customerId": "C03nyz48b",
"time": "2023-10-04T17:05:18.707Z",
"uniqueQualifier": "-8053599687898373773"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpogfhr6664Y4wU0J6c8Yw/T8TMuJvnXTPKpwK263SLxaXX-EA\"",
"actor": {
"email": "egrt@test.com",
"profileId": "10206845645323004074611"
},
"ipAddress": "211.150.189.540",
"event": {
"type": "login",
"name": "login_success",
"parameters": [
{
"name": "login_type",
"value": "reauth"
},
{
"name": "login_challenge_method",
"multiValue": [
"none"
]
},
{
"name": "is_suspicious",
"boolValue": false
}
]
}
}
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"email": "tlsdfr@test.com",
"profileId": "10906988138484515654"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCsdfsdfsdf0J6c8Yw/g9-7HZArWTv3ua4W8l_UrML6aj4\"",
"event": {
"type": "login",
"name": "logout",
"parameters": [
{
"name": "login_type",
"value": "google_password"
}
]
},
"id": {
"time": "2023-10-04T16:44:09.155Z",
"uniqueQualifier": "-2936062481883257414",
"applicationName": "login",
"customerId": "C03nyz48b"
},
"ipAddress": "117.92.113.444",
"kind": "admin#reports#activity"
}MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
IP Address
-
Verification Method
-
Verification Flagged
-
Activity Performed
Unsupported
-
User Type / Role
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"ipAddress": "38.62.201.104",
"event": {
"type": "login",
"name": "login_success",
"parameters": [
{
"name": "login_type",
"value": "google_password"
},
{
"name": "login_challenge_method",
"multiValue": [
"password",
"google_authenticator"
]
},
{
"name": "is_suspicious",
"boolValue": false
}
]
},
"kind": "admin#reports#activity",
"id": {
"applicationName": "login",
"customerId": "C1567gg8b",
"time": "2023-10-04T17:00:38.873Z",
"uniqueQualifier": "-288098944121678920"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpo6zAdUtM4hgihb7gw/-PaydDWGhijb567DzxG3-Q\"",
"actor": {
"email": "dfggg@test.com",
"profileId": "1081510555451515508623"
}
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T17:27:02.768Z",
"uniqueQualifier": "-3314472940692087673",
"applicationName": "admin",
"customerId": "C02rtjjj7y"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnwwpo6zAd3g53g55U0J6c8Yw/5pzih88L6fo0NupRAuuLv2Ar5M\"",
"actor": {
"email": "test@test.com",
"profileId": "111620519819984096",
"callerType": "USER"
},
"ipAddress": "42.130.180.122",
"event": {
"type": "USER_SETTINGS",
"name": "CREATE_USER",
"parameters": [
{
"value": "test2@test.com",
"name": "USER_EMAIL"
}
]
}
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
-
Target Attribute Context
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"event": {
"type": "LICENSES_SETTINGS",
"name": "USER_LICENSE_REVOKE",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
},
{
"value": "Cloud Identity Premium",
"name": "PRODUCT_NAME"
},
{
"name": "OLD_VALUE",
"value": "Cloud Identity Premium"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T17:12:20.110Z",
"uniqueQualifier": "-7032755160008235805",
"applicationName": "admin",
"customerId": "C52egrg2wc"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpo6ze8herg98hJ6c8Yw/jgqx0-DnGyAy2VkAPVBcOFCT3-Q\"",
"actor": {
"callerType": "USER",
"email": "test2@test2.com",
"profileId": "1169451581811976442"
},
"ipAddress": "34.64.200.101"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T17:26:56.224Z",
"uniqueQualifier": "54041277512397100",
"applicationName": "admin",
"customerId": "C2f8cunnf"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgerfe5t5g0J6c8Yw/jWiJ6tV0iybyuoS8eKnls3m4HkY\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "11111118126984096"
},
"ipAddress": "42.100.140.172",
"event": {
"name": "DELETE_USER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
}
],
"type": "USER_SETTINGS"
}
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"profileId": "1122063181981927490212",
"callerType": "USER",
"email": "test@test.com"
},
"ipAddress": "59.87.51.187",
"event": {
"name": "CREATE_GROUP",
"parameters": [
{
"name": "GROUP_EMAIL",
"value": "test2@test.com"
}
],
"type": "GROUP_SETTINGS"
},
"kind": "admin#reports#activity",
"id": {
"customerId": "C03cdidn3",
"time": "2023-10-04T16:19:08.748Z",
"uniqueQualifier": "-7965913039404370824",
"applicationName": "admin"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgnpo6ref454w4t3f6c8Yw/D6SAzt5ZDFR6eWcnRdAnF1gCQGo\""
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T14:33:20.949Z",
"uniqueQualifier": "-7981887426606302427",
"applicationName": "admin",
"customerId": "C03huyf5"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi887ghvuhbu77byv55c8Yw/b20Viygiyu7bUjyhpl56kx-M0\"",
"actor": {
"profileId": "154848611551817490212",
"callerType": "USER",
"email": "test@test.com"
},
"event": {
"name": "CHANGE_GROUP_SETTING",
"parameters": [
{
"name": "SETTING_NAME",
"value": "WHO_CAN_DISCOVER_GROUP"
},
{
"name": "GROUP_EMAIL",
"value": "test2@test.com"
},
{
"name": "OLD_VALUE",
"value": "ALL_IN_DOMAIN_CAN_DISCOVER"
},
{
"value": "ALL_MEMBERS_CAN_DISCOVER",
"name": "NEW_VALUE"
}
],
"type": "GROUP_SETTINGS"
}
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"profileId": "117158165166014059",
"callerType": "USER",
"email": "test@test.com"
},
"ipAddress": "154.109.108.92",
"event": {
"type": "GROUP_SETTINGS",
"name": "DELETE_GROUP",
"parameters": [
{
"name": "GROUP_EMAIL",
"value": "test-group@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-09T22:12:29.027Z",
"uniqueQualifier": "-8638445205597242715",
"applicationName": "admin",
"customerId": "C03hrryy3"
},
"etag": "\"rQ3qpTrpjMdfg4544rG#GEGrY4w55c8Yw/rpsdsSCER8_5--B_QCoUl8YBEHycL8\""
}
Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"event": {
"type": "GROUP_SETTINGS",
"name": "ADD_GROUP_MEMBER",
"parameters": [
{
"value": "test@test.com",
"name": "USER_EMAIL"
},
{
"name": "GROUP_EMAIL",
"value": "test-group@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-04T18:24:54.690Z",
"uniqueQualifier": "-6798022200064344802",
"applicationName": "admin",
"customerId": "C00zibi7"
},
"etag": "\"rQ3qpTrpjMqlOD9Fifgh8f1fghf81gh4wU0J6c8Yw/MjJkdF51dfg5np52vLSY2l-gM\"",
"actor": {
"callerType": "USER",
"email": "testa@test.com",
"profileId": "10248166192532690543"
},
"ipAddress": "34.100.985.103"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"profileId": "10295165132690543",
"callerType": "USER",
"email": "testa@test.com"
},
"ipAddress": "34.90.206.115",
"event": {
"type": "GROUP_SETTINGS",
"name": "REMOVE_GROUP_MEMBER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
},
{
"name": "GROUP_EMAIL",
"value": "test@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"uniqueQualifier": "-7875301117743978886",
"applicationName": "admin",
"customerId": "C00znhgfh",
"time": "2023-10-04T18:24:58.074Z"
},
"etag": "\"rQ345lOD9Fi6Z65145556c8Yw/MFIFIW4tg4g51dg5157HWa1Lwss5Cr6g\""
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Role Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-17T23:13:13.915Z",
"uniqueQualifier": "-7017303223676593170",
"applicationName": "admin",
"customerId": "Ckkd8hc"
},
"etag": "\"jc94nIMyBsgegergergergOA9OLU9Ps/8q7ergergergergergeAca075m_AUp4pA\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "1169519165745888518"
},
"ipAddress": "164.220.241.143",
"event": {
"name": "CREATE_ROLE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "New Admin"
},
{
"name": "ROLE_ID",
"value": "84898198181155903"
}
],
"type": "DELEGATED_ADMIN_SETTINGS"
}
}
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Attribute Context
-
Target Role Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-17T23:13:13.915Z",
"uniqueQualifier": "-7017303223676593170",
"applicationName": "admin",
"customerId": "Ckkd8hc"
},
"etag": "\"jc94nIMyBsgegergergergOA9OLU9Ps/8q7ergergergergergeAca075m_AUp4pA\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "1169519165745888518"
},
"ipAddress": "164.220.241.143",
"event": {
"name": "UPDATE_ROLE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "New Admin"
},
{
"name": "ROLE_ID",
"value": "84898198181155903"
}
],
"type": "DELEGATED_ADMIN_SETTINGS"
}
}
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Role Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-17T23:13:13.915Z",
"uniqueQualifier": "-7017303223676593170",
"applicationName": "admin",
"customerId": "Ckkd8hc"
},
"etag": "\"jc94nIMyBsgegergergergOA9OLU9Ps/8q7ergergergergergeAca075m_AUp4pA\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "1169519165745888518"
},
"ipAddress": "164.220.241.143",
"event": {
"name": "DELETE_ROLE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "New Admin"
},
{
"name": "ROLE_ID",
"value": "84898198181155903"
}
],
"type": "DELEGATED_ADMIN_SETTINGS"
}
}
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"id": {
"time": "2023-10-10T20:59:40.904Z",
"uniqueQualifier": "-7549838176766410754",
"applicationName": "admin",
"customerId": "C13bsdvd4"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCgdfgdf4wU0J6c8Yw/9MRxYfzAnE9dVdfgdfgdfgORupSE\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "10782284568708731702"
},
"ipAddress": "125.215.53.31",
"event": {
"type": "DELEGATED_ADMIN_SETTINGS",
"name": "ADD_PRIVILEGE",
