The Event Maturity Matrix (EMM) is a comprehensive framework that provides clarity regarding the capabilities and nuances of SaaS audit logging. It is a valuable resource for security practitioners who want to obtain visibility into the different types of user activities that are logged, see real-world examples of SaaS audit logs, and use these insights to guide security monitoring and operational objectives.
The SaaS Event Maturity Matrix (EMM) was developed with the defensive security practitioner in mind. As such, the matrix’s overarching theme is to provide context regarding the depth of visibility as it pertains to security monitoring use cases. The Matrix consists of the following concepts:
Events (3)
An account attempted to log in to a system.
An account attempted to log in to a system.
{
"action_at": "2023-06-22T19:06:47.149965+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_google",
"log_id": "ad9ddec3-8542-4d5a-b710-67928321abdc",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}
{
"action_at": "2023-06-14T21:57:50.583325+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.2",
"user_username": "pmcandrew+test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_login_failed",
"log_id": "6cbd2dc5-c125-40d1-8dcf-9936abda6c5f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": null
}
An account attempted to log out of a system.
An account attempted to log out of a system.
{
"action_at": "2023-06-22T20:48:41.714659+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "bob@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_logout",
"log_id": "49fc4cd2-653e-4261-bb59-25dc6ee7a1c0",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}
An MFA factor was entered or acknowledged, with the event indicating success or failure.
An MFA factor was entered or acknowledged, with the event indicating success or failure.
{
"action_at": "2023-06-23T20:11:06.106260+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_totp_challenge",
"log_id": "76812b0e-d9b0-4730-b5a1-5d4169743e2e",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}
Events (18)
Creates a user.
Creates a user.
{
"action_at": "2023-06-20T14:20:30.626150+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 13148,
"target_user_username": "pmcandrew_test11",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_created",
"log_id": "188fdcf3-143a-49e9-ba80-452b48f42e4f",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}
Reads information about a user.
Reads information about a user.
Updates information about a user.
Updates information about a user.
Removes or deletes a user.
Removes or deletes a user.
{
"action_at": "2023-06-15T02:02:19.147946+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.3",
"user_username": "john@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_disabled",
"log_id": "7f75c117-f8f8-4739-bfcf-cac8a728d486",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}
Creates a logical group.
Creates a logical group.
Reads a group.
Reads a group.
Updates a group.
Updates a group.
Removes or deletes a group.
Removes or deletes a group.
Adds a service, user or account to a group.
Adds a service, user or account to a group.
Removes a service, user or account from a group.
Removes a service, user or account from a group.
Creates a new role.
Creates a new role.
Reads a role.
Reads a role.
Updates a role.
Updates a role.
Removes or deletes a role.
Removes or deletes a role.
Adds a permission to a resource.
Adds a permission to a resource.
Removes a permission from a resource.
Removes a permission from a resource.
An MFA enrollment was added to an account.
An MFA enrollment was added to an account.
{
"action_at": "2023-06-14T22:00:24.705316+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": "TOTP",
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_enabled",
"log_id": "7ed13faf-9e3c-4905-839d-ff44309c2f72",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}
An MFA enrollment was removed from an account.
An MFA enrollment was removed from an account.
{
"action_at": "2023-06-23T20:12:09.106337+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "+1 856-981-2588",
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": 12893,
"target_user_username": "pmcandrew_test10",
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "pmcandrew_test10",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "user_mfa_disabled",
"log_id": "34628772-1560-46da-81d0-2371c5cc3106",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 12893
}
Events (8)
Creates a security configuration policy or enables settings.
Creates a security configuration policy or enables settings.
Reads a security configuration policy or settings.
Reads a security configuration policy or settings.
Updates a security configuration policy or settings.
Updates a security configuration policy or settings.
{
"action_at": "2023-06-22T15:51:50.253793+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": "True",
"oauth_application_id": null,
"old_value": "False",
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": "Direct Auth Enabled",
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.5",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ao_sys_setting_change",
"log_id": "d2c46cde-44f7-43ac-84f5-79b8184c8105",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": null,
"service_name": null,
"service_type": "None",
"user_id": 3187
}
Removes or deletes a security configuration policy or setting.
Removes or deletes a security configuration policy or setting.
Creates a new integration.
Creates a new integration.
Reads an existing integration.
Reads an existing integration.
Updates an existing integration.
Updates an existing integration.
Removes or deletes an existing integration.
Removes or deletes an existing integration.
Events (5)
A resource was created.
A resource was created.
{
"action_at": "2023-06-22T20:21:55.407230+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": 442431,
"policy_name": "EMM Test Policy",
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.1",
"user_username": "jane@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "policy_created",
"log_id": "cb89b034-2f3b-4b41-9a34-6fdb289f4a6a",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": 442431,
"service_id": null,
"service_name": null,
"service_type": "box",
"user_id": 3187
}
A resource was read.
A resource was read.
A resource was updated.
A resource was updated.
