List Audit Events

Lists audit events that match query parameters.

Headers

AuthorizationstringRequired

Bearer authentication of the form Bearer <token>, where token is your auth token.

Query parameters

filterOps.context.changeIDstringOptionalformat: "uuid"<=36 characters
ID for the audit event.
filterOps.context.requestIDstringOptionalformat: "uuid"<=36 characters
ID for the request that caused the event.
filterOps.context.traceIDstringOptional<=2048 characters
ID for the request set by the service that received the request.
filterOps.context.sessionIDstringOptionalformat: "uuid"<=36 characters
ID for the session in which the request was sent.
filterOps.context.actorstringOptional<=2048 characters

Member who sent the request. Depending on actorType, this may be a user ID or a service account ID.

filterOps.context.actorTypeenumOptional
Type of member who sent the request.
Allowed values:
filterOps.context.accessTypeenumOptional
Type of access for the request.
Allowed values:
filterOps.context.ipAddressstringOptionalformat: "ipv4"<=15 characters
IP Address of the client that made the request.
filterOps.context.originstringOptional<=2048 characters

HTTP Origin request header (including scheme, hostname, and port) of the request.

filterOps.context.authModeenumOptional

Authentication mode the actor used.

Allowed values:
filterOps.context.jwtIDstringOptional<=2048 characters
ID of the JWT token.
filterOps.context.bearerTokenContextIDstringOptional<=2048 characters
Embedded User Context.
filterOps.parentAccountIDstringOptional<=2048 characters
Resources with the specified parent account ID.
filterOps.accountIDstringRequired<=2048 characters
Resources with the specified account ID.
filterOps.workspaceIDstringOptional<=2048 characters
Resources with the specified workspace ID.
filterOps.vaultIDstringOptional<=2048 characters
Resources with the specified vault ID.
filterOps.resourceIDsstringOptional<=2048 characters

Resources with a specified ID. If a resource matches at least one ID, the associated event is returned. Format is a comma-separated list of “<resourceType>/<resourceID>”. For example, “VAULT/12345, USER/67890”.

filterOps.actionTypeenumOptional
Events with the specified action type.
filterOps.resourceTypeenumOptional
Resources with the specified type.
filterOps.tagsstringOptional<=2048 characters

Events with associated tags. If an event matches at least one tag, the event is returned. Comma-separated list. For example, “login, get”.

filterOps.responseCodeintegerOptional>=100<=599
HTTP response code of the request.
filterOps.startTimestringOptionalformat: "date-time"<=100 characters
Start timestamp for the query, in SQL format.
filterOps.endTimestringOptionalformat: "date-time"<=100 characters
End timestamp for the query, in SQL format.
filterOps.apiNamestringOptional<=2048 characters
Name of the API called in the request.
filterOps.responseMessagestringOptional<=2048 characters
Response message of the request.
filterOps.httpMethodstringOptional<=2048 characters
HTTP method of the request.
filterOps.httpURIstringOptional<=2048 characters
HTTP URI of the request.
sortOps.sortBystringOptional<=2048 characters

Fully-qualified field by which to sort results. Field names should be in camel case (for example, “capitalization.camelCase”).

sortOps.orderByenumOptionalDefaults to ASCENDING
Ascending or descending ordering of results.
Allowed values:
afterOps.timestampstringOptionalformat: "date-time"<=100 characters

Timestamp provided in the previous audit response’s nextOps attribute. An alternate way to manage response pagination. Can’t be used with sortOps or offset. For the first request in a series of audit requests, leave blank.

afterOps.changeIDstringOptionalformat: "uuid"<=36 characters

Change ID provided in the previous audit response’s nextOps attribute. An alternate way to manage response pagination. Can’t be used with sortOps or offset. For the first request in a series of audit requests, leave blank.

limitlongOptionalDefaults to 25
Number of results to return.
offsetlongOptionalDefaults to 0
Record position at which to start returning results.

Response

A successful response.
eventlist of objects or null
Events matching the query.
nextOpsobject or null

Errors