"parameters": [
{
"name": "ROLE_NAME",
"value": "Test Role"
},
{
"name": "ROLE_ID",
"value": "43792651651651557"
},
{
"name": "PRIVILEGE_NAME",
"value": "Alert Center;APPS_INCIDENTS_FULL_ACCESS"
}
]
},
"kind": "admin#reports#activity"
}
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Permission Name
-
Target Resource Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Success
{
"ipAddress": "19.20.200.21",
"event": {
"type": "USER_SETTINGS",
"name": "SECURITY_KEY_REGISTERED_FOR_USER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test@test.com"
}
]
},
"kind": "admin#reports#activity",
"id": {
"applicationName": "admin",
"customerId": "C03nyzrf3",
"time": "2023-10-03T23:11:59.995Z",
"uniqueQualifier": "-6330457545647588246"
},
"etag": "\"rQ3qpTrpjMqlOD9Fi6ZCef34f34f36c8Yw/3t4sr-Fc34f34fgC0do\"",
"actor": {
"profileId": "11290751345894345842",
"callerType": "USER",
"email": "test@test.com"
}
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Target Username
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Enrollment Type
Success
{
"actor": {
"email": "test@test.com",
"profileId": "221195616515142",
"callerType": "USER"
},
"ipAddress": "9.10.100.22",
"event": {
"parameters": [
{
"value": "test@test.com",
"name": "USER_EMAIL"
}
],
"type": "USER_SETTINGS",
"name": "REVOKE_SECURITY_KEY"
},
"kind": "admin#reports#activity",
"id": {
"applicationName": "admin",
"customerId": "C03ihi7vv",
"time": "2023-10-03T22:33:48.843Z",
"uniqueQualifier": "-7457679779333247500"
},
"etag": "\"rQ3qpTrp45g35log5yh5btM4Y4wU0J6c8Yw/Njl5tg5tg5ergai-Mk\""
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"email": "test@test.com",
"profileId": "185459392577373"
},
"event": {
"type": "SECURITY_SETTINGS",
"name": "CHANGE_CAA_APP_ASSIGNMENTS",
"parameters": [
{
"name": "APPLICATION_NAME",
"value": "PLUS"
},
{
"name": "CAA_ASSIGNMENTS_OLD",
"multiValue": [
"device_policy_high"
]
},
{
"name": "CAA_ASSIGNMENTS_NEW",
"multiValue": [
"device_policy_medium"
]
},
{
"name": "CAA_ENFORCEMENT_ENDPOINTS_OLD",
"value": "CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS"
},
{
"name": "CAA_ENFORCEMENT_ENDPOINTS_NEW",
"value": "CAA_WEB_VERSION_AND_1P_OAUTH_CLIENTS"
},
{
"name": "TARGET_ENTITY_TYPE",
"value": "GROUP"
},
{
"name": "TARGET_ENTITY_NAME",
"value": "test-group@test.com"
},
{
"name": "MODE",
"value": "MONITOR"
}
]
},
"kind": "admin#reports#activity",
"id": {
"uniqueQualifier": "-8357743806993103819",
"applicationName": "admin",
"customerId": "C07811bh",
"time": "2023-10-03T21:26:36.365Z"
},
"etag": "\"rQ3qpTrpjMqlryth5yh5yh5yh5J6c8Yw/0g3r6h6hHHU8fvg5zE\""
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"uniqueQualifier": "-5992544593425859742",
"applicationName": "admin",
"customerId": "C00ntyhtyhty",
"time": "2023-10-12T15:59:23.551Z"
},
"etag": "\"jc94nIMfgrtgrthrthrtXqUGGHrthrt9OLU9Ps/EN0CkgUCOrthrthrth5CvTHwbLE\"",
"actor": {
"profileId": "105905796516511368150",
"callerType": "USER",
"email": "test@test.com"
},
"event": {
"type": "DOMAIN_SETTINGS",
"name": "ADD_APPLICATION",
"parameters": [
{
"name": "APP_ID",
"value": "4265846946440"
},
{
"name": "APPLICATION_NAME",
"value": "TestApplication"
},
{
"name": "APPLICATION_ENABLED",
"value": "false"
}
]
}
}
Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"id": {
"time": "2023-10-04T16:37:47.039Z",
"uniqueQualifier": "-7371635294043122777",
"applicationName": "admin",
"customerId": "C02wayb7g"
},
"etag": "\"rQ3qpTrpjMqlOD9Firtrth56Y4wU0J6c8Yw/TmNY5656h6hhH4-rjrEGWN7Ko\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "11726318198115861321"
},
"ipAddress": "2500:1700:69d1:13f:5555:a5a3:fc15:c189",
"event": {
"type": "APPLICATION_SETTINGS",
"name": "CHANGE_APPLICATION_SETTING",
"parameters": [
{
"name": "APPLICATION_NAME",
"value": "Google Workspace Marketplace"
},
{
"name": "ORG_UNIT_NAME",
"value": "testdomain.com"
},
{
"value": "Allowlist app_access",
"name": "SETTING_NAME"
},
{
"name": "OLD_VALUE",
"value": "[app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"9999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n]"
},
{
"name": "NEW_VALUE",
"value": "[app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"9999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"99999999\"\n}\nallowed: true\n, app_access_id {\n app_access_type {\n type_enum: WEB\n }\n client_id: \"999999999\"\n}\nallowed: true\n]"
}
]
},
"kind": "admin#reports#activity"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Result
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"event": {
"type": "DOMAIN_SETTINGS",
"name": "REMOVE_APPLICATION",
"parameters": [
{
"name": "APP_ID",
"value": "10284841265"
},
{
"name": "APPLICATION_NAME",
"value": "TESTApplication"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-12T16:40:07.644Z",
"uniqueQualifier": "-9185053452471991843",
"applicationName": "admin",
"customerId": "C0ijnijn9"
},
"etag": "\"jc94nIMyBF33ertgrhrthHOA9OLU9Ps/9CWrthretherthrTdaKCiZzGNsYU\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "105905798198198168150"
}
}
Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "105951899444368150"
},
"ipAddress": "211.62.43.159",
"event": {
"name": "CREATE_SAML2_SERVICE_PROVIDER_CONFIG",
"parameters": [
{
"name": "SAML2_SERVICE_PROVIDER_ENTITY_ID",
"value": "https://test.com/sso/"
},
{
"name": "SAML2_SERVICE_PROVIDER_NAME",
"value": "BigCorp"
}
],
"type": "SAML2_SERVICE_PROVIDER_CONFIG_SETTINGS"
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-12T15:59:23.557Z",
"uniqueQualifier": "-7078025062376461990",
"applicationName": "admin",
"customerId": "C004knnh7y"
},
"etag": "\"jc94nIMyBF33rgergergergH0EHOA9OLU9Ps/JergergergereWa6e8Ij7s\""
}
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"ipAddress": "113.213.81.31",
"event": {
"type": "EMAIL_SETTINGS",
"name": "CHANGE_EMAIL_SETTING",
"parameters": [
{
"name": "SETTING_NAME",
"value": "NUMBER_OF_EMAIL_IMAGE_URL_WHITELIST_PATTERNS"
},
{
"name": "ORG_UNIT_NAME",
"value": "TestOrg"
},
{
"name": "OLD_VALUE",
"value": "15"
},
{
"name": "NEW_VALUE",
"value": "16"
}
]
},
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-13T13:20:21.544Z",
"uniqueQualifier": "-7278920505284409591",
"applicationName": "admin",
"customerId": "C00jhhdbdn3"
},
"etag": "\"jc94nIMyBF33sdsdgefefbe0EHOA9OLU9Ps/iRevefvefvefvCgiwiS_XwN7wc\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "10785165158808731702"
}
}
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"id": {
"uniqueQualifier": "-7002522530705235178",
"applicationName": "admin",
"customerId": "C08njnjknv",
"time": "2023-10-16T09:48:53.629Z"
},
"etag": "\"jc94nIMyBFdfggbrtbEHOA9OLU9Ps/6AY_7_Kbx--X_ArtbrtbrtbGBo0\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "10355165165102363077"
},
"ipAddress": "fdc3:e723:ac4:10:14:9d12:af8:4c35",
"event": {
"type": "USER_SETTINGS",
"name": "DELETE_2SV_SCRATCH_CODES",
"parameters": [
{
"name": "USER_EMAIL",
"value": "test2@test.com"
}
]
},
"kind": "admin#reports#activity"
}
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
Resource Name
-
Resource Type
-
Resource Metadata
Unsupported
-
Result
-
Session ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-10-15T23:35:01.493Z",
"uniqueQualifier": "-5681301083801866672",
"applicationName": "drive",
"customerId": "C07hbjkkbjkj"
},
"etag": "\"jc94nIMyBF33504pdfefgegegGH0EHOA9erg6Y7Yn5ugkRL-3ergergcdimwc\"",
"actor": {
"profileId": "1095156489815781956899",
"email": "test@test.com"
},
"ipAddress": "2601:1700:39d1:8yt2:74df:5a1f:15ec:fc79",
"event": {
"type": "access",
"name": "download",
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "billable",
"boolValue": true
},
{
"name": "owner_is_shared_drive",
"boolValue": false
},
{
"name": "owner",
"value": "test@test.com"
},
{
"name": "doc_id",
"value": "1tml8KIcsdwgewrg8jejg_jdid88"
},
{
"name": "doc_type",
"value": "txt"
},
{
"boolValue": false,
"name": "is_encrypted"
},
{
"value": "cooldoc.txt",
"name": "doc_title"
},
{
"name": "visibility",
"value": "shared_externally"
},
{
"name": "originating_app_id",
"value": "9471519811803"
},
{
"name": "actor_is_collaborator_account",
"boolValue": false
},
{
"name": "owner_is_team_drive",
"boolValue": false
}
]
}
}
Workspace Activity Audit
The activity audit log provides log events for actions occurring with your Google Workspace deployment.
References
Retention Details
Storage Duration: Typically 6 months
Service dependant - see https://support.google.com/a/answer/7061566?hl=en
Latency Details
Duration: Near real time up to a couple hours
Service dependant - see https://support.google.com/a/answer/7061566?hl=en
Product Details
Google Workspace (formerly GSuite) provides audit logging for all business plans to help admins and security teams monitor activities in their instance. Google Workspace offers a single stream of data for collection with the ability to filter the services in Google Workspace you intend to collect. Google Workspace also offers an Alert Center API to help admins and security teams monitor alerts generated by Google.
Google Workspace Activity Report
Activity reports list information for activities in a specific Google Workspace application or service.
