View and export audit logs

From the Dashboard page you can view and export audit logs. Authentication audit logs track authentications made to your Identity as a Service account by location, user, and authentication type. Management audit logs track actions performed in your Identity as a Service account by action and user.

Click the following options for instructions on viewing and exporting audit logs:

View audit events

1. Click > Dashboard. The Dashboard page appears.
2. Click the Authentication or Management radio button to set the type of audit log you want to view.
3. Set the number of audits on a page:
   1. Scroll to the bottom of the page.
   2. From the Rows per page drop-down list, select the number of rows to display on the page.
   3. To move to a new page, on the right-hand side of the page, do the following, as required:
      • Click > to go to the next page.
      • Click < to go to the previous page.
      • Click |< to go to the first page.

View a specific audit event

1. Click > Dashboard. The Dashboard page appears.
2. Click the Authentication or Management radio button to set the type of audit log you want to view.
3. Click the row for the specific audit log you want to view. The Audit Event page appears.
4. Click OK to close the page.

View audit logs for specific users

1. Click > Members > Users. The Users List page appears.
2. Click the UserID of the user. The User Details page appears.
3. Click the Audits tab. The list of audits appears.
4. Click the row for the specific audit log you want to view. The Audit Event page appears.
5. Click OK to close the page.

Filter audit events

1. Click > Dashboard. The Dashboard page appears.
2. Click the Authentication or Management radio button to set the type of audit log you want to view.
3. Click to enable filtering.
4. The Filters dialog box appears.
5. Select your filter options and click Apply.
6. You are returned to the Audit Log page. The page displays your filter results.
7. To clear the filter, click again.
8. On the Filters dialog box, click Reset.

Export audit events

1. Click > Dashboard. The Dashboard page appears.
2. Click the Authentication or Management radio button to set the type of audit log you want to view.
3. Click to export the audit log to a .CSV file. The Export Table to CSV dialog box appears.
4. Optional: Enter a Name for the file.
5. Optional: Enter a Description for the file.
6. Select the File Delimiter radio button: Comma (,) or Pipe (|).
7. Select the attributes you want to include in the file. If you do not select any attributes, by default all attributes are included in the CSV file.
8. Click Export. The CSV file is exported to the Reports page (see Manage reports).

Audit Data Dictionary

Event Attribute	Description	Example
id	Unique ID for the event.	313b43e7-098a-4cc9-a6fd-a1ac1c703e53
eventTime	When the event happened in UTC time. The format is YYYY-MM-DDThh:mm:ssZ.	2016-08-21T14:27:55Z
eventCategory	The event category. Valid values are AUTHENTICATION or MANAGEMENT.	AUTHENTICATION
eventType	Identifies the source of the event. Valid AUTHENTICATION values are listed under "Authentication Events" below. For MANAGEMENT actions, event types are built from the entity and action performed using this format: "<EntityType><EntityAction>Event" where EntityType and EntityAction have the first letter capitalized. For instance, the events for the USERS entity type are the following: UsersAddEvent UsersEditEvent UsersRemoveEvent	Some AUTHENTICATION examples: AuthenticationDeniedEvent AuthenticationOtpSuccessEvent AuthenticationTokenSuccessEvent AuthenticationTokenPushSuccessEvent AuthenticationOtpEmailSentEvent AuthenticationOtpSmsSentEvent Some MANAGEMENT examples: UsersAddEvent ContextrulesEditEvent ApplicationsRemoveEvent
accountId	The account UUID.	a6cb609f-c6ea-48ad-ab61-433b4054a1f8
subjectId	The user authenticating (in an AUTHENTICATION event) or administrator performing a management action—contains the internal UUID. Note: For Azure AD conditional access authentication audits where a mapping to an IDaaS user is not found or the request fails validation, the subjectId value is a random UUID value.	72fd8717-fffe-462f-83c6-131c12539af7
subjectName	The userId value of the user authenticating (in an AUTHENTICATION event) or administrator performing a MANAGEMENT action. Note: For Azure AD conditional access authentication audits where a mapping to an IDaaS user is not found or the request fails validation, the subjectName is the Azure AD provided user value (for example, the Azure AD user UPN value).	lp1415@brawlers.es
subjectType	The type of the subject. Valid values are: USER - The subject is an end user or administrator user. The subjectName is the userId of that user. ADMIN_API - The subject is an admin API application. The subjectName is the name of the application. SERVICE_PROVIDER - The subject is a service provider. The subjectName is hard-coded to "Service Provider". The subjectId is a random value. AGENT - The subject is an Enterprise Service Gateway (ESG) agent. The subjectName is the ESG name.	USERS
eventOutcome	The event outcome. Valid values are SUCCESS or FAIL.	SUCCESS
message	A message key for indicating what the event did. Note that the eventType and the message identify the same action. For management actions, the message key is built from the entity and action performed. For instance, for users, there are these message keys: users.add users.remove users.edit	service_authentication.otp_sms_send users.add
resourceId	The resource identifier (for example, the application's UUID).	a6cb609f-c6ea-48ad-ab61-433b4054a1f8
resourceName	The resource name (for example, the application name).	Salesforce
sourceIp	The request IP address or IP address provided for authentication API applications.	1.23.47.122
eventVersion	Reserved for future use. Currently always "v1".	v1
token	Depending on the stage at which the event is generated, it can contain nothing, the type of authentication the user is trying to use (OTP, TOKEN, TOKENPUSH), or the token serial number.	1234-5678
requiredPermission	The permission required to access a management entity. The permission is a duple <entityType:entityAction> in lowercase.	users:add
subscriberRoleId	The role UUID used to access the Admin Portal management application.	775419bf-efff-467a-8743-e77930cc7ed9
subscriberRoleName	The subscriber role name.	Super Administrator
serviceProviderRoleId	The role UUID used to access the Service Provider management application.	a6cb609f-c6ea-48ad-ab61-433b4054a1f8
serviceProviderRoleName	The service provider role name.	Auditor
entityType	Identifies the business entity type. Valid values are listed under "Entity Types" below.	USERS
entityAction	Identifies the action invoked on the entity. Valid values are: ADD, EDIT, REMOVE, VIEW. Note that there are a few non-standard actions that are used at times (for example, ACTIVATE).	ADD
entityId	The entity UUID identifier.	a6cb609f-c6ea-48ad-ab61-433b4054a1f8
entityName	The entity name (for example, role name, group name, user ID).	Auditor, Contractors, jdoe
auditDetails	Additional audit details: a JSON document with these possible attributes: messageTokens: reserved for future use modifiedEntityAttributes: [{name: "...", oldValue: "...", newValue: "..."}, {...}] entityAttributes: [{name: "...", value: "..."}, {...}] The attribute values are specific to the event type and are currently not documented.	{ "entityAttributes": [ { "name": "Identity Provider", "value": "SP::twoco" }, { "name": "Type", "value": "SP" }, { "name": "Issuer", "value": "https://entrust.us.dev.trustedauthdev.com/api/oidc" } ], "messageTokens": null, "modifiedEntityAttributes": null }

