Audit Events Reference
| NAME | CODE | SEVERITY | DESCRIPTION |
|---|---|---|---|
| License-error | 0 | Critical(2) | The system license does not allow operation. |
| Configuration-error | 1 | Critical(2) | The system configuration is invalid. |
| Service-starting | 10 | Info(6) | The service is starting. |
| Service-running | 11 | Info(6) | The service is running. |
| Service-stopped | 12 | Warning(4) | The service has been stopped. |
| Unknown-event | 99 | Critical(2) | Unknown event ID |
| User-logged-in | 100 | Info(6) | User has logged in to the system. |
| User-login-failed | 102 | Warning(4) | User login operation failed. |
| User-MFA-challenge-sent | 103 | Info(6) | User tried to log in without MFA pin code. |
| User-MFA-challenge-accepted | 104 | Info(6) | User successfully authenticated with MFA pin code. |
| User-MFA-challenge-setup-sent | 105 | Info(6) | User was MFA setup information. |
| Access-token-granted | 106 | Info(6) | Access token granted. |
| User-access-token-refreshed | 110 | Info(6) | User refreshed the access token. |
| User-access-token-refresh-failed | 111 | Warning(4) | User access token refresh failed. |
| OAuth-client-authenticated | 121 | Info(6) | OAuth client authenticated. |
| OAuth-client-authentication-failed | 122 | Warning(4) | OAuth client authentication failed. |
| User-login-attempt-rate-limited | 130 | Info(6) | User login attempt rate limited. |
| Role-added | 201 | Info(6) | New role added to the system. |
| Role-modified | 202 | Info(6) | Role has been modified. |
| Role-removed | 203 | Info(6) | Role has been removed. |
| Directory-added | 210 | Info(6) | New directory added to the system. |
| Directory-modified | 211 | Info(6) | Directory has been modified. |
| Directory-removed | 212 | Info(6) | Directory has been removed. |
| Directory-authentication-failed | 213 | Info(6) | Directory authentication failed. |
| User-roles-modified | 220 | Info(6) | The user's role associations were changed. |
| AWS-token-granted | 230 | Info(6) | AWS token was granted to a user. |
| AWS-token-grant-failed | 231 | Warning(4) | AWS token grant failed. |
| LogConf-collector-created | 232 | Info(6) | LogConf collector created. |
| LogConf-collector-modified | 233 | Info(6) | LogConf collector modified. |
| LogConf-collector-removed | 234 | Info(6) | LogConf collector removed. |
| LogConf-collector-failed | 235 | Warning(4) | LogConf collector failed. |
| RoleContext-usage-alert | 250 | Warning(4) | RoleContext limitations were violated. |
| RoleContext-role-blocked | 251 | Warning(4) | RoleContext limitations were violated, role blocked. |
| Authorized-key-added | 260 | Info(6) | Authorized key added. |
| Authorized-key-modified | 261 | Info(6) | Authorized key modified. |
| Authorized-key-removed | 262 | Info(6) | Authorized key removed. |
| Identity-provider-added | 270 | Info(6) | New IDP added to the system. |
| Identity-provider-modified | 271 | Info(6) | IDP has been modified. |
| Identity-provider-removed | 272 | Info(6) | IDP has been removed. |
| Connection-requested | 300 | Info(6) | Connection was requested. |
| Connection-authenticated | 301 | Info(6) | Connection was authenticated. |
| Connection-rejected | 302 | Warning(4) | Connection was rejected. |
| Connection-closed | 303 | Info(6) | Connection was closed. |
| Connection-failed | 304 | Info(6) | Connection closed with an error. |
| Client-authenticated | 305 | Info(6) | Client was authenticated. |
| Session-added | 310 | Info(6) | A session was added to a connection. |
| Session-removed | 311 | Info(6) | A session was removed from a connection. |
| Session-rejected | 312 | Warning(4) | A session was rejected. |
| File-upload | 320 | Info(6) | File upload performed. |
| File-download | 321 | Info(6) | File download performed. |
| File-upload-rejected | 322 | Warning(4) | File upload was rejected. |
| File-download-rejected | 323 | Warning(4) | File download was rejected. |
| Host-key-matched | 324 | Info(6) | Host key matched. |
| Host-key-denied | 325 | Alert(1) | Host key denied. |
| Host-key-accepted | 326 | Info(6) | Host key accepted. |
| Host-key-saved | 327 | Info(6) | Host key saved. |
| Extender-connected | 328 | Info(6) | Extender connected. |
| Extender-disconnected | 329 | Warning(4) | Extender disconnected. |
| File-removed | 330 | Info(6) | File removed via SSH. |
| Folder-removed | 331 | Info(6) | Folder removed via SSH. |
| File-moved | 332 | Info(6) | File moved. |
| Folder-created | 333 | Info(6) | Folder created. |