References
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
-
Identity Service Provider Context
Unsupported
-
Result
-
IP Geolocation / ASN
-
Failure Context
-
Credential Context
Success
{
"CreationTime":"2024-05-01T17:24:06",
"Id":"0e523898-a3ab-4ba8-9c33-a6cc38050b03",
"Operation":"UserLoggedIn",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":15,
"ResultStatus":"Success",
"UserKey":"1a3b0ad5-eda1-4f48-b877-3b002e5d85b5",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ClientIP":"198.51.100.1",
"ObjectId":"00000002-0000-0ff1-ce00-000000000000",
"UserId":"example@test.onmicrosoft.comm",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"ResultStatusDetail",
"Value":"Success"
},{
"Name":"UserAgent",
"Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0"
},{
"Name":"RequestType",
"Value":"OAuth2:Authorize"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":0
},{
"ID":"example@test.onmicrosoft.com",
"Type":5
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ActorIpAddress":"198.51.100.1",
"InterSystemsId":"fb9e8227-8661-b935-9245-caaa4dafbab5",
"IntraSystemId":"0e523898-a3ab-4ba8-9c33-a6cc38050b03",
"SupportTicketId":"",
"Target":[{
"ID":"00000002-0000-0ff1-ce00-000000000000",
"Type":0
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ApplicationId":"00000002-0000-0ff1-ce00-000000000000",
"DeviceProperties":[{
"Name":"OS",
"Value":"Windows10"
},{
"Name":"BrowserType",
"Value":"Firefox"
},{
"Name":"SessionId",
"Value":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}],
"ErrorNumber":"0"
}Failure
{
"CreationTime":"2024-05-02T02:15:53",
"Id":"514d0006-6b28-446c-8f7c-e85271a31200",
"Operation":"UserLoginFailed",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":15,
"ResultStatus":"Success",
"UserKey":"1a3b0ad5-eda1-4f48-b877-3b002e5d85b5",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ClientIP":"198.51.100.1",
"ObjectId":"00000003-0000-0000-c000-000000000000",
"UserId":"Not Available",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"ResultStatusDetail",
"Value":"Success"
},{
"Name":"UserAgent",
"Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0"
},{
"Name":"RequestType",
"Value":"SAS:BeginAuth"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":0
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ActorIpAddress":"198.51.100.1",
"InterSystemsId":"cb18cf68-7234-4c40-8092-532f41063417",
"IntraSystemId":"514d0006-6b28-446c-8f7c-e85271a31200",
"SupportTicketId":"",
"Target":[{
"ID":"00000003-0000-0000-c000-000000000000",
"Type":0
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ApplicationId":"19db86c3-b2b9-44cc-b339-36da233a3be2",
"DeviceProperties":[{
"Name":"OS",
"Value":"Windows"
},{
"Name":"BrowserType",
"Value":"Firefox"
}],
"ErrorNumber":"50074",
"LogonError":"UserStrongAuthClientAuthNRequiredInterrupt"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Session ID
-
IP Geolocation / ASN
-
Verification Method
-
Verification Flagged
-
Activity Performed
Success
{
"CreationTime":"2024-05-01T03:59:39",
"Id":"ffdb8af6-ce7e-4218-93f8-79024f7e3300",
"Operation":"UserLoggedIn",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":15,
"ResultStatus":"Success",
"UserKey":"1a3b0ad5-eda1-4f48-b877-3b002e5d85b5",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ClientIP":"198.51.100.1",
"ObjectId":"00000002-0000-0000-c000-000000000000",
"UserId":"Not Available",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"ResultStatusDetail",
"Value":"Success"
},{
"Name":"UserAgent",
"Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0"
},{
"Name":"RequestType",
"Value":"SAS:BeginAuth"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":0
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ActorIpAddress":"198.51.100.1",
"InterSystemsId":"82fd1a94-4b4e-4b6e-ab01-ae97923206d6",
"IntraSystemId":"ffdb8af6-ce7e-4218-93f8-79024f7e3300",
"SupportTicketId":"",
"Target":[{
"ID":"00000002-0000-0000-c000-000000000000",
"Type":0
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"ApplicationId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"DeviceProperties":[{
"Name":"OS",
"Value":"Windows"
},{
"Name":"BrowserType",
"Value":"Firefox"
}],
"ErrorNumber":"0"
}Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:29:10",
"Id":"d17a8564-4f63-4792-a063-4ecf01e1b7a1",
"Operation":"Add user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"AccountEnabled",
"NewValue":"[\r\n true\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"Test User 10\"\r\n]",
"OldValue":"[]"
},{
"Name":"MailNickname",
"NewValue":"[\r\n \"TestUser10\"\r\n]",
"OldValue":"[]"
},{
"Name":"StsRefreshTokensValidFrom",
"NewValue":"[\r\n \"2024-05-01T21:29:10Z\"\r\n]",
"OldValue":"[]"
},{
"Name":"UserPrincipalName",
"NewValue":"[\r\n \"TestUser10@test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"UserType",
"NewValue":"[\r\n \"Member\"\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"AccountEnabled, DisplayName, MailNickname, StsRefreshTokensValidFrom, UserPrincipalName, UserType",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"8134ebac-1bab-411b-a547-b1610cf84a8f",
"IntraSystemId":"8004de8c-eb2b-4c14-b55a-2525ccedaa82",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Target Attribute Context
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T19:03:01",
"Id":"7df508c4-a9a3-4c58-b39f-a6ef3c171d41",
"Operation":"Update user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"example@test.onmicrosoft.com",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"UserType\":\"Member\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"Included Updated Properties",
"NewValue":"",
"OldValue":""
},{
"Name":"TargetId.UserType",
"NewValue":"Member",
"OldValue":""
},{
"Name":"ActorId.ServicePrincipalNames",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
},{
"Name":"SPN",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
}],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"627e042e-637b-4a2a-9c65-ac00b2d08906",
"IntraSystemId":"c434b12d-544d-4db1-90cd-21a79a9a8c0a",
"SupportTicketId":"",
"Target":[{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:34:00",
"Id":"d168a319-f0e6-4fff-900f-447a4f624d9d",
"Operation":"Delete user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"0c1966ef97c24558a7fd962fba9dcbc4test15@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"Is Hard Deleted",
"NewValue":"False",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"171ad712-02d9-4f5e-b7dd-40aa612bf7a9",
"IntraSystemId":"5e05f73f-ea8c-4e94-8149-9a7e9abf4031",
"SupportTicketId":"",
"Target":[{
"ID":"User_0c1966ef-97c2-4558-a7fd-962fba9dcbc4",
"Type":2
},{
"ID":"0c1966ef-97c2-4558-a7fd-962fba9dcbc4",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"0c1966ef97c24558a7fd962fba9dcbc4test15@test.onmicrosoft.com",
"Type":5
},{
"ID":"10032003546DB13C",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T16:25:27",
"Id":"dadb97b5-59e0-40e8-9d39-0be9bbcf584b",
"Operation":"Add group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"Description",
"NewValue":"[\r\n \"This is a test distribution group\"\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"Test Group\"\r\n]",
"OldValue":"[]"
},{
"Name":"Mail",
"NewValue":"[\r\n \"testdistro@test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"MailEnabled",
"NewValue":"[\r\n true\r\n]",
"OldValue":"[]"
},{
"Name":"MailNickname",
"NewValue":"[\r\n \"testdistro\"\r\n]",
"OldValue":"[]"
},{
"Name":"ProxyAddresses",
"NewValue":"[\r\n \"SMTP:testdistro@test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"RenewedDateTime",
"NewValue":"[\r\n \"2024-05-01T16:25:27Z\"\r\n]",
"OldValue":"[]"
},{
"Name":"SecurityEnabled",
"NewValue":"[\r\n false\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"Description, DisplayName, Mail, MailEnabled, MailNickname, ProxyAddresses, RenewedDateTime, SecurityEnabled",
"OldValue":""
},{
"Name":"ActorId.ServicePrincipalNames",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
},{
"Name":"SPN",
"NewValue":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"OldValue":""
}],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"cd44d8b8-42a5-4b68-b11f-bd6e7f028c72",
"IntraSystemId":"89114104-c53a-4f24-8211-c4019169bc6c",
"SupportTicketId":"",
"Target":[{
"ID":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"Group",
"Type":2
},{
"ID":"Test Group",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Success
{
"CreationTime":"2024-05-01T16:26:29",
"Id":"469d7f6a-494e-42ef-aebd-195301726b0c",
"Operation":"Update group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"GroupType\":\"\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"DisplayName",
"NewValue":"[\r\n \"Test Group 24\"\r\n]",
"OldValue":"[\r\n \"Test Group\"\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"DisplayName",
"OldValue":""
},{
"Name":"TargetId.GroupType",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"f8cfcb03-97fa-44a2-a4eb-71b05660c65f",
"IntraSystemId":"badb759f-7b05-4eec-b6b7-efa5cf84cf0d",
"SupportTicketId":"",
"Target":[{
"ID":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"Group",
"Type":2
},{
"ID":"Test Group 24",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T16:26:51",
"Id":"1bcdf6d9-d41e-408a-ad70-0a2ec1e040d2",
"Operation":"Delete group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"UserId":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"Microsoft Substrate Management",
"Type":1
},{
"ID":"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
"Type":2
},{
"ID":"ServicePrincipal_ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ac1c885a-da2e-446e-9f3f-544e5f988861",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"ce7facf0-60d9-4594-9536-02839e0633bb",
"IntraSystemId":"495208b4-932d-4768-9d16-6d9f059b5494",
"SupportTicketId":"",
"Target":[{
"ID":"Group_d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"d81ef556-a18c-4c2f-9f41-ccf90321c181",
"Type":2
},{
"ID":"Group",
"Type":2
},{
"ID":"Test Group 24",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Device/Client Type
-
Target Username
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
Success
{
"CreationTime":"2024-05-01T05:10:05",
"Id":"d74b2827-73e9-4ca4-8d9e-882f11a1f354",
"Operation":"Add member to group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"AlexW@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"O365AdminPortal\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"Group.ObjectID",
"NewValue":"a86f3642-1b11-468d-aaa3-8398902bd512",
"OldValue":""
},{
"Name":"Group.DisplayName",
"NewValue":"Test Group 100",
"OldValue":""
},{
"Name":"Group.WellKnownObjectName",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"Microsoft Office 365 Portal",
"Type":1
},{
"ID":"00000006-0000-0ff1-ce00-000000000000",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"771df599-2929-4f34-aeec-0d0d22d2df64",
"IntraSystemId":"ce463e56-df50-4961-bff1-6f1da69da656",
"SupportTicketId":"",
"Target":[{
"ID":"User_1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"AlexW@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320024DBC18D8",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Username
-
Target Group Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T05:27:56",
"Id":"1ab6721e-1557-4138-8417-15378b431bda",
"Operation":"Remove member from group.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"AlexW@test.onmicrosoft.com",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"O365AdminPortal\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Group"
}],
"ModifiedProperties":[{
"Name":"Group.ObjectID",
"NewValue":"",
"OldValue":"a86f3642-1b11-468d-aaa3-8398902bd512"
},{
"Name":"Group.DisplayName",
"NewValue":"",
"OldValue":"Test Group 100"
},{
"Name":"Group.WellKnownObjectName",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"Microsoft Office 365 Portal",
"Type":1
},{
"ID":"00000006-0000-0ff1-ce00-000000000000",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"d1887bb8-a1ed-4647-b3da-44ac87659630",
"IntraSystemId":"c5f0fcf1-7a94-4d63-96fe-f5bf859d068e",
"SupportTicketId":"",
"Target":[{
"ID":"User_1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"1eae91ef-20b6-4c9e-94ad-85f8dfa8eb18",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"AlexW@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320024DBC18D8",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Role Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:35:05",
"Id":"414a577a-6bcc-489d-a3c3-6919423134b1",