Entity Types

• SUBSCRIBERS
• USERS
• APPLICATIONS
• TOKENS
• ROLES
• SPROLES
• CONTEXTRULES
• AUTHORIZATIONGROUPS
• USERATTRIBUTES
• USERATTRIBUTEVALUES
• AGENTS
• GROUPS
• SETTINGS
• DIRECTORIES
• DIRECTORYSYNC
• DIRECTORYCONNECTIONS
• TEMPLATES
• USERSITEROLES
• REPORTS
• BULKUSERS
• BULKGROUPS
• USERPASSWORDS
• SERVICEPROVIDERS
• SERVICEPROVIDERACCOUNTS
• USERMACHINES
• CAS
• BULKHARDWARETOKENS
• BULKSMARTCARDS
• DIGITALIDCONFIGS
• DIGITALIDCONFIGVARIABLES
• DIGITALIDCONFIGCERTTEMPS
• DIGITALIDCONFIGSANS
• SCDEFNS
• SCDEFNPIVAPPLETCONFIGS
• SCDEFNVARIABLES
• SMARTCREDENTIALS
• SMARTCREDENTIALSSIGNATURE
• USERSPROLES
• EXPECTEDLOCATIONS
• USERLOCATIONS
• USERRBASETTINGS
• SPCLIENTCREDENTIALS
• SPMANAGEMENTPLATFORM
• ENTITLEMENTS
• QUESTIONS
• USERQUESTIONS
• USERQUESTIONANSWERS
• USERKBACHALLENGES
• WORDSYNONYMS
• GATEWAYS
• GATEWAYCSRS
• SPUSERMGMT
• BULKIDENTITYGUARD
• TEMPACCESSCODES
• TEMPACCESSCODECONTENTS
• GRIDS
• GRIDCONTENTS
• FIDOTOKENS
• EXPORTREPORTS
• CUSTOMIZATIONVARIABLES
• BLACKLISTEDPASSWORDS
• SPENTITLEMENTS
• CREATETENANT
• TENANTS
• ARCHIVES
• CERTIFICATES
• INTELLITRUSTDESKTOPS
• ACTIVESYNC
• PRINTERS
• ISSUANCE
• IDPROOFING
• IDPROOFINGLICENSE
• OTPS
• AD_CONNECTOR_DIRECTORIES
• AZURE_DIRECTORIES
• SCHEDULEDTASKS
• CREDENTIALDESIGNS
• ENROLLMENTS
• BULKENROLLMENTS
• EMAILTEMPLATES
• EMAILVARIABLES
• SENDEMAIL
• SENDSCIM
• SENDAZUREAD
• DIRECTORYPASSWORD
• TRANSACTIONITEMS
• TRANSACTIONRULES
• ENROLLMENTDESIGNS
• HIGH_AVAILABILITY_GROUPS
• PKIAASCREDENTIALS
• DIGITALIDCERTIFICATES
• PIVCONTENTSIGNER
• RESOURCESERVERAPIS
• RESOURCESERVERSCOPES
• USEROAUTHTOKENS
• GROUPPOLICIES
• OAUTHROLES
• IDENTITYPROVIDERS
• SMARTCARDS
• IPLISTS
• DOMAINCONTROLLERCERTS
• OTPPROVIDERS
• PREFERREDOTPPROVIDERS
• SPIDENTITYPROVIDERS
• PUSHCREDENTIALS
• DIRECTORYSEARCHATTRIBUTES
• DIRECTORYATTRIBUTES
• RISKENGINES
• SCIMPROVISIONINGS
• RATELIMITING
• CLAIMS
• CONTACTVERIFICATION
• HOSTNAMESETTINGS
• MAGICLINKS
• MAGICLINKCONTENTS
• AUTHENTICATIONFLOWS
• FACE
• TOKENACTIVATIONCONTENTS
• PASSTHROUGH
• POLICYOVERRIDE
• ORGANIZATIONS
• WEBHOOKS
• WEBHOOK_NOTIFICATION
• VCDEFNS
• VCS
• PLAYINTEGRITYCREDENTIALS
• VPDEFNS
• ACRS
• FLEET_MANAGEMENT_ALERT
• VERIFYUSER

