Audit Log Object

Defines the schema for audit logs.


The Audit Log object schema includes the following attributes:

actorThe user or system that made the change.

type - whether the change was made by a user or the system. One of system-generated or user
user - (Only included in changes performed by a user) Data on the user account that performed the action. Attributes: id, email, and name.
context(Only included in changes performed by a user)
Actor access details as reported by the client.
actor_access object attributes:
user_agent - information about the user’s browser.
ip_address - the access point used to access the system.
timestampUnix epoch time when the event occurred (in seconds).Timestamp (in seconds)
resource_idThe system id of the resource that was changed.String
resource_typeThe resource type that was changed.
Possible returns are:
- auto_share_rules
- correlation_patterns
- enrichment v1 custom_tags
- environments
- users
- integrations
- enrichment v2 resources:
-- tag_enrichments_order
-- tag_enrichments
-- tag
-- mapping_enrichment
action_typeThe action that was made.

The following action types are available:
init_state: this type is used only as an initial value
create: when a resource is created.
update: when a resource is updated.
delete: when a resource is deleted.
objectThe resource object after the change.

Resource objects include:
-Alert Correlation
-Alert Enrichments

When the resource is deleted, the object is {null}.

Sample Objects:

curl --request GET \
     --url '' \
     --header 'Authorization: Bearer <User API Key>' \
     --header 'accept: application/json'
  "actor": {
    "type": "user",
    "user": {
      "id": "62f0ec2d95918d0012bba5553",
      "email": "[email protected]"
  "action_type": "update",
  "context": {
    "actor_access": {
      "ip_address": "::ffff:",
      "user_agent": "axios/0.24.0"
  "resource_type": "users",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "createdAt": 1662284244,
    "lastLoginAt": 1662284281,
    "name": "Nataly",
    "state": "valid",
    "firstLoginAt": 1662284281,
    "username": "[email protected]",
    "id": "631471d494528700126a5559"