"Operation":"Add role definition.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"RoleDefinition"
}],
"ModifiedProperties":[{
"Name":"AssignableScopes",
"NewValue":"[\r\n {\r\n \"Type\": \"Tenant\",\r\n \"Id\": null,\r\n \"IsSelfScope\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"New Test Role\"\r\n]",
"OldValue":"[]"
},{
"Name":"GrantedPermissions",
"NewValue":"[\r\n {\r\n \"Actions\": [\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Delete\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Read\",\r\n \"ReadPropertySet\": \"Owners\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n }\r\n ],\r\n \"Condition\": null,\r\n \"ScopeConstraints\": [],\r\n \"IsPrivileged\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"AssignableScopes, DisplayName, GrantedPermissions",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"17247e48-1e4d-416b-8aa0-55d44ab09716",
"IntraSystemId":"5d368745-fbc5-403d-84ca-6eda100ad00d",
"SupportTicketId":"",
"Target":[{
"ID":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"Other",
"Type":2
},{
"ID":"New Test Role",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Attribute Context
-
Target Role Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:35:59",
"Id":"c7a002e8-8dbd-43a7-8c64-8de5910f49ff",
"Operation":"Update role definition.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"RoleDefinition"
}],
"ModifiedProperties":[{
"Name":"GrantedPermissions",
"NewValue":"[\r\n {\r\n \"Actions\": [\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Delete\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Read\",\r\n \"ReadPropertySet\": \"Owners\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"ApplicationMyOrganization\",\r\n \"TaskType\": \"Update\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"Basic\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"ApplicationMyOrganization\",\r\n \"TaskType\": \"Update\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"Credentials\",\r\n \"TaskTypeSubsetName\": null\r\n }\r\n ],\r\n \"Condition\": null,\r\n \"ScopeConstraints\": [],\r\n \"IsPrivileged\": true\r\n }\r\n]",
"OldValue":"[\r\n {\r\n \"Actions\": [\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Delete\",\r\n \"ReadPropertySet\": \"None\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n },\r\n {\r\n \"ResourceCategory\": \"AadDirectory\",\r\n \"ResourceType\": \"PolicyApplicationConfiguration\",\r\n \"TaskType\": \"Read\",\r\n \"ReadPropertySet\": \"Owners\",\r\n \"WritePropertySet\": \"None\",\r\n \"TaskTypeSubsetName\": null\r\n }\r\n ],\r\n \"Condition\": null,\r\n \"ScopeConstraints\": [],\r\n \"IsPrivileged\": false\r\n }\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"GrantedPermissions",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"38e57fdb-584e-4c9e-a68d-2b1eca4fae68",
"IntraSystemId":"9b6be5d3-e88b-430f-8eb6-29b3b742800e",
"SupportTicketId":"",
"Target":[{
"ID":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"Other",
"Type":2
},{
"ID":"New Test Role",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Target Role Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:36:10",
"Id":"f377408a-4cde-46ae-a658-f0042cc3f652",
"Operation":"Delete role definition.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"RoleDefinition"
}],
"ModifiedProperties":[{
"Name":"Included Updated Properties",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"d68f7c29-5a2c-43e4-a113-51b6bd72d0ea",
"IntraSystemId":"9b6be5d3-e88b-430f-8eb6-29b3b7428016",
"SupportTicketId":"",
"Target":[{
"ID":"RoleDefinition_176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"176137b7-85e6-4dd9-9f65-3c1ce26fa1c3",
"Type":2
},{
"ID":"Other",
"Type":2
},{
"ID":"New Test Role",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Permission Name
-
Target Resource Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:31:15",
"Id":"87025648-8434-4b73-a311-9eb82a0845fd",
"Operation":"Add member to role.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Role"
}],
"ModifiedProperties":[{
"Name":"Role.ObjectID",
"NewValue":"025dfbe5-67e0-44ce-9718-7cce87afdc00",
"OldValue":""
},{
"Name":"Role.DisplayName",
"NewValue":"Application Developer",
"OldValue":""
},{
"Name":"Role.TemplateId",
"NewValue":"cf1c38e5-3621-4004-a7cb-879624dced7c",
"OldValue":""
},{
"Name":"Role.WellKnownObjectName",
"NewValue":"ApplicationDevelopers",
"OldValue":""
}],
"Actor":[{
"ID":"MS-PIM",
"Type":1
},{
"ID":"01fc33a7-78ba-4d2f-a4b7-768e336e890e",
"Type":2
},{
"ID":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"da951f55-bdae-488a-8c47-ef670c358b09",
"IntraSystemId":"302d6a09-2d3d-49d1-9549-3966d6b649a2",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Permission Name
-
Target Resource Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:31:15",
"Id":"b6973e19-e37e-4b03-b077-0a1d2de71106",
"Operation":"Remove member from role.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Role"
}],
"ModifiedProperties":[{
"Name":"Role.ObjectID",
"NewValue":"",
"OldValue":"025dfbe5-67e0-44ce-9718-7cce87afdc00"
},{
"Name":"Role.DisplayName",
"NewValue":"",
"OldValue":"Application Developer"
},{
"Name":"Role.TemplateId",
"NewValue":"",
"OldValue":"cf1c38e5-3621-4004-a7cb-879624dced7c"
},{
"Name":"Role.WellKnownObjectName",
"NewValue":"",
"OldValue":"ApplicationDevelopers"
}],
"Actor":[{
"ID":"MS-PIM",
"Type":1
},{
"ID":"01fc33a7-78ba-4d2f-a4b7-768e336e890e",
"Type":2
},{
"ID":"ServicePrincipal_09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"09eaff3d-53e5-4fbe-9752-92c8505c97cd",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"31800963-cabe-47e6-8500-68ed16ffdfa7",
"IntraSystemId":"302d6a09-2d3d-49d1-9549-3966d6b649a2",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Enrollment Type
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-02T01:47:58",
"Id":"d13709bc-1139-4afe-996c-40d28014186b",
"Operation":"Update user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"TestUser10@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"UserType\":\"Member\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"StrongAuthenticationUserDetails",
"NewValue":"[\r\n {\r\n \"PhoneNumber\": \"+1 1234567891\",\r\n \"AlternativePhoneNumber\": null,\r\n \"Email\": null,\r\n \"VoiceOnlyPhoneNumber\": null\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"StrongAuthenticationUserDetails",
"OldValue":""
},{
"Name":"TargetId.UserType",
"NewValue":"Member",
"OldValue":""
}],
"Actor":[{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
},{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"5ee3f9c0-16e7-464b-af39-8cac70d274e0",
"IntraSystemId":"cb5af41a-7779-45c4-b9fb-258f78a3dadf",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Target Username
-
Enrollment Type
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-02T02:16:16",
"Id":"0ec7c8b7-77cb-4aa4-bee9-834e4dc9491a",
"Operation":"Update user.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"TestUser10@test.onmicrosoft.com",
"UserId":"ServicePrincipal_14de7e5c-d71d-4803-afd0-4cbc978b0d84",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"UserType\":\"Member\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"User"
}],
"ModifiedProperties":[{
"Name":"StrongAuthenticationPhoneAppDetail",
"NewValue":"[]",
"OldValue":"[\r\n {\r\n \"DeviceName\": \"iPhone 12 Pro\",\r\n \"DeviceToken\": \"apns2-f5f9da4aa265ab5f8f45948763d0fc07d560e25fa2f7452706d82bfe1eee0d0b\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.8.7\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"780c65ef-b4d2-4c09-a84f-fc8ee722c6fe\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 2,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-02T01:46:51.1234035Z\",\r\n \"AuthenticatorFlavor\": null,\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"StrongAuthenticationPhoneAppDetail",
"OldValue":""
},{
"Name":"TargetId.UserType",
"NewValue":"Member",
"OldValue":""
}],
"Actor":[{
"ID":"Azure MFA StrongAuthenticationService",
"Type":1
},{
"ID":"b5a60e17-278b-4c92-a4e2-b9262e66bb28",
"Type":2
},{
"ID":"ServicePrincipal_14de7e5c-d71d-4803-afd0-4cbc978b0d84",
"Type":2
},{
"ID":"14de7e5c-d71d-4803-afd0-4cbc978b0d84",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"6bc227a7-2e1d-4108-be7d-afab72e4887d",
"IntraSystemId":"8d98157b-5aec-459d-a4fd-39773a9b0b7d",
"SupportTicketId":"",
"Target":[{
"ID":"User_74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"74a66a67-9799-4620-a338-3b4a0b06045e",
"Type":2
},{
"ID":"User",
"Type":2
},{
"ID":"TestUser10@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320037B121E64",
"Type":3
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:41:34",
"Id":"b1fe6046-32f3-4464-9769-1fedc9122000",
"Operation":"Add policy.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Policy"
}],
"ModifiedProperties":[{
"Name":"DisplayName",
"NewValue":"[\r\n \"Default Policy\"\r\n]",
"OldValue":"[]"
},{
"Name":"PolicyType",
"NewValue":"[\r\n \"ConditionalAccessPolicy\"\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"DisplayName, PolicyType",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"1392787e-f8a4-44f1-bc52-40f5c542b317",
"IntraSystemId":"0d381482-0e74-49eb-9a16-edf059158785",
"SupportTicketId":"",
"Target":[{
"ID":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"Policy",
"Type":2
},{
"ID":"Default Policy",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Configuration / Setting Name
-
Configuration / Setting Value
-
Previous Configuration / Setting Value
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:41:53",
"Id":"5bf46a0b-5c14-468e-9b1f-bbb861d60411",
"Operation":"Update policy.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Policy"
}],
"ModifiedProperties":[{
"Name":"Included Updated Properties",
"NewValue":"",
"OldValue":""
}],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"59e475aa-49be-4608-b3c2-4163f5a4285f",
"IntraSystemId":"198cceb4-2226-451c-bccf-7500fd31da79",
"SupportTicketId":"",
"Target":[{
"ID":"Policy_b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"b2711e15-d574-4d4f-ad0a-2628e64dad97",
"Type":2
},{
"ID":"Policy",
"Type":2
},{
"ID":"Default Policy",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
User Agent Name
-
Configuration / Setting Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"CreationTime":"2024-05-01T21:42:17",
"Id":"f26d627b-40b0-42d6-9ab1-97de7ec000d6",
"Operation":"Delete policy.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Policy_673e6616-0786-46cb-bd95-118b7cf949a6",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Policy"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"fcb00c2e-c2ec-49c8-80fe-34131490dd8b",
"IntraSystemId":"5c9e3a73-f101-4ccb-8358-fdc8c4e206b2",
"SupportTicketId":"",
"Target":[{
"ID":"Policy_673e6616-0786-46cb-bd95-118b7cf949a6",
"Type":2
},{
"ID":"673e6616-0786-46cb-bd95-118b7cf949a6",
"Type":2
},{
"ID":"Policy",
"Type":2
},{
"ID":"Test CAP",
"Type":1
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:43:37",
"Id":"2f2af1ba-6d5f-40d2-863e-5263bb46a62c",
"Operation":"Add application.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"UserId":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"AppId\":\"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Application"
}],
"ModifiedProperties":[{
"Name":"AppAddress",
"NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://sso.services.box.net/sp/ACS.saml2\",\r\n \"ReplyAddressClientType\": 0,\r\n \"ReplyAddressIndex\": null,\r\n \"IsReplyAddressDefault\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"AppId",
"NewValue":"[\r\n \"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"\r\n]",
"OldValue":"[]"
},{
"Name":"AvailableToOtherTenants",
"NewValue":"[\r\n false\r\n]",
"OldValue":"[]"
},{
"Name":"DisplayName",
"NewValue":"[\r\n \"Box\"\r\n]",
"OldValue":"[]"
},{
"Name":"Entitlement",
"NewValue":"[\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e5bf6e42-3702-45c6-b19e-e0113417b6ad\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"Access Box\",\r\n \"Description\": \"Allow the application to access Box on behalf of the signed-in user.\",\r\n \"Definition\": null,\r\n \"ClaimValue\": \"user_impersonation\",\r\n \"ResourceScopeType\": 1,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": \"Access Box\",\r\n \"UserConsentDescription\": \"Allow the application to access Box on your behalf.\",\r\n \"DirectAccessGrantTypes\": [],\r\n \"ImpersonationAccessGrantTypes\": [\r\n {\r\n \"Impersonator\": 29,\r\n \"Impersonated\": 20\r\n }\r\n ],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n }\r\n]",