| Connection-audit-started | 334 | Info(6) | Connection audit started. |
| Connection-audit-failed | 335 | Alert(1) | Connection audit failed. |
| Host-certificate-trusted | 336 | Info(6) | Host certificate trusted. |
| Host-certificate-matched | 337 | Info(6) | Host certificate matched. |
| Host-certificate-denied | 338 | Alert(1) | Host certificate denied. |
| Host-certificate-accepted | 339 | Info(6) | Host certificate accepted. |
| Host-certificate-saved | 340 | Info(6) | Host certificate saved. |
| Connection-accepted | 341 | Info(6) | Connection accepted. |
| File-upload-blocked | 342 | Warning(4) | File upload blocked by ICAP. |
| File-download-blocked | 343 | Warning(4) | File download blocked by ICAP. |
| Authorization-requested | 400 | Info(6) | A client requested an authorization. |
| Authorization-certificate-granted | 401 | Info(6) | An authorization certificate granted. |
| Authorization-role-key-granted | 402 | Info(6) | An authorization role key granted. |
| Authorization-role-key-sign-operation-rejected | 403 | Warning(4) | An authorization role key sign operation was rejected. |
| Authorization-role-key-sign-operation-accepted | 404 | Info(6) | An authorization role key sign operation was accepted. |
| Authorization-rejected | 405 | Alert(1) | An authorization was rejected. |
| Authorization-certificate-warning | 406 | Warning(4) | Authorization certificate creation generated warnings. |
| Authorization-passphrase-returned | 407 | Info(6) | Authorization passphrase was returned. |
| Principal-added | 410 | Info(6) | A principal was added. |
| Principal-removed | 411 | Info(6) | A principal was removed. |
| Trusted-client-added | 420 | Info(6) | A trusted client was added. |
| Trusted-client-modified | 421 | Info(6) | A trusted client was modified. |
| Trusted-client-removed | 423 | Info(6) | A trusted client was removed. |
| API-client-added | 424 | Info(6) | An API client was added. |
| API-client-modified | 425 | Info(6) | An API client was modified. |
| API-client-removed | 426 | Info(6) | An API client was removed. |
| License-updated | 430 | Info(6) | The service license was updated. |
| CA-certificate-created | 440 | Info(6) | CA certificate was created. |
| CA-certificate-deleted | 441 | Info(6) | CA certificate was deleted. |
| EE-certificate-enrolled | 442 | Info(6) | End entity certificate was enrolled. |
| EE-certificate-revoked | 443 | Info(6) | End entity certificate was revoked. |
| CA-certificate-enrolled | 444 | Info(6) | CA certificate was enrolled. |
| CA-certificate-revoked | 445 | Info(6) | CA certificate was revoked. |
| EE-certificate-deleted | 446 | Info(6) | EE certificate was deleted. |
| Access-group-created | 450 | Info(6) | Access group created. |
| Access-group-modified | 451 | Info(6) | Access group modified. |
| Access-group-deleted | 452 | Info(6) | Access group deleted. |
| User-added | 500 | Info(6) | New user added to the system. |
| User-modified | 501 | Info(6) | User has been modified. |
| User-removed | 502 | Info(6) | User has been removed. |
| User-password-modified | 510 | Info(6) | User password has been modified. |
| User-authenticated | 520 | Info(6) | User has been authenticated. |
| User-authentication-failed | 521 | Warning(4) | User authentication has failed. |
| Workflow-added | 600 | Info(6) | A workflow was added. |
| Workflow-modified | 601 | Info(6) | A workflow was modified. |
| Workflow-removed | 602 | Info(6) | A workflow was removed. |
| Request-added | 610 | Info(6) | A request was added. |
| Request-removed | 612 | Info(6) | A request was removed. |
| Decision-made | 620 | Info(6) | A decision has been made on a request. |
| Email-sent | 630 | Info(6) | A email notification has been sent. |
| Email-configuration-modified | 631 | Info(6) | Email configuration has been modified. |
| Email-not-sent | 632 | Info(6) | Email not sent. |
| Log-downloaded | 700 | Info(6) | Log files have been downloaded. |
| Log-level-modified | 710 | Info(6) | The log level was modified. |
| Host-added | 801 | Info(6) | A host was added. |
| Host-modified | 802 | Info(6) | A host was modified. |
| Host-removed | 803 | Info(6) | A host was removed. |
| Host-service-connection-re-established | 804 | Info(6) | A host service connection re-established. |
| Host-service-connection-failure | 805 | Warning(4) | A host service connection failed. |
| Host-disabled-state-changed | 806 | Info(6) | Host disabled state changed. |
| White-list-added | 811 | Info(6) | A white list was added. |