{
"action_at": "2023-06-22T20:05:09.728571+00:00",
"action_data":
{
"access_token_id": null,
"detail_str": null,
"detection_alert_id": null,
"detection_rule_id": null,
"detection_rule_name": null,
"detection_ruleset_id": null,
"detection_ruleset_name": null,
"element_id": null,
"element_list_id": null,
"element_type": null,
"email_addresses": null,
"email_identifier": null,
"email_reason": null,
"error_str": null,
"external_entity_id": null,
"file_id": null,
"global_value_list_collection_id": null,
"group_id": null,
"group_name": null,
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"new_value": null,
"oauth_application_id": null,
"old_value": null,
"platform_ingest_job_id": null,
"policy_assessment_completion_date": null,
"policy_assessment_id": null,
"policy_id": null,
"policy_name": null,
"reason_str": null,
"refresh_token_id": null,
"rule_id": null,
"ruleevent_id": null,
"ruleexception_id": null,
"setting_name": null,
"sink_id": null,
"sink_name": null,
"tag_id": null,
"tag_name": null,
"target_user_id": null,
"target_user_username": null,
"third_party_application_id": null,
"third_party_application_name": null,
"type_str": null,
"unified_identity_email": null,
"unified_identity_id": null,
"user_agent": null,
"user_ip": null,
"user_username": "mallory@example.com",
"workflow_instance_id": null,
"workflow_instance_name": null
},
"action_type": "ms_detection_ingestion_disabled",
"log_id": "ea080b00-2cf0-49fe-b1ba-6081f17a66ff",
"omnitab_user_id": null,
"org_id": 176,
"perspective_id": null,
"perspective_name": null,
"policy_id": null,
"service_id": 35781,
"service_name": "AppOmni",
"service_type": "box",
"user_id": 3187
}
A resource was removed or deleted.
A resource was removed or deleted.
{
"action_at": "2023-07-12T19:07:57.569196+00:00",
"action_data":
{
"md_kind": "core.aoaudit.auditdata",
"md_version": 1,
"policy_id": 410860,
"policy_name": "Test Salesforce Policy",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"user_ip": "198.51.100.4",
"user_username": "bob@example.com"
},
"action_type": "policy_deleted",
"log_id": "d4b105e8-d29b-436e-947e-52a6be5f58de",
"org_id": 176,
"service_type": "sfdc",
"user_id": 3187
}
A resource was downloaded.
A resource was downloaded.
AppOmni audit logs that provide a record of user activity.
Storage Duration: 180 days
Historical audit logs are stored for 180 days.
Duration: Near Real-Time
Historical audit logs are stored for 180 days.
AppOmni is a cloud-based platform designed to help organizations assess, monitor, and protect their data and configurations within SaaS applications. AppOmni audit logs are collected via the *auditlogs* API and can be streamed to a Threat Detection event sink. Historical audit logs are also stored for 180 days and can be accessed via the scheduled reports feature. There are currently minor formatting differences between API/Event Sink logs and the logs retrieved via scheduled reports, so parsers and detection rules built against one source should be validated against the other.
To collect events, make a call to the /core/auditlogs endpoint and specify the desired parameters.
Audit logs are delivered to all Threat Detection event sinks.
Create a scheduled report of type "AppOmni Audit Logs" to download audit logs.
Events (3)
An account attempted to log in to a system.
An account attempted to log in to a system.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T08:28:41-07:00",
"created_by":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "00000000-abcd-1234-ab08-2cfe92d42606",
"event_type": "LOGIN",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"id": "16779123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:08:06-07:00",
"created_by":
{
"id": "2",
"login": "",
"name": "Unknown User",
"type": "user"
},
"event_id": "00000000-abcd-1234-84ee-12298e09cfa9",
"event_type": "FAILED_LOGIN",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"id": "12345648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"type": "event"
}
An account attempted to log out of a system.
An account attempted to log out of a system.
An MFA factor was entered or acknowledged, with the event indicating success or failure.
An MFA factor was entered or acknowledged, with the event indicating success or failure.
Events (18)
Creates a user.
Creates a user.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:34:43-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-92ad-46f2f69e45cd",
"event_type": "NEW_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "25512345631",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}
Reads information about a user.
Reads information about a user.
Updates information about a user.
Updates information about a user.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:29-07:00",
"created_by":
{
"id": "12345648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "00000000-abcd-1234-be64-7fdc0421e478",
"event_type": "EDIT_USER",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}
Removes or deletes a user.
Removes or deletes a user.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:35:58-07:00",
"created_by":
{
"id": "12345648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "00000000-abcd-1234-9c97-5e32f323b9f0",
"event_type": "DELETE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863123456",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}
Creates a logical group.
Creates a logical group.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:36-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "00000000-abcd-1234-a8a6-6f5474e5d86d",
"event_type": "GROUP_CREATION",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "my_sample_group"
},
"type": "event"
}
Reads a group.
Reads a group.
Updates a group.
Updates a group.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:36:46-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "49d24c58-a0e5-4ec7-9ccd-347827b0afed",
"event_type": "GROUP_EDITED",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"type": "event"
}
Removes or deletes a group.