"OldValue":"[]"
},{
"Name":"PublicClient",
"NewValue":"[\r\n false\r\n]",
"OldValue":"[]"
},{
"Name":"WwwHomepage",
"NewValue":"[\r\n \"https://sso.services.box.net/sp/ACS.saml2?metadata=box|ISV9.1|primary|z\"\r\n]",
"OldValue":"[]"
},{
"Name":"PublisherDomain",
"NewValue":"[\r\n \"test.onmicrosoft.com\"\r\n]",
"OldValue":"[]"
},{
"Name":"Included Updated Properties",
"NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage, PublisherDomain",
"OldValue":""
}],
"Actor":[{
"ID":"AAD App Management",
"Type":1
},{
"ID":"f0ae4899-d877-4d3c-ae25-679e38eea492",
"Type":2
},{
"ID":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"ceb1bc66-ebc1-4cee-ac1c-c79573942636",
"IntraSystemId":"00000000-0000-0000-0000-000000000000",
"SupportTicketId":"",
"Target":[{
"ID":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"Application",
"Type":2
},{
"ID":"Box",
"Type":1
},{
"ID":"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12",
"Type":2
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
-
Integration / App Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:43:39",
"Id":"86732c26-5672-4756-acad-6d336ecaea71",
"Operation":"Update application.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"Not Available",
"UserType":4,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"UserId":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"AppId\":\"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Application"
}],
"ModifiedProperties":[{
"Name":"Entitlement",
"NewValue":"[\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e5bf6e42-3702-45c6-b19e-e0113417b6ad\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"Access Box\",\r\n \"Description\": \"Allow the application to access Box on behalf of the signed-in user.\",\r\n \"Definition\": null,\r\n \"ClaimValue\": \"user_impersonation\",\r\n \"ResourceScopeType\": 1,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": \"Access Box\",\r\n \"UserConsentDescription\": \"Allow the application to access Box on your behalf.\",\r\n \"DirectAccessGrantTypes\": [],\r\n \"ImpersonationAccessGrantTypes\": [\r\n {\r\n \"Impersonator\": 29,\r\n \"Impersonated\": 20\r\n }\r\n ],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n },\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e18f0405-fdec-4ae8-a8a0-d8edb98b061f\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"User\",\r\n \"Description\": \"User\",\r\n \"Definition\": null,\r\n \"ClaimValue\": null,\r\n \"ResourceScopeType\": 0,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": null,\r\n \"UserConsentDescription\": null,\r\n \"DirectAccessGrantTypes\": [\r\n 20\r\n ],\r\n \"ImpersonationAccessGrantTypes\": [],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n },\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"ef7437e6-4f94-4a0a-a110-a439eb2aa8f7\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"msiam_access\",\r\n \"Description\": \"msiam_access\",\r\n \"Definition\": null,\r\n \"ClaimValue\": null,\r\n \"ResourceScopeType\": 0,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": null,\r\n \"UserConsentDescription\": null,\r\n \"DirectAccessGrantTypes\": [\r\n 20\r\n ],\r\n \"ImpersonationAccessGrantTypes\": [],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n }\r\n]",
"OldValue":"[\r\n {\r\n \"EntitlementEncodingVersion\": 2,\r\n \"EntitlementId\": \"e5bf6e42-3702-45c6-b19e-e0113417b6ad\",\r\n \"IsDisabled\": false,\r\n \"Origin\": 0,\r\n \"Name\": \"Access Box\",\r\n \"Description\": \"Allow the application to access Box on behalf of the signed-in user.\",\r\n \"Definition\": null,\r\n \"ClaimValue\": \"user_impersonation\",\r\n \"ResourceScopeType\": 1,\r\n \"IsPrivate\": false,\r\n \"UserConsentDisplayName\": \"Access Box\",\r\n \"UserConsentDescription\": \"Allow the application to access Box on your behalf.\",\r\n \"DirectAccessGrantTypes\": [],\r\n \"ImpersonationAccessGrantTypes\": [\r\n {\r\n \"Impersonator\": 29,\r\n \"Impersonated\": 20\r\n }\r\n ],\r\n \"EntitlementCategory\": 0,\r\n \"DependentMicrosoftGraphPermissions\": [],\r\n \"IsPreauthzOnlyDirectAccessGrant\": false,\r\n \"IsPreauthzOnlyImpersonationGrant\": false\r\n }\r\n]"
},{
"Name":"Included Updated Properties",
"NewValue":"Entitlement",
"OldValue":""
}],
"Actor":[{
"ID":"AAD App Management",
"Type":1
},{
"ID":"f0ae4899-d877-4d3c-ae25-679e38eea492",
"Type":2
},{
"ID":"ServicePrincipal_4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"4f990b57-c537-4671-b080-8b6ffd9aded7",
"Type":2
},{
"ID":"ServicePrincipal",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"6a768b60-62e7-4e3b-b49b-8713093979c7",
"IntraSystemId":"00000000-0000-0000-0000-000000000000",
"SupportTicketId":"",
"Target":[{
"ID":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"Application",
"Type":2
},{
"ID":"Box",
"Type":1
},{
"ID":"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12",
"Type":2
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Integration / App Name
Unsupported
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T21:45:46",
"Id":"dc3a6b43-7cbf-4e35-8cc0-0ac7622aedcb",
"Operation":"Delete application.",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":8,
"ResultStatus":"Success",
"UserKey":"100320015ED2DA21@test.onmicrosoft.com",
"UserType":0,
"Version":1,
"Workload":"AzureActiveDirectory",
"ObjectId":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"UserId":"example@test.onmicrosoft.com",
"AzureActiveDirectoryEventType":1,
"ExtendedProperties":[{
"Name":"additionalDetails",
"Value":"{\"AppId\":\"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12\"}"
},{
"Name":"extendedAuditEventCategory",
"Value":"Application"
}],
"ModifiedProperties":[],
"Actor":[{
"ID":"example@test.onmicrosoft.com",
"Type":5
},{
"ID":"100320015ED2DA21",
"Type":3
},{
"ID":"74658136-14ec-4630-ad9b-26e160ff0fc6",
"Type":2
},{
"ID":"User_f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"f1c08887-d776-42f8-9911-06faa5ab392f",
"Type":2
},{
"ID":"User",
"Type":2
}],
"ActorContextId":"8326222c-5c86-45a1-b768-561ad270c694",
"InterSystemsId":"5e481f17-a030-48a4-818d-94e014f54189",
"IntraSystemId":"00000000-0000-0000-0000-000000000000",
"SupportTicketId":"",
"Target":[{
"ID":"Application_9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"9b59f56e-9679-4503-b31f-594503399e1e",
"Type":2
},{
"ID":"Application",
"Type":2
},{
"ID":"Box Test",
"Type":1
},{
"ID":"fd81b5e5-74e3-4447-bfe5-3ad3ab319e12",
"Type":2
}],
"TargetContextId":"8326222c-5c86-45a1-b768-561ad270c694"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Azure Active Directory Audit Logs
Includes logs from Azure Active Directory including authentication and user management.
References
Retention Details
Storage Duration: 180 days
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Latency Details
Duration: Typically 60 to 90 minutes after an event occurs.
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
User Agent Name
-
Device/Client Type
Unsupported
-
Result
-
IP Geolocation / ASN
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Success
{
"CreationTime":"2024-04-30T01:50:30",
"Id":"15146ca7-c8b4-4661-1189-08dc68b7ea96",
"Operation":"MailboxLogin",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"test4@test.onmicrosoft.com",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=/owa/startupdata.ashx; Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"test4@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"SJ0PR06MB7068",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:20:08",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:25:27",
"Id":"60ee7c61-f9d1-49eb-1743-08dc69fb4fdc",
"Operation":"New-DistributionGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:13736",
"ObjectId":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Alias",
"Value":"testdistro"
},{
"Name":"Description",
"Value":"This is a test distribution group"
},{
"Name":"RequireSenderAuthenticationEnabled",
"Value":"True"
},{
"Name":"DisplayName",
"Value":"Test Group"
},{
"Name":"MemberDepartRestriction",
"Value":"Open"
},{
"Name":"ManagedBy",
"Value":"example@test.onmicrosoft.com"
},{
"Name":"Name",
"Value":"Test Group20240501162508"
},{
"Name":"MemberJoinRestriction",
"Value":"Open"
},{
"Name":"PrimarySmtpAddress",
"Value":"testdistro@test.onmicrosoft.com"
}],
"RequestId":"a36f3f21-295b-52e0-28bf-4ed14ed99ae1",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Group Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:21:28",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:26:29",
"Id":"baba650a-2d56-4b03-586a-08dc69fb74e4",
"Operation":"Set-DistributionGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:14492",
"ObjectId":"Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508"
},{
"Name":"GrantSendOnBehalfTo",
"Value":""
},{
"Name":"ModeratedBy",
"Value":""
},{
"Name":"BypassModerationFromSendersOrMembers",
"Value":""
},{
"Name":"AcceptMessagesOnlyFromSendersOrMembers",
"Value":""
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
},{
"Name":"DisplayName",
"Value":"Test Group 24"
}],
"RequestId":"de7de5af-cf19-7e5d-375b-1d32f22226a4",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:21:50",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:26:51",
"Id":"165ebb45-ec0e-40a2-0a76-08dc69fb81d7",
"Operation":"Remove-DistributionGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:12185",
"ObjectId":"Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508"
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
}],
"RequestId":"e7b9495a-3dae-61c4-d07b-061ca7db5010",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:21:07",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:26:08",
"Id":"33c59316-c708-4a04-7a24-08dc69fb680a",
"Operation":"Add-DistributionGroupMember",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:17461",
"ObjectId":"Test Group20240501162508",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group20240501162508"
},{
"Name":"Member",
"Value":"93714996-ddb9-4e6a-b1aa-6db081388f73"
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
}],
"RequestId":"377d3ffb-35c0-1272-3ca4-c373e68de9f1",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Group Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T16:36:14",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T16:41:15",
"Id":"5c59f5eb-e4fb-49aa-8a57-08dc69fd84ef",
"Operation":"Remove-DistributionGroupMember",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:21866",
"ObjectId":"Test Group 220240501164027",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000006-0000-0ff1-ce00-000000000000",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Group 220240501164027"
},{
"Name":"Member",
"Value":"0c1966ef-97c2-4558-a7fd-962fba9dcbc4"
},{
"Name":"BypassSecurityGroupManagerCheck",
"Value":"True"
}],
"RequestId":"7c5778ce-acd5-a41f-8078-5de5af9dc897",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Role Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:54:48",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:00:43",
"Id":"f09281ab-848e-4de0-6356-08dc69934603",
"Operation":"New-RoleGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:10267",
"ObjectId":"NAMPR06A004.prod.outlook.com/Microsoft Exchange Hosted Organizations/test.onmicrosoft.com/Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Name",
"Value":"Test Role Group"
},{
"Name":"Roles",
"Value":"Address Lists"
},{
"Name":"Members",
"Value":"fff85c15-3ce8-48c0-af17-4088dbdc5d62"
}],
"RequestId":"1e83e21b-eb7d-1e92-c02c-09292b02ebac",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Target Role Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:22:00",
"Id":"557d12c8-6bd9-4ad4-3b52-08dc69963f27",
"Operation":"Set-RoleGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:3533",
"ObjectId":"Security Operator",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"56882e99-c987-4492-aded-48e8bb029d3a"
},{
"Name":"Description",
"Value":"Membership in this role group is synchronized across services and managed centrally. This role group is not manageable through Microsoft Exchange or Security and Compliance Center (SCC). Members of this role group may include cross-service administrators that have access beyond Exchange and SCC. By default, this group is not assigned any roles. However, it will be a member of the 'Records Management' and 'Compliance Management' role groups in Exchange and 'Compliance Data Administrator' role group in SCC. It will inherit the permissions of these role groups."