| White-list-modified | 812 | Info(6) | A white list was modified. |
| White-list-removed | 813 | Info(6) | A white list was removed. |
| Connection-terminated | 900 | Info(6) | Connection terminated. |
| Connection-terminated-for-host | 901 | Info(6) | Connection terminated for host. |
| Connection-terminated-for-user | 902 | Info(6) | Connection terminated for user. |
| Licensed-connection-count-exceeded | 903 | Warning(4) | Licensed connection count exceeded. |
| Access-role-granted | 910 | Info(6) | Access role granted. |
| Access-role-revoked | 911 | Info(6) | Access role revoked. |
| Connections-meta-removed | 920 | Info(6) | Connections meta removed. |
| Connection-blocked-by-ueba | 930 | Alert(1) | Connection blocked by Ueba. |
| Connection-unusual-behavior-by-ueba | 931 | Warning(4) | Connection marked as unusual by Ueba. |
| Connection-marked-anomaly-by-ueba | 932 | Alert(1) | Connection marked as anomaly by Ueba. |
| Trail-opened | 1000 | Info(6) | Trail opened. |
| Trail-open-failed | 1001 | Alert(1) | Failed to open trail. |
| Trail-file-open-failed | 1002 | Alert(1) | Failed to open trail file. |
| Trail-file-read-failed | 1003 | Alert(1) | Failed to read trail file. |
| Trail-removed | 1004 | Info(6) | Trail removed. |
| Trail-remove-failed | 1005 | Warning(4) | Failed to remove trail. |
| Trail-file-integrity-failed | 1006 | Alert(1) | Trail file integrity check failed. |
| Trail-file-downloaded | 1007 | Info(6) | Trail file downloaded. |
| Config-checksum-added | 1100 | Info(6) | A config file checksum was added. |
| Config-checksum-changed | 1101 | Info(6) | A config file checksum has changed. |
| Transcript-status-scheduled | 1201 | Info(6) | Transcript status: scheduled. |
| Transcript-status-indexing | 1202 | Info(6) | Transcript status: indexing. |
| Transcript-status-indexed | 1203 | Info(6) | Transcript status: indexed. |
| Transcript-status-error | 1204 | Warning(4) | Transcript status: error. |
| Transcript-status-not-indexed | 1205 | Info(6) | Transcript status: not indexed. |
| Transcript-trail-removed | 1206 | Info(6) | Transcript trail removed. |
| Transcript-opened | 1207 | Info(6) | Transcript opened. |
| Disk-full | 1301 | Critical(2) | Disk full. |
| Auditevent-removed | 1302 | Info(6) | Auditevent removed. |
| PrivX-restarted | 1303 | Info(6) | PrivX restarted. |
| PrivX-db-clock-out-of-sync | 1304 | Warning(4) | PrivX and Database clocks are out of sync. |
| Secret-created | 1400 | Info(6) | Secret created. |
| Secret-removed | 1401 | Info(6) | Secret removed. |
| Secret-accessed | 1402 | Info(6) | Secret accessed. |
| Secret-changed | 1403 | Info(6) | Secret changed. |
| Secret-metadata-changed | 1404 | Info(6) | Secret's metadata changed. |
| Settings-modified | 1501 | Info(6) | Settings modified. |
| Network-target-created | 1600 | Info(6) | Network target created. |
| Network-target-modified | 1601 | Info(6) | Network target modified. |
| Network-target-removed | 1602 | Info(6) | Network target removed. |
| Router-initialized | 1603 | Info(6) | Router initialized for network access manager. |
| Router-init-failed | 1604 | Warning(4) | Router initialization for network access manager failed. |
| Network-session-opened | 1605 | Info(6) | Network session opened. |
| Network-session-closed | 1606 | Info(6) | Network session closed. |
| Network-session-failure | 1607 | Warning(4) | Network session failure. |
| Network-session-fatal-failure | 1608 | Alert(1) | Network session fatal failure. |
| Network-target-disabled-state-changed | 1609 | Info(6) | Network target disabled state changed. |
| Password-rotation-policy-created | 1700 | Info(6) | Password rotation policy created. |
| Password-rotation-policy-modified | 1701 | Info(6) | Password rotation policy modified. |
| Password-rotation-policy-removed | 1702 | Info(6) | Password rotation policy removed. |
| Password-rotation-script-created | 1703 | Info(6) | Password rotation script created. |
| Password-rotation-script-modified | 1704 | Info(6) | Password rotation script modified. |
| Password-rotation-script-removed | 1705 | Info(6) | Password rotation script removed. |
| Password-rotation-failure | 1706 | Alert(1) | Password rotation failure. |
| SSH-live-event | 1800 | Info(6) | SSH live event |
| SSH-whitelisted-command-allowed | 1801 | Info(6) | SSH whitelisted command allowed |
| SSH-non-whitelisted-command-allowed | 1802 | Info(6) | SSH non-whitelisted command allowed |
| SSH-command-blocked | 1803 | Info(6) | SSH command blocked |
Updated over 1 year ago