Authentication Events

• AuthenticationDeniedEvent
• VerificationDeniedEvent
• VerificationIdpSuccessEvent
• AuthenticationOtpUnavailableEvent
• AuthenticationExternalSuccessEvent"
• AuthenticationExternalSecondFactorBypassEvent
• AuthenticationOtpSentToAllEvent
• AuthenticationOtpEmailSentEvent
• AuthenticationOtpNoCreditEvent
• AuthenticationOtpSmsSentEvent
• AuthenticationOtpVoiceSentEvent
• AuthenticationOtpCreatedEvent
• AuthenticationLockedEvent
• UserPasswordChangeLockedEvent
• UserPasswordChangeFailedEvent
• UserStepUpAuthenticationSuccess
• SamlAuthenticationFailedEvent
• SamlAuthenticationSuccessEvent
• OidcAuthenticationFailedEvent
• OidcAuthenticationSuccessEvent
• MachineLockedEvent
• AuthenticationAdminApiSuccessEvent
• AuthenticationMagicLinkSuccessEvent
• AuthenticationPasswordSuccessEvent
• AuthenticationExternalSuccessEvent
• AuthenticationKbaSuccessEvent
• AuthenticationTempAccessCodeSuccessEvent
• AuthenticationOtpSuccessEvent
• AuthenticationOtpWithTempAccessCodeSuccessEvent
• AuthenticationGridSuccessEvent
• AuthenticationGridWithTempAccessCodeSuccessEvent
• AuthenticationTokenSuccessEvent
• AuthenticationTokenWithTempAccessCodeSuccessEvent
• AuthenticationTokenPushSuccessEvent
• AuthenticationFIDOSuccessEvent
• AuthenticationPasskeySuccessEvent
• AuthenticationSmartCredentialPushSuccessEvent
• AuthenticationSmartLoginSuccessEvent
• AuthenticationUserCertificateSuccessEvent
• AuthenticationPassthroughSuccessEvent
• AuthenticationIdpSuccessEvent
• AuthenticationFaceSuccessEvent
• AuthenticationFirstFactorPasswordSuccessEvent
• AuthenticationFirstFactorExternalSuccessEvent
• AuthenticationFirstFactorIdpSuccessEvent
• AuthenticationSecondFactorKbaSuccessEvent
• AuthenticationSecondFactorTempAccessCodeSuccessEvent
• AuthenticationSecondFactorOtpSuccessEvent
• AuthenticationSecondFactorOtpWithTempAccessCodeSuccessEvent
• AuthenticationSecondFactorGridSuccessEvent
• AuthenticationSecondFactorGridWithTempAccessCodeSuccessEvent
• AuthenticationSecondFactorTokenSuccessEvent
• AuthenticationSecondFactorTokenWithTempAccessCodeSuccessEvent
• AuthenticationSecondFactorTokenPushSuccessEvent
• AuthenticationSecondFactorFIDOSuccessEvent
• AuthenticationSecondFactorUserCertificateSuccessEvent
• AuthenticationSecondFactorSmartCredentialPushSuccessEvent
• AuthenticationSecondFactorFaceSuccessEvent
• AuthenticationSecondFactorMagicLinkSuccessEvent
• AuthenticationAllowedCompromisedPasswordDetectedEvent
• AuthenticationForceChangeCompromisedPasswordDetectedEvent
• Modify Contact Events
• ModifyContactOtpSmsSentEvent
• ModifyContactOtpVoiceSentEvent
• ModifyContactOtpEmailSentEvent
• ModifyContactOtpWechatSentEvent
• ModifyContactOtpWhatsappSentEvent
• Verify User Events
• VerifyUserSuccessUserResponseEvent
• VerifyUserInvalidUserResponseEvent

Audit Details

SamlAuthenticationSuccessEvent

• Application Name
• SP/IDP Initiated (IDP or SP)
• SP Issuer
• Name ID
• ACR URL
• Organization ID
• Organization Name

OidcAuthenticationSuccessEvent

• Client ID
• Application Name
• Response Types
• ID Token Subject
• Redirect URI
• ACR
• AMR
• Organization ID
• Organization Name