},{
"Name":"Name",
"Value":"Security Operator Test"
}],
"RequestId":"aadf0312-2bee-a4ec-e212-23b4c6ebf90d",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:07:35",
"Id":"e7305c7e-6db5-410e-e973-08dc69943bab",
"Operation":"Remove-RoleGroup",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:8259",
"ObjectId":"Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"def12b29-0bac-42d0-8d75-fbfcfa3536cc"
}],
"RequestId":"3d63ba16-ade5-b4a1-eb17-b9ad63c5554f",
"SessionId":"273fa545-05fe-4d22-af37-fa899f0b91ca"
}Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:06:31",
"Id":"3f044723-212c-4b70-966f-08dc6994156a",
"Operation":"New-ManagementRoleAssignment",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:8259",
"ObjectId":"test.onmicrosoft.com\\Audit Logs-Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Role",
"Value":"Audit Logs"
},{
"Name":"SecurityGroup",
"Value":"def12b29-0bac-42d0-8d75-fbfcfa3536cc"
}],
"RequestId":"f975c651-1df4-8b35-d560-2cb34a0f4c0f",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109"
}Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Permission Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Resource Name
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T03:56:21",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:06:22",
"Id":"159c17b5-7735-4d7f-d5a5-08dc69941015",
"Operation":"Remove-ManagementRoleAssignment",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:8259",
"ObjectId":"Address Lists-Test Role Group",
"UserId":"example@test.onmicrosoft.com",
"AppId":"497effe9-df71-4043-a8bb-14cf78c4b63b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"379109cd-46a3-4a83-bfa9-6e4fbaf88531"
}],
"RequestId":"4e7af3ce-88f6-b205-007b-3abd6ecfc56d",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T04:41:30",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:47:03",
"Id":"02a67a6e-bddc-4a8b-bd8a-08dc6999bf35",
"Operation":"New-HostedContentFilterPolicy",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:10521",
"ObjectId":"test.onmicrosoft.com\\Inbound Spam",
"UserId":"example@test.onmicrosoft.com",
"AppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"MarkAsSpamEmptyMessages",
"Value":"Off"
},{
"Name":"TestModeBccToRecipients",
"Value":""
},{
"Name":"EnableLanguageBlockList",
"Value":"False"
},{
"Name":"MarkAsSpamFromAddressAuthFail",
"Value":"Off"
},{
"Name":"MarkAsSpamEmbedTagsInHtml",
"Value":"Off"
},{
"Name":"ModifySubjectValue",
"Value":""
},{
"Name":"MarkAsSpamNdrBackscatter",
"Value":"Off"
},{
"Name":"QuarantineRetentionPeriod",
"Value":"15"
},{
"Name":"AdminDisplayName",
"Value":""
},{
"Name":"MarkAsSpamWebBugsInHtml",
"Value":"Off"
},{
"Name":"TestModeAction",
"Value":"None"
},{
"Name":"SpamZapEnabled",
"Value":"True"
},{
"Name":"BlockedSenderDomains",
"Value":""
},{
"Name":"EnableRegionBlockList",
"Value":"False"
},{
"Name":"PhishQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"HighConfidencePhishAction",
"Value":"Quarantine"
},{
"Name":"MarkAsSpamFramesInHtml",
"Value":"Off"
},{
"Name":"RecommendedPolicyType",
"Value":"Custom"
},{
"Name":"HighConfidenceSpamQuarantineTag",
"Value":""
},{
"Name":"LanguageBlockList",
"Value":""
},{
"Name":"PhishZapEnabled",
"Value":"True"
},{
"Name":"HighConfidenceSpamAction",
"Value":"MoveToJmf"
},{
"Name":"SpamQuarantineTag",
"Value":""
},{
"Name":"RedirectToRecipients",
"Value":""
},{
"Name":"MarkAsSpamFormTagsInHtml",
"Value":"Off"
},{
"Name":"AllowedSenderDomains",
"Value":""
},{
"Name":"Name",
"Value":"Inbound Spam"
},{
"Name":"IncreaseScoreWithRedirectToOtherPort",
"Value":"Off"
},{
"Name":"BulkSpamAction",
"Value":"MoveToJmf"
},{
"Name":"AddXHeaderValue",
"Value":""
},{
"Name":"MarkAsSpamBulkMail",
"Value":"On"
},{
"Name":"HighConfidencePhishQuarantineTag",
"Value":"AdminOnlyAccessPolicy"
},{
"Name":"RegionBlockList",
"Value":""
},{
"Name":"BlockedSenders",
"Value":""
},{
"Name":"BulkQuarantineTag",
"Value":""
},{
"Name":"MarkAsSpamObjectTagsInHtml",
"Value":"Off"
},{
"Name":"IncreaseScoreWithBizOrInfoUrls",
"Value":"Off"
},{
"Name":"MarkAsSpamJavaScriptInHtml",
"Value":"Off"
},{
"Name":"MarkAsSpamSensitiveWordList",
"Value":"Off"
},{
"Name":"PhishSpamAction",
"Value":"Quarantine"
},{
"Name":"InlineSafetyTipsEnabled",
"Value":"True"
},{
"Name":"IncreaseScoreWithImageLinks",
"Value":"Off"
},{
"Name":"BulkThreshold",
"Value":"7"
},{
"Name":"MarkAsSpamSpfRecordHardFail",
"Value":"Off"
},{
"Name":"AllowedSenders",
"Value":""
},{
"Name":"SpamAction",
"Value":"MoveToJmf"
},{
"Name":"IncreaseScoreWithNumericIps",
"Value":"Off"
}],
"RequestId":"ff34430c-1050-0ab8-672d-4ff36901a536",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Read Security Configuration
ET0023
Reads a security configuration policy or settings.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Update Security Configuration
ET0024
Updates a security configuration policy or settings.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Configuration / Setting Name
-
Configuration / Setting Value
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Previous Configuration / Setting Value
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T04:41:30",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:47:36",
"Id":"c3d67096-6e45-4642-6454-08dc6999d2cd",
"Operation":"Set-HostedContentFilterPolicy",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:27251",
"ObjectId":"Inbound Spam",
"UserId":"example@test.onmicrosoft.com",
"AppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"MarkAsSpamEmptyMessages",
"Value":"Off"
},{
"Name":"EnableLanguageBlockList",
"Value":"False"
},{
"Name":"MarkAsSpamFromAddressAuthFail",
"Value":"On"
},{
"Name":"MarkAsSpamEmbedTagsInHtml",
"Value":"Off"
},{
"Name":"ModifySubjectValue",
"Value":""
},{
"Name":"IntraOrgFilterState",
"Value":"Default"
},{
"Name":"MarkAsSpamNdrBackscatter",
"Value":"On"
},{
"Name":"AdminDisplayName",
"Value":""
},{
"Name":"MarkAsSpamFormTagsInHtml",
"Value":"Off"
},{
"Name":"MarkAsSpamWebBugsInHtml",
"Value":"Off"
},{
"Name":"TestModeAction",
"Value":"None"
},{
"Name":"SpamZapEnabled",
"Value":"True"
},{
"Name":"Identity",
"Value":"Inbound Spam"
},{
"Name":"BlockedSenderDomains",
"Value":""
},{
"Name":"EnableRegionBlockList",
"Value":"False"
},{
"Name":"PhishQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"HighConfidencePhishAction",
"Value":"Quarantine"
},{
"Name":"MarkAsSpamFramesInHtml",
"Value":"Off"
},{
"Name":"HighConfidenceSpamQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"LanguageBlockList",
"Value":""
},{
"Name":"PhishZapEnabled",
"Value":"True"
},{
"Name":"DownloadLink",
"Value":"False"
},{
"Name":"HighConfidenceSpamAction",
"Value":"MoveToJmf"
},{
"Name":"SpamQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"RedirectToRecipients",
"Value":""
},{
"Name":"TestModeBccToRecipients",
"Value":""
},{
"Name":"AllowedSenderDomains",
"Value":""
},{
"Name":"IncreaseScoreWithRedirectToOtherPort",
"Value":"Off"
},{
"Name":"BulkSpamAction",
"Value":"MoveToJmf"
},{
"Name":"AddXHeaderValue",
"Value":""
},{
"Name":"QuarantineRetentionPeriod",
"Value":"15"
},{
"Name":"HighConfidencePhishQuarantineTag",
"Value":"AdminOnlyAccessPolicy"
},{
"Name":"RegionBlockList",
"Value":""
},{
"Name":"BlockedSenders",
"Value":""
},{
"Name":"BulkQuarantineTag",
"Value":"DefaultFullAccessPolicy"
},{
"Name":"MarkAsSpamObjectTagsInHtml",
"Value":"Off"
},{
"Name":"IncreaseScoreWithBizOrInfoUrls",
"Value":"Off"
},{
"Name":"MarkAsSpamJavaScriptInHtml",
"Value":"Off"
},{
"Name":"MarkAsSpamSensitiveWordList",
"Value":"Off"
},{
"Name":"PhishSpamAction",
"Value":"Quarantine"
},{
"Name":"InlineSafetyTipsEnabled",
"Value":"True"
},{
"Name":"IncreaseScoreWithImageLinks",
"Value":"Off"
},{
"Name":"MarkAsSpamBulkMail",
"Value":"On"
},{
"Name":"BulkThreshold",
"Value":"7"
},{
"Name":"MarkAsSpamSpfRecordHardFail",
"Value":"Off"
},{
"Name":"AllowedSenders",
"Value":""
},{
"Name":"SpamAction",
"Value":"MoveToJmf"
},{
"Name":"IncreaseScoreWithNumericIps",
"Value":"Off"
}],
"RequestId":"60356c4d-fe0b-a381-1840-3cd0eb74e865",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Delete Security Configuration
ET0025
Removes or deletes a security configuration policy or setting.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Configuration / Setting Name
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Value
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-01T04:41:30",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-01T04:48:06",
"Id":"646780a6-8b79-4310-9f6e-08dc6999e476",
"Operation":"Remove-HostedContentFilterPolicy",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:11212",
"ObjectId":"Inbound Spam",
"UserId":"example@test.onmicrosoft.com",
"AppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.7544.013)",
"Parameters":[{
"Name":"Identity",
"Value":"Inbound Spam"
}],
"RequestId":"27f63301-2d1e-13f2-24e3-17b499983d95",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Create Integration
ET0026
Creates a new integration.