Removes or deletes a group.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T10:46:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "24ada35a-a9e9-4c67-8fc9-33b5b9f9b52b",
"event_type": "GROUP_DELETION",
"ip_address": "198.51.100.2",
"session_id": null,
"source":
{
"group_id": "15299083860",
"group_name": "a_sample_group"
},
"type": "event"
}
Adds a service, user or account to a group.
Adds a service, user or account to a group.
{
"action_by": null,
"additional_details":
{
"group_id": "15297703631",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:24:15-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "f0545aa9-4be4-451e-a8d2-3c56aa257b8a",
"event_type": "GROUP_ADD_USER",
"ip_address": "198.51.100.3",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"type": "event"
}
Removes a service, user or account from a group.
Removes a service, user or account from a group.
{
"action_by": null,
"additional_details":
{
"group_id": "9744086129",
"group_name": "a_sample_group"
},
"created_at": "2023-05-09T10:45:45-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "56ae6ebb-7d6c-418e-bdeb-98d067c52af2",
"event_type": "GROUP_REMOVE_USER",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"id": "18863890488",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"type": "event"
}
Creates a new role.
Creates a new role.
Reads a role.
Reads a role.
Updates a role.
Updates a role.
Removes or deletes a role.
Removes or deletes a role.
Adds a permission to a resource.
Adds a permission to a resource.
{
"accessible_by":
{
"id": "25575650631",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"action_by": null,
"additional_details":
{
"collab_id": "44582004179",
"is_performed_by_admin": false,
"role": "Editor",
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:57:12-07:00",
"created_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"event_id": "15f0f70a-4502-496a-badf-5a0b12e49656",
"event_type": "COLLABORATION_INVITE",
"ip_address": "198.51.100.5",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "jane@example.com",
"name": "Jane Miller",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_id": "25575650631",
"user_name": "John Doe"
},
"type": "event"
}
Removes a permission from a resource.
Removes a permission from a resource.
{
"action_by": null,
"additional_details":
{
"collab_id": "44582741378",
"is_performed_by_admin": false,
"type": "box://event/additional_details/collaboration",
"version_id": "1328658101408"
},
"created_at": "2023-05-18T12:47:09-07:00",
"created_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"event_id": "052e68a2-7a29-4694-a77f-fec5713cb26f",
"event_type": "COLLABORATION_REMOVE",
"ip_address": "198.51.100.1",
"session_id": null,
"source":
{
"file_id": "1209733707368",
"file_name": "a_sample_file.doc",
"owned_by":
{
"id": "18863648385",
"login": "john@example.com",
"name": "John Doe",
"type": "user"
},
"parent":
{
"id": "206846635609",
"name": "My Box Notes",
"type": "folder"
},
"user_email": "alice@example.com"
},
"type": "event"
}
An MFA enrollment was added to an account.
An MFA enrollment was added to an account.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:27:03-07:00",
"created_by":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"event_id": "7fd655c7-5a4a-4e13-8375-dc08cd2cf8b9",
"event_type": "MULTI_FACTOR_AUTH_ENABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "alice@example.com",
"name": "Alice Brown",
"type": "user"
},
"type": "event"
}
An MFA enrollment was removed from an account.
An MFA enrollment was removed from an account.
{
"action_by": null,
"additional_details": null,
"created_at": "2023-05-09T09:29:19-07:00",
"created_by":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"event_id": "0bf5e6ad-a068-4770-9979-c7f409eb976b",
"event_type": "MULTI_FACTOR_AUTH_DISABLE",
"ip_address": "Unknown IP",
"session_id": null,
"source":
{
"id": "18863648385",
"login": "bob@example.com",
"name": "Bob Smith",
"type": "user"
},
"type": "event"
}
Events (8)
Creates a security configuration policy or enables settings.
Creates a security configuration policy or enables settings.
Reads a security configuration policy or settings.
Reads a security configuration policy or settings.
Updates a security configuration policy or settings.
Updates a security configuration policy or settings.
Removes or deletes a security configuration policy or setting.
Removes or deletes a security configuration policy or setting.
Creates a new integration.
Creates a new integration.
Reads an existing integration.
Reads an existing integration.
Updates an existing integration.
Updates an existing integration.
Removes or deletes an existing integration.
Removes or deletes an existing integration.
Events (5)
A resource was created.
A resource was created.
{
"action_by": null,
"additional_details":
{
"ekm_id": "b87156a9-6aff-4c21-910b-c5f1a8a02afd",
"service_id": "231318",
"service_name": "Multiput Uploads",
"size": 2584,
"version_id": "1319684204015"
},
"created_at": "2023-05-09T11:15:47-07:00",
"created_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"event_id": "aeffeb99-f9a5-4243-9d3c-93f862dceec7",
"event_type": "UPLOAD",
"ip_address": "198.51.100.4",
"session_id": null,
"source":
{
"item_id": "1209714644015",
"item_name": "a_sample_file.csv",
"item_type": "file",
"owned_by":
{
"id": "18863648385",
"login": "mallory@example.com",
"name": "Mallory Jones",
"type": "user"
},
"parent":
{
"id": "206849236842",
"name": "Test Folder",
"type": "folder"
}
},
"type": "event"
}
A resource was read.
A resource was read.