Create Integration
ET0026
Creates a new integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Integration / App Name
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"UniqueTokenId":"6e1c5a56-fb53-46ae-8b6d-24988bdcced2"
},
"CreationTime":"2024-05-01T01:11:16",
"Id":"323fd199-99bb-4bd5-5ca7-08dc697b9a0c",
"Operation":"New-App",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
"UserType":3,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:14804",
"ObjectId":"\\fe93bfe1-7947-460a-a5e0-7a5906b51360",
"UserId":"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
"AppId":"3c896ded-22c5-450f-91f6-3d1ef0848f6e",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"6e1c5a56-fb53-46ae-8b6d-24988bdcced2",
"CorrelationID":"",
"ExternalAccess":true,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4945 (15.20.7519.031)",
"Parameters":[{
"Name":"DefaultStateForUser",
"Value":"Enabled"
},{
"Name":"Enabled",
"Value":"True"
},{
"Name":"FileData",
"Value":"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjwhLS1DcmVhdGVkOmNiODViODBjLWY1OA==..."
},{
"Name":"OrganizationApp",
"Value":"True"
},{
"Name":"Organization",
"Value":"test.onmicrosoft.com"
}],
"RequestId":"28c1fbd6-98d3-4ee9-8411-d4ced8ae313a",
"SessionId":""
}Read Integration
ET0027
Reads an existing integration.
Read Integration
ET0027
Reads an existing integration.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Integration / App Name
Update Integration
ET0028
Updates an existing integration.
Update Integration
ET0028
Updates an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Integration / App Name
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Configuration / Setting Name
-
Previous Configuration / Setting Value
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-04-29T19:52:05",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-04-30T15:48:21",
"Id":"ba11eba1-fd2a-4091-9356-08dc692cf680",
"Operation":"Enable-App",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:56377",
"ObjectId":"e06a29d3-3e3c-4f6a-8ae5-17cac1719f14\\fe93bfe1-7947-460a-a5e0-7a5906b51360",
"UserId":"example@test.onmicrosoft.com",
"AppId":"fb78d390-0c51-40cd-8e17-fdbfab77341b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4835 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"fe93bfe1-7947-460a-a5e0-7a5906b51360"
},{
"Name":"Mailbox",
"Value":"test4@test.onmicrosoft.com"
}],
"RequestId":"9e2c2638-a684-07dc-91d9-71366f88e271",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Delete Integration
ET0029
Removes or deletes an existing integration.
Delete Integration
ET0029
Removes or deletes an existing integration.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
Integration / App Name
Unsupported
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-04-29T19:52:05",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-04-30T15:49:40",
"Id":"86328dc9-8a8d-4612-2156-08dc692d25cb",
"Operation":"Remove-App",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":1,
"ResultStatus":"True",
"UserKey":"100320015ED2DA21",
"UserType":2,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1:56403",
"ObjectId":"f1c08887-d776-42f8-9911-06faa5ab392f\\fe93bfe1-7947-460a-a5e0-7a5906b51360",
"UserId":"example@test.onmicrosoft.com",
"AppId":"fb78d390-0c51-40cd-8e17-fdbfab77341b",
"AppPoolName":"MSExchangeAdminApiNetCore",
"ClientAppId":"",
"CorrelationID":"",
"ExternalAccess":false,
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"BL0PR06MB4835 (15.20.7519.031)",
"Parameters":[{
"Name":"Identity",
"Value":"fe93bfe1-7947-460a-a5e0-7a5906b51360"
},{
"Name":"OrganizationApp",
"Value":"True"
},{
"Name":"Confirm",
"Value":"False"
}],
"RequestId":"53b9dec4-d210-788c-60cd-c365c8fd3666",
"SessionId":"d15707db-ca84-4096-be63-c6126b7391d5"
}Activity Audit
Events (5)
No Results Found
Create Resource
ET0030
A resource was created.
Create Resource
ET0030
A resource was created.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success - email
{
"CreationTime":"2024-04-30T01:50:44",
"Id":"b879cd77-f6df-4dd0-526a-08dc68b7f338",
"Operation":"Send",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"2603:1036:307:44::5",
"UserId":"test4@test.onmicrosoft.com",
"AppId":"63224634-e46c-47db-921f-42bf5bfeaf4e",
"ClientAppId":"6e1c5a56-fb53-46ae-8b6d-24988bdcced2",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=REST;Client=RESTSystem;;",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"test4@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"SJ0PR06MB7068 (15.20.4200.000)\r\n",
"Item":{
"Attachments":"LogoM365.png (3442b); welcome_email_v3_conversations.png (12282b); welcome_email_v3_calendar.png (9778b); welcome_email_v3_files.png (10267b); welcome_email_v3_sharing_laptop.png (95913b); welcome_email_v3_onenote.png (8844b); welcome_email_v3_teamwork_laptop.png (75139b); group_photo (13165b); twitter_icon.png (2248b); salesforce.png (2742b); trello.png (1610b); jira.png (2516b); microsoft.png (2896b); arrow.png (415b)",
"Id":"RgAAAADVmE95ewSjS4ZrC2ktggLuBwBJYlPF4gPyS7/L9chR1JeWAAAAAAEPAABJYlPF4gPyS7/L9chR1JeWAAANOg+9AAAJ",
"InternetMessageId":"<SJ0PR06MB7068F00A3EE360BB9B9F05A0B81A2@SJ0PR06MB7068.namprd06.prod.outlook.com>",
"ParentFolder":{
"Id":"LgAAAADVmE95ewSjS4ZrC2ktggLuAQBJYlPF4gPyS7/L9chR1JeWAAAAAAEPAAAB",
"Path":"\\Drafts"
},
"SizeInBytes":268282,
"Subject":"Test4 added you to the Test Group 1 group"
},
"SaveToSentItems":false
}Success - calendar
{
"CreationTime":"2024-05-01T19:00:24",
"Id":"64922ffb-a517-43af-a0ea-737e0b67c577",
"Operation":"Create",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"Item":{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAENAABx36FMViA4QL6OjQQj0W4QAAFb0NzKAAAP",
"InternetMessageId":"<DM6PR06MB4844B915A8B9DF344FBF868ED7192@DM6PR06MB4844.namprd06.prod.outlook.com>",
"IsRecord":false,
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
},
"SizeInBytes":6098,
"Subject":"Test Entry 2"
}
}Read Resource
ET0031
A resource was read.
Read Resource
ET0031
A resource was read.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T17:24:12",
"Id":"121899a5-ff77-49a0-b344-e368a192ca4e",
"Operation":"MailItemsAccessed",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":50,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OperationProperties":[{
"Name":"MailAccessType",
"Value":"Bind"
},{
"Name":"IsThrottled",
"Value":"False"
}],
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"Folders":[{
"FolderItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEMAABx36FMViA4QL6OjQQj0W4QAAEORT/FAAAJ",
"InternetMessageId":"<3b64c23d-1d09-42db-a14e-847e7c20cb7e@CO1NAM11BG401.eop-nam11.prod.protection.outlook.com>",
"SizeInBytes":68843
}],
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEMAAAB",
"Path":"\\Inbox"
},{
"FolderItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLaAAAJ",
"InternetMessageId":"<Share-fa260ca1-f088-5000-076e-5dff216ee852-8bf3a8c9-6c84-4d50-bfac-772d9a2c684a-be002b43-f444-4369-9a4c-1b927d261a0c-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51258
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLjAAAJ",
"InternetMessageId":"<Share-40590ca1-0059-5000-002e-6582ba280cc1-cdb8a2df-27bf-4477-9e14-07ac42fe59f4-725c7be5-0afe-4c1a-ac8f-9499ed7c2659-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51854
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLiAAAJ",
"InternetMessageId":"<Share-05590ca1-e07b-5000-002e-61d3e2d54929-2a0ed38c-71da-4fda-ab73-be8cace5b65f-b84488ee-32fd-414c-b689-c4a088f18cfd-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51844
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLhAAAJ",
"InternetMessageId":"<Share-e3580ca1-10de-5000-002e-6500144c00a7-ad2892e9-321d-4107-a265-2578c4352ac6-d84bd92b-3723-4544-be37-75741e4f12cd-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51854
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLfAAAJ",
"InternetMessageId":"<Share-2a4b0ca1-8090-5000-002e-608620e7e3bb-98b79516-151c-4a43-b394-f522f34cb537-0cfb15fa-b2c7-4226-b20d-4b9b15007844-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":51821
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAErAHLcAAAJ",
"InternetMessageId":"<Share-4e270ca1-2084-4000-d966-c5768aef30b1-c04a7cd6-2ec7-498e-b0f9-0fc821693b88-4595fc54-514c-4550-9684-245a97d76ceb-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":50892
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAB+0FwBAAAJ",
"InternetMessageId":"<odspmicro-Share-0e00b8a0-80a1-3000-a0d4-731f58e6eed1-2c744e41-f54d-47ec-a9db-4f77b3a242ae-346559c5-37cc-4251-850d-c5b77406336d-DispatchToRecipients-PreprocessPayload-r0-SendEmail@142E6560D08B>",
"SizeInBytes":53663
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAE4b96cAAAJ",
"InternetMessageId":"<Share-d0bd12a1-102a-5000-076e-5593148f9444-2078f187-0c3b-402b-b06a-fed510c0d20c-4cb255bc-096a-438e-b43f-638f8f632824-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":47826
},{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEJAABx36FMViA4QL6OjQQj0W4QAAE4b96bAAAJ",
"InternetMessageId":"<Share-c6bd12a1-204a-5000-0ea1-59536b5f1b95-fe36bb80-8416-4235-8628-2497d71e9df3-3057687e-93de-47cb-b2c6-82e17a79c9a5-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>",
"SizeInBytes":47825
}],
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEJAAAB",
"Path":"\\Sent Items"
}],
"OperationCount":10
}Update Resource
ET0032
A resource was updated.
Update Resource
ET0032
A resource was updated.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
Success
{
"CreationTime":"2024-05-01T19:00:32",
"Id":"0b41bd99-5ab2-4d17-359c-08dc6a10f9ac",
"Operation":"Update",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":2,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"Item":{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAENAABx36FMViA4QL6OjQQj0W4QAAFb0NzJAAAP",
"InternetMessageId":"<DM6PR06MB4844135DDF8FB5589A0935CAD7192@DM6PR06MB4844.namprd06.prod.outlook.com>",
"IsRecord":false,
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
},
"SizeInBytes":6758,
"Subject":"Test Calender Entry 24"
},
"ModifiedProperties":["MapiEndTime","MapiPREndDate","MapiStartTime","MapiPRStartDate","MapiSubject","NormalizedSubjectInternal"]
}Delete Resource
ET0033
A resource was removed or deleted.
Delete Resource
ET0033
A resource was removed or deleted.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User Type / Role
-
Session ID
-
IP Address
-
Resource Name
-
Resource Type
Unsupported
-
User ID
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success - email
{
"CreationTime":"2024-05-01T17:24:22",
"Id":"400c8963-12c3-417e-3e2c-08dc6a038ac8",
"Operation":"MoveToDeletedItems",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":3,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"AffectedItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAEMAABx36FMViA4QL6OjQQj0W4QAAFas18+AAAJ",
"InternetMessageId":"<SJ0PR06MB7068F4D6BE10AC2D8368FC41B81A2@SJ0PR06MB7068.namprd06.prod.outlook.com>",
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEMAAAB",
"Path":"\\Inbox"
},
"Subject":"Test Message"
}],
"CrossMailboxOperation":false,
"DestFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEKAAAB",
"Path":"\\Deleted Items"
},
"Folder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEMAAAB",
"Path":"\\Inbox"
}
}Success - calendar
{
"CreationTime":"2024-05-01T19:21:16",
"Id":"e1fb94cb-2adc-4b4c-98bd-08dc6a13df45",
"Operation":"MoveToDeletedItems",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":3,
"ResultStatus":"Succeeded",
"UserKey":"100320015ED2DA21",
"UserType":0,
"Version":1,
"Workload":"Exchange",
"ClientIP":"198.51.100.1",
"UserId":"example@test.onmicrosoft.com",
"AppId":"00000002-0000-0ff1-ce00-000000000000",
"ClientIPAddress":"198.51.100.1",
"ClientInfoString":"Client=OWA;Action=ViaProxy",
"ExternalAccess":false,
"InternalLogonType":0,
"LogonType":0,
"LogonUserSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxGuid":"90d31cb1-d428-43a7-82cb-9ecaf526bda8",
"MailboxOwnerSid":"S-1-5-21-1587198437-855871042-1312952668-23578732",
"MailboxOwnerUPN":"example@test.onmicrosoft.com",
"OrganizationName":"test.onmicrosoft.com",
"OriginatingServer":"DM6PR06MB4844 (15.20.4200.000)\r\n",
"SessionId":"c73392a1-6d2e-42f5-ace1-f3965111e109",
"AffectedItems":[{
"Id":"RgAAAAAgL0dcqfr+QYkwnaCB+wwMBwBx36FMViA4QL6OjQQj0W4QAAAAAAENAABx36FMViA4QL6OjQQj0W4QAAFb0NzJAAAA",
"InternetMessageId":"<DM6PR06MB4844135DDF8FB5589A0935CAD7192@DM6PR06MB4844.namprd06.prod.outlook.com>",
"ParentFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
},
"Subject":"Test Calender Entry 24"
}],
"CrossMailboxOperation":false,
"DestFolder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAEKAAAB",
"Path":"\\Deleted Items"
},
"Folder":{
"Id":"LgAAAAAgL0dcqfr+QYkwnaCB+wwMAQBx36FMViA4QL6OjQQj0W4QAAAAAAENAAAC",
"Path":"\\Calendar"
}
}Download Resource
ET0034
A resource was downloaded.
Download Resource
ET0034
A resource was downloaded.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Resource Name
-
Resource Type
-
Resource Metadata
Exchange Audit Logs
Includes logs for Exchange administration and mailbox activities.
References
Retention Details
Storage Duration: 180 days
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Latency Details
Duration: Typically 60 to 90 minutes after an event occurs.
Minimum retention is 180 days, but organizations can set a retention policy up to 10 years dependent on licensing, reference https://learn.microsoft.com/en-us/purview/audit-log-retention-policies
Authentication
Events (3)
No Results Found
Account Login
ET0001
An account attempted to login to a system.
Account Login
ET0001
An account attempted to login to a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Failure Context
-
Credential Context
-
Identity Service Provider Context
Account Logout
ET0002
An account attempted to logout of a system.
Account Logout
ET0002
An account attempted to logout of a system.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
MFA Verification
ET0003
Enter or acknowledge an MFA factor which indicates success or failure.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Verification Method
-
Verification Flagged
-
Activity Performed
Authorization
Events (18)
No Results Found
Create User
ET0004
Creates a user.
Create User
ET0004
Creates a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Read User
ET0005
Reads information about a user.
Read User
ET0005
Reads information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Update User
ET0006
Updates information about a user.
Update User
ET0006
Updates information about a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Target Attribute Context
Delete User
ET0007
Removes or deletes a user.
Delete User
ET0007
Removes or deletes a user.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
Create Group
ET0008
Creates a logical group.
Create Group
ET0008
Creates a logical group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
User ID
-
User Type / Role
-
Target Group Name
Unsupported
-
Result
-
Username
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-03T15:29:06",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-03T15:34:16",
"Id":"64ecdac9-543e-4046-99be-087dd56c2150",
"Operation":"TeamCreated",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":2,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"TeamGuid":"19:ni2H9QQogRGdOxflsO1Y_JGNwcM_g2bmD6ng483GF_41@thread.tacv2",
"TeamName":"New Team 1"
}Read Group
ET0009
Reads a group.
Read Group
ET0009
Reads a group.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Group Name
Update Group
ET0010
Updates a group.
Update Group
ET0010
Updates a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Attribute Context
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-02T21:11:45",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-03T15:50:19",
"Id":"2c658d54-4fc9-477f-b98c-48500df799b4",
"Operation":"TeamSettingChanged",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"Name":"Team name",
"TeamGuid":"19:908b4ca6d6d84b989347b8427e5048ce@thread.tacv2",
"NewValue":"Test Updated Team Name",
"OldValue":"Digital Initiative Public Relations",
"TeamName":"Test Updated Team Name"
}Delete Group
ET0011
Removes or deletes a group.
Delete Group
ET0011
Removes or deletes a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"AppAccessContext":{
"IssuedAtTime":"2024-05-02T21:26:11",
"UniqueTokenId":"XeDaLWgRe1rsdtbkm15SAw"
},
"CreationTime":"2024-05-03T15:33:02",
"Id":"6718936a-de28-4f7d-9b40-29256adfca43",
"Operation":"TeamDeleted",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"62b732f7-fc71-40bc-b27d-35efcb0509de",
"UserType":5,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"Microsoft Teams Sync",
"TeamGuid":"19:xd7VhKaazsuwrJCpopRmHA1KCyC00Iftn7mqR-fV_ik1@thread.tacv2",
"TeamName":"Test Group 200"
}Add To Group
ET0012
Adds a service, user or account to a group.
Add To Group
ET0012
Adds a service, user or account to a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-01T05:10:10",
"Id":"d84f2254-5d4b-5274-91ad-6729e781821f",
"Operation":"MemberAdded",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"AADGroupId":"a86f3642-1b11-468d-aaa3-8398902bd512",
"CommunicationType":"Team",
"ExtraProperties":[],
"Members":[{
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"DisplayName":"Alex Wilber",
"Role":1,
"UPN":"AlexW@test.onmicrosoft.com"
}],
"ParticipantInfo":{
"HasForeignTenantUsers":false,
"HasGuestUsers":false,
"HasUnauthenticatedUsers":false,
"ParticipatingDomains":[],
"ParticipatingSIPDomains":[]
},
"ResourceTenantId":"8326222c-5c86-45a1-b768-561ad270c694",
"TeamGuid":"19:xd7VhKaazsuwrJCpopRmHA1KCyC00Iftn7mqR-fV_ik1@thread.tacv2",
"ItemName":"Test Group 100",
"TeamName":"Test Group 100"
}Remove From Group
ET0013
Removes a service, user or account from a group.
Remove From Group
ET0013
Removes a service, user or account from a group.
Supported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Username
-
User ID
-
Target Username
-
Target Group Name
Unsupported
-
Result
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
Success
{
"CreationTime":"2024-05-03T15:49:22",
"Id":"a7c73bdd-0302-533a-bff4-97d64dc681a9",
"Operation":"MemberRemoved",
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"RecordType":25,
"UserKey":"f1c08887-d776-42f8-9911-06faa5ab392f",
"UserType":0,
"Version":1,
"Workload":"MicrosoftTeams",
"UserId":"example@test.onmicrosoft.com",
"AADGroupId":"21492354-b302-4664-ae50-bf7e27cabc0e",
"CommunicationType":"Team",
"ExtraProperties":[],
"Members":[{
"OrganizationId":"8326222c-5c86-45a1-b768-561ad270c694",
"DisplayName":"Pradeep Gupta",
"Role":1,
"UPN":"PradeepG@test.onmicrosoft.com"
}],
"ParticipantInfo":{
"HasForeignTenantUsers":false,
"HasGuestUsers":false,
"HasUnauthenticatedUsers":false,
"ParticipatingDomains":[],
"ParticipatingSIPDomains":[]
},
"ResourceTenantId":"8326222c-5c86-45a1-b768-561ad270c694",
"TeamGuid":"19:fdeeeb50e13d4630ac6be879c2318b53@thread.tacv2",
"ItemName":"U.S. Sales Updated v2",
"TeamName":"U.S. Sales Updated v2"
}Create Role
ET0014
Creates a new role.
Create Role
ET0014
Creates a new role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Read Role
ET0015
Reads a role.
Read Role
ET0015
Reads a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Update Role
ET0016
Updates a role.
Update Role
ET0016
Updates a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Attribute Context
-
Target Role Name
Delete Role
ET0017
Removes or deletes a role.
Delete Role
ET0017
Removes or deletes a role.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Role Name
Add Permission
ET0018
Adds a permission to a resource.
Add Permission
ET0018
Adds a permission to a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Remove Permission
ET0019
Removes a permission from a resource.
Remove Permission
ET0019
Removes a permission from a resource.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Permission Name
-
Target Resource Name
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Add Enrollment
ET0020
A MFA enrollment was added to an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Remove Enrollment
ET0021
A MFA enrollment was removed from an account.
Supported
No Supported Attributes
Unsupported
-
Timestamp
-
Event ID
-
Event Code / Type
-
Result
-
Username
-
User ID
-
User Type / Role
-
Session ID
-
IP Address
-
IP Geolocation / ASN
-
User Agent Name
-
Device/Client Type
-
Target Username
-
Enrollment Type
System Audit
Events (8)
No Results Found
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Create Security Configuration
ET0022
Creates a security configuration policy or enables settings.
